Using Yubikey only to encrypt/sign

Farhan Khan farhan at farhan.codes
Mon Feb 18 22:39:47 CET 2019


February 18, 2019 3:51 PM, "Andrew Gallagher" <andrewg at andrewg.com> wrote:

>> On 18 Feb 2019, at 20:35, Farhan Khan <farhan at farhan.codes> wrote:
>> Hey Andrew,
>> I was given the message "gpg: decryption failed: No secret key". I ran this:
>> 
>> mv .gnupg .gnupg.bak
>> gpg --card-status
>> cat encrypted_message | gpg --decrypt
>> 
>> This gave me the warning message:
>> gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
>> "Farhan Khan <farhan at farhan.codes>"
>> gpg: public key decryption failed: Invalid ID
>> gpg: decryption failed: No secret key
>> 
>> When I run gpg --list-secret-keys, I see the serial number listed for my card.
>> I suspect this is a gpg-agent issue?
> 
> Would you mind posting the results of `gpg --list-secret-keys`? With the yubikey plugged in. It
> shouldn’t contain anything too sensitive. You may have the decryption key in the wrong slot.
> 
> A

Sure!

So, I have two tracks I'm taking at once, and perhaps you can provide some clarity on usage. My intention was to have the key on both my disk for use locally and on card for use while away from my computer.

A. I have a keyring with the secret key. I ran --edit-key, then keytocard. When I list --secret-keys, I get this:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
      7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
      Card serial no. = XXXX XXXXXXXX
uid           [ultimate] Farhan Khan <farhan at farhan.codes>
---

Notice the serial card number. At this point, I cannot decrypt files without the key present. Has the secret key been removed from disk? If so, this means I can only have the key in one place at a time and risk losing it. Ideally I would like to have the secret key on my computer, which I trust, but not on other devices.

B. I moved ~/.gnupg and created a new keyring. Then, I imported my public key. This simulates a situation where I can access my public key from the internet, but will not store it on the machine. Here is the output you requested:

---
$ gpg --list-secret-keys farhan at farhan.codes
sec>  rsa2048 2019-02-18 [SCEA] [expires: 2021-02-17]
      7BEF02AB89AF9581194D57F1BF0F750DB428FFFF
      Card serial no. = 0006 04708272
uid           [ unknown] Farhan Khan <farhan at farhan.codes>
---

I expect to be able to decrypt messages, but cannot:
---
$ echo test | gpg --encrypt -r farhan at farhan.codes | gpg --decrypt
gpg: BF0F750DB428FFFF: There is no assurance this key belongs to the named user
pub  rsa2048/BF0F750DB428FFFF 2019-02-18 Farhan Khan <farhan at farhan.codes>
 Primary key fingerprint: 7BEF 02AB 89AF 9581 194D  57F1 BF0F 750D B428 FFFF

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
gpg: encrypted with 2048-bit RSA key, ID BF0F750DB428FFFF, created 2019-02-18
      "Farhan Khan <farhan at farhan.codes>"
gpg: public key decryption failed: Invalid ID
gpg: decryption failed: No secret key
---

Please advise where my mistakes or incorrect assumptions are.
Thanks,

---
Farhan Khan
PGP Fingerprint: 7BEF 02AB 89AF 9581 194D 57F1 BF0F 750D B428 FFFF
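A check that answers the "has the secret key been removed from disk?" question without guessing from the human-readable listing. `keytocard` moves the private key material onto the card and leaves a stub in the keyring (the `sec>` / `ssb>` marker above), so afterwards the only copy is on the card unless it was exported first. In `gpg --with-colons --list-secret-keys` output, field 15 of a `sec`/`ssb` record carries the token serial number for an on-card stub, `#` for a stub with no key anywhere, and is empty when the key is on disk. The script below is an added example written for this thread, not code from the original message or from GnuPG; it parses a constructed sample listing (the key ID and fingerprint are the ones shown in the thread, the serial number and the two `0000…` key IDs are made-up placeholders) and reports where each secret key lives.

```shell
#!/bin/sh
# classify_secret_keys: read `gpg --with-colons --list-secret-keys` output on
# stdin and print "<record> <keyid> <capabilities> <location>" for every
# sec/ssb record. Field 15 of a sec/ssb record is the token serial number
# (key lives on a smartcard), "#" (stub, no key material anywhere), or
# empty (key material is in the on-disk keyring).
classify_secret_keys() {
  awk -F: '$1 == "sec" || $1 == "ssb" {
    loc = "on-disk"
    if ($15 == "#")       loc = "missing-stub"
    else if ($15 != "")   loc = "on-card:" $15
    print $1, $5, $12, loc
  }'
}

# Constructed sample listing (not real gpg output): the first key mirrors the
# thread's card-backed key, the serial number and the two 0000... key IDs are
# placeholders, and the uid hash field is a dummy value.
SAMPLE_LISTING='sec:u:2048:1:BF0F750DB428FFFF:1550448000:1613520000::u:::scESCA:::D2760001240102010006047082720000::::::
fpr:::::::::7BEF02AB89AF9581194D57F1BF0F750DB428FFFF:
uid:u::::1550448000::PLACEHOLDERUIDHASH::Farhan Khan <farhan at farhan.codes>::::::::::0:
sec:u:2048:1:0000000000000001:1550448000:1613520000::u:::scESC:::#::::::
ssb:u:2048:1:0000000000000002:1550448000::::::e:::::::::'

# Against a live keyring you would run instead:
#   gpg --with-colons --list-secret-keys | classify_secret_keys
printf '%s\n' "$SAMPLE_LISTING" | classify_secret_keys
```

On the sample this prints one `on-card:` line for the card-backed key, one `missing-stub` line, and one `on-disk` line. A key that must stay usable both on the workstation and on the YubiKey therefore needs `gpg --export-secret-keys` (or a backup of the keyring) taken before `keytocard`, because the listing shows only a stub once the move has happened.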
