
GPG key problems

If none of the specific sub-forums seem right for your thread, ask here.
PsySc0rpi0n
Posts: 322
Joined: 2012-10-24 13:54
Location: Bitcoin World

GPG key problems

#1 Post by PsySc0rpi0n »

Hello.

Recently I had to reinstall my whole Debian system because I had a few problems. And I hadn't done this for like 7 years or so. The result is that I didn't even remember to save my ~/.gnupg, so now I created a new key and uploaded it to an online server.

Ok, but now, somehow, other programs say they cannot find the secret key.
And there are 2 contradictory scenarios.

Scenario 1 - GPG says there is a secret key available
Scenario 2 - GPG cannot export the secret key because says that there's nothing to export.

I'll show some command outputs to illustrate both scenarios, plus some more commands that may help to picture the whole situation.

Scenario 1:
The following command says "there is a secret key available":

Code:

$ gpg2 --edit-key 5306D6C5B1CCDE5D66B542B98345F0A70D1149F1
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/8345F0A70D1149F1
     created: 2020-11-23  expires: 2021-11-23  usage: SC  
     trust: ultimate      validity: ultimate
sub  cv25519/930B7F6B3C1AC32C
     created: 2020-11-23  expires: 2021-11-23  usage: E   
[ultimate] (1). MyNickName (Generic usage key) <my-email-etc@email-provider.com>

gpg>
This command also suggests there is a secret key that needs to be deleted prior to key deletion:

Code:

$ gpg2 --delete-key my-email-etc@email-provider.com
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: there is a secret key for public key "my-email-etc@email-provider.com"!
gpg: use option "--delete-secret-keys" to delete it first.
Also, after I had created this key, I did (or I thought I had done) a backup with the specific command for that:

Code:

gpg2 --output my-backup-keys.gpg --armor --export --export-options export-backup my-email-etc@email-provider.com
and a file was created. According to the manpage of gpg, this command is supposed to create a complete backup including specific data:

--export-options parameters
    backup
    export-backup
        Export for use as a backup. The exported data includes all data which is needed to restore the key or keys later with GnuPG. The format is basically the OpenPGP format but enhanced with GnuPG specific data. All other contradicting options are overridden.

So, I thought all was good.
Moreover, there are 2 folders at ~/.gnupg named openpgp-revocs.d and private-keys-v1.d. Inside each of these folders is one file, which I suppose are the revocation certificate and the private key.


SCENARIO 2
In this scenario everything points to the fact that no secret key is available.

If I try to list secret keys with the following command:

Code:

$ gpg2 --list-secret-keys
~/.gnupg/pubring.kbx
------------------------------------
sec   ed25519 2020-11-23 [SC] [expires: 2021-11-23]
      5306D6C5B1CCDE5D66B542B98345F0A70D1149F1
uid           [ultimate] MyNickName (Generic usage key) <my-email-etc@email-provider.com>
ssb#  cv25519 2020-11-23 [E] [expires: 2021-11-23]
So, I tried to import the private key I mentioned above from ~/.gnupg/private-keys-v1.d, but I got the following output:

Code:

$ gpg2 --import ~/.gnupg/private-keys-v1.d/OMITTEDSTRINGJUSTINCASE.key 
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Then, I created a file with some text to encrypt it and try to decrypt it. The result was that I was able to encrypt it but unable to decrypt it, for the same reason: no secret key available.

Code:

$ gpg2 --output message.gpg --encrypt message.log 
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: my-email-etc@email-provider.com

Current recipients:
cv25519/930B7F6B3C1AC32C 2020-11-23 "MyNickName (Generic usage key) <my-email-etc@email-provider.com>"

Enter the user ID.  End with an empty line: 
mymachine@mymachine:~/Documents$ gpg2 --output message-dec.log --decrypt message.gpg 
gpg: encrypted with 256-bit ECDH key, ID 930B7F6B3C1AC32C, created 2020-11-23
      "MyNickName (Generic usage key) <my-email-etc@email-provider.com>"
gpg: decryption failed: No secret key
mymachine@mymachine:~/Documents$
Lastly, I tried to import the private key from that folder I mentioned back there, ~/.private-keys-v1.d, but got the following output:

Code:

$ gpg2 --import ~/.gnupg/openpgp-revocs.d/5306D6C5B1CCDE5D66B542B98345F0A70D1149F1.rev 
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
Then, I also tried to import the revocation key from the other folder, but the output was the same as for the above command:

Code:

$ gpg2 --import ~/.gnupg/openpgp-revocs.d/5306D6C5B1CCDE5D66B542B98345F0A70D1149F1.rev 
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

So, what do you guys think went wrong? And is this key doomed to die when the expiration time comes? I can't even revoke it.
BTW, I know the password to unlock the private key (for encryption, I suppose). I'm not sure how this works, but it seems to me that one private key is used to encrypt (maybe it's the pub key, commonly miscalled the encryption private key), and another one is used to decrypt (this one seems to me to be the one missing).

Thanks for any help
Psy

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: GPG key problems

#2 Post by sgosnell »

Data is encrypted using the public key, and decrypted using the private key. Secret and private are used interchangeably. You can also encrypt/decrypt using the private key alone. Try installing gpa, which is a GUI frontend to gnupg, and see what you have. Generating a key pair should be all you need to do, and none of the other stuff is necessary. And you can have as many key pairs as you like. That gets confusing, though. The way it's supposed to work is that you post the public key on keyservers, and anyone who wants to send you encrypted messages uses that public key to encrypt it, and then when you receive it you use your private key to decrypt it. For local encryption for your own use, you can just run gpg -e, and gpg -d to decrypt. I'm really not clear on exactly what you're trying to do, nor what your level of understanding gnupg is.
Take my advice, I'm not using it.

PsySc0rpi0n
Posts: 322
Joined: 2012-10-24 13:54
Location: Bitcoin World

Re: GPG key problems

#3 Post by PsySc0rpi0n »

sgosnell wrote:Data is encrypted using the public key, and decrypted using the private key.
Yes, I know. But the question here, at least to me, is whether the public key also has its own secret key. Because if not, what is that secret key that GPG says is available in Scenario 1? I don't think it has one, but I can't understand this if it doesn't have one.
sgosnell wrote: Secret and private are used interchangeably. You can also encrypt/decrypt using the private key alone. Try installing gpa, which is a GUI frontend to gnupg, and see what you have.
I don't believe a GUI will show me anything else other than what I see with the bare commands in terminal.
sgosnell wrote: Generating a key pair should be all you need to do, and none of the other stuff is necessary. And you can have as many key pairs as you like. That gets confusing, though. The way it's supposed to work is that you post the public key on keyservers, and anyone who wants to send you encrypted messages uses that public key to encrypt it, and then when you receive it you use your private key to decrypt it. For local encryption for your own use, you can just run gpg -e, and gpg -d to decrypt. I'm really not clear on exactly what you're trying to do, nor what your level of understanding gnupg is.
Well, my level of understanding is very basic, but enough to understand everything you told me here. Thank you for that.
What I'm trying to do is to create a new key because my old one got lost when I forgot to save a backup of my ~/.gnupg folder. This key will be used for many purposes, 2 of which will be to use it along with software like internet messengers to encrypt messages, and also to encrypt files, folders, etc. Very basic usage.

So, in one particular case, I use this XMPP messenger client that supports GPG encrypted messages. And this is one of the cases where this software complains about not being able to decrypt messages sent to me. And if I can't really get this private key back, this will be the 2nd or 3rd key I lose which is already on public online servers. I can't even revoke them.

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: GPG key problems

#4 Post by sgosnell »

If you lost the previous private key, there is no way at all to decrypt any messages encrypted with the associated public key. Cannot be done, by design. When a key pair is generated, you get a private key and an associated public key. You should generate a revocation immediately, and store that along with the private key. If you don't have the revocation cert, then you can't revoke the public key. Just ignore it, and generate another key and put the public key on the keyservers, and make sure anyone who might correspond with you has a copy of the current public key. You can generate as many key pairs as you like, but the pairs must be used together. A file or message encrypted by a public key can only be decrypted with the associated private key. The gpa GUI makes it easier, at least for me, to see which pairs go together, because I have several. It's not essential, it just makes things easier for me. YMMV.
Take my advice, I'm not using it.

PsySc0rpi0n
Posts: 322
Joined: 2012-10-24 13:54
Location: Bitcoin World

Re: GPG key problems

#5 Post by PsySc0rpi0n »

sgosnell wrote:If you lost the previous private key, there is no way at all to decrypt any messages encrypted with the associated public key. Cannot be done, by design. When a key pair is generated, you get a private key and an associated public key. You should generate a revocation immediately, and store that along with the private key. If you don't have the revocation cert, then you can't revoke the public key. Just ignore it, and generate another key and put the public key on the keyservers, and make sure anyone who might correspond with you has a copy of the current public key. You can generate as many key pairs as you like, but the pairs must be used together. A file or message encrypted by a public key can only be decrypted with the associated private key. The gpa GUI makes it easier, at least for me, to see which pairs go together, because I have several. It's not essential, it just makes things easier for me. YMMV.
Yes, I understand that. What I can't understand is how, in Scenario 1, a secret key seems to exist, and in Scenario 2, one seems not to exist. So, how and why does GPG say there is a secret key in Scenario 1?

Also, why can't the files inside these two folders I mentioned be used to restore the private key and to import the revocation key, so that I can revoke the key and upload the revoked key?

These are the two questions I would like to find an answer for.

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: GPG key problems

#6 Post by sgosnell »

Run

Code:

gpg --list-secret-keys
That will tell you what keys exist.
A # after the initial tags sec or ssb means that the secret key or subkey is currently not usable.
Then you can decide what to do.

Code:

gpg --help
man gpg
are also essential.
Take my advice, I'm not using it.
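An added check, not from the thread, that parses the `--list-secret-keys` output PsySc0rpi0n posted in Scenario 2 (embedded below as a constructed sample) and applies the rule sgosnell states: a `#` after `sec` or `ssb` means that secret key or subkey is not usable. It reports which capabilities (S, C, E, A) have no usable secret material, which is the difference between "Secret key is available" from --edit-key and "No secret key" from --decrypt.

```python
import re

# Constructed sample: the `gpg2 --list-secret-keys` listing quoted in the
# thread. The primary secret key is present; the encryption subkey (ssb) is
# marked '#', i.e. its secret part is not available.
SAMPLE_LISTING = """\
~/.gnupg/pubring.kbx
------------------------------------
sec   ed25519 2020-11-23 [SC] [expires: 2021-11-23]
      5306D6C5B1CCDE5D66B542B98345F0A70D1149F1
uid           [ultimate] MyNickName (Generic usage key) <my-email-etc@email-provider.com>
ssb#  cv25519 2020-11-23 [E] [expires: 2021-11-23]
"""

# 'sec'/'ssb' tag, optional marker ('#' = secret part missing, '>' = secret
# part stored on a smartcard), algorithm, creation date, usage flags.
KEY_LINE = re.compile(r"^(sec|ssb)([#>]?)\s+(\S+)\s+(\S+)\s+\[([A-Z]+)\]")


def parse_secret_listing(text):
    """Return one dict per sec/ssb line with tag, algorithm, usage flags and
    whether the secret material is actually present on this machine."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue  # uid, fingerprint and keyring-path lines are skipped
        tag, marker, algo, created, usage = m.groups()
        keys.append({
            "tag": tag, "algo": algo, "created": created,
            "usage": set(usage),
            "secret_present": marker != "#",
            "on_card": marker == ">",
        })
    return keys


def missing_capabilities(keys):
    """Usage flags (S=sign, C=certify, E=encrypt, A=authenticate) for which
    every key/subkey carrying the flag lacks its secret part. An 'E' in the
    result means encryption to this key still works (public part present)
    but decryption cannot: 'gpg: decryption failed: No secret key'."""
    usable = set().union(*(k["usage"] for k in keys if k["secret_present"]))
    all_flags = set().union(*(k["usage"] for k in keys))
    return sorted(all_flags - usable)


if __name__ == "__main__":
    parsed = parse_secret_listing(SAMPLE_LISTING)
    print("unusable capabilities:", missing_capabilities(parsed))  # ['E']
```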

PsySc0rpi0n
Posts: 322
Joined: 2012-10-24 13:54
Location: Bitcoin World

Re: GPG key problems

#7 Post by PsySc0rpi0n »

sgosnell wrote:Run

Code:

gpg --list-secret-keys
That will tell you what keys exist.
A # after the initial tags sec or ssb means that the secret key or subkey is currently not usable.
Then you can decide what to do.

Code:

gpg --help
man gpg
are also essential.
I guess I already said that I don't understand, and that's what I'm trying to understand: why that --list-secret-keys command shows my pub key fingerprint instead of showing what it is supposed to show, which is a secret key.

And this is a case where the help and man pages are completely useless. Can you find there a reason why the two commands show the exact same output? Or maybe why --list-secret-keys is said there to show secret keys and then what it really shows is the fingerprint of the public key? Which in turn is exactly the same as the output of --list-keys. So, in this case, the man page says completely nothing about this. Therefore, it's useless in this specific case!

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: GPG key problems

#8 Post by sgosnell »

You still have not shown the output of anything. I have no idea what you're seeing from --list-keys or --list-secret-keys, nor anything else. Rants give no usable information. The easy way to solve all this is to just generate new keys and get on with life.
Take my advice, I'm not using it.

mike acker
Posts: 131
Joined: 2017-06-28 21:23

Re: GPG key problems

#9 Post by mike acker »

PsySc0rpi0n wrote:Hello.

Recently I had to reinstall my whole Debian system because I had a few problems. And I hadn't done this for like 7 years or so. The result is that I didn't even remember to save my ~/.gnupg, so now I created a new key and uploaded it to an online server.

Ok, but now, somehow, other programs say they cannot find the secret key.
uh oh

There are certain things in your home directory that you should back up, at least once in a while; one of these will be your keyrings. You have two types of keys on your gpg keyrings: (1) secret keys, and (2) public keys. Public keys you share with anyone you want; secret keys you share with nobody but yourself.

So: if I encrypt a message for you, I do that using your public key. You have to have your secret key to decrypt it (and to authenticate it).

So, if you didn't back up your secret keys, and you have now reformatted your disc and installed a new system: your secret keys are history. Oh well; we live and learn.

GPG has commands for exporting both secret and public keys. You could do that and then copy the files to a thumb drive (or drives). Your secret key is useless without your passphrase, so just throw the thumb drives in a desk drawer, but take care to protect your passphrase.

When you generate keys you should also generate the revoke key; at this time you should upload your revoke key for your earlier key-pair to the keyservers. Uh, you should generate that when you generate a key-pair and put a copy on those backup thumb drives. This is done so that if I decide to send you a secret message, when I go to get your public key from the key server I'll recognize that you have voided your earlier key and I'll know to use your new key.
Viva la Resistencia

sgosnell
Posts: 975
Joined: 2011-03-14 01:49

Re: GPG key problems

#10 Post by sgosnell »

I went back to the top and reread things. The --list-secret-keys command does list a secret key. You cannot import a key that is already present. To encrypt, just

Code:

gpg2 -e filename
To decrypt it,

Code:

gpg2 -d filename
If you want to encrypt as you type, then you can use an interactive session, but I've never used that beyond a brief trial. I'm not exactly sure what the OP expects, or wants to do. I need a clearer exposition of that, and why.
Take my advice, I'm not using it.
