Accidentally deleted ~/.gnupg/pubring.gpg
Hi,

I've accidentally deleted ~/.gnupg/pubring.gpg and now I'm not able to see any output from `gpg --list-keys' and `gpg --list-secret-keys'.

Is it possible to still use my private key to decrypt previously encrypted .gpg files? Are private keys stored in ~/.gnupg/private-keys-v1.d ? If so how can I make use of it?

gpg (GnuPG) 2.2.12
libgcrypt 1.8.4

Thank you in advance for your help.
Wenshan
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Sun, 2020-07-05 at 14:30 +0000, renws via Gnupg-users wrote:
> Hi,
>
> I've accidentally deleted ~/.gnupg/pubring.gpg and now I'm not able to see any output from `gpg --list-keys' and `gpg --list-secret-keys'.
>
> Is it possible to still use my private key to decrypt previously encrypted .gpg files? Are private keys stored in ~/.gnupg/private-keys-v1.d ? If so how can I make use of it?
>

Reimport your public key and things should start working again. You may
look if ~/.gnupg doesn't contain a backup copy, or fetch it from
keyservers, someone who used it, etc...


--
Best regards,
Michał Górny
Re: Accidentally deleted ~/.gnupg/pubring.gpg
Hi Michał,

Thanks for your reply. However I've never uploaded the public key to any keyservers, is it possible to recover the public key from the private key (I still have ~/.gnupg/private-keys-v1.d)?

Regards,
Wenshan

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Mon, 6 Jul 2020 09:58, renws said:

> Thanks for your reply. However I've never uploaded the public key to
> any keyservers, is it possible to recover the public key from the
> private key (I still have ~/.gnupg/private-keys-v1.d)?

If you really can't find a backup of the public key you can create a
new key compatible to the old key. There is no instant way to do this
and it requires quite some manual work now; for example you need to
figure out the exact key creation time to get the same fingerprint.
Decryption can be done simpler.

The upshot is that you better create a fresh new key and use the manual
restore process only if you need to decrypt important data (but in that
case you should have created a backup in the first place ;-).


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
Werner Koch via Gnupg-users wrote:

> On Mon, 6 Jul 2020 09:58, renws said:
>
> > Thanks for your reply. However I've never uploaded the public key to
> > any keyservers, is it possible to recover the public key from the
> > private key (I still have ~/.gnupg/private-keys-v1.d)?
>
> If you really can't find a backup of the public key you can create a
> new key compatible to the old key. There is no instant way to do this
> and it requires quite some manual work now; for example you need to
> figure out the exact key creation time to get the same fingerprint.
> Decryption can be done simpler.

Mmmhhh, I was under the impression when he still has the secret key that
he exports his secret-key (makes a back-up, just in case) re-imports
and then GnuPG automatically regenerates a pub key from the secret key.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Accidentally deleted ~/.gnupg/pubring.gpg
Stefan Claas wrote:

> Werner Koch via Gnupg-users wrote:
>
> > On Mon, 6 Jul 2020 09:58, renws said:
> >
> > > Thanks for your reply. However I've never uploaded the public key to
> > > any keyservers, is it possible to recover the public key from the
> > > private key (I still have ~/.gnupg/private-keys-v1.d)?
> >
> > If you really can't find a backup of the public key you can create a
> > new key compatible to the old key. There is no instant way to do this
> > and it requires quite some manual work now; for example you need to
> > figure out the exact key creation time to get the same fingerprint.
> > Decryption can be done simpler.
>
> Mmmhhh, I was under the impression when he still has the secret key that
> he exports his secret-key (makes a back-up, just in case) re-imports
> and then GnuPG automatically regenerates a pub key from the secret key.

... makes a back-up and then deletes the secret-key in the key ring.

Regards
Stefan

--
my 'hidden' service gopherhole:
gopher://iria2xobffovwr6h.onion

Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Tue, 7 Jul 2020 22:22, Stefan Claas said:

> Mmmhhh, I was under the impression when he still has the secret key that
> he exports his secret-key (makes a back-up, just in case) re-imports

The gpg-agent does not store the OpenPGP secret keyblock. In fact that
is only created when you run a gpg --export-secret-key. The agent
stored the bare numbers required for the crypto operations and nothing
else - it is protocol agnostic.

Sure, you can create a new public or (with --export-secret-key) secret
key from that but it won't have the same preference, creation date,
expire date and so on. Even the fingerprint will be different because
the creation date is part of the fingerprint computation. That latter
is the reason why the OpenPGP card stored the creation date of the key,
so that the fingerprint can be re-computed from the bare numbers.

If you know the fingerprint it is of course easy to find the creation
date; that are at worst a mere 710 million hashes (from 1998 to now).
It is just that we don't have the tooling. To make things easier I will
probably store the creation date as meta data along with the bare
numbers in the forthcoming 2.3.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On 2020-07-09 at 10:19 +0200, Werner Koch via Gnupg-users wrote:
> If you know the fingerprint it is of course easy to find the creation
> date; that are at worst a mere 710 million hashes (from 1998 to now).
> it is just that we don't have the tooling. To make things easier I
> will
> probably store the creation date as meta data along with the bare
> numbers in the forthcoming 2.3.

I have some tool that could do that. It's a matter of bruteforcing 4
bytes. The user probably has some idea of *when* it was created, highly
simplifying it. In fact, assuming this is the same computer on which the
key was created (quite likely, since there is no backup), the filesystem
timestamp of the file holding the secret key should be at most a few
seconds off, thus making such search immediate.

I should note however, that if someone loses its public key, and it
wasn't published anywhere he can simply reach it (such as the
keyservers), yet he wants to keep using the same key, that probably
means that *someone* else has that public key, and thus it might be
problematic to create a new key. In which case, the public key could be
retrieved from one of the third parties having it.
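
The creation-date search discussed in the two messages above, as an added example that is not part of any post in this thread and is not GnuPG code. It assumes an RSA key whose modulus `n` and exponent `e` have already been read out of the private key file; the function names are hypothetical and the sample values are constructed.

```python
import hashlib
import struct

RSA = 1  # OpenPGP public-key algorithm ID for RSA


def mpi(value: int) -> bytes:
    """OpenPGP MPI: 16-bit big-endian bit count, then the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint(n: int, e: int, created: int) -> str:
    """SHA-1 over 0x99, a 2-byte length and the v4 public-key packet body."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([RSA]) + mpi(n) + mpi(e)
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body)
    return digest.hexdigest().upper()


def find_creation_time(n, e, target, around, window=3600):
    """Return the creation time whose fingerprint ends with `target`, or None.

    target is a 40-hex-digit fingerprint or a 16-hex-digit key ID (the low
    64 bits of the fingerprint). Candidates are tried nearest to `around`
    (e.g. the mtime of the private key file) first, out to +/- window seconds.
    """
    target = target.replace(" ", "").upper()
    if len(target) not in (16, 40):
        raise ValueError("target must be a 16-digit key ID or 40-digit fingerprint")
    for delta in range(window + 1):
        for ts in {around - delta, around + delta}:
            if 0 <= ts < 2**32 and v4_fingerprint(n, e, ts).endswith(target):
                return ts
    return None


# Constructed sample values (hypothetical, not a real key).
SAMPLE_N = (1 << 2047) + 0x1234567
SAMPLE_E = 65537
SAMPLE_CREATED = 1500000000

if __name__ == "__main__":
    fpr = v4_fingerprint(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    mtime = SAMPLE_CREATED + 7  # file written a few seconds after key creation
    print(fpr, find_creation_time(SAMPLE_N, SAMPLE_E, fpr[-16:], mtime, window=60))
```

The key ID that gpg prints in "encrypted with RSA key, ID ..." can serve as `target` when the full fingerprint is not known.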
Re: Accidentally deleted ~/.gnupg/pubring.gpg
Hi


On Thursday 9 July 2020 at 9:19:39 AM, in
<mid:87h7uhqew4.fsf@wheatstone.g10code.de>, Werner Koch via
Gnupg-users wrote:-


> Even the fingerprint will be
> different because
> the creation date is part of the fingerprint
> computation.

If the OP just wants to decrypt previously encrypted data, wouldn't
the options --try-secret-key or --try-all-secrets work in this
situation?

--
Best regards

MFPA <mailto:2017-r3sgs86x8e-lists-groups@riseup.net>

A closed mouth gathers no foot
Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Sat, 11 Jul 2020 13:33, MFPA said:

> If the OP just wants to decrypt previously encrypted data, wouldn't
> the options --try-secret-key or --try-all-secrets work in this
> situation?

Yes, I think this should work. Have not looked into it, though.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
Hi,

I tried --try-all-secrets but it didn't work:

$ gpg -d --try-all-secrets myfile.txt.gpg
gpg: encrypted with RSA key, ID xxxxxxxxxxxxx
gpg: decryption failed: No secret key

I guess I'll have to create a new public key with the same fingerprint? I've searched "gpg create public key with same fingerprint" but didn't get much luck. Could you please provide more detailed how-to instructions?

Regards,
WS
Re: Accidentally deleted ~/.gnupg/pubring.gpg
Hi Veddal,


Thanks for your reply. Sorry, I meant to reply to an answer to my original post https://lists.gnupg.org/pipermail/gnupg-users/2020-July/063772.html, but I'm a little confused about how mailing lists work, so I might have created a new thread with the same title.

Basically, I've accidentally deleted ~/.gnupg/pubring.gpg and now I'm not able to see any output from `gpg --list-keys' and `gpg --list-secret-keys'.

And I don't have any backup of my public key, so I would like to know whether it's possible to decrypt my files (I've still got ~/.gnupg/private-keys-v1.d, which I think stores my private key?).

Tried your suggestions but didn't work for:

? .gnupg gpg /home/rws/.gnupg/secring.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: DBG: FIXME: merging secret key blocks is not anymore available
gpg: DBG: FIXME: No way to print secret key packets here
? .gnupg gpg 6906A68A85C4AEAC
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: can't open '6906A68A85C4AEAC'





Regards,
Wenshan



------- Original Message -------
On Tuesday, August 11, 2020 7:50 AM, <vedaal@nym.hush.com> wrote:

> On 8/8/2020 at 3:13 PM, "renws via Gnupg-users" <gnupg-users@gnupg.org> wrote:
>
> > Hi,
> > I tried --try-all-secrets but it didn't work:
> > $ gpg -d --try-all-secrets myfile.txt.gpg
> > gpg: encrypted with RSA key, ID xxxxxxxxxxxxx
> > gpg: decryption failed: No secret key
> > I guess I'll have to create a new public key with the same
> > fingerprint? I've searched "gpg create public key with same
> > fingerprint" but didn't get much luck. Could you please provide
> > more detailed how-to instructions?
>
> ==
>
> It's not clear what you did and what the problem is. Please explain more.
>
> The Subject is "Accidentally deleted ~/.gnupg/pubring.gpg"
>
> This is not so terrible, as the Secret Keys automatically contain the public keys, and they can be regenerated from them.
>
> Try this:
>
> gpg secring.gpg
> (you need to put in the exact path of where the secring.gpg is located, before the secring.gpg)
>
> GnuPG will list all the secret keys. It might detect the absence of a pubring.gpg and automatically create one, but I have not tried it, and do not have a test system here to try it.
>
> But
> I (have successfully) tried to restore a public key just by the command
> gpg keyname of the secret key.
>
> vedaal



Re: Accidentally deleted ~/.gnupg/pubring.gpg
On Sun, 16 Aug 2020 04:33, renws said:

> And I don't have any backup of my public key, so I would like to know
> whether it's possible to decrypt my files (I've still got
> ~/.gnupg/private-keys-v1.d, which I think stores my private key?).

If you just want to decrypt your files, you can do this:

- Create a new key, best using the mail address you used in your lost
key.

- Add a subkey so you can decrypt old data, for example

$ gpg --expert --edit-key NEWKEYID
Secret key is available.

[Prints info about that key]

gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 13
Enter the keygrip:

here you need to enter the keygrip of your lost key. That is the
name of the file in private-keys-v1.d/ without the ".key" suffix.
With your new key you should have 4 files in that directory, check
the date to pick the right one; if it does not work, you picked the
signing key and not the encryption key. Start over in this case.

Enter "save" and you have a new encryption subkey which matches the
old one mathematically.

- To decrypt with the new/old file you need to add the option:

--try-all-secrets


The last point is an obvious drawback but it is the easiest way to get
to your data.



Salam-Shalom,

Werner


--
Thoughts are free. Exceptions are regulated by a federal law.
Re: Accidentally deleted ~/.gnupg/pubring.gpg
It worked, and it was much easier than I expected, thank you so much!

WS
