Mailing List Archive: GPG Decrypt Error based on a timeout function?

GPG Decrypt Error based on a timeout function?

Dec 17, 2020, 11:28 AM

Post #1 of 5 (85 views)

Good Day,

This very novice would appreciate some help.

My situation:

I have a Raspberry Pi 4 computer running the Raspberry Operating System
(Raspbian GNU/Linux [buster], Version ID=10) at my home. I need it to send
me an email notification when certain functions are performed.

To this end, I have configured the mail system called msmtp on the Raspberry
Pi 4 computer. I can send email to my myself via my email account manually
and interactively using msmtp on the Raspberry Pi 4 computer, with the
password not encrypted on the Raspberry Pi 4 computer.

I have gpg version 2.2.12-1+rpi1+deb10u1 installed on this Raspberry Pi 4
Computer.

Problem:

Following good security policies, I encrypted my email account password
using gpg. My encrypted password is stored in a file
(/home/pi/.msmtp-2d-ionos.gpg) on the Raspberry Pi4 computer.

I successfully created my gpg key. I was able to successfully run the
following command:

gpg --encrypt -o .msmtp-2d.ionos.gpg -r 2d@daviddonnelly.com -

The password provided was encrypted with no problems and the associated file
was created.

However, when I run the following command, it initially works. Meaning the
associated password is decrypted and the e-mail is sent:

msmtp -t < message.txt

But after a few minutes, when I retest the command:

msmtp -t < message.txt

I get the following error:

gpg: decryption failed: No secret key

When I run the following command:

gpg --encrypt -o .msmtp-2d.ionos.gpg -r 2d@daviddonnelly.com -

I am asked for my passphrase, once entered the file is decrypted and the
contents displayed. I then rerun the command:

msmtp -t < message.txt

and the associated e-mail is sent.

I wait a few minutes and the error repeats itself.

Is there some sort of timeout associated with gpg? Or my implementation is
wrong.or ?

Also, I have noticed, at times, gpg will not accept the passphrase until I
reboot the Raspberry pi 4.

Your help in this matter is greatly appreciated,

Dave

Re: GPG Decrypt Error based on a timeout function? [ In reply to ]

angel at pgp

Dec 17, 2020, 4:52 PM

Post #2 of 5 (85 views)

Permalink

On 2020-12-17 at 11:28 -0800, Dave via Gnupg-users wrote:
> Good Day,
> This very novice would appreciate some help.
>
> My situation:
>
> I have a Raspberry Pi 4 computer running the Raspberry Operating
> System (Raspbian GNU/Linux [buster], Version ID=10) at my home. I
> need it to send me an email notification when certain functions are
> performed.
>
> To this end, I have configured the mail system called msmtp on the
> Raspberry Pi 4 computer. I can send email to my myself via my email
> account manually and interactively using msmtp on the Raspberry Pi 4
> computer, with the password not encrypted on the Raspberry Pi 4
> computer.
> (...)
> When I run the following command:
>
> gpg --encrypt -o .msmtp-2d.ionos.gpg -r 2d@daviddonnelly.com -
>
> I am asked for my passphrase, once entered the file is decrypted and
> the contents displayed. I then rerun the command:

Probably a mistake in pasting the same as before. This command wouldn't
need the password for the private key.

> msmtp -t < message.txt
>
> and the associated e-mail is sent.
>
> I wait a few minutes and the error repeats itself.
>
> Is there some sort of timeout associated with gpg? Or my
> implementation is wrong…or ?
>
> Also, I have noticed, at times, gpg will not accept the passphrase
> until I reboot the Raspberry pi 4.

See gpg-agent settings. The few minutes it works, that's because gpg-
agent has the decrypted gpg key cached. You would need to increase that
timeout, or let the script provide the password directly to gpg / use a
passwordless key. When the sending fails, it should perhaps be asking
you to provide the gpg passphrase, my guess is that the way it runs (
--no-tty --batch maybe), it isn't able to launch a pinentry to ask the
password to the user.

If you really want the password decryption to be unattended, you could
configure the gpg password in the script, but then that would be
roughly equivalent to the email account password. It's turtles all way
down.

Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: GPG Decrypt Error based on a timeout function? [ In reply to ]

gnupg-users at gnupg

Dec 18, 2020, 10:25 AM

Post #3 of 5 (85 views)

Permalink

Angel,
Yes, I want the script to run unattended, which the gpg process is not the right method, as you say: " you could configure the gpg password in the script, but then that would be roughly equivalent to the email account password."

Many thanks and stay safe and healthy,
Dave

-----Original Message-----
From: Gnupg-users <gnupg-users-bounces@gnupg.org> On Behalf Of Ángel
Sent: Thursday, December 17, 2020 4:53 PM
To: gnupg-users@gnupg.org
Subject: Re: GPG Decrypt Error based on a timeout function?

On 2020-12-17 at 11:28 -0800, Dave via Gnupg-users wrote:
> Good Day,
> This very novice would appreciate some help.
>
> My situation:
>
> I have a Raspberry Pi 4 computer running the Raspberry Operating
> System (Raspbian GNU/Linux [buster], Version ID=10) at my home. I
> need it to send me an email notification when certain functions are
> performed.
>
> To this end, I have configured the mail system called msmtp on the
> Raspberry Pi 4 computer. I can send email to my myself via my email
> account manually and interactively using msmtp on the Raspberry Pi 4
> computer, with the password not encrypted on the Raspberry Pi 4
> computer.
> (...)
> When I run the following command:
>
> gpg --encrypt -o .msmtp-2d.ionos.gpg -r 2d@daviddonnelly.com -
>
> I am asked for my passphrase, once entered the file is decrypted and
> the contents displayed. I then rerun the command:

Probably a mistake in pasting the same as before. This command wouldn't need the password for the private key.

> msmtp -t < message.txt
>
> and the associated e-mail is sent.
>
> I wait a few minutes and the error repeats itself.
>
> Is there some sort of timeout associated with gpg? Or my
> implementation is wrong…or ?
>
> Also, I have noticed, at times, gpg will not accept the passphrase
> until I reboot the Raspberry pi 4.

See gpg-agent settings. The few minutes it works, that's because gpg- agent has the decrypted gpg key cached. You would need to increase that timeout, or let the script provide the password directly to gpg / use a passwordless key. When the sending fails, it should perhaps be asking you to provide the gpg passphrase, my guess is that the way it runs ( --no-tty --batch maybe), it isn't able to launch a pinentry to ask the password to the user.

If you really want the password decryption to be unattended, you could configure the gpg password in the script, but then that would be roughly equivalent to the email account password. It's turtles all way down.

Regards

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG Decrypt Error based on a timeout function? [ In reply to ]

angel at pgp

Dec 18, 2020, 3:50 PM

Post #4 of 5 (85 views)

Permalink

On 2020-12-18 at 10:25 -0800, Dave via Gnupg-users wrote:
> Angel,
> Yes, I want the script to run unattended, which the gpg process is
> not the right method, as you say: " you could configure the gpg
> password in the script, but then that would be roughly equivalent to
> the email account password."
>
> Many thanks and stay safe and healthy,
> Dave

You cannot make a machine which needs a secret run fully unattended
without having such secret *somewhere*. You can move pieces around,
separate roles amongst different parts, protect a secret in a way that
a _different_ secret is needed instead, etc. But in the end, as the
machine needs that secret, you need to store it there. Or,
alternatively, have a human input it and have it stored in memory, with
the caveat that the machine won't be able to boot to a fully functional
state until that is provided.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

RE: GPG Decrypt Error based on a timeout function? [ In reply to ]

gnupg-users at gnupg

Dec 18, 2020, 3:58 PM

Post #5 of 5 (85 views)

Permalink

Angel,
I came to that realization as I worked through with your guidance, the
configuration I wanted.
Technology, while here to help, can be a drawback at times. Or perhaps
better said, has its own limitations.

Many thanks and stay safe.
Dave

-----Original Message-----
From: Gnupg-users <gnupg-users-bounces@gnupg.org> On Behalf Of ?ngel
Sent: Friday, December 18, 2020 3:50 PM
To: gnupg-users@gnupg.org
Subject: Re: GPG Decrypt Error based on a timeout function?

On 2020-12-18 at 10:25 -0800, Dave via Gnupg-users wrote:
> Angel,
> Yes, I want the script to run unattended, which the gpg process is
> not the right method, as you say: " you could configure the gpg
> password in the script, but then that would be roughly equivalent to
> the email account password."
>
> Many thanks and stay safe and healthy, Dave

You cannot make a machine which needs a secret run fully unattended without
having such secret *somewhere*. You can move pieces around, separate roles
amongst different parts, protect a secret in a way that a _different_ secret
is needed instead, etc. But in the end, as the machine needs that secret,
you need to store it there. Or, alternatively, have a human input it and
have it stored in memory, with the caveat that the machine won't be able to
boot to a fully functional state until that is provided.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Mailing List Archive

Mailing List Archive

Attached Files: