Using two OpenPGP cards
Hello,

For some years I have used an OpenPGP card with GnuPG to encrypt all my
passwords (and other secrets). The passwords are managed with
password-store, which is basically a tree of passwords organised by the web
sites where they're required to log in.

I now have a mobile phone, the Purism L5, running Debian, which
has its own OpenPGP card (not set up until now):

purism@pureos:~$ gpg --card-status
Reader ...........: TTXS serial 00 00
Application ID ...: D27600012401030400050000A6FE0000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: ZeitControl
Serial number ....: 0000A6FE
Name of cardholder: [not set]
Language prefs ...: de
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

The question here is: Can I somehow transfer the keys from the used
OpenPGP card to this new card (and copy over the tree of encrypted
passwords to the phone) or do I have to move the passwords in clear and
crypt them again with the new card?

Thanks

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Using two OpenPGP cards [ In reply to ]
On Fri, Oct 29, 2021 at 10:15 PM Matthias Apitz <guru@unixarea.de> wrote:

> The question here is: Can I somehow transfer the keys from the used
> OpenPGP card to this new card (and copy over the tree of encrypted
> passwords to the phone) or do I have to move the passwords in clear and
> crypt them again with the new card?
>

I guess you know this already, but if you didn't:

A secure GPG smart card will not allow (by hardware and design) reading of
its private keys - only public keys.
I think that might answer your question, no?

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
Re: Using two OpenPGP cards [ In reply to ]
Hi,

I'm not sure I grasp the entirety of the problem, but I thought this should be mentioned:

From 'man pass' :

```
id...
Initialize new password storage and use gpg-id
for encryption. Multiple gpg-ids may be
specified, in order to encrypt each password
with multiple ids. This command must be run
first before a password store can be used. If
the specified gpg-id is different from the key
used in any existing files, these files will
be reencrypted to use the new id. Note that
use of gpg-agent(1) is recommended so that the
batch decryption does not require as much user
intervention. If --path or -p is specified,
along with an argument, a specific gpg-id or
set of gpg-ids is assigned for that specific
sub folder of the password store. If only one
gpg-id is given, and it is an empty string,
then the current .gpg-id file for the
specified sub-folder (or root if unspecified)
is removed.
```

If you can get the 2 keys on your PC or the 2 keys on your phone you can add your new key or even replace the old with the new one by running 'pass Id ...'


On October 29, 2021 9:00:28 PM GMT+02:00, Matthias Apitz <guru@unixarea.de> wrote:
>Hello,
>
>For some years I have used an OpenPGP card with GnuPG to encrypt all my
>passwords (and other secrets). The passwords are managed with
>password-store, which is basically a tree of passwords organised by the web
>sites where they're required to log in.
>
>I now have a mobile phone, the Purism L5, running Debian, which
>has its own OpenPGP card (not set up until now):
>
>purism@pureos:~$ gpg --card-status
>Reader ...........: TTXS serial 00 00
>Application ID ...: D27600012401030400050000A6FE0000
>Application type .: OpenPGP
>Version ..........: 3.4
>Manufacturer .....: ZeitControl
>Serial number ....: 0000A6FE
>Name of cardholder: [not set]
>Language prefs ...: de
>Salutation .......:
>URL of public key : [not set]
>Login data .......: [not set]
>Signature PIN ....: forced
>Key attributes ...: rsa2048 rsa2048 rsa2048
>Max. PIN lengths .: 64 64 64
>PIN retry counter : 3 0 3
>Signature counter : 0
>KDF setting ......: off
>Signature key ....: [none]
>Encryption key....: [none]
>Authentication key: [none]
>General key info..: [none]
>
>The question here is: Can I somehow transfer the keys from the used
>OpenPGP card to this new card (and copy over the tree of encrypted
>passwords to the phone) or do I have to move the passwords in clear and
>crypt them again with the new card?
>
>Thanks
>
> matthias
>
>--
>Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
>Public GnuPG key: http://www.unixarea.de/key.pub
>August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
>no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...
>

Romain LEBRUN THAURONT
5TC - Département Telecommunication, Services et Usages
INSA Lyon
Responsable Logistique du Karnaval Humanitaire

** Please consider using PGP to communicate with me, encrypt your
e-mails https://www.openpgp.org/
My key's fingerprint: 912B 29BE EDBE 8E73 8E3F 8758 869E 9A75 3DCA 4320
Re: Using two OpenPGP cards [ In reply to ]
On Fri, Oct 29, 2021 at 11:46 PM Romain LT via Gnupg-users <
gnupg-users@gnupg.org> wrote:

> If you can get the 2 keys on your PC or the 2 keys on your phone you can
> add your new key or even replace the old with the new one by running 'pass
> Id ...'
>
Never heard of the `pass id` command, maybe it's installed as a plugin on
your machine?
Not showing in my `man pass` at least, your description seems to fit `pass
init` though.

I can confirm this works, I've done the same myself:

```shell
$ pass init <Hex fingerprint of backup & daily gpg Key/smart card's primary keys>
$ pass generate email/website/password
$ pass init -p email/website/2fa <Hex fingerprint of backup & daily 2fa gpg Key/smart card's primary keys>
```

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
Re: Using two OpenPGP cards [ In reply to ]
Hmm yes it's pass init ^^'

I misread the man page, which was wrongly displayed on my Android screen.
Thx

On October 30, 2021 12:09:16 AM GMT+02:00, Christian Chavez <x10an14@gmail.com> wrote:
>On Fri, Oct 29, 2021 at 11:46 PM Romain LT via Gnupg-users <
>gnupg-users@gnupg.org> wrote:
>
>> If you can get the 2 keys on your PC or the 2 keys on your phone you can
>> add your new key or even replace the old with the new one by running 'pass
>> Id ...'
>>
>Never heard of the `pass id` command, maybe it's installed as a plugin on
>your machine?
>Not showing in my `man pass` at least, your description seems to fit `pass
>init` though.
>
>I can confirm this works, I've done the same myself:
>
>```shell
>$ pass init <Hex fingerprint of backup & daily gpg Key/smart card's primary keys>
>$ pass generate email/website/password
>$ pass init -p email/website/2fa <Hex fingerprint of backup & daily 2fa gpg Key/smart card's primary keys>
>```
>
>--
>Med vennlig hilsen/Kind regards,
>Christian Chavez
>Phone/Tlf: +47 922 22 603

Romain LEBRUN THAURONT
5TC - Département Telecommunication, Services et Usages
INSA Lyon
Responsable Logistique du Karnaval Humanitaire

** Please consider using PGP to communicate with me, encrypt your
e-mails https://www.openpgp.org/
My key's fingerprint: 912B 29BE EDBE 8E73 8E3F 8758 869E 9A75 3DCA 4320
Re: Using two OpenPGP cards [ In reply to ]
Matthias Apitz wrote:
> The question here is: Can I somehow transfer the keys from the used
> OpenPGP card to this new card (and copy over the tree of encrypted
> passwords to the phone) or do I have to move the passwords in clear and
> crypt them again with the new card?

If I understand correctly that your tool uses public keys, you will need to:

1. Generate keys on your new device.
2. Export the public key for your new smartcard.
3. Arrange for your password store to be encrypted for *both* public keys.
4. Copy the appropriately encrypted password store to the new device.
5. Use the new card's secret key to access the encrypted password store.

If your tool is using a symmetric key embedded in the smartcard, you
will need to transfer the passwords "in the clear" but you could use a
keypair to wrap the bundle during transit. The entire purpose of a
smartcard here is that the secret keys cannot be extracted from it.


-- Jacob


Re: Using two OpenPGP cards [ In reply to ]
On Friday, October 29, 2021 at 08:35:43 p.m. -0500, Jacob Bachmeyer via Gnupg-users wrote:

> Matthias Apitz wrote:
> > The question here is: Can I somehow transfer the keys from the used
> > OpenPGP card to this new card (and copy over the tree of encrypted
> > passwords to the phone) or do I have to move the passwords in clear and
> > crypt them again with the new card?
>
> If I understand correctly that your tool uses public keys,

The password store is a tree of GnuPG encrypted files as:

$ find .password-store
.password-store
.password-store/web
.password-store/web/test1.gpg
.password-store/web/test2.gpg
.password-store/web/test3.gpg
.password-store/web/hwiconnect.net.gpg
.password-store/web/es-la.facebook.com.gpg
...

it was once (2017) initialized with

$ pass init guru@unixarea.de

and one can see the gpg-id in the file of the store:

$ cat .password-store/.gpg-id
guru@unixarea.de

This mail addr is the reference to the (public) key:

$ gpg2 -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec> rsa4096 2017-05-14 [SC]
5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
Card serial no. = 0005 0000532B
uid [ultimate] Matthias Apitz (GnuPG CCID) <guru@unixarea.de>
ssb> rsa4096 2017-05-14 [A]
ssb> rsa4096 2017-05-14 [E]

> you will need to:
>
> 1. Generate keys on your new device.

I did so and created for testing a password store on the mobile L5
with:

purism@pureos:~$ pass init 'CCID L5'
mkdir: created directory '/home/purism/.password-store/'
Password store initialized for CCID L5
purism@pureos:~$ cat .password-store/.gpg-id
CCID L5
purism@pureos:~$ echo secret | pass insert -m test
Enter contents of test and press Ctrl+D when finished:

purism@pureos:~$ find .password-store/
.password-store/
.password-store/test.gpg
.password-store/.gpg-id

purism@pureos:~$ killall gpg-agent
purism@pureos:~$ pass test
secret

(it asked me to unlock the OpenPGP card with its PIN)

> 2. Export the public key for your new smartcard.

I did so:

purism@pureos:~$ gpg --export --armor > ccid-L5-export-key-guru.pub
purism@pureos:~$ file ccid-L5-export-key-guru.pub
ccid-L5-export-key-guru.pub: PGP public key block Public-Key (old)

> 3. Arrange for your password store to be encrypted for *both* public keys.

Perhaps I should now import the above Public-Key on the laptop and
re-init there the password store with both gpg-id:

$ pass init 'GnuPG CCID' 'CCID L5'

I will test this after making backups of GNUPGHOME and ~/.password-store.

> 4. Copy the appropriately encrypted password store to the new device.
> 5. Use the new card's secret key to access the encrypted password store.
>

Thanks for your hints

matthias
--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
August 13, 1961: Better a wall than a war. And, while the GDR was still existing,
no German troops and bombs have been killed in Yugoslavia, Afghanistan, Afrika...

Re: Using two OpenPGP cards [ In reply to ]
Matthias Apitz wrote:
> On Friday, October 29, 2021 at 08:35:43 p.m. -0500, Jacob Bachmeyer via Gnupg-users wrote:
>
>> Matthias Apitz wrote:
>>
>>> The question here is: Can I somehow transfer the keys from the used
>>> OpenPGP card to this new card (and copy over the tree of encrypted
>>> passwords to the phone) or do I have to move the passwords in clear and
>>> crypt them again with the new card?
>>>
>> If I understand correctly that your tool uses public keys,
>>
>
> The password store is a tree of GnuPG encrypted file as:
>
> $ find .password-store
> .password-store
> .password-store/web
> .password-store/web/test1.gpg
> .password-store/web/test2.gpg
> .password-store/web/test3.gpg
> .password-store/web/hwiconnect.net.gpg
> .password-store/web/es-la.facebook.com.gpg
> ...
>
> it was once (2017) initialized with
>
> $ pass init guru@unixarea.de
>
> and one can see the gpg-id in the file of the store:
>
> $ cat .password-store/.gpg-id
> guru@unixarea.de
>
> This mail addr is the reference to the (public) key:
>
> $ gpg2 -K
> /home/guru/.gnupg-ccid/pubring.kbx
> ----------------------------------
> sec> rsa4096 2017-05-14 [SC]
> 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
> Card serial no. = 0005 0000532B
> uid [ultimate] Matthias Apitz (GnuPG CCID) <guru@unixarea.de>
> ssb> rsa4096 2017-05-14 [A]
> ssb> rsa4096 2017-05-14 [E]
>
> [...]
>> 3. Arrange for your password store to be encrypted for *both* public keys.
>>
>
> Perhaps I should now import the above Public-Key on the laptop and
> re-init there the password store with both gpg-id:
>
> $ pass init 'GnuPG CCID' 'CCID L5'
>
> I will test this after making backups of GNUPGHOME and ~/.password-store.
>

I do not know the details of how pass(1) operates, so this will be
necessarily vague. What you need to accomplish is re-encrypting all of
the files in password-store to both keys, where they are currently
encrypted only for your old key.

Importing your new public key on your old device is certainly a step in
this process, but I am not sure of the best way to re-encrypt the
files. There may be a way to do this with pass(1), or you may need to
use GPG directly. Check the pass(1) documentation for a "key rotation"
procedure.

There is also a question of whether you want to continue to use both
devices; if so, you will need to import your old public key on your new
device and configure the new password store to also use both public
keys. Then you need only synchronize the encrypted files between
devices and your passwords will be securely available on both.

> Thanks for your hints
>
You are welcome.



-- Jacob


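The procedure discussed in this thread (export the phone card's public key, import it on the laptop, re-run `pass init` with both gpg-ids so every file is re-encrypted for both cards, then copy the tree) and Jacob's point that the store must really be encrypted to *both* keys before syncing, as one added shell example. This is not code from the thread, from GnuPG or from password-store. It assumes the `:pubkey enc packet: ... keyid <16 hex digits>` line format that `gpg --list-packets` prints for each recipient; the key file name, the gpg-ids and the key IDs are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, GnuPG or pass): enrol a second
# OpenPGP card's public key and verify that every entry in the store is
# encrypted to both cards before the tree is copied to the other device.
# Assumes the ":pubkey enc packet: ... keyid XXXX" line format of
# `gpg --list-packets`; paths, gpg-ids and key IDs here are placeholders.

# Print the long key IDs of every recipient found in `gpg --list-packets`
# output read from stdin: one per line, upper-case, deduplicated.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' \
        | tr '[:lower:]' '[:upper:]' | sort -u
}

# $1 is list-packets output, the remaining arguments are expected key IDs;
# print the expected IDs that are absent from the recipients (nothing when
# the file is encrypted to all of them).
missing_keyids() {
    packets=$1; shift
    found=$(printf '%s\n' "$packets" | recipient_keyids)
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr '[:lower:]' '[:upper:]')
        printf '%s\n' "$found" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
    return 0
}

# Walk a real store and list every .gpg file that lacks one of the expected
# recipients. --pinentry-mode cancel keeps gpg from asking for a card PIN;
# the recipient packets are printed before decryption is attempted.
# Exit status 1 if any file is incomplete, 0 if the whole tree is fine.
audit_store() {
    store=$1; shift
    bad=$(find "$store" -type f -name '*.gpg' | while IFS= read -r f; do
        packets=$(gpg --batch --pinentry-mode cancel --list-packets "$f" 2>/dev/null)
        miss=$(missing_keyids "$packets" "$@")
        [ -z "$miss" ] || printf '%s: missing %s\n' "$f" "$(printf '%s' "$miss" | tr '\n' ' ')"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# The thread's procedure as one function, run on the laptop: import the
# public key exported from the phone, re-initialise the store for both
# gpg-ids (pass re-encrypts every existing file for the new id set), then
# audit the result against the expected encryption-subkey IDs.
# Usage: enrol_second_card phone-key.pub 'GnuPG CCID' 'CCID L5' KEYID_OLD KEYID_NEW
enrol_second_card() {
    pubkey_file=$1; old_id=$2; new_id=$3; shift 3
    gpg --import "$pubkey_file" || return 1
    pass init "$old_id" "$new_id" || return 1
    audit_store "${PASSWORD_STORE_DIR:-$HOME/.password-store}" "$@"
}

# Run directly with arguments; defining the functions only when sourced.
if [ "$#" -ge 5 ]; then
    enrol_second_card "$@"
fi
```

The key IDs to pass to the audit are the long IDs of the *encryption* subkeys (the `[E]` lines of `gpg -K --keyid-format long`), because those, not the primary keys, are what appear in the recipient packets. After the audit passes, copy the tree to the phone and import the laptop card's public key there as well, so that `pass insert` on the phone keeps encrypting for both ids listed in `.gpg-id`.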