
Is it possible to require two private keys to decrypt with gpg?
Hi!

I've currently got some sensitive data I'd like to require _two_ gpg keys
for decryption/unlocking.

As in both are needed (AND operation), not that either can decrypt on their
own (OR operation).
I can only find description of AND operation in manpages/tutorials online.

I'm hoping for a solution which doesn't just require encrypting twice
(though I admit that will give the same security benefit).
The reason why I'd like a "single gpg command solution" is the hope that
such a magical incantation would play well with other tools, such as pass
for passwordstore (e.g.).

Anyone on this mailing list got any tips on how that might be achieved?

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
Re: Is it possible to require two private keys to decrypt with gpg?
Christian Chavez via Gnupg-users <gnupg-users@gnupg.org> writes:

> Hi!
>
> I've currently got some sensitive data I'd like to require _two_ gpg keys for decryption/unlocking.
>
> As in both are needed (AND operation), not that either can decrypt on their own (OR operation).
> I can only find description of AND operation in manpages/tutorials online.
>
> I'm hoping for a solution which doesn't just require encrypting twice (though I admit that will give the same security benefit).
> The reason why I'd like a "single gpg command solution" is the hope that such a magical incantation would play well with other tools, such as pass for
> passwordstore (e.g.).
>
> Anyone on this mailing list got any tips on how that might be achieved?

Hi,

I think Shamir's Secret Sharing might be interesting to read up about -
I'm not sure about its support in GnuPG or similar, though.

https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing


Regards,
Oscar

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Is it possible to require two private keys to decrypt with gpg?
A small correction:

On Sun, 26 Dec 2021, 04:47 Christian Chavez, <x10an14@gmail.com> wrote:
(...)

> As in both are needed (AND operation), not that either can decrypt on
> their own (OR operation).
> I can only find description of AND operation in manpages/tutorials online.
>
The second line is supposed to read "I can only find descriptions of OR
operation in man pages/tutorials online."

Apologies.

Re: Is it possible to require two private keys to decrypt with gpg?
On 2021-12-26 at 04:47 +0100, Christian Chavez wrote:
> Hi!
>
> I've currently got some sensitive data I'd like to require _two_ gpg
> keys for decryption/unlocking.
>
> As in both are needed (AND operation), not that either can decrypt on
> their own (OR operation).
> I can only find description of AND operation in manpages/tutorials
> online.
>
> I'm hoping for a solution which doesn't just require encrypting twice
> (though I admit that will give the same security benefit).
> The reason why I'd like a "single gpg command solution" is the hope
> that such a magical incantation would play well with other tools,
> such as pass for passwordstore (e.g.).
>
> Anyone on this mailing list got any tips on how that might be
> achieved?

You could use a wrapper which calls gpg twice, while the user only
calls your wrapper (as if it is gpg) once.

However, I would like to question your need for requiring two gpg keys.
How are the two gpg keys going to be more secure? Usually, if someone was
able to steal one key, they could steal the second one as well at the
same time, and you could simply require a different second key, or
tweak the key parameters to get a higher level, if that's what you
want to achieve from the double encryption.

Kind regards



Re: Is it possible to require two private keys to decrypt with gpg?
> However, I would like to question your need for requiring two gpg keys.
> How are the two gpg keys going to be more secure?

Guessing that possibly two different people need to be in agreement in
order to access data, along the lines of needing two keys to launch
missiles? :)

Otherwise, I agree just encrypting twice doesn't seem to buy much.

-C

Re: Is it possible to require two private keys to decrypt with gpg?
On Sun, Jan 2, 2022 at 11:01 PM Ángel <angel@pgp.16bits.net> wrote:

> You could use a wrapper which calls gpg twice, while the user only
> calls your wrapper (as if it is gpg) once.
>
Thank you, I think that sounds like the best solution I've come across so
far! =)

> However, I would like to question your need for requiring two gpg keys.
> How are the two gpg keys going to be more secure? Usually, if someone was
> able to steal one key, they could steal the second one as well at the
> same time, and you could simply require a different second key, or
> tweak the key parameters to get a higher level, if that's what you
> want to achieve from the double encryption.
>
False assumption here =)

One key is on me at all times, and also on a (physically and OS-wise)
locked air-gapped machine.
The other one is in a safe.

So I question the assumption that "if someone was able to steal one key,
they could steal the second as well" - considering that at least one of
them goes with me wherever I go, including work and vacation.
(The safe e.g. doesn't^^)

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603