Mailing List Archive

On 2024-02-09 14:36, Matthias Apitz wrote:
>
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

No, the entire point of an openpgp card is that you can't copy the key
material off it (otherwise it would have no advantages over a thumb
drive). I always recommend that people generate their key material on a
removable encrypted drive and then copy it onto the card, keeping a
backup copy on the encrypted drive. Otherwise you run the risk of data
loss when your card breaks or is lost.

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

It would depend on how `pass` works, whether there are any particular
parameters that need to be supplied with the encryption command. Perhaps
best to ask the `pass` maintainers about support for re-encryption in
general - the process shouldn't depend on whether or not you're using a
card.

A

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello Matthias,

Am 09.02.24 um 15:36 schrieb Matthias Apitz:
> So, can I buy this card here in Europe or even in Germany?

yes you can buy this Card also in Europe:

https://www.floss-shop.de
https://www.cryptoshop.com

or you can also buy a USB/NFC-Device at Nitrokey

https://nitrokey.com

I hope this helps.

Best regards
Juergen

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

On Fri, 9 Feb 2024 15:36, Matthias Apitz said:

> So, can I buy this card here in Europe or even in Germany?

floss-shop.de

> If not, I could with a script decrypt all the files in this tree and
> encrypt them again after setup the card. But, it would be better just
> copy the files over by SCP, also when passwords get added or updated.

Actually we have an open task for re-encryption:
https://dev.gnupg.org/T1825

For small messages this is easy but there is no easy solution for large
data. A detached encryption packet is a theoretical option.



Shalom-Salam,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Hi,

Am Fr den 9. Feb 2024 um 15:36 schrieb Matthias Apitz:
> Next question: Can I transfer somehow the key from one card to the
> other to use the same encrypted files foo.gpg from my password store:
>
> purism@pureos:~$ find .password-store/ -type f | wc -l
> 373

Well, pass has its mechanism itself. Just reinit your store with both
keys and it should reencrypt them.

I did that in the past with subdirs (where you can have different keys).

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C

El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

I've contacted floss-shop.de. They can not provide (i.e. cut) the card
to Micro-SIM format. And I will not cut it itself because it must fit
exactly in the internal reader slot behint the battery, or it will not
come out anyore.

>
> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.

The files of the password store are very small, normal two lines like

secret
Username: guru@unixarea.de

Is this code already available for testing?

Thanks

matthias
--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On 2024-02-13 14:32, Matthias Apitz wrote:
> El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:
>
>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>
>>> So, can I buy this card here in Europe or even in Germany?
>> floss-shop.de
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it itself because it must fit
> exactly in the internal reader slot behint the battery, or it will not
> come out anyore.
Because the GPG specific code installed on the card is FLOSS, you might
be able to
buy blank cards in the desired form factor and install the code
yourself, provided
the parts (code and card) can be legally transported to Cuba despite US
sanctions.
In particular,  the Card Operating System or runtime may be of US origin
and thus
subject to sanctions.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> El d?a martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribi?:
>
> > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> >
> > > So, can I buy this card here in Europe or even in Germany?
> >
> > floss-shop.de
>
> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> to Micro-SIM format. And I will not cut it itself because it must fit
> exactly in the internal reader slot behint the battery, or it will not
> come out anyore.
>
I do not know who you talked to but they offer their cards with a
ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
corners with sandpaper.
That is the exact size you are looking for.

You also could buy a nitrokey starter. this is basically a smartcard reader
with a smartcard in a clam shell. You can just pry the shell open and take
the smartcard out. Their other keys are tamper proofed (embedded in resin).

=H

--
Henning Follmann | hfollmann@itcfollmann.com


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

El día martes, febrero 13, 2024 a las 03:40:12p. m. +0100, Jakob Bohm via Gnupg-users escribió:

> On 2024-02-13 14:32, Matthias Apitz wrote:
> > El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:
> >
> > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> > >
> > > > So, can I buy this card here in Europe or even in Germany?
> > > floss-shop.de
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it itself because it must fit
> > exactly in the internal reader slot behint the battery, or it will not
> > come out anyore.
> Because the GPG specific code installed on the card is FLOSS, you might be
> able to
> buy blank cards in the desired form factor and install the code yourself,
> provided
> the parts (code and card) can be legally transported to Cuba despite US
> sanctions.
> In particular,  the Card Operating System or runtime may be of US origin and
> thus
> subject to sanctions.

I live in Europa and travel often to Cuba.

Where could I get a blank card MicroSIM, the code and a manual how to
flash it into the card?

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

El día martes, febrero 13, 2024 a las 09:57:17a. m. -0500, Henning Follmann escribió:

> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
> > El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:
> >
> > > On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
> > >
> > > > So, can I buy this card here in Europe or even in Germany?
> > >
> > > floss-shop.de
> >
> > I've contacted floss-shop.de. They can not provide (i.e. cut) the card
> > to Micro-SIM format. And I will not cut it itself because it must fit
> > exactly in the internal reader slot behint the battery, or it will not
> > come out anyore.
> >
> I do not know who you talked to but they offer their cards with a
> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
> corners with sandpaper.
> That is the exact size you are looking for.

No. The card sizes are:

Standard SIM: 15 x 25mm.
Micro SIM: 12 x 15mm.
Nano SIM: 8.8 x 12.3mm.

We need here 'Microm SIM'. And I talked to the owner of floss-shop. They
do not offer a way to pop out Micro SIM.

matthias
--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia.
? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

> On 13 Feb 2024, at 17:32, Matthias Apitz <guru@unixarea.de> wrote:
>
> El día martes, febrero 13, 2024 a las 09:57:17a. m. -0500, Henning Follmann escribió:
>
>> On Tue, Feb 13, 2024 at 02:32:04PM +0100, Matthias Apitz wrote:
>>> El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:
>>>
>>>> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>>>>
>>>>> So, can I buy this card here in Europe or even in Germany?
>>>>
>>>> floss-shop.de
>>>
>>> I've contacted floss-shop.de. They can not provide (i.e. cut) the card
>>> to Micro-SIM format. And I will not cut it itself because it must fit
>>> exactly in the internal reader slot behint the battery, or it will not
>>> come out anyore.
>>>
>> I do not know who you talked to but they offer their cards with a
>> ID000 cut out (25mm x 15mm). You can pop out the card and smoothen the
>> corners with sandpaper.
>> That is the exact size you are looking for.
>
> No. The card sizes are:
>
> Standard SIM: 15 x 25mm.
> Micro SIM: 12 x 15mm.
> Nano SIM: 8.8 x 12.3mm.
>
> We need here 'Microm SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

In that case - you want this device:

https://www.bol.com/nl/nl/p/mmobiel-universele-3-in-1-standaard-micro-sim-cutter-nano-sim-kaart-knipper-inclusief-3-sim-adapters-1-sim-pin/9200000067066058/
https://www.amazon.com/2024-Card-Cutter-Standard-Micro/dp/B0CJGVX82H

And you do not need to cut 'that' accurate at all (in fact - cutting it with a scalpel or simply use sharp scirros an take care not to bend the chip bit - is very doable).

Dw.

El día martes, febrero 13, 2024 a las 12:47:13 +0100, Klaus Ethgen escribió:

> Hi,
>
> Am Fr den 9. Feb 2024 um 15:36 schrieb Matthias Apitz:
> > Next question: Can I transfer somehow the key from one card to the
> > other to use the same encrypted files foo.gpg from my password store:
> >
> > purism@pureos:~$ find .password-store/ -type f | wc -l
> > 373
>
> Well, pass has its mechanism itself. Just reinit your store with both
> keys and it should reencrypt them.
>
> I did that in the past with subdirs (where you can have different keys).

Hi Klaus,

I do not fully understand the procedure.

Actually the .password-store/ is encrypted with the gpg-key-A on the
phone L5, number 1.

When I now create on the phone number 2 with the other OpenPGP card a
gpg-key-B, and transfer the .password-store/ by SCP to this phone
number 2, and run there:

pass init gpg-key-B

How 'pass' (i.e. gnupg) can decrypt the files of the .password-store/ without having
access to the OpenPGP card in phone 1 to re-encrypt them with gpg-key-B?

Could you or someone please be so kind and clarify this? Thanks in advance.

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On Tue, 13 Feb 2024 17:32, Matthias Apitz said:

> We need here 'Microm SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

I simply uses scissors to cut them out and those cards work. Granted I
don't use the Librem regulary (if at all), but the card was not that of
a problem.

Well, I had planty of old cards to try ;-)


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Hello Matthias,

Am 13.02.24 um 17:32 schrieb Matthias Apitz:
> We need here 'Microm SIM'. And I talked to the owner of floss-shop. They
> do not offer a way to pop out Micro SIM.

I don't know exactly how the situation about this is in Germany. But
here in Austria many mobile phone shops have a SIM card punch with which
you can punch out a micro-SIM or nano-SIM from a standard-SIM.

Maybe this helps

regards
Juergen
--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

On 2024-02-15 18:42, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Matthias,
>
> Am 13.02.24 um 17:32 schrieb Matthias Apitz:
>> We need here 'Microm SIM'. And I talked to the owner of floss-shop. They
>> do not offer a way to pop out Micro SIM.
>
> I don't know exactly how the situation about this is in Germany. But
> here in Austria many mobile phone shops have a SIM card punch with
> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>
In some other countries, the mobile providers issues SIMs that are
pre-punched to pop out either of the 3 small sim sizes from a full
credit-card sized card where key information like the PUK code and
serial number are printed.

More generally, there is no guarantee that hardware cards not sold
through mobile phone carriers keep the actual chip/electronics within
the nano-sim area near the middle of the contacts, most notably, NFC
compatible cards will often have the NFC antenna outside that area,
and it's a matter of luck if the contact card functionality works
after cutting on any given hardware model.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Hello Jacob,

Am 17.02.24 um 12:04 schrieb Jakob Bohm via Gnupg-users:
[...]
>> I don't know exactly how the situation about this is in Germany. But
>> here in Austria many mobile phone shops have a SIM card punch with
>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>
> In some other countries, the mobile providers issues SIMs that are
> pre-punched to pop out either of the 3 small sim sizes from a full
> credit-card sized card where key information like the PUK code and
> serial number are printed.
>
> More generally, there is no guarantee that hardware cards not sold
> through mobile phone carriers keep the actual chip/electronics within
> the nano-sim area near the middle of the contacts, most notably, NFC
> compatible cards will often have the NFC antenna outside that area,
> and it's a matter of luck if the contact card functionality works
> after cutting on any given hardware model.
>

We are not talking about 'normal SIM cards' for use by mobile telephony
but rather about the OpenPGP Smart Card V3.4 in SIM format [1]. This
also doesn't have NFC functionality, so it can be punched fairly safely.
You just have to do it right

best regards
Juergen

[1]
https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.4


--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
> Hello Jacob,
>
> Am 17.02.24 um 12:04 schrieb Jakob Bohm via Gnupg-users:
> [...]
>>> I don't know exactly how the situation about this is in Germany. But
>>> here in Austria many mobile phone shops have a SIM card punch with
>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>>
>> In some other countries, the mobile providers issues SIMs that are
>> pre-punched to pop out either of the 3 small sim sizes from a full
>> credit-card sized card where key information like the PUK code and
>> serial number are printed.
>>
>> More generally, there is no guarantee that hardware cards not sold
>> through mobile phone carriers keep the actual chip/electronics within
>> the nano-sim area near the middle of the contacts, most notably, NFC
>> compatible cards will often have the NFC antenna outside that area,
>> and it's a matter of luck if the contact card functionality works
>> after cutting on any given hardware model.
>>
>
> We are not talking about 'normal SIM cards' for use by mobile
> telephony but rather about the OpenPGP Smart Card V3.4 in SIM format
> [1]. This also doesn't have NFC functionality, so it can be punched
> fairly safely. You just have to do it right
>
Exactly, and there is no easy way of knowing if the cards used by
floss-shop havechip parts outside the nano-sim boundary, which is
smaller than the contact area on ID000 cards (seriously possible),
nor if those cards are internally multi-chip constructs (rare but
possible).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Am 20.02.24 um 17:20 schrieb Jakob Bohm via Gnupg-users:
> On 2024-02-17 12:37, Juergen BRUCKNER via Gnupg-users wrote:
>> Hello Jacob,
>>
>> Am 17.02.24 um 12:04 schrieb Jakob Bohm via Gnupg-users:
>> [...]
>>>> I don't know exactly how the situation about this is in Germany. But
>>>> here in Austria many mobile phone shops have a SIM card punch with
>>>> which you can punch out a micro-SIM or nano-SIM from a standard-SIM.
>>>>
>>> In some other countries, the mobile providers issues SIMs that are
>>> pre-punched to pop out either of the 3 small sim sizes from a full
>>> credit-card sized card where key information like the PUK code and
>>> serial number are printed.
>>>
>>> More generally, there is no guarantee that hardware cards not sold
>>> through mobile phone carriers keep the actual chip/electronics within
>>> the nano-sim area near the middle of the contacts, most notably, NFC
>>> compatible cards will often have the NFC antenna outside that area,
>>> and it's a matter of luck if the contact card functionality works
>>> after cutting on any given hardware model.
>>>
>>
>> We are not talking about 'normal SIM cards' for use by mobile
>> telephony but rather about the OpenPGP Smart Card V3.4 in SIM format
>> [1]. This also doesn't have NFC functionality, so it can be punched
>> fairly safely. You just have to do it right
>>
> Exactly, and there is no easy way of knowing if the cards used by
> floss-shop havechip parts outside the nano-sim boundary, which is
> smaller than the contact area on ID000 cards (seriously possible),
> nor if those cards are internally multi-chip constructs (rare but
> possible).
>
Thats true! Point for you ;)

regards
Juergen

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

Some Javacards are available in at least larger SIM form factors. IIRC
the NXP J3H145 was available SIM-cut from Smartcard Focus at some
point, but it has been a while since I ordered one.

If it's an option for you to install an OpenPGP applet such as
SmartPGP (https://github.com/github-af/SmartPGP) on such card,
Javacards might be an easier avenue than cutting the official card.

I have a couple of NXP cards and SmartPGP appeared to work fine when I
tried it, but I mostly use them with a PIV applet so not sure about
the state of functionality with current (2.4-era) GnuPG versions.

-Valtteri


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

El día martes, febrero 13, 2024 a las 11:04:31a. m. +0100, Werner Koch via Gnupg-users escribió:

> On Fri, 9 Feb 2024 15:36, Matthias Apitz said:
>
> > So, can I buy this card here in Europe or even in Germany?
>
> floss-shop.de

Only for the record:

Meanwhile I bought the 2nd OpenPGP card in the Purism shop because floss-shop.de
can't cut out the Micro-SIM size.

>
> > If not, I could with a script decrypt all the files in this tree and
> > encrypt them again after setup the card. But, it would be better just
> > copy the files over by SCP, also when passwords get added or updated.
>
> Actually we have an open task for re-encryption:
> https://dev.gnupg.org/T1825
>
> For small messages this is easy but there is no easy solution for large
> data. A detached encryption packet is a theoretical option.


I have here an example file of an entry 'test' in my .password-storage:

purism@pureos:~$ pass test

????????????????????????????????????????????????
? Please unlock the card ?
? ?
? Number: 0005 0000A6FE ?
? Holder: Matthias Apitz ?
? ?
? PIN ________________________________________ ?
? ?
? <OK> <Cancel> ?
????????????????????????????????????????????????

secret


purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .

purism@pureos:~$ gpg -da .password-store/test.gpg


????????????????????????????????????????????????
? Please unlock the card ?
? ?
? Number: 0005 0000A6FE ?
? Holder: Matthias Apitz ?
? ?
? PIN ________________________________________ ?
? ?
? <OK> <Cancel> ?
????????????????????????????????????????????????

gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
"Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>"
secret


Said/showed that, I can't imagine that, when I SCP the file
.password-store/test.gpg to another mobile with another OpenPGP card,
that this system would be able to decrypt the file and reencrypt it
again with the new card.

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Matthias Apitz wrote:
> [...]
> Said/showed that, I can't imagine that, when I SCP the file
> .password-store/test.gpg to another mobile with another OpenPGP card,
> that this system would be able to decrypt the file and reencrypt it
> again with the new card.

Correct. You must first copy the *new* public key to the *old* system
and re-encrypt the password store to *both* public keys on the *old*
system, then transfer the encrypted blobs to the new system.

If you want to continue to use both cards, you will also need to copy
the *old* public key to the *new* system and arrange for it to also
encrypt the password store to *both* keys. Once that is done, you may
use any method to synchronize the encrypted blobs between the systems
and you will have your passwords on both systems.

While you are here, this is a good time to remind you to regularly check
the list of public keys used with your password store. If Mallory can
sneak *his* key onto that list, he will be able to get your passwords!

-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

El día lunes, febrero 26, 2024 a las 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users escribió:

> Matthias Apitz wrote:
> > [...]
> > Said/showed that, I can't imagine that, when I SCP the file
> > .password-store/test.gpg to another mobile with another OpenPGP card,
> > that this system would be able to decrypt the file and reencrypt it
> > again with the new card.
>
> Correct. You must first copy the *new* public key to the *old* system and
> re-encrypt the password store to *both* public keys on the *old* system,
> then transfer the encrypted blobs to the new system.
> ...

Thanks for the clarification and clear instruction.

> While you are here, this is a good time to remind you to regularly check the
> list of public keys used with your password store. If Mallory can sneak
> *his* key onto that list, he will be able to get your passwords!

It says:

purism@pureos:~$ gpg --list-keys
/home/purism/.gnupg/pubring.kbx
-------------------------------
pub rsa2048 2021-10-30 [SC]
336EB96892FE9FE7F6...................
uid [ultimate] Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>
sub rsa2048 2021-10-30 [A]
sub rsa2048 2021-10-30 [E]

What makes me wonder it the last modification date of the file:

purism@pureos:~$ ls -l /home/purism/.gnupg/pubring.kbx
-rw------- 1 purism purism 172324 feb 1 11:13 /home/purism/.gnupg/pubring.kbx

I've never done anything with this and expected it also at date
2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

matthias

--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

On Tue, 27 Feb 2024 10:07, Matthias Apitz said:

> I've never done anything with this and expected it also at date
> 2021-10-30 (when I initialized the OpenPGP card in the mobile L5).

The pubring.kbx is used for various things. For example we also store
"ephemeral keys" for X.509 (those we receive via mail) which are not
used due to an incomplete chain. There is a cleanup process running
every few hours to remove them.


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Matthias Apitz wrote:
> El día lunes, febrero 26, 2024 a las 06:40:26 -0600, Jacob Bachmeyer via Gnupg-users escribió:
>
>
>> Matthias Apitz wrote:
>>
>>> [...]
>>> Said/showed that, I can't imagine that, when I SCP the file
>>> .password-store/test.gpg to another mobile with another OpenPGP card,
>>> that this system would be able to decrypt the file and reencrypt it
>>> again with the new card.
>>>
>> Correct. You must first copy the *new* public key to the *old* system and
>> re-encrypt the password store to *both* public keys on the *old* system,
>> then transfer the encrypted blobs to the new system.
>> ...
>>
>
> Thanks for the clarification and clear instruction.
>

You are welcome.

>> While you are here, this is a good time to remind you to regularly check the
>> list of public keys used with your password store. If Mallory can sneak
>> *his* key onto that list, he will be able to get your passwords!
>>
>
> It says:
>
> purism@pureos:~$ gpg --list-keys
> /home/purism/.gnupg/pubring.kbx
> -------------------------------
> pub rsa2048 2021-10-30 [SC]
> 336EB96892FE9FE7F6...................
> uid [ultimate] Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>
> sub rsa2048 2021-10-30 [A]
> sub rsa2048 2021-10-30 [E]
>
> [...]

Are you sure that *that* is the list of public keys used by pass(1)? It
almost certainly is not, since GPG's public key collection is meant to
collect keys for a variety of uses. For example, sending encrypted
emails or verifying signatures. You probably do not want your password
store encrypted to everyone you correspond with!

Therefore, pass(1) almost certainly has its own list of keys stored
somewhere else. Your regular public key was probably copied to that
list when you initialized the password store. That is the list that you
need to regularly check, lest Mallory be able to sneak his key onto it.
That list is *also* where you need to add your new public key in order
to migrate your password store.

Lastly, I know that you are using a smartcard, but you are storing
long-lived (and presumably valuable) authentication tokens here. Does
the card support RSA4096 or at least RSA3072? If so, I would strongly
recommend migrating to longer keys, as RSA2048 is currently the shortest
not probably already broken by increasing conventional computing power
to throw at factoring. If I understand correctly, this is the reason
that DSA is obsolete: DSA (to support smartcard implementations)
specifies exactly one allowed key length: 1024 bits. While DSA uses
discrete logarithms, the discrete logarithm and factoring problems have
a mathematical equivalence that means a factoring algorithm can be used
to derive a solution to the discrete logarithm problem and /vice
versa/. Accordingly, RSA1024 is now considered sufficiently dubious
that some implementations no longer support it, such as the
go-crypto/openpgp library used by the newer "hockeypuck" keyserver
software, which led to an interesting recent thread on gnupg-devel and
bunch of old keys effectively falling out of the Web of Trust.


-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

El día martes, febrero 27, 2024 a las 08:52:55 -0600, Jacob Bachmeyer via Gnupg-users escribió:

> > It says:
> >
> > purism@pureos:~$ gpg --list-keys
> > /home/purism/.gnupg/pubring.kbx
> > -------------------------------
> > pub rsa2048 2021-10-30 [SC]
> > 336EB96892FE9FE7F6...................
> > uid [ultimate] Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>
> > sub rsa2048 2021-10-30 [A]
> > sub rsa2048 2021-10-30 [E]
> >
> > [...]
>
> Are you sure that *that* is the list of public keys used by pass(1)? It
> almost certainly is not, since GPG's public key collection is meant to
> collect keys for a variety of uses. For example, sending encrypted emails
> or verifying signatures. You probably do not want your password store
> encrypted to everyone you correspond with!
>
> Therefore, pass(1) almost certainly has its own list of keys stored
> somewhere else. Your regular public key was probably copied to that list
> when you initialized the password store. That is the list that you need to
> regularly check, lest Mallory be able to sneak his key onto it. That list
> is *also* where you need to add your new public key in order to migrate your
> password store.
>
> ...

It must be *that* list pass(1) is using, because:

purism@pureos:~$ ls -ld .gnu*
drwx------ 5 purism purism 4096 Feb 28 05:59 .gnupg

purism@pureos:~$ env | grep GNU
GNUPGHOME=/home/purism/.gnupg

purism@pureos:~$ file .password-store/test.gpg
.password-store/test.gpg: PGP RSA encrypted session key - keyid: 39BDCE02 5E4698B6 RSA (Encrypt or Sign) 2048b .

purism@pureos:~$ gpg -da .password-store/test.gpg
(it ask for the card's PIN on the L5 display desktop)
gpg: encrypted with 2048-bit RSA key, ID 39BDCE025E4698B6, created 2021-10-30
"Matthias Apitz (GnuPG CCID L5) <guru@unixarea.de>"
secret
purism@pureos:~$ cat .password-store/.gpg-id
CCID L5

I'm attaching the shell script /usr/bin/pass; the code for the "init"
command of pass(1) starts at line 300 and I don't see that any other key
is used then the one in GNUPGHOME.

If I understand this correctly if any other public key would be added to
the file /home/purism/.gnupg/pubring.kbx, pass(1) would only use the key
"CCID L5" to encrypt any new object stored in ~/.password-store and not
the public key of Mallory. Am I wrong?

I will consider your hints about RSA4096 when initializing the new second
card. Thanks for them.

matthias




--
Matthias Apitz, ? guru@unixarea.de, http://www.unixarea.de/ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

I am not at war with Russia. ? ?? ???? ? ???????.
Ich bin nicht im Krieg mit Russland.