Mailing List Archive

Get the private portion of subkeys
Hi,

I have a usb smart card containing my subkeys and my master key is
stored offline on a usb disk.

When I list my secret keys while the usb disk is plugged in, I get:

sec ed25519/0xF72C652AE7564ECC 2018-07-09 [C] [expires: 2027-12-21]
Key fingerprint = 8E64 FBE5 45A3 94F5 D35C D202 F72C 652A E756 4ECC
Keygrip = 35A4020C4AFC2279CEE0BC36E2CEE4EFA8C6CFD5
uid [ultimate] Damien Cassou <damien@cassou.me>
uid [ultimate] Damien Cassou <damien.cassou@wolterskluwer.com>
uid [ultimate] Damien Cassou <damien.cassou@foretagsplatsen.se>
ssb> ed25519/0xB68746238E59B548 2018-07-09 [S] [expires: 2026-01-02]
Keygrip = C89E5AABCBF7142DBC26E68FB3121DE12DCBF4FF
ssb> cv25519/0x65CD5E0200C56C17 2018-07-09 [E] [expires: 2026-01-02]
Keygrip = 867EA9F6ADBEBE18ED98253B884F53CBD53C526B
ssb> ed25519/0xF36CF32DF9B09855 2018-07-09 [A] [expires: 2026-01-02]
Keygrip = 553D56865642B05AB3C5B62DC68795691702B960

As you can see, there is a '>' character before each subkey but not
before the master key. Someone on the web has a similar setup but
doesn't have the '>' before his subkeys [1].

Is that a problem? Am I missing something important? It seems this
causes me the troubles mentioned at [1].

Recently, I changed my usb smart card and kept the same keys so I
believe I have everything needed in some form.

My private master key is symlinked in ~/.gnupg/private-keys-v1.d:

$ ls -l ~/.gnupg/private-keys-v1.d/

35A4020C4AFC2279CEE0BC36E2CEE4EFA8C6CFD5.key -> /media/mystick/key


[1] https://github.com/pinpox/pgp2ssh/issues/6

--
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Get the private portion of subkeys
Hi Damien!

On 28.03.24 08:26, Damien Cassou via Gnupg-users wrote:
> As you can see, there is a '>' character before each subkey but not
> before the master key. Someone on the web has a similar setup but
> doesn't have the '>' before his subkeys [1].

" indicates">
The ">" indicates that the key is on a smartcard.
(The > is the corner of a card ;)
(Smartcard is a synonym for USB tokens like YubiKeys.)

> Is that a problem? Am I missing something important? It seems this
> causes me the troubles mentioned at [1].

In [2] it is mentioned that the key marked with [A] is needed.
[A] indicates the "authentication" key. This is what you want.

But the private part of your [A] key is only on the smartcard. And the
security idea of the smartcard is that you cannot extract it from there.

In [1] you described your 'gpg --export-secret-keys'. If you do a
`gpg --list-packets ./damien.asc`
on your export, you can see that this still references the card.

So it won't work this way.

But if it is about ssh login into another system, you can use the
gpg-agent as the ssh-agent and get the security of your
smartcard.
You have to add 'enable-ssh-support' to your gpg-agent.conf.
See: man gpg-agent

> [1] https://github.com/pinpox/pgp2ssh/issues/6

[2] https://github.com/pinpox/pgp2ssh

Best regards
Alexander
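The gpg-agent route Alexander points to (enable-ssh-support, man gpg-agent), spelled out as an added example script. This is editor-added code, not part of the thread or of GnuPG itself. It assumes GnuPG 2.1 or later (gpgconf, gpg-connect-agent on the PATH) and takes the keygrip of the [A] subkey from the gpg -K listing at the top of this thread; ~/.gnupg/sshcontrol is the file in which gpg-agent looks up the keygrips it may offer over the ssh-agent protocol.

```shell
#!/bin/sh
# Added example (not from the thread): let gpg-agent serve the [A] subkey to ssh,
# instead of trying to extract its private part from the card.
# Assumptions: GnuPG 2.1+ (gpgconf, gpg-connect-agent); AUTH_KEYGRIP is the
# keygrip of the authentication subkey shown in the thread's gpg -K listing.
set -e

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
AUTH_KEYGRIP="553D56865642B05AB3C5B62DC68795691702B960"

# 1. gpg-agent.conf: switch on the ssh-agent protocol (idempotent).
enable_ssh_support() {              # $1 = GnuPG home directory
    conf="$1/gpg-agent.conf"
    mkdir -p "$1" && chmod 700 "$1"
    grep -qx 'enable-ssh-support' "$conf" 2>/dev/null \
        || printf 'enable-ssh-support\n' >> "$conf"
}

# 2. sshcontrol: keys in private-keys-v1.d are offered to ssh only if their
#    keygrip is listed here, one per line as "KEYGRIP TTL" (TTL 0 = agent default).
#    gpg-agent offers the authentication key of an inserted card on its own, so
#    for a pure card setup this entry is harmless rather than required.
authorize_keygrip() {               # $1 = GnuPG home, $2 = keygrip (40 hex chars)
    ctl="$1/sshcontrol"
    grep -q "^$2" "$ctl" 2>/dev/null || printf '%s 0\n' "$2" >> "$ctl"
}

# 3. Point ssh at gpg-agent's socket, restart the agent so it re-reads its
#    config, and list what it offers (the [A] key appears once the card is in).
use_gpg_agent_for_ssh() {
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"; export SSH_AUTH_SOCK
    gpgconf --kill gpg-agent
    gpg-connect-agent updatestartuptty /bye >/dev/null
    ssh-add -L
}

# Only touch the real ~/.gnupg and talk to the agent when asked to.
if [ "${1:-}" = "--apply" ]; then
    enable_ssh_support "$GNUPGHOME"
    authorize_keygrip "$GNUPGHOME" "$AUTH_KEYGRIP"
    use_gpg_agent_for_ssh
fi
```

Run it with --apply from the shell you log in from, then put the SSH_AUTH_SOCK export in your shell profile so ssh finds the socket in every new session. The public half to paste into authorized_keys can be taken from ssh-add -L, or from gpg --export-ssh-key with the key ID of the [A] subkey.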
Re: Get the private portion of subkeys
On Thu, 28 Mar 2024 08:26, Damien Cassou said:

> Is that a problem? Am I missing something important? It seems this
> causes me the troubles mentioned at [1].

Your subkeys are all stored on a smartcard. The primary key is online.
This is as intended. If you remove the primary private key
(<keygrip>.key), you should see a '#' mark for the primary key.

> My private master key is symlinked in ~/.gnupg/private-keys-v1.d:

That is intended to work but has not been thoroughly tested.

> [1] https://github.com/pinpox/pgp2ssh/issues/6

That reminds me that we have a function export_secret_ssh_key but it
will always fail with a not-implemented error ;-). None of the core
hackers felt a need for it. For example, I have not used anything else
than gpg-agent based ssh access since 2005.


Shalom-Salam,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
Re: Get the private portion of subkeys
Thank you both for your answers. I would like to understand why
restoring the backup doesn't restore my subkeys. On a fresh ~/.gnupg, I
did:

$ gpg --list-packets /media/mystick/key
gpg: keybox '/home/cassou/.gnupg/pubring.kbx' created
# off=0 ctb=94 tag=5 hlen=2 plen=134
:secret key packet:

# off=136 ctb=b4 tag=13 hlen=2 plen=32
:user ID packet: "Damien Cassou <damien@cassou.me>"

# off=974 ctb=9c tag=7 hlen=2 plen=134
:secret sub key packet:
version 4, algo 22, created 1531155780, expires 0
pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
pkey[1]: [263 bits]

keyid: F36CF32DF9B09855


The last key printed here is the one I would like to import
back. Unfortunately, importing this file doesn't import subkeys:

$ gpg --import-options restore --import /media/mystick/key
gpg: key F72C652AE7564ECC: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1

$ gpg -K
gpg: /home/cassou/.gnupg/trustdb.gpg: trustdb created
/home/cassou/.gnupg/pubring.kbx
-------------------------------
sec ed25519 2018-07-09 [C] [expired: 2023-07-08]
8E64FBE545A394F5D35CD202F72C652AE7564ECC
uid [ expired] Damien Cassou <damien@cassou.me>


Can someone explain why I don't get my subkeys back please?

Thank you

--
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill

Re: Get the private portion of subkeys
Hi Damien!

Upfront, some information you probably already know.
When you "normally" create a new public/private key pair, technically
*two* key pairs are created. Cross-check with "gpg -K". One secret key
(sec) for signing and certifying, marked [SC], and another one, a secret
subkey (ssb), for encryption. You can see this when you look into the
.gnupg/private-keys-v1.d folder. There are two new keys.

From your "gpg -K" output I see, that you separated the your certify
and signing key (and also created an authorization key [A]). Your [S],
[E] and [A] private keys are only on the card. Your mounted/linked USB
drive does *only* seem to hold the [C] key. Otherwise it would not need
the card and indicate this with the cards corner ">".

When you now export your key as you did with
gpg --export-secret-keys --armor F72C652AE7564ECC > sec.asc
you could only export your private [C] key. It is impossible to extract
the others from the smartcard.

When you call "gpg --list-packets sec.asc"
I assume you see something like "gnu-divert-to-card, ..." under your
subkeys, but not under your primary [C] key. (This part you left out
with ….)
Correct?


I hope this helps.
If you have any questions give us some more hints where (the above
explanation) diverges from what you expect.


Best regards
Alexander


On 30.03.24 17:20, Damien Cassou wrote:
> Thank you both for your answers. I would like to understand why
> restoring the backup doesn't restore my subkeys. On a fresh ~/.gnupg, I
> did:
>
> $ gpg --list-packets /media/mystick/key
> gpg: keybox '/home/cassou/.gnupg/pubring.kbx' created
> # off=0 ctb=94 tag=5 hlen=2 plen=134
> :secret key packet:
> …
> # off=136 ctb=b4 tag=13 hlen=2 plen=32
> :user ID packet: "Damien Cassou <damien@cassou.me>"
> …
> # off=974 ctb=9c tag=7 hlen=2 plen=134
> :secret sub key packet:
> version 4, algo 22, created 1531155780, expires 0
> pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
> pkey[1]: [263 bits]
> …
> keyid: F36CF32DF9B09855
> …
>
> The last key printed here is the one I would like to import
> back. Unfortunately, importing this file doesn't import subkeys:
>
> $ gpg --import-options restore --import /media/mystick/key
> gpg: key F72C652AE7564ECC: secret key imported
> gpg: Total number processed: 1
> gpg: unchanged: 1
> gpg: secret keys read: 1
> gpg: secret keys imported: 1
>
> $ gpg -K
> gpg: /home/cassou/.gnupg/trustdb.gpg: trustdb created
> /home/cassou/.gnupg/pubring.kbx
> -------------------------------
> sec ed25519 2018-07-09 [C] [expired: 2023-07-08]
> 8E64FBE545A394F5D35CD202F72C652AE7564ECC
> uid [ expired] Damien Cassou <damien@cassou.me>
>
>
> Can someone explain why I don't get my subkeys back please?
>
> Thank you
>
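Alexander's gnu-divert-to-card check and Werner's '>' / '#' markers, turned into a small check one can run over a backup before relying on it. This is an added example, not code from the thread or from GnuPG. It reads the text that `gpg --list-packets` prints (GnuPG 2.x format assumed: ":secret key packet:", ":secret sub key packet:" and "keyid:" lines) and reports, for every secret (sub)key packet, whether the file holds real private material, a stub pointing at a card, or an empty stub. The dump embedded below is constructed for the example: the layout is the one gpg prints, the values are shortened or made up, and the key IDs are the ones from the listing in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): tell stubs from real private key material
# in a `gpg --list-packets` dump of a secret-key export or backup.
# Classes, with the marker gpg -K shows for the same key:
#   card   "gnu-divert-to-card S2K"  private part lives on a smartcard   ('>')
#   stub   "gnu-dummy S2K"           no private part at all              ('#')
#   local  anything else             private key material is in the file
# Assumes the GnuPG 2.x --list-packets text format.

classify_secret_packets() {         # stdin: list-packets dump; stdout: "KEYID CLASS" per key
    awk '
        function flush() {
            if (in_sec && keyid != "") print keyid, cls
            in_sec = 0; keyid = ""; cls = ""
        }
        /^:secret (sub )?key packet:/ { flush(); in_sec = 1; cls = "local"; next }
        /^:/                          { flush(); next }   # any other packet ends the key
        in_sec && /gnu-divert-to-card S2K/ { cls = "card" }
        in_sec && /gnu-dummy S2K/          { cls = "stub" }
        in_sec && /^[ \t]*keyid: /         { keyid = $2 }
        END { flush() }
    '
}

class_of() {                        # $1 = key ID; stdin: dump; prints that key's class
    classify_secret_packets | awk -v k="$1" '$1 == k { print $2 }'
}

# Constructed sample dump: a local primary, an [S] subkey diverted to a card,
# an [E] subkey left as an empty stub, and an [A] subkey whose private part is
# in the file (what an old backup from before the card would contain).
SAMPLE_DUMP='# off=0 ctb=94 tag=5 hlen=2 plen=134
:secret key packet:
    version 4, algo 22, created 1531155780, expires 0
    pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
    pkey[1]: [263 bits]
    iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 0011223344556677
    protect count: 65011712 (255)
    protect IV:  00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff
    skey[2]: [v4 protected]
    keyid: F72C652AE7564ECC
# off=136 ctb=b4 tag=13 hlen=2 plen=32
:user ID packet: "Damien Cassou <damien@cassou.me>"
# off=500 ctb=9c tag=7 hlen=2 plen=90
:secret sub key packet:
    version 4, algo 22, created 1531155780, expires 0
    pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
    pkey[1]: [263 bits]
    gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
    keyid: B68746238E59B548
# off=700 ctb=9c tag=7 hlen=2 plen=70
:secret sub key packet:
    version 4, algo 18, created 1531155780, expires 0
    pkey[0]: [80 bits] cv25519 (1.3.6.1.4.1.3029.1.5.1)
    pkey[1]: [263 bits]
    gnu-dummy S2K, algo: 0, simple checksum, hash: 0
    keyid: 65CD5E0200C56C17
# off=900 ctb=9c tag=7 hlen=2 plen=134
:secret sub key packet:
    version 4, algo 22, created 1531155780, expires 0
    pkey[0]: [80 bits] ed25519 (1.3.6.1.4.1.11591.15.1)
    pkey[1]: [263 bits]
    skey[2]: [255 bits]
    keyid: F36CF32DF9B09855'

# Against a real file:  gpg --list-packets backup.asc | classify_secret_packets
printf '%s\n' "$SAMPLE_DUMP" | classify_secret_packets
```

A backup taken before the subkeys were moved to the card reports `local` for all of them; a fresh export from the card setup reports `card` for the subkeys, which is why importing such an export can never bring the private parts back. After `gpg --import-options restore --import backup.asc`, expired subkeys are hidden from `gpg -K` unless you pass `--list-options show-unusable-subkeys`, which is the last surprise in this thread.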
Re: Get the private portion of subkeys
Hi Alexander,

thank you for giving me background information. It really helped; this
sentence was particularly helpful:

Alexander Kulbartsch <alexander@kulbartsch.de> writes:
> When you call "gpg --list-packets sec.asc"
> I assume you see something like "gnu-divert-to-card, ..." under your
> subkeys

When I export today, I see "gnu-divert-to-card" on my subkeys. But if I
check on an old backup, I don't see this. So I conclude that my backup
contains the private subkeys (good news!).

I just found out that if I don't see the subkeys after importing the
backup, it's just because they are expired: "show-unusable-subkeys"
reveals them and everything is good.

Thank you so much.

--
Damien Cassou

"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
