
Extending Expiration dates of gnupg keys with the private key residing on a smart card


Johannes Graumann
Hello,

This is a retake of a stackexchange.com question, where so far no one
chimed in ... http://stackoverflow.com/q/43296285/2103880


I had set up a working smart card setup, where the local key ring solely
contained public subkeys and secret keys resided on a smart card.

Conservatively I set the expiration date to 1 year.

The setup worked nicely and as the keys approached their expiration
date, I proceeded as follows to attempt to extend their expiration
date:

1) Kill running gpg-agent:
pkill gpg-agent

2) Import offline master key (backup):
gpg --import <KEYID>.master.key

3) Edit expiry of subkeys (pubkey):
gpg --expert --edit-key <KEYID>
- toggle keys 1, 2, 3 (sign, encrypt, authentication)
- expire: 1y
- save

4) Remove secret master keys:
gpg --delete-secret-keys <KEYID>

As a result the keys remain unavailable (expired?) to all means I
intend to use them with (kmail/kgpg/kleopatra, evolution/seahorse,
etc.).

Where did I go wrong and how may I recover?

Thanks for any pointers.

Sincerely, Joh

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Extending Expiration dates of gnupg keys with the private key residing on a smart card

Peter Lebbing
Hi,

On 10/04/17 10:46, Johannes Graumann wrote:
> 2) Import offline master key (backup):
> gpg --import <KEYID>.master.key

- Which version of GnuPG is this? GnuPG 1.4 will not ever update the
secret part of a key, so you'll have to delete the existing copy first.
Be very careful! You're deleting a copy of your secret key, make sure
you know what you're doing. I believe this also went for 2.0 and only
2.1 can update secret keys, but I'm not sure and can't check from the
passenger seat of the car I'm in :-D.

- Note that you are negating a large part of an offline master key by
bringing it online. Usually, you'd use a different computer to do master
key operations on, a computer that doesn't have an internet connection.
If you're worried about your computer being hacked, note it usually
won't suddenly automatically become un-hacked later, it'll just stay
hacked until reinstalled. But there is no single correct answer to this.


> 3) Edit expiry of subkeys (pubkey):
> gpg --expert --edit-key <KEYID>

You shouldn't need to specify --expert to extend expiries.

> - toggle keys 1, 2, 3 (sign, encrypt, authentication)
> - expire: 1y
> - save
>
> 4) Remove secret master keys:
> gpg --delete-secret-keys <KEYID>

This has just removed all your private keys belonging to this
certificate, primary *and* subkeys.

> As a result the keys remain unavailable (expired?) to all means I
> intent to use them with (kmail/kgpg/kleopatra, evolution/seahorse,
> etc.).

... You /did/ just delete all keys :-).

You'll need to restore your private key from backup, and follow the
instructions you used earlier to create a subkey-only keyring.

By the way, it helps if you post the output of the commands, because we
can't see if they appear to have worked correctly. I mean the console
ones; I wouldn't start with all the effort of taking screenshots and
cropping them and uploading them to the web...

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Extending Expiration dates of gnupg keys with the private key residing on a smart card

Peter Lebbing
I saw one detail after I pressed Send. This appears to be a persistent
flaw in my e-mail writing.

On 10/04/17 10:46, Johannes Graumann wrote:
> 3) Edit expiry of subkeys (pubkey):
> gpg --expert --edit-key <KEYID>
> - toggle keys 1, 2, 3 (sign, encrypt, authentication)
> - expire: 1y
> - save

I think keys 1, 2 and 3 are all subkeys; NOT your primary. To extend the
primary, don't issue a "key" command before "expire". Only after that
extend the subkeys.

HTH,

Peter.

Re: Extending Expiration dates of gnupg keys with the private key residing on a smart card

MFPA-5
On Sunday 30 April 2017 at 7:34:40 PM, in
<mid:[hidden email]>, Peter
Lebbing wrote:-
> I think keys 1, 2 and 3 are all subkeys; NOT your
> primary.

Isn't the primary "key 0"?

--
Best regards

MFPA                  <mailto:[hidden email]>

It is easy to propose impossible remedies.
Re: Extending Expiration dates of gnupg keys with the private key residing on a smart card

Peter Lebbing
On 01/05/17 16:52, MFPA wrote:
> Isn't the primary "key 0"?

I was under the impression "key 0" deselected all subkeys and the man
page agrees with me :-). From the man page:

> key n  Toggle selection of subkey with index n or key ID n.  Use
>        * to select all and 0 to deselect all.

The important difference is that you could do

> key 1
> key 2

and select subkeys one and two. But either

> key 0
> key 1
> key 2

or

> key 1
> key 2
> key 0

will not select the primary as well as two subkeys. You can, however,
use "key 0" to return to extending the expiration of just the primary.

TIL, "*" will select all subkeys. I did not know that.

HTH,

Peter.

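The procedure from the first post, redone the way the replies recommend, as an added example; this is not code from the thread or from the GnuPG project. It extends the primary first (nothing selected) and only then the subkeys, does the signing where the primary secret key lives, and moves only the refreshed public key to the host with the card stubs, so `--delete-secret-keys` is never needed on that host. Assumptions not stated in the thread: GnuPG 2.1.17 or later, so that `--quick-set-expire` exists and imported secret keys are merged in place; the backup file is an exported secret key; and, for the recovery function, that `gpg --card-status` with the card inserted recreates the stubs for subkeys found on the card (GnuPG 2.1 behaviour). The colon-format listings at the end are constructed samples, not real keys, so the parsing helpers can be run without a card or keyring.

```shell
#!/bin/sh
# Added example (not from the thread). Extend expiry of a primary key and its
# card-resident subkeys, then refresh the online host from the public key only.
# Assumptions: GnuPG >= 2.1.17 (--quick-set-expire); backup file is an exported
# secret key; --card-status recreates card stubs (GnuPG 2.1 behaviour).

# Primary key fingerprint from `gpg --with-colons --list-keys` on stdin.
# In colon format the 'fpr' record following 'pub' carries the fingerprint
# in field 10.
primary_fpr_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }
             { want = 0 }'
}

# One fingerprint per line for every subkey ('sub' record, then its 'fpr').
subkey_fprs_from_colons() {
    awk -F: '$1 == "sub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0; next }
             { want = 0 }'
}

# For `gpg --with-colons --list-secret-keys` on stdin, report where each
# secret part is: field 15 of a sec/ssb record is empty for a local key,
# "#" when the secret part is missing, and the token serial for a card stub.
secret_locations_from_colons() {
    awk -F: '$1 == "sec" || $1 == "ssb" {
        loc = ($15 == "") ? "local" : ($15 == "#" ? "missing" : "card " $15)
        print $1, $5, loc }'
}

# Offline host: import the primary secret key, extend the primary (no subkey
# selected), then every subkey, and export the public key carrying the new
# self-signatures. Nothing here touches the online host or the card.
extend_expiry_offline() {
    keyid=$1; backup=$2; period=${3:-1y}; out=$4
    gpg --import "$backup"
    primary=$(gpg --with-colons --list-keys "$keyid" | primary_fpr_from_colons)
    gpg --quick-set-expire "$primary" "$period"
    subs=$(gpg --with-colons --list-keys "$keyid" | subkey_fprs_from_colons)
    # $subs is deliberately unquoted: one fingerprint per argument.
    # shellcheck disable=SC2086
    gpg --quick-set-expire "$primary" "$period" $subs
    gpg --armor --export "$primary" > "$out"
}

# Online host with the card: merging the updated public key replaces the
# expiry on the existing certificate; the card stubs are left alone, so there
# is nothing to delete. Then show where GnuPG thinks each secret part lives.
refresh_online() {
    keyid=$1; pubfile=$2
    gpg --import "$pubfile"
    gpg --with-colons --list-secret-keys "$keyid" | secret_locations_from_colons
}

# Recovery for the situation in the thread: --delete-secret-keys removed the
# card stubs along with the primary. With the card inserted, --card-status
# recreates stubs for the subkeys it finds (assumption: GnuPG 2.1 behaviour).
# In batch mode the key to delete must be named by full fingerprint.
recreate_card_stubs() {
    primary=$1
    gpg --batch --yes --delete-secret-keys "$primary"
    gpg --card-status >/dev/null
    gpg --with-colons --list-secret-keys "$primary" | secret_locations_from_colons
}

# Constructed sample listings (not real keys) to exercise the parsers offline.
SAMPLE_PUBLIC='tru::1:1493000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1460000000:1523000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1460000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:1111111111111111:1460000000:1523000000:::::s::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
sub:u:4096:1:2222222222222222:1460000000:1523000000:::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
sub:u:4096:1:3333333333333333:1460000000:1523000000:::::a::::::23:
fpr:::::::::3333333333333333333333333333333333333333:'

# Secret listing as seen on the online host: primary absent ("#"), subkey on
# a card whose serial appears in field 15.
SAMPLE_SECRET='sec:u:4096:1:0123456789ABCDEF:1460000000:1523000000::u:::scESC:::#:
ssb:u:4096:1:1111111111111111:1460000000:1523000000:::::s:::D2760001240102010006012345670000:'

# Demonstrate the parsers on the constructed samples.
printf '%s\n' "$SAMPLE_PUBLIC" | primary_fpr_from_colons
printf '%s\n' "$SAMPLE_PUBLIC" | subkey_fprs_from_colons
printf '%s\n' "$SAMPLE_SECRET" | secret_locations_from_colons
```

Run `extend_expiry_offline KEYID KEYID.master.key 1y KEYID.pub.asc` on the machine that holds the primary key, carry `KEYID.pub.asc` to the machine with the card and run `refresh_online KEYID KEYID.pub.asc` there; the `ssb` lines it prints should show the card serial, not "missing". Correspondents and keyservers still hold the old self-signatures, so the exported public key has to be redistributed as well. Killing gpg-agent is not needed with 2.1; if you want a clean agent, `gpgconf --kill gpg-agent` is the supported way.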