Using a GnuPG CCID card in another computer

Using a GnuPG CCID card in another computer

Matthias Apitz

Hello,

I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
it to log in with SSH into other servers (after moving the pub key to
the server into ~/.ssh/authorized_keys); the only tricky part was to figure
out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> /usr/local/bin/pinentry

So far so good.

Now I wanted to use the same SIM in another FreeBSD workstation (at work), but when
I use it there, for example with 'gpg2 --card-status', there is no key in the
card, and likewise 'gpg2 --export-ssh-key guru' does not know how to
export the key due to the missing pub key.

Should I move the full content of ~/.gnupg as well to the 2nd computer?
And if so, why? I was thinking that all the key material (apart from the
backup) is on the SIM and I only need its PIN...

Thanks

        matthias
--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Using a GnuPG CCID card in another computer (follow-up)

Matthias Apitz
On Monday, May 15, 2017 at 07:25:12 PM +0200, Matthias Apitz wrote:

>
> Hello,
>
> I have a GnuPG smart card OMNIKEY 6121 Mobile USB and configured its
> use in my FreeBSD 12-CURRENT netbook, generated keys and I'm able to use
> it to log in with SSH into other servers (after moving the pub key to
> the server into ~/.ssh/authorized_keys); the only tricky part was to figure
> out how to enter the PIN behind 'ssh' --> 'gpg-agent' --> /usr/local/bin/pinentry
>
> So far so good.
>
> Now I wanted to use the same SIM in another FreeBSD workstation (at work), but when
> I use it there, for example with 'gpg2 --card-status', there is no key in the
> card, and likewise 'gpg2 --export-ssh-key guru' does not know how to
> export the key due to the missing pub key.
>
> Should I move the full content of ~/.gnupg as well to the 2nd computer?
> And if so, why? I was thinking that all the key material (apart from the
> backup) is on the SIM and I only need its PIN...

Follow-up.

I have now copied all the files below to the other workstation and now all is
fine there too, i.e. I can export the pub key with 'gpg2 --export-ssh-key guru'
and use it for SSH, being asked for the PIN of the card. The files are:

$ ls -lR .gnupg
total 52
-rw-------  1 guru  wheel  2649 12 may.  22:41 dirmngr.conf
-rw-r--r--  1 guru  wheel    19 15 may.  11:41 gpg-agent.conf
-rw-------  1 guru  wheel  5191 12 may.  22:41 gpg.conf
drwx------  2 guru  wheel   512 14 may.  20:30 openpgp-revocs.d
drwx------  2 guru  wheel   512 14 may.  20:29 private-keys-v1.d
-rw-r--r--  1 guru  wheel  3573 14 may.  20:30 pubring.kbx
-rw-------  1 guru  wheel    32 12 may.  22:41 pubring.kbx~
-rw-------  1 guru  wheel   600 15 may.  09:58 random_seed
-rw-r--r--  1 guru  wheel     7 15 may.  15:21 reader_0.status
-rw-------  1 guru  wheel  1865 14 may.  20:29 sk_61F1ECB625C9A6C3.gpg
-rw-r-----  1 guru  wheel   676 15 may.  11:45 sshcontrol
-rw-------  1 guru  wheel  1280 15 may.  09:23 trustdb.gpg

.gnupg/openpgp-revocs.d:
total 4
-rw-------  1 guru  wheel  1799 14 may.  20:30 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11.rev

.gnupg/private-keys-v1.d:
total 24
-rw-------  1 guru  wheel  1873 14 may.  20:17 147F71A678B411855B4BCCC48FAEC8689B5E1C23.key
-rw-------  1 guru  wheel   615 14 may.  20:29 314DE72F03D41683E06A504769970A1643825B38.key
-rw-------  1 guru  wheel   617 14 may.  20:09 45BDBABA30A3511D507B8A08A28D425F7CD417C6.key
-rw-------  1 guru  wheel   615 14 may.  20:29 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B.key
-rw-------  1 guru  wheel   615 14 may.  20:29 937BA1F6A95F68222EC2C6F9573100E17EE9522E.key
-rw-------  1 guru  wheel   617 14 may.  20:17 B0E0BFC22F116B541848DF6593B418BBB63C0CC0.key

When I generated the keys on the card (gpg2 --card-edit --> admin --> generate)
on May 14, I had to do this twice because I was logged out from the card due to
thinking too long about the passphrase for the backup of the key to the file
sk_61F1ECB625C9A6C3.gpg; one can see this in the times of the files below
.gnupg/private-keys-v1.d; the 2nd run started around 20:20 and was
successful at 20:29.

The question remains: Why do I have to move the files below .gnupg/ to
the other workstation? And, what exactly are the files below
.gnupg/private-keys-v1.d?

Thanks

        matthias
--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045

Re: Using a GnuPG CCID card in another computer (follow-up)

Damien Goutte-Gattat
On 05/16/2017 07:55 AM, Matthias Apitz wrote:
> The question remains: Why I do have to move the files below .gnupg/ to
> the other workstation?

The card only contains the private keys. GnuPG also needs some
information that is only contained in the public parts, such as the
User IDs associated with the key and the bindings between a primary key
and its subkeys.

So while you do not have to move *all* the files below .gnupg, you at
least need to import your *public* key onto your other workstation.

(That's why the card editor of GnuPG has a "fetch" command. The idea is
that you put your public key in a publicly-accessible location, and make
the "URL" field of your card point to that location. With that, upon
arriving at a new computer--with an empty or nonexistent .gnupg--, you
can get a working setup just by inserting your card, firing up the card
editor, and using the "fetch" command.)


> And, what are the files below .gnupg/private-keys-v1.d are exactly?

They normally contain the private keys themselves. When the private keys
are stored on a smartcard, they are "stubs", whose purpose is to inform
GnuPG that the keys are on a smartcard (notably, they contain the serial
number of said smartcard).

GnuPG should normally re-create those stubs automatically if they do not
exist when you run the --card-status command, so you should not have to
copy them over manually.

What is troubling in your experience is that you said there was "no key
in the card" when you first ran "gpg2 --card-status" on the new
workstation. I have no explanation for that.

Damien


Re: Using a GnuPG CCID card in another computer (follow-up)

Peter Lebbing
On 16/05/17 07:55, Matthias Apitz wrote:
> The question remains: Why I do have to move the files below .gnupg/ to
> the other workstation?

The card only holds the basic cryptographic material. But a certificate
("public key") holds much more information: your name, the relations
between the cryptographic keys and how they are used, your preferences
with regard to algorithms, how long the key is valid, and certifications
by other users who have signed your key, to name some important ones.

So before you can use the smartcard, you need to import your
certificate/public key. You could publish this to the keyserver network,
or put it on the web. If the latter, you /can/ enter the URL in a data
field on the smartcard, enabling you to use the "fetch" command of
--card-edit.

> And, what are the files below .gnupg/private-keys-v1.d
> are exactly?

Either the real cryptographic material for a private key, or simply a
note telling GnuPG "that key is on card X". However, I'm surprised by
the size of these files you show. All my "notes saying card X", stubs,
on this laptop are around a mere 360 bytes. I know these files are
S-Expressions, but I haven't checked the exact construction. I would
expect OpenPGP smartcard stubs to generally come down to very comparable
sizes.

You can ask GnuPG to list all the OpenPGP private keys it knows about
along with the keygrip. The keygrip corresponds to the file name in
private-keys-v1.d. It will also indicate when a key is on a card:

> $ gpg2 --with-keygrip -K
> /home/peter/.gnupg/pubring.kbx
> ------------------------------
> sec>  rsa2048 2009-11-12 [C] [expires: 2017-10-19]
>       8FA94E79AD6AB56EE38CE5CBAC46EFE6DE500B3E
>       Keygrip = 13790148EEE34BC5140DD31B6F95EABA8A19E419
>       Card serial no. = 0005 00000274
> uid           [ultimate] Peter Lebbing <[hidden email]>
> ssb>  rsa2048 2009-11-12 [S] [expires: 2017-10-19]
>       Keygrip = 46E61BB13BF429980D89B6B7BDE0F70E55E41A03
> ssb>  rsa2048 2009-11-12 [E] [expires: 2017-10-19]
>       Keygrip = A9C7C73653BEDAF478E4956FCF4C3AFC7CB9A00C
> ssb>  rsa2048 2009-12-05 [A] [expires: 2017-10-19]
>       Keygrip = 2DD5CC89FE601845C8C4F74F9643724A08D878FD
>
> sec   rsa1024 2012-03-17 [SC] [expired: 2017-03-29]
>       825472F37172B95ADC7349BE98B67DE4DCDFDFA4
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid           [ expired] Test Teststra <[hidden email]>
> uid           [ expired] Test Teststra (Koning van Wezel) <[hidden email]>
> ssb   rsa1024 2012-03-17 [E] [expired: never     ]
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048 2016-01-12 [A] [expired: never     ]
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> ssb   rsa1024 2017-03-22 [S] [expired: 2017-03-29]
>       Keygrip = B93CA4F1A44FAD92D45DC836DEC653769421E703
A '>' after 'sec' or 'ssb' indicates it is on a card. A '#' indicates
the key is unavailable.

You could do this to check what GnuPG thinks those files represent.

Note it only mentions the card serial number for the primary key, even
though the E and S subkeys are on a different card.

I have to admit I cheated a bit for the above output; I had to specify
"--list-options show-unusable-subkeys" because the test key was expired,
and I removed an awful lot of test keys from the output.

private-keys-v1.d also contains keys for gpgsm, which will not show up
when invoking "gpg2 -K" as above.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


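Both replies above recommend publishing the certificate and letting "fetch" pull it from the URL stored on the card. A caveat a practitioner will want with that: "fetch" imports whatever that URL serves, and in this thread the URL is plain http://, so before running 'gpg2 --export-ssh-key <name>' and pasting the result into authorized_keys on servers, confirm that the key now in the keyring is the card's key. The card itself stores the fingerprints of its three keys, and --card-status prints them; the keyring listing prints the fingerprint of every (sub)key. The following is an added example (not code from the thread, from GnuPG or from either poster) that compares the two. The sample records are constructed in the --with-colons layout from the fingerprints and key IDs that appear in the thread (abridged; the uid hash field is left empty); only the record type, the capability field (field 12 of sec/ssb records) and the fingerprint field (field 10 of fpr records, fields 2 to 4 of the card's fpr record) are relied on.

```python
"""Cross-check a fetched OpenPGP public key against the fingerprints on the card.

Added example; not code from the thread or from GnuPG.  Feed it the text of
`gpg2 --card-status --with-colons` and of
`gpg2 -K --with-colons --with-fingerprint --with-fingerprint` (the option
given twice also prints subkey fingerprints).
"""

# Constructed, abridged sample of `gpg2 --card-status --with-colons`.
# The fpr record carries the signature, encryption and authentication key
# fingerprints, in that order, as the thread's --card-status output shows them.
SAMPLE_CARD_STATUS = """\
version:0201:
vendor:0005:ZeitControl:
serial:0000532B:
url:http://www.unixarea.de/ccid--export-key-guru.pub:
fpr:5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:EB6200DA13A19E80679B1A1361F1ECB625C9A6C3:E51DD2D6C72735D6651DEA4B6AA5C5C451A1CD1C:
"""

# Constructed sample of the keyring after the fetch in the thread: primary key
# 47CCF7E476FE9D11 [SC], auth subkey 6AA5C5C451A1CD1C, encryption subkey
# 61F1ECB625C9A6C3, with the keygrips from the thread's -K output.
SAMPLE_KEY_LISTING = """\
sec:u:4096:1:47CCF7E476FE9D11:1494786007:::u:::scESCA:::D27600012401020100050000532B0000:::23::0:
fpr:::::::::5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11:
grp:::::::::937BA1F6A95F68222EC2C6F9573100E17EE9522E:
uid:u::::1494786007::::Matthias Apitz (GnuPG CCID) <[hidden email]>::::::::::0:
ssb:u:4096:1:6AA5C5C451A1CD1C:1494786007::::::a:::D27600012401020100050000532B0000:::23:
fpr:::::::::E51DD2D6C72735D6651DEA4B6AA5C5C451A1CD1C:
grp:::::::::7E22A904DB3BE5A98F98AFDEED61DF1364DD949B:
ssb:u:4096:1:61F1ECB625C9A6C3:1494786007::::::e:::D27600012401020100050000532B0000:::23:
fpr:::::::::EB6200DA13A19E80679B1A1361F1ECB625C9A6C3:
grp:::::::::314DE72F03D41683E06A504769970A1643825B38:
"""


def parse_card_fprs(card_status: str) -> dict:
    """Return {'S': fpr, 'E': fpr, 'A': fpr} from the card's fpr record."""
    for line in card_status.splitlines():
        f = line.split(":")
        if f[0] == "fpr" and len(f) >= 4:
            return {"S": f[1], "E": f[2], "A": f[3]}
    raise ValueError("no fpr record in --card-status output")


def parse_key_listing(listing: str) -> list:
    """Return [(record, capabilities, fingerprint), ...] for sec/ssb records.

    In colon output the fpr record follows the sec/ssb record it belongs to.
    """
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            current = [f[0], f[11] if len(f) > 11 else "", None]
            keys.append(current)
        elif f[0] == "fpr" and current is not None and current[2] is None:
            current[2] = f[9]
    return [tuple(k) for k in keys]


def check_key_against_card(card_status: str, listing: str) -> dict:
    """Map each card slot (S/E/A) to True when the keyring holds a (sub)key with
    exactly that fingerprint *and* that usage.  Capability letters are lower
    case for a key's own usage, so the primary's 'scESCA' satisfies only 'S'."""
    card = parse_card_fprs(card_status)
    keys = parse_key_listing(listing)
    return {slot: any(fpr == card[slot] and slot.lower() in caps
                      for _, caps, fpr in keys)
            for slot in ("S", "E", "A")}


def safe_to_export_ssh_key(card_status: str, listing: str) -> bool:
    """Only when all three slots match is the imported key the card's key; the
    'A' slot is what --export-ssh-key turns into an authorized_keys line."""
    return all(check_key_against_card(card_status, listing).values())


if __name__ == "__main__":
    print(check_key_against_card(SAMPLE_CARD_STATUS, SAMPLE_KEY_LISTING))
    print("safe to export:",
          safe_to_export_ssh_key(SAMPLE_CARD_STATUS, SAMPLE_KEY_LISTING))
```

A key served by someone else at that URL cannot carry the card's fingerprints (they are hashes of public key material the attacker does not control... only the genuine key has them), so a mismatch on any slot means the keyring does not hold the card's key. Independently of this check, export by fingerprint rather than by name, e.g. 'gpg2 --export-ssh-key 5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11' instead of 'gpg2 --export-ssh-key guru', since a user-ID string matches any imported key that carries it.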

Re: Using a GnuPG CCID card in another computer (follow-up)

Matthias Apitz
On Tuesday, May 16, 2017 at 11:12:18 AM +0200, Peter Lebbing wrote:

> On 16/05/17 07:55, Matthias Apitz wrote:
> > The question remains: Why I do have to move the files below .gnupg/ to
> > the other workstation?
>
> The card only holds the basic cryptographic material. But a certificate
> ("public key") holds much more information: your name, the relations
> between the cryptographic keys and how they are used, your preferences
> with regard to algorithms, how long the key is valid, and certifications
> by other users who have signed your key, to name some important ones.
>
> So before you can use the smartcard, you need to import your
> certificate/public key. You could publish this to the keyserver network,
> or put it on the web. If the latter, you /can/ enter the URL in a data
> field on the smartcard, enabling you to use the "fetch" command of
> --card-edit.

Thanks for the two tips re/ the pub key; I did so and now it works:

I exported the pub key with:

$ gpg2 --export --armor > ccid--export-key-guru.pub

placed it on my webserver and configured its URL with the card's url-command
as

URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub

On the 2nd workstation I moved away the GNUPGHOME:
$ env | grep GNU
GNUPGHOME=/home/guru/.gnupg-ccid
$ mv .gnupg-ccid .gnupg-ccid-saved

gpg2 is unwilling to start due to the missing dir and I had
to create it with mkdir:

$ gpg2 --card-status
gpg: keyblock resource '/home/guru/.gnupg-ccid/pubring.kbx': No such file or directory
gpg: failed to create temporary file '/home/guru/.gnupg-ccid/.#lk0x0000000802616210.r314251-amd64.65213': No such file or directory
gpg: can't connect to the agent: No such file or directory
gpg: OpenPGP card not available: No agent running

$ mkdir /home/guru/.gnupg-ccid
$ chmod 0700 /home/guru/.gnupg-ccid

As you can see the keys are completely missing in the card's status:

$ gpg2 --card-status
gpg: keybox '/home/guru/.gnupg-ccid/pubring.kbx' created
Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

but after fetching the pub key, all is fine:

[guru@r314251-amd64 ~]$ gpg2 --card-edit  

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: [none]

gpg/card> fetch
gpg: requesting key from 'http://www.unixarea.de/ccid--export-key-guru.pub'
gpg: /home/guru/.gnupg-ccid/trustdb.gpg: trustdb created
gpg: key 47CCF7E476FE9D11: public key "Matthias Apitz (GnuPG CCID) <[hidden email]>" imported
gpg: Total number processed: 1
gpg:               imported: 1


gpg/card> list

Reader ...........: HID Global OMNIKEY 6121 Smart Card Reader 00 00
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: 0000532B
Name of cardholder: Matthias Apitz
Language prefs ...: en
Sex ..............: unspecified
URL of public key : http://www.unixarea.de/ccid--export-key-guru.pub
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 5E69 FBAC 1618 562C B3CB  FBC1 47CC F7E4 76FE 9D11
      created ....: 2017-05-14 18:20:07
Encryption key....: EB62 00DA 13A1 9E80 679B  1A13 61F1 ECB6 25C9 A6C3
      created ....: 2017-05-14 18:20:07
Authentication key: E51D D2D6 C727 35D6 651D  EA4B 6AA5 C5C4 51A1 CD1C
      created ....: 2017-05-14 18:20:07
General key info..: pub  rsa4096/47CCF7E476FE9D11 2017-05-14 Matthias Apitz (GnuPG CCID) <[hidden email]>
sec>  rsa4096/47CCF7E476FE9D11  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/6AA5C5C451A1CD1C  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B
ssb>  rsa4096/61F1ECB625C9A6C3  created: 2017-05-14  expires: never
                                card-no: 0005 0000532B

> > And, what are the files below .gnupg/private-keys-v1.d
> > are exactly?
>
> Either the real cryptographic material for a private key, or simply a
> note telling GnuPG "that key is on card X". However, I'm surprised by
> the size of these files you show. All my "notes saying card X", stubs,
> on this laptop are around a mere 360 bytes. I know these files are
> S-Expressions, but I haven't checked the exact construction. I would
> expect OpenPGP smartcard stubs to generally come down to very comparable
> sizes.

I ran strings on these files and it shows, for example:

$ strings -n8 314DE72F03D41683E06A504769970A1643825B38.key
(20:shadowed-private-key(3:rsa(1:n513:
)(8:shadowed5:t1-v1(16:
9:OPENPGP.2))))




>
> You can ask GnuPG to list all the OpenPGP private keys it knows about
> along with the keygrip. The keygrip corresponds to the file name in
> private-keys-v1.d. It will also indicate when a key is on a card:
>
> > $ gpg2 --with-keygrip -K
> > /home/peter/.gnupg/pubring.kbx

I did so and it seems that the keys are on the card:

$ gpg2 --with-keygrip -K
/home/guru/.gnupg-ccid/pubring.kbx
----------------------------------
sec>  rsa4096 2017-05-14 [SC]
      5E69FBAC1618562CB3CBFBC147CCF7E476FE9D11
      Keygrip = 937BA1F6A95F68222EC2C6F9573100E17EE9522E
      Card serial no. = 0005 0000532B
uid           [ultimate] Matthias Apitz (GnuPG CCID) <[hidden email]>
ssb>  rsa4096 2017-05-14 [A]
      Keygrip = 7E22A904DB3BE5A98F98AFDEED61DF1364DD949B
ssb>  rsa4096 2017-05-14 [E]
      Keygrip = 314DE72F03D41683E06A504769970A1643825B38


Thanks for your explanations and help. Maybe the FAQ should be expanded
with this.

        matthias
--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045

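Peter's puzzlement about the stub sizes and the 'strings' output above both follow from how gpg-agent lays out a shadowed key. The following is an added example (not code from the thread, from GnuPG or from either poster) that builds a stub with the same canonical S-expression structure the 'strings' output reveals, parses it back with a length-checked parser, and reports what 'gpg2 -K --with-keygrip' derives from such a file: the card number, the key slot, the modulus size and the keygrip that names the file. Assumptions: the modulus bytes are dummy, the 16-byte serial is the Application ID printed by --card-status above (manufacturer 0005 at bytes 8-9, serial 0000532B at bytes 10-13), and the keygrip follows libgcrypt's rule for RSA keys (SHA-1 over the modulus with leading zero bytes removed).

```python
"""Build and parse a gpg-agent "shadowed-private-key" stub (private-keys-v1.d).

Added example, not code from the thread or from GnuPG.  The layout is the
canonical S-expression the `strings` output in the thread shows:

    (shadowed-private-key (rsa (n <MPI>) (e <MPI>)
        (shadowed t1-v1 (<16-byte OpenPGP AID> "OPENPGP.<slot>"))))

Assumptions: dummy modulus bytes; the AID printed by --card-status in the
thread; keygrip = SHA-1(modulus without leading zero bytes), libgcrypt's
rule for RSA.
"""
import hashlib

# Application ID from --card-status: RID, application 01, version 02.01,
# manufacturer 0005 (ZeitControl), serial 0000532B, two reserved bytes.
SAMPLE_AID = bytes.fromhex("D27600012401020100050000532B0000")


def csexp_atom(b: bytes) -> bytes:
    """Encode one canonical S-expression atom as <length>:<bytes>."""
    return str(len(b)).encode("ascii") + b":" + b


def build_stub(aid: bytes, keyref: bytes, modulus: bytes,
               exponent: bytes = b"\x01\x00\x01") -> bytes:
    """Constructed stub in the structure gpg-agent writes for a card key.

    A modulus whose top bit is set is stored with a leading 0x00 byte, so an
    rsa4096 stub carries 513 bytes of n and an rsa2048 one 257 bytes.
    """
    return (b"(" + csexp_atom(b"shadowed-private-key")
            + b"(" + csexp_atom(b"rsa")
            + b"(" + csexp_atom(b"n") + csexp_atom(modulus) + b")"
            + b"(" + csexp_atom(b"e") + csexp_atom(exponent) + b")"
            + b"(" + csexp_atom(b"shadowed") + csexp_atom(b"t1-v1")
            + b"(" + csexp_atom(aid) + csexp_atom(keyref) + b")"
            + b")))")


def parse_csexp(data: bytes):
    """Parse a canonical S-expression into nested lists of bytes.

    Lengths are validated and truncated input raises ValueError instead of
    yielding a partial tree; this file is what decides "which card holds
    this key", so a half-parsed answer is worse than none.
    """
    def parse(pos):
        if pos >= len(data):
            raise ValueError("unexpected end of data")
        if data[pos:pos + 1] == b"(":
            pos += 1
            items = []
            while data[pos:pos + 1] != b")":
                item, pos = parse(pos)
                items.append(item)
            return items, pos + 1
        colon = data.find(b":", pos)
        if colon < 0 or not data[pos:colon].isdigit():
            raise ValueError("bad atom length at offset %d" % pos)
        length = int(data[pos:colon])
        start, end = colon + 1, colon + 1 + length
        if end > len(data):
            raise ValueError("truncated atom at offset %d" % pos)
        return data[start:end], end

    tree, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after S-expression")
    return tree


def describe_stub(blob: bytes) -> dict:
    """Return what `gpg2 -K --with-keygrip` derives from a stub file's bytes."""
    tree = parse_csexp(blob)
    if not (isinstance(tree, list) and tree[:1] == [b"shadowed-private-key"]):
        raise ValueError("not a shadowed-private-key stub")
    key = tree[1]
    if key[0] != b"rsa":
        raise ValueError("only RSA stubs are handled here")
    fields = {item[0]: item[1:] for item in key[1:]}
    modulus = fields[b"n"][0].lstrip(b"\x00")
    token_type, (aid, keyref) = fields[b"shadowed"]
    if token_type != b"t1-v1" or len(aid) != 16:
        raise ValueError("unexpected shadow token format")
    return {
        "algo": "rsa",
        "bits": int.from_bytes(modulus, "big").bit_length(),
        # the file in private-keys-v1.d is named <keygrip>.key
        "keygrip": hashlib.sha1(modulus).hexdigest().upper(),
        # gpg prints "<manufacturer> <serial>" from AID bytes 8-9 and 10-13
        "card_no": "%s %s" % (aid[8:10].hex().upper(), aid[10:14].hex().upper()),
        "keyref": keyref.decode("ascii"),  # OPENPGP.1/.2/.3 = sign/encrypt/auth
    }


def demo(bits: int = 4096, keyref: bytes = b"OPENPGP.2") -> dict:
    """Constructed stub for the encryption slot, like the one strings was run on."""
    modulus = b"\x00\xc3" + b"\x5a" * (bits // 8 - 1)  # dummy value, top bit set
    blob = build_stub(SAMPLE_AID, keyref, modulus)
    info = describe_stub(blob)
    info["stub_size"] = len(blob)
    return info


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-9s %s" % (k, v))
```

Under these assumptions the constructed rsa4096 stub is 615 bytes and an rsa2048 one 359 bytes, which is the 615-byte file size in the listing above and Peter's "around 360 bytes": the difference is the 256 extra bytes of modulus, nothing else. The stub holds no secret; what it does hold is the binding between a keygrip and a card number, so a copied-over stub that names a different card is worse than no stub, since gpg-agent will then send the request to the wrong card instead of recreating the stub on the next --card-status, as Damien describes.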