From 18cf52dfb7f7cfc2cb4f16a0c3d42e896026fb07 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:06:25 -0800 Subject: [PATCH 1/6] Note public key recovery article --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index dd8b0d5..1e099d4 100644 --- a/README.md +++ b/README.md @@ -2979,6 +2979,8 @@ Before you unmount your backup, ask yourself if you should make another one just - If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. +- If you lost your GPG public key and need to recover it from YubiKey, follow [this guide](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) + - Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance. # Alternatives From ad340b5f18d71b3f227cc1d881ee6a7068778dca Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:13:43 -0800 Subject: [PATCH 2/6] mention forcesig flag to prompt pin each time --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1e099d4..9bfb79f 100644 --- a/README.md +++ b/README.md 
@@ -2259,7 +2259,7 @@ max-cache-ttl 120 pinentry-program /usr/bin/pinentry-curses ``` -**Important** The `cache-ttl` options do **NOT** apply when using a YubiKey as a smartcard as the PIN is [cached by the smartcard itself](https://dev.gnupg.org/T3362). Therefore, in order to clear the PIN from cache (smartcard equivalent to `default-cache-ttl` and `max-cache-ttl`), you need to unplug the YubiKey. +**Important** The `cache-ttl` options do **NOT** apply when using a YubiKey as a smartcard as the PIN is [cached by the smartcard itself](https://dev.gnupg.org/T3362). Therefore, in order to clear the PIN from cache (smartcard equivalent to `default-cache-ttl` and `max-cache-ttl`), you need to unplug the YubiKey, or set the `forcesig` flag when editing the card to be prompted for the PIN each time. **Tip** Set `pinentry-program /usr/bin/pinentry-gnome3` for a GUI-based prompt. If the _pinentry_ graphical dialog doesn't show and you get this error: `sign_and_send_pubkey: signing failed: agent refused operation`, you may need to install the `dbus-user-session` package and restart the computer for the `dbus` user session to be fully inherited; this is because behind the scenes, `pinentry` complains about `No $DBUS_SESSION_BUS_ADDRESS found`, falls back to `curses` but doesn't find the expected `tty`. From b476dc37b54f0a6b2d1a0d63ffafda816a457a92 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:20:03 -0800 Subject: [PATCH 3/6] mention KO attacks --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 9bfb79f..d170c35 100644 --- a/README.md +++ b/README.md 
@@ -1183,6 +1183,8 @@ Once keys are moved to YubiKey, they cannot be moved again! Create an **encrypte As an additional backup measure, consider using a [paper copy](https://www.jabberwocky.com/software/paperkey/) of the keys. The [Linux Kernel Maintainer PGP Guide](https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html#back-up-your-master-key-for-disaster-recovery) points out that such printouts *are still password-protected*. It recommends to *write the password on the paper*, since it will be unlikely that you remember the original key password that was used when the paper backup was created. Obviously, you need a really good place to keep such a printout. +It is strongly recommended to keep even encrypted OpenPGP private key material offline to deter [key overwriting attacks](https://www.kopenpgp.com/), for example. + **Linux** Attach another external storage device and check its label: From 658d806b6a7862c08bffcd925d5f678aa1be6dd0 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:22:19 -0800 Subject: [PATCH 4/6] mention wsl2-ssh-pageant alt --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d170c35..22f7890 100644 --- a/README.md +++ b/README.md 
@@ -2545,7 +2545,7 @@ Now you can use PuTTY for public key SSH authentication. When the server asks fo The goal here is to make the SSH client inside WSL work together with the Windows agent you are using (gpg-agent.exe in our case). Here is what we are going to achieve: ![WSL agent architecture](media/schema_gpg.png) -**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See the [weasel-pageant](https://github.com/vuori/weasel-pageant) readme for further information. +**Note** this works only for SSH agent forwarding. Real GPG forwarding (encryption/decryption) is actually not supported. See [weasel-pageant](https://github.com/vuori/weasel-pageant) for further information or consider using [wsl2-ssh-pageant](https://github.com/BlackReloaded/wsl2-ssh-pageant) which supports both SSH and GPG agent forwarding. #### Use ssh-agent or use S.weasel-pegant From 600900b4fb375e5540c12aa310fed722ceceaa07 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:24:57 -0800 Subject: [PATCH 5/6] mention gnupg on tpm --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 22f7890..3874826 100644 --- a/README.md +++ b/README.md @@ -2988,6 +2988,7 @@ Before you unmount your backup, ask yourself if you should make another one just # Alternatives * [`piv-agent`](https://github.com/smlx/piv-agent) is an SSH and GPG agent which you can use with your PIV hardware security device (e.g. a Yubikey). +* [`keytotpm`](https://www.gnupg.org/documentation/manuals/gnupg/OpenPGP-Key-Management.html) is an option to use GnuPG with TPM systems. # Links From 8888e329f64ef65717aa2e7abefaf6ba0052a447 Mon Sep 17 00:00:00 2001 From: drduh Date: Mon, 26 Dec 2022 11:29:56 -0800 Subject: [PATCH 6/6] Fix spacing --- README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3874826..31bc0df 100644 --- a/README.md +++ b/README.md 
@@ -2967,9 +2967,8 @@ Before you unmount your backup, ask yourself if you should make another one just - If you receive the error, `Please insert the card with serial number: *` see [using of multiple keys](#using-multiple-keys). - If you receive the error, `There is no assurance this key belongs to the named user` or `encryption failed: Unusable public key` use `gpg --edit-key` to set `trust` to `5 = I trust ultimately`. - - If, when you try the above `--edit-key` command, you get the error - `Need the secret key to do this.`, you can manually specify trust for the key in - `~/.gnupg/gpg.conf` by using the `trust-key [your key ID]` directive. + +- If, when you try the above `--edit-key` command, you get the error `Need the secret key to do this` - manually specify trust for the key in `~/.gnupg/gpg.conf` by using the `trust-key [key ID]` directive. - If, when using a previously provisioned YubiKey on a new computer with `pass`, you see the following error on `pass insert`: @@ -2981,7 +2980,7 @@ Before you unmount your backup, ask yourself if you should make another one just - If you receive the error, `gpg: 0x0000000000000000: skipped: Unusable public key`, `signing failed: Unusable secret key`, or `encryption failed: Unusable public key` the sub-key may be expired and can no longer be used to encrypt nor sign messages. It can still be used to decrypt and authenticate, however. -- If you lost your GPG public key and need to recover it from YubiKey, follow [this guide](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) +- If you lost your GPG public key, follow [this guide](https://www.nicksherlock.com/2021/08/recovering-lost-gpg-public-keys-from-your-yubikey/) to recover it from YubiKey. - Refer to Yubico article [Troubleshooting Issues with GPG](https://support.yubico.com/hc/en-us/articles/360013714479-Troubleshooting-Issues-with-GPG) for additional guidance.
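Review bot: in the added bullet of hunk 1/6 the link text "this guide" says nothing about the target and the line lacks the trailing period the neighbouring bullets have; since 6/6 in this same series rewords exactly this line ("If you lost your GPG public key, follow [this guide](...) to recover it from YubiKey."), squash that wording into this commit rather than landing two versions of the sentence.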
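Review bot: the `forcesig` sentence in hunk 2/6 overstates what the flag does; `forcesig` (toggled under `admin` in `gpg --card-edit`) only makes the card require the user PIN before each signature, while decryption and authentication keep using the cached PIN until the card is reset or unplugged. Suggest "... or set the `forcesig` flag when editing the card to be prompted for the PIN before every signature (decrypt and auth operations still use the cached PIN)." so readers do not assume the flag replaces unplugging the YubiKey for all operations.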
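Review bot: the added paragraph in hunk 3/6 ends with a dangling "for example" and does not say what the reader is defending against; the linked key overwriting attacks need an attacker who can modify the stored (encrypted) private key file, which is why keeping it offline helps. Suggest "Keep even encrypted OpenPGP private key material offline: an attacker with write access to the key file can mount [key overwriting attacks](https://www.kopenpgp.com/) against it." so the recommendation carries its own rationale.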
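Review bot: the rewritten Note in hunk 4/6 contradicts itself inside one paragraph, first stating that "Real GPG forwarding (encryption/decryption) is actually not supported" and then recommending wsl2-ssh-pageant "which supports both SSH and GPG agent forwarding". Scope the first sentence to the weasel-pageant setup described in this section, e.g. "**Note** the weasel-pageant setup below only forwards the SSH agent; for GPG agent forwarding as well, consider [wsl2-ssh-pageant](...)". While here, the unchanged heading `#### Use ssh-agent or use S.weasel-pegant` misspells "pageant".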
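Review bot: the `keytotpm` bullet in hunk 5/6 is vague ("is an option to use GnuPG with TPM systems") and its link points at the general OpenPGP Key Management manual page, so readers have no hint where to look. State what it is and the prerequisite: `keytotpm` is a `gpg --edit-key` subcommand that moves a private key into the system TPM, available from GnuPG 2.3 with `tpm2d` support. Also note, next to the `piv-agent` bullet, that this is an alternative to YubiKey-held keys rather than something that works alongside the card.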
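Review bot: hunk 6/6 does more than "Fix spacing": the `Need the secret key to do this` item is promoted from a nested sub-bullet to a top-level bullet while still saying "the above `--edit-key` command", and a blank line is inserted between it and the preceding item, which turns this part of the list into a loose list unlike the items around it. Either keep the item nested under the `--edit-key` bullet (dropping the extra blank line) or reword it to name the command it refers to, and mention the wording changes in the commit message.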