Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[SOLVED] how to have gpg secret key in another machine
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
vcmota
Tux's lil' helper
Tux's lil' helper


Joined: 19 Jun 2017
Posts: 131

PostPosted: Sat Mar 24, 2018 1:44 am    Post subject: [SOLVED] how to have gpg secret key in another machine Reply with quote

I have a public gpg key that was created in an computer that have been formatted since. Therefore I do not have its secret key in the new system, although I know and control the secret key. And although I have the revoke certificate generated in the creation of the key, I do not have the secret key in the file format produced when you use "gpg --export-secret-key". There must be a way for me to insert somehow the secret key in my new install since I control it in full, but how? I cant find anywhere such an information. Than you all.

Last edited by vcmota on Sun Mar 25, 2018 12:40 am; edited 1 time in total
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42560
Location: 56N 3W

PostPosted: Sat Mar 24, 2018 11:01 am    Post subject: Reply with quote

vcmota,

Tell us the format you do have.

If its in a backup file you copy the file back to the correct location.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
vcmota
Tux's lil' helper
Tux's lil' helper


Joined: 19 Jun 2017
Posts: 131

PostPosted: Sat Mar 24, 2018 1:00 pm    Post subject: Reply with quote

Thank you NeddySeagoon for your reply. When I created the key in the old install I uploaded the public key to the key servers and generated and saved the revoke certificate in a pen drive. Regarding the secret key I never saved it in any file, but I know it from memory. So this is what I have: 1) public key in the servers and imported into my current gentoo install; 2) revoke certificate in a pen drive; 3) secret key in my memory. If it would be the case I could just write the secret key in a file, but I suspect that won't do it. Is there still a solution? Thank you again.
Back to top
View user's profile Send private message
mike155
l33t
l33t


Joined: 17 Sep 2010
Posts: 988
Location: Frankfurt, Germany

PostPosted: Sat Mar 24, 2018 1:54 pm    Post subject: Reply with quote

Quote:
3) secret key in my memory

vmcota,

a secret key looks like:
Code:
-----BEGIN PGP PRIVATE KEY BLOCK-----

TG8YBFm2VmABDADV3oOm1+SHgQDQolBavwmt0b6tk7p1f79DRwCeoRpk2p0GZRLm
xK74aXLOv2lERsKV71JUkM3se/WsjQFKw9LV7SmCvUTWQd1wjY8mQQf2b4aS71RI
.... more lines ....
UpCN371KG71UjucvHXU/UCy7DwpQnScYQAJEtW+Vdpuh2QNpyoDU4T7GXaJIpiJG
7aOMLUsk1dGcxtxG
=7gRt
-----END PGP PRIVATE KEY BLOCK-----

Do you really remember this in your memory? Or are you talking about the passphrase you used do encrypt the secret key?
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 42560
Location: 56N 3W

PostPosted: Sat Mar 24, 2018 2:35 pm    Post subject: Reply with quote

vcmota,

The secret key and public key are a pair.
The only difference between them is that the secret key is itself encrypted with a password.

Nobody ever looks at the keys themselves and the decrypted secret key is only ever in RAM.
A 4096 bit key is 1024 hex digits long ... is that what you memorised, a string of 1024 hex digits?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Sat Mar 24, 2018 3:08 pm    Post subject: Reply with quote

NeddySeagoon wrote:
The only difference between them is that the secret key is itself encrypted with a password.
Well, not the only difference. They are indeed a (cryptographically related) pair but they don't contain all the same information, the private key being a superset of what the public key contains. The additional information in the private key is encrypted as you've noted. Alas,
  • Having the public key is no help whatsoever in recovering the private key.
  • Having the private key passphrase is no help whatsoever in recovering the private key unless you also have that encrypted blob, which is practically unmemorizable, as you and mike155 have noted.
vcmota, unless you have that output from "gpg --export-secret-keys", you're toast.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13490

PostPosted: Sat Mar 24, 2018 4:10 pm    Post subject: Reply with quote

To elaborate on JRG's point, as I understand it, the revocation object is a machine-readable declaration of revocation of the key, signed in a way to prove that the signer held the private key being revoked. It does not contain the private key itself, which is why possessing it does not help with your current problem. Its only use is to notify others of the revocation in a way that cannot be forged by people who lack the private key. If it were not signed, anyone could publish a revocation of your key, and you would have no way to prove to others that you were being truthful and the other person was lying.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Sat Mar 24, 2018 4:18 pm    Post subject: Reply with quote

100% correct.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
vcmota
Tux's lil' helper
Tux's lil' helper


Joined: 19 Jun 2017
Posts: 131

PostPosted: Sat Mar 24, 2018 4:42 pm    Post subject: Reply with quote

Thank you all mike155, NeddySeagoon, John Graham and Hu for your kind replies. And, first of all, I apologize for my profound lack of knowledge about gpg. mike155 and NeddySeagoon are correct: what I have memorized is my passphrase, not the secret key. In my ignorance I though that both were the same. So, as John elaborated I guess I lost the capacity to edit that key, since it has been expired and without the secret key I cant modify it. But if you don't mind helping me a little more, I have a few questions:

1) I based most of what I know about gpg from this tutorial, where it is explained that a good practice in the usage of gpg keys is always holding the revoke certificate in case you lose control of your key, as it is my case now. That would project to others that you may be a trustworthy user of gpg keys. Does that also apply to the expiration? If not, am I still able to revoke the key without controlling the secret key as it is my case now?
2) Is there an indicated procedure to deal with your secret key in order to never lose it? I mean, should I export it to a file just like I did with the revoke certificate just after creating a pair and keep it in some place safe or that is not indicated for security reasons?

Thank you all very much again!
Back to top
View user's profile Send private message
mike155
l33t
l33t


Joined: 17 Sep 2010
Posts: 988
Location: Frankfurt, Germany

PostPosted: Sat Mar 24, 2018 9:53 pm    Post subject: Reply with quote

vcmota wrote:
2) Is there an indicated procedure to deal with your secret key in order to never lose it? I mean, should I export it to a file just like I did with the revoke certificate just after creating a pair and keep it in some place safe or that is not indicated for security reasons?

GnuPG stores public and private keys in the subdirectory '~/.gnupg'. Make backups of this directory. That's all.

I guess most people don't backup '~/.gnupg' exclusively, but they make backups of their home directory or even of '/home'. That's how I do it.

DO NOT export your private key(s). There is no need to and it's dangerous, especially if the exported key is unencrypted. As NeddySeagoon wrote above: your secret key should always be encrypted if it is stored on disk or in a backup.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Sat Mar 24, 2018 10:48 pm    Post subject: Reply with quote

mike155 wrote:
DO NOT export your private key(s). There is no need to and it's dangerous, especially if the exported key is unencrypted.
As far as I know, GnuPG doesn't even support cleartext export. The main danger of moving keys around (whether by exporting or by copying the key ring) is that the user's key passphrase is so much weaker than the private key itself. You never want to share these keys except to another machine you own. It's particularly dangerous to send them via email, not because they're in the clear but because they're crackable with enough effort.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
mike155
l33t
l33t


Joined: 17 Sep 2010
Posts: 988
Location: Frankfurt, Germany

PostPosted: Sat Mar 24, 2018 10:56 pm    Post subject: Reply with quote

John R. Graham wrote:
As far as I know, GnuPG doesn't even support cleartext export.

GnuPG supports cleartext export, look here.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10156
Location: Somewhere over Atlanta, Georgia

PostPosted: Sun Mar 25, 2018 12:07 am    Post subject: Reply with quote

I stand corrected. Still, you have to go out of your way to do that. Normally exported keys are approximately as secure as the key ring itself.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
vcmota
Tux's lil' helper
Tux's lil' helper


Joined: 19 Jun 2017
Posts: 131

PostPosted: Sun Mar 25, 2018 12:18 am    Post subject: Reply with quote

But let me ask: either the private key or the passphrase are stored unencrypted in the ~/.gnupg directory?
Back to top
View user's profile Send private message
mike155
l33t
l33t


Joined: 17 Sep 2010
Posts: 988
Location: Frankfurt, Germany

PostPosted: Sun Mar 25, 2018 12:35 am    Post subject: Reply with quote

Quote:
But let me ask: either the private key or the passphrase are stored unencrypted in the ~/.gnupg directory?

No! The passphrase isn't stored in ~/.gnupg. Your secret key is stored encrypted in ~/.gnupg.

Let's look at an example: If you want to decipher an encrypted email you received, PGP needs your unencrypted secret key. PGP reads your encrypted key from ~/.gnupg and asks you for your passphrase, because your passphrase isn't stored anywhere. After you entered your passphrase, PGP unencrypts your encrypted secret key and deciphers the email using the unencrypted secret key. The unencrypted secret key is stored in memory only and PGP will delete it as soon as possible.


Last edited by mike155 on Sun Mar 25, 2018 12:41 am; edited 1 time in total
Back to top
View user's profile Send private message
vcmota
Tux's lil' helper
Tux's lil' helper


Joined: 19 Jun 2017
Posts: 131

PostPosted: Sun Mar 25, 2018 12:39 am    Post subject: Reply with quote

Thank you all very much, I learned a lot. I am marking the thread as SOLVED. By the way, I successfully revoked the key, the secret key is not necessary for that, the only thing you need is the revoke certificate. Thank you all again!
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum