Gentoo Forums
[Solved] Gpg can’t decrypt: invalid cipher mode
cr0wbar
n00b

Joined: 27 Oct 2021
Posts: 7

Posted: Wed Oct 27, 2021 9:46 am    Post subject: [Solved] Gpg can’t decrypt: invalid cipher mode

Can’t use
Code:
pass
in gentoo for some passwords. Decryption fails only since I have started using a new key, new passwords fail to decrypt with a
Code:
invalid cipher mode
error, old passwords reencrypted using the new key work just fine. Passwords were reencrypted on a macOS box using gpg 2.3.2, using the latest version available in gentoo.

Code:

gpg (GnuPG/MacGPG2) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2


Any ideas on why that might be happening and how to fix it?


Last edited by cr0wbar on Thu Oct 28, 2021 10:43 pm; edited 1 time in total

mike155
Advocate

Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Wed Oct 27, 2021 1:45 pm

Hi cr0wbar,

welcome to the Gentoo forums!

I completely fail to understand your post. A command "pass" doesn't exist on my Gentoo machine. And why do you want to encrypt passwords? Please tell us what you want to achieve and show us the commands you use. Please post the output of "emerge --info app-crypt/gnupg".

Mike

Hu
Moderator

Joined: 06 Mar 2007
Posts: 21489

Posted: Wed Oct 27, 2021 3:31 pm

This might be from app-admin/pass, which, as I understand it, is a wrapper around using gnupg to maintain encrypted text files, where the decrypted contents are your usernames+passwords for various services. mike155's requests look like a good start to me.

mike155
Advocate

Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Wed Oct 27, 2021 4:03 pm

@Hu: thanks, now it starts to make sense :-)

The homepage explains how it works:
Quote:
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

mike155
Advocate

Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Wed Oct 27, 2021 4:34 pm

  1. Do I understand correctly that "pass show" works for some passwords and that it does not work for some other passwords?

    Please chdir to your password store directory and analyze the encrypted password files with 'file':
    Code:
    # cd ~/.password-store
    # file ./Amazon/amazonemail@email.com.gpg
    ./Amazon/amazonemail@email.com.gpg: PGP RSA encrypted session key - keyid: FC2C3F85 4F5692B7 RSA (Encrypt or Sign) 4096b .

    Is there a difference in the encryption format (in the example above: 'PGP RSA encrypted session key 4096b') between the key files that work and those that don't work?

  2. You wrote that the issue started when you created a new key? Please run
    Code:
    gpg --list-public-keys

    The command will show your keys and also their algorithms ('rsa4096' for example). Is there a difference in the algorithm between your old key and your new key?
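
Added example (not part of any post in this thread, and not code from pass or GnuPG): a byte-level version of the format comparison requested above, listing the OpenPGP packet types in each .gpg file so that files which decrypt can be compared with files which fail. The function names and the sample bytes are constructed for illustration; the thread does not state whether the failing files differ in packet type.

```python
"""List the top-level OpenPGP packet types in .gpg files (header layout: RFC 4880, section 4.2)."""
import sys

# Tags that occur in encrypted files; 20 is the AEAD packet GnuPG 2.3 can write.
TAGS = {1: "pubkey-encrypted session key", 3: "symkey-encrypted session key",
        9: "encrypted data (no integrity)", 18: "encrypted data + MDC",
        20: "AEAD encrypted data"}

# Constructed sample, not a real message: 3-byte tag 1 packet, then a streamed tag 20 packet.
SAMPLE = bytes.fromhex("c103000000d4e000")

def first_packets(data):
    """Return packet tags in file order; stop after the first packet whose length
    is partial or indeterminate (in practice the encrypted-data packet)."""
    tags, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
        pos += 1
        if hdr & 0x40:                          # new-format header
            tag, o1 = hdr & 0x3F, data[pos]
            if o1 < 192:                        # one-octet length
                length, pos = o1, pos + 1
            elif o1 < 224:                      # two-octet length
                length, pos = ((o1 - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif o1 == 255:                     # five-octet length
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:                               # partial body length (streamed)
                length = None
        else:                                   # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = 1 << ltype                      # 1, 2 or 4 length octets
            length = None if ltype == 3 else int.from_bytes(data[pos:pos + n], "big")
            pos += n
        tags.append(tag)
        if length is None:
            break
        pos += length
    return tags

def describe(data):
    return " -> ".join(f"{t}:{TAGS.get(t, 'other')}" for t in first_packets(data))

if __name__ == "__main__":
    if len(sys.argv) == 1:
        print("sample:", describe(SAMPLE))
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {describe(fh.read())}")
```

Run it with the paths of one working and one failing file from the password store; a different final tag between the two shows which encrypted-data packet the older gpg is rejecting.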

cr0wbar
n00b

Joined: 27 Oct 2021
Posts: 7

Posted: Wed Oct 27, 2021 7:13 pm

Apologies, I should have provided more context.
Yeah pass is a gpg wrapper for storing passwords in separate files encrypted with gpg. The idea is that the files where the passwords are stored are hosted on a private repo to keep them synced across different places, and are stored safely because they are encrypted with gpg. It is possible to decrypt and reencrypt all the files where the passwords are stored with a single command "pass init <new_key_id>", which will decrypt all the files, and reencrypt their content with the new key.

I have a mac, with gnupg 2.3.2 and libgcrypt 1.9.4, where I have reencrypted the passwords, going from a rsa2048 key to a rsa4096 key.
I can decrypt the keys just fine on the mac.

However, on gentoo with gnupg 2.2.32 and libgcrypt 1.8.8 I can decrypt files that were originally encrypted with the rsa2048 key and reencrypted with the new rsa4096 one, but cannot decrypt new files encrypted only with the new rsa4096 key, which is odd. This is the error I get
Code:

gpg: encrypted with 4096-bit RSA key, ID <ID>, created <date>
      "KEY DESC <MAILADDRESS>"
gpg: decryption failed: Invalid cipher mode


I have manually downloaded and installed libgcrypt 1.9.4 and installed in /opt, and ran
Quote:
LD_LIBRARY_PATH=/opt/lib


gpg now has picked up the new version of libgcrypt, which has been confirmed by gpg --version's output
Code:

gpg (GnuPG) 2.2.32
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/gdc/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

and now gpg --decrypt works just fine, which is nice, but probably indicates something is wrong with libgcrypt.

cr0wbar
n00b

Joined: 27 Oct 2021
Posts: 7

Posted: Wed Oct 27, 2021 7:26 pm

solved by adding
Code:

dev-libs/libgcrypt ~amd64


to
Code:

/etc/portage/package.accept_keywords


Not great to have a testing version but it worked just fine :D

Hu
Moderator

Joined: 06 Mar 2007
Posts: 21489

Posted: Wed Oct 27, 2021 7:31 pm

The newer version of libgcrypt probably offers, and your Mac used, a cipher that does not work in the v1.8.x line.

You could change your accept_keywords entry to be version-locked, so that it enables you to use the testing version that works, but does not bring you ever newer testing versions.
/etc/portage/package.accept_keywords:
~dev-libs/libgcrypt-1.9.4
See man 5 ebuild for the full syntax for atoms you can use here. Eventually, 1.9.4 will become stable and you can remove the entry. With the change I propose, Portage will not offer you 1.9.5 and later until those also become stable.

mike155
Advocate

Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

Posted: Wed Oct 27, 2021 7:55 pm

cr0wbar wrote:
Not great to have a testing version but it worked just fine :D

It's quite common to have _a few_ packages in package.accept_keywords. :)

Follow the advice of Hu. You can remove libgcrypt from package.accept_keywords as soon as libgcrypt 1.9.4 is stabilized.

cr0wbar
n00b

Joined: 27 Oct 2021
Posts: 7

Posted: Thu Oct 28, 2021 8:29 am

That’s great advice, I am still learning about gentoo and that really helps. Thank you guys!