gpg : encryption/decryption failed - encryption

I am trying to do a gpg encryption/decryption on my server. For encryption I run this command line:
gpg --output test.txt.gpg --encrypt test.txt
and then I enter a user ID and my file is created.
But afterwards, when I want to decrypt this file with the same command:
gpg --output result.txt --decrypt test.txt.gpg
the result is:
gpg: encrypted with 2048-bit RSA key, ID FF070B4D, created 2017-07-19
"droli mail_adress"
gpg: decryption failed: No secret key
I don't understand why I can encrypt but can't decrypt afterwards?
$ gpg --list-keys
/home/ssie/.gnupg/pubring.gpg
-----------------------------
pub   2048R/09C41BAC 2017-07-19
uid                  droli mail_adress
sub   2048R/6D2F1BE9 2017-07-19
$ gpg --list-secret-keys
/home/ssie/.gnupg/secring.gpg
-----------------------------
sec   2048R/09C41BAC 2017-07-19
uid                  droli mail_adress
ssb   2048R/6D2F1BE9 2017-07-19
Edit after 2 hours:
I think I have found why: there were 2 different keys and 1 secret key for the same user. But now there is another issue: I deleted the wrong key and ran the same test again.
The output after decrypting is:
You need a passphrase to unlock the secret key for
user: "droli mail_adress"
2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19 (main key ID 09C41BAC)

can't connect to `/home/ssie/.gnupg/S.gpg-agent': Connection refused
gpg-agent[32298]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19
      "telefact "
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
What is this "S.gpg-agent"? (The file /home/ssie/.gnupg/S.gpg-agent is empty in my case.)
$ gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-1K7fOi/S.gpg-agent:18607:1; export GPG_AGENT_INFO;
After running GPG_AGENT_INFO=/tmp/gpg-1K7fOi/S.gpg-agent:18607:1 and export GPG_AGENT_INFO, there is no longer any complaint about the gpg agent:
You need a passphrase to unlock the secret key for
user: "droli mail_adress"
2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19 (main key ID 09C41BAC)

gpg: cancelled by user
gpg: encrypted with 2048-bit RSA key, ID 6D2F1BE9, created 2017-07-19
      "droli mail_adress"
gpg: public key decryption failed: General error
gpg: decryption failed: No secret key
When creating a new key I have the same issue at the end:
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: cancelled by user
gpg: Key generation canceled.
It's like there is a malfunction with the passphrase?
Thanks for help.

The solution is:
chmod o+rw $(tty)
before using su to become that user, and it works as it should.
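The tty fix above is for an interactive session. As an added example (not code from the question or the answer above), the script below shows the two checks a server-side job would want instead: confirm that the key ID a file was encrypted to matches a secret key actually present in the keyring (the cause of the first "No secret key" error), and run the whole encrypt/decrypt round-trip unattended so that no pinentry ever needs a terminal (the cause of the second). It assumes GnuPG 2.1 or later; the user ID example@example.invalid and the temporary keyring are placeholders the script creates itself.

```shell
#!/bin/sh
# Added example, not code from the question or answer above.
# Requires GnuPG 2.1+ (for %no-protection and --pinentry-mode loopback).
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed; nothing to demonstrate" >&2; exit 0; }

# Print the long (16 hex digit) key IDs that FILE was encrypted to, one per line.
# --list-packets only parses packet headers, so it needs no secret key at all.
encrypted_to() {
    gpg --batch --list-packets "$1" 2>&1 \
      | sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-F]\{16\}\).*/\1/p'
}

# Succeed if the current keyring holds a secret key (primary "sec" or subkey "ssb")
# with long key ID $1. Field 5 of --with-colons output is the long key ID.
have_secret_key() {
    gpg --batch --with-colons --list-secret-keys 2>/dev/null \
      | awk -F: -v id="$1" '($1 == "sec" || $1 == "ssb") && $5 == id { found = 1 } END { exit !found }'
}

# Succeed if at least one of FILE's recipients has a secret key in this keyring.
# This is exactly the check that fails with "decryption failed: No secret key".
can_decrypt() {
    for id in $(encrypted_to "$1"); do
        have_secret_key "$id" && return 0
    done
    return 1
}

# Unattended round-trip in a throwaway keyring; prints the decrypted text.
roundtrip() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Batch key generation from a parameter block. %no-protection creates the key
    # without a passphrase, so later use never needs pinentry, a tty or an agent prompt.
    # The user ID is a placeholder for this example.
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example Server Key
Name-Email: example@example.invalid
Expire-Date: 0
%commit
EOF

    printf 'hello\n' > "$GNUPGHOME/test.txt"
    gpg --batch --quiet --trust-model always --recipient example@example.invalid \
        --output "$GNUPGHOME/test.txt.gpg" --encrypt "$GNUPGHOME/test.txt"

    can_decrypt "$GNUPGHOME/test.txt.gpg" || { echo "no secret key for this file" >&2; return 1; }

    # loopback pinentry keeps any passphrase handling inside this process instead of
    # routing it through gpg-agent and the controlling terminal.
    gpg --batch --quiet --pinentry-mode loopback \
        --output "$GNUPGHOME/result.txt" --decrypt "$GNUPGHOME/test.txt.gpg"
    cat "$GNUPGHOME/result.txt"
}
```

%no-protection and --pinentry-mode loopback are what make this work after su or from cron: with a passphrase-protected key, gpg asks gpg-agent to run pinentry on the controlling terminal, which after su still belongs to the original login user, and the failed prompt is reported as "cancelled by user". Opening the tty with chmod o+rw does fix that, but it also lets every other local user read and write your terminal for the rest of the session, so on a shared host revert it afterwards (chmod o-rw $(tty)) or, for unattended jobs, prefer a passphrase-less key kept in a mode-700 GNUPGHOME as here.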

Related

How can I export the RSA Key from a GPG Keychain?

I would like to encrypt/decrypt data with RSA. So I generated a new key pair with PGP.
gpg --full-generate-key
gpg (GnuPG) 2.3.7; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign, encrypt) *default*
(10) ECC (sign only)
(14) Existing key on card
Your selection? 1
When I export the key with:
gpg --export-secret-key --armor --output mykey.asc
I get this kind of file:
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQcYBGLoxDcBEACavJOlQvSY9g+bjHgzMSOOnTQ+pgMukFPsUUDIXZZkT/YVcgn7
...
This is a GPG key, not an RSA key. Or at least not the pure RSA key.
For example, if I use openssl to generate the RSA key, I get for:
openssl genrsa -out private.pem 2048
a key that has the typical RSA header at the beginning.
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBWbLfGcMBn4fu
So the question is, how can I export the pure RSA (public) key from the GPG keychain? The reason I just can't use the OpenSSL keys is that I want to store the private key on a smart card like a YubiKey, and this I can only do with the GPG module.
OpenPGP (and GnuPG as an implementation of the OpenPGP standard) uses its own key format, which is not the raw RSA PKCS#1 key as used by openssl. If you need a raw key you should generate it with openssl.
gpg (GnuPG) implements so-called "hybrid encryption", where an asymmetric key (e.g. an RSA public/private key pair) is used to encrypt a symmetric key (e.g. AES-256) that in turn is used to encrypt your data.
Normally an asymmetric key (RSA) is not used directly to encrypt the data (it's very slow if the data is large). But if for some reason you really want to do it, you'll need a low-level library like pycryptodome, where you have more freedom to pick and choose your key and cipher.
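As an added example that is not from the question or the answer above, here is the hybrid scheme the answer describes, spelled out with openssl so that both layers are visible: a random AES-256 session key encrypts the data, and the RSA public key encrypts only that session key (with OAEP padding). The key files and the bundle directory are whatever paths you pass in; none of this is gpg's own format. Unlike OpenPGP, this sketch adds no integrity check (no MDC or AEAD), so it illustrates the construction rather than replacing gpg.

```shell
#!/bin/sh
# Added example, not code from the page. Requires openssl 1.1.0 or later.
set -eu

# Generate a PKCS#8 RSA private key (the "BEGIN PRIVATE KEY" form openssl writes)
# and its public half.   gen_rsa_keypair PRIV.pem PUB.pem
gen_rsa_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# hybrid_encrypt PUB.pem PLAINTEXT_FILE BUNDLE_DIR
# Writes BUNDLE_DIR/data.bin (AES-encrypted data), iv.hex, and session.rsa (RSA-wrapped key).
hybrid_encrypt() {
    pub=$1; in=$2; dir=$3
    mkdir -p "$dir"
    # A fresh random session key and IV for this one message.
    key=$(openssl rand -hex 32)
    openssl rand -hex 16 > "$dir/iv.hex"
    # Layer 1: the bulk data is encrypted symmetrically with the session key.
    openssl enc -aes-256-cbc -K "$key" -iv "$(cat "$dir/iv.hex")" -in "$in" -out "$dir/data.bin"
    # Layer 2: only the session key is RSA-encrypted. With OAEP a 2048-bit key can wrap
    # at most about 190 bytes, which is why RSA never encrypts the data itself.
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$pub" \
        -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -out "$dir/session.rsa"
}

# hybrid_decrypt PRIV.pem BUNDLE_DIR   -> plaintext on stdout
hybrid_decrypt() {
    priv=$1; dir=$2
    # Unwrap the session key with the RSA private key, then decrypt the data with it.
    key=$(openssl pkeyutl -decrypt -inkey "$priv" \
            -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -in "$dir/session.rsa")
    openssl enc -d -aes-256-cbc -K "$key" -iv "$(cat "$dir/iv.hex")" -in "$dir/data.bin"
}
```

The wrapped session key is always exactly one RSA block (256 bytes for a 2048-bit key) regardless of how large data.bin is, which is the whole point of the construction. An OpenPGP message has the same two parts inside its packets, plus the MDC integrity check that this sketch leaves out.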

Unable to insert a new password into pass (the standard unix password manager)

I am trying to insert a new password into pass (passwordstore.org), but I am receiving the following error:
➜ GitHub git:(master) ✗ pass insert platform-name
Enter password for platform-name:
Retype password for platform-name:
gpg: error retrieving 'xxx#gmail.com' via WKD: Syntax error in URI
gpg: xxx#gmail.com: skipped: Syntax error in URI
gpg: [stdin]: encryption failed: Syntax error in URI
Password encryption aborted.

Service Fabric Local Cluster fails to get certificate(s) private key(s)

For every Service Fabric application I attempt to run which utilizes one or more SecretsCertificate instances, the application fails to launch in my local Service Fabric cluster with the following error on the Node > Application in the SF Explorer:
Error event: SourceId='System.Hosting', Property='Activation:1.0'.
There was an error during activation. Failed to configure certificate permissions. Error E_FAIL.
Service Fabric also logs a few relevant items into the Event Viewer > Applications and Services Logs > Microsoft-Service Fabric > Admin section:
CryptAcquireCertificatePrivateKey failed. Error:0x8009200b
Can't get private key filename for certificate. Error: 0x8009200b
All tries to get private key filename failed.
Failed to get the Certificate's private key.
Thumbprint:4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC. Error: E_FAIL
Failed to get private key file. x509FindValue: 4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC, x509StoreName: My, findType: FindByThumbprint, Error E_FAIL
ACLing private key filename for thumbprint 4XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXC. ErrorCode=E_FAIL
ConfigureCertificateACLs: error=E_FAIL
I have removed and reinstalled the certificate (which is confirmed to work in multiple other developers' local Service Fabric cluster development environments), and set the private key to have explicit full control permissions for the NETWORK SERVICE user on my computer, which didn't help.
I have followed the instructions in this answer which actually prints out the private key details correctly despite SF local cluster not being able to access it.
I have reinstalled Microsoft Service Fabric SDK, and Microsoft Visual Studio 2017 which also didn't resolve this problem.
All attempts to recreate this error in C# and PowerShell have been fruitless, yet the Service Fabric service doesn't seem to be able to access private keys from my cert store.
Edit: Further progress, no solution.
I am able to successfully decrypt data using the PowerShell Invoke-ServiceFabricDecryptText cmdlet, yet the SF Local Cluster still has the same error.
I determined that the file specified in the certificate's metadata (from the previously referenced SO answer) PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName doesn't exist on my disk at the path C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ or any neighboring paths. Has anyone seen this before?
As discussed in the comments, the issue is related to how the (self-signed) certificate is created. When using PowerShell to create your certs, make sure to use the provider named in the linked issue:
So when I specified -Provider "Microsoft Enhanced Cryptographic Provider v1.0" for the New-SelfsignedCertificate command to create a cert, it works.
Source: https://github.com/Azure/service-fabric-issues/issues/235#issuecomment-292667379
An alternative, in case you can't or don't want to use a self-signed certificate, is to "remove" the CNG storage of the private key (which is the part that Service Fabric can't yet handle).
The steps outlined in this article show how to convert a CNG cert to a non-CNG one:
https://blog.davidchristiansen.com/2016/05/521/
Extract your public key and full certificate chain from your PFX file:
openssl pkcs12 -in "yourcertificate.pfx" -nokeys -out "yourcertificate.cer" -passin "pass:password"
Extract the CNG private key:
openssl pkcs12 -in "yourcertificate.pfx" -nocerts -out "yourcertificate.pem" -nodes -passin "pass:password" -passout "pass:password"
Convert the private key to RSA format:
openssl rsa -inform PEM -in "yourcertificate.pem" -out "yourcertificate.rsa" -passin "pass:password" -passout "pass:password"
Merge the public keys with the RSA private key into a new PFX file:
openssl pkcs12 -export -in "yourcertificate.cer" -inkey "yourcertificate.rsa" -out "yourcertificate-converted.pfx" -passin "pass:password" -passout "pass:password"

Control-M GPG: mdc_packet with invalid encoding, decryption failed

I am using Control-M AFT for decryption. The encrypted source file is pulled from the mainframe, and while decrypting the file using GnuPG it fails with the error below:
gpg: mdc_packet with invalid encoding
gpg: decryption failed: Invalid packet
When trying to decrypt manually, it gives the same error message but the file is decrypted. But from Control-M the file is not decrypted and the job fails.

PGP - Verify signed key from a signed file received

Can you please help me with the following issue:
I have a file.pgp and I want to verify the user ID/key that signed it before decrypting the file.
Now I run:
Verify the file with pgp --verify "C:\Folder\file.pgp":
C:\Folder\file.pgp:verify (3042:suggested output file name file.txt)
C:\Folder\file.pgp:verify (3177:message signed by key ID 0xFRF5234B)
C:\Folder\file.pgp:verify (3038:signing key 0xFRF5234B UserPGP)
C:\Folder\file.pgp:verify (3040:signature created 2017-12-05T14:55:35+01:00)
C:\Folder\file.pgp:verify (3170:signature hash SHA-256)
C:\Folder\file.pgp:verify (3035:good signature)
C:\Folder\file.pgp:verify (0:verify complete)
Parse the output and check whether the signed-by key ID is 0xFRF5234B.
If the key ID is 0xFRF5234B, decrypt the file:
pgp --decrypt "C:\Folder\file.pgp" --output "C:\Folder\file.xml" --overwrite remove
Question: Is it possible to verify the signing user ID/key without parsing the output? Is there, for example, a command like:
pgp verify --signer 0xFRF5234B file.pgp
Thanks!
