Signing and Encrypting file via GnuPG encryption

I'm trying to sign and encrypt a text file via GnuPG encryption from a command line, but I'm getting the following error:
sign+encrypt failed: No secret key
I know very little about GnuPG. Our client gave me two OpenPGP keys with .asc file extensions. He said file 1 is to sign the file and file 2 is to encrypt it.
File1.asc (to sign the file) looked something like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP 7.0.1
(key code here)
-----END PGP PRIVATE KEY BLOCK-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 7.0.1
(key code here)
-----END PGP PUBLIC KEY BLOCK-----
File2.asc (to encrypt) looked like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0
(key code here)
-----END PGP PUBLIC KEY BLOCK-----
I then tried running GnuPG via command line with something like the following:
gpg -r [file name of encryption key] -s -u [password client gave for signing] -o DirectoryWhereToOutputFile\sample.pgp -e DirectoryOfSampleFile\SampleFile
What do I need to change to get this to successfully sign and encrypt a file?

GnuPG does not use keys as files; you have to import them first and use their key IDs.
gpg --import [private-key]
gpg --import [public-key]
Then, use the key ID of the public key (the one to encrypt for):
gpg -r [key-id] -s -o [output-file] -e [input-file]
If you don't know the IDs, use gpg --list-keys to obtain a list of all known keys. gpg --list-secret-keys will only show those you have the private key for, thus the one you can use for signing.

In GnuPG, we generate keypair gpg --gen-key
Encrypt using shared/imported public key - gpg --recipient bob --encrypt filename
Decrypt using private key - gpg --decrypt sharedMessage.asc
Refer to https://linux.101hacks.com/unix/gpg-command-examples/

Related

Convert OpenSSH ED25519 Private Key Format to PEM format

I have generated an ED25519 SSH key pair using
ssh-keygen -t ed25519
The output of the id_ed25519 file is in OpenSSH format:
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I would like to convert it to a PEM file format. If it were an RSA key pair, there would be no need for that as an RSA id_rsa key is already in a PEM file format but the ED25519 key pair is an OpenSSH format.
How can I convert this to a PEM file format?
Use
ssh-keygen -p -f path/to/your/key -m pem
to convert your key file to PEM, but be sure to make a backup of the file first.
Taken from https://github.com/pickware/github-action-ssh-agent
I think this would work:
openssl pkey -in ed25519.pem -out ed25519.pub -pubout
It does for a private key generated this way:
openssl genpkey -algorithm ed25519 > ed25519.pem
I haven't tested ssh-keygen's private key format explicitly but I would assume that it is using OpenSSL under the hood. If the private key's base64 starts with "MC", then I would say it probably would be compatible.

Unable to encrypt private key using openssl

I have generated RSA key pairs using OpenSSH. I want to encrypt the private key with a passphrase using openssl.
I tried to encrypt the private key using openssl, but I am unable to do that as it gives an error message.
I used the command below to generate the RSA key pair:
ssh-keygen -t rsa -b 4096 -P '' -f ./Test-key
I used the command below to encrypt the private key using openssl:
rsa -des3 -in C:\Users\vkode200\Test-key -out C:\Users\vkode200\Test-key-encrypted -passout pass:"${pass}"
I am getting below error message :
15764:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto\pem\pem_lib.c:686:Expecting: ANY PRIVATE KEY
error in rsa
Below is the header of my generated private key:
-----BEGIN OPENSSH PRIVATE KEY-----
I have no clue and I spent a lot of time trying to figure out the issue, but no luck.
You can generate keys in old format by passing -m PEM:
ssh-keygen -t rsa -b 4096 -P '' -f ./Test-key -m PEM
Those should work fine with that openssl command.
If you need them in new format, you can make a copy and convert it in place with:
ssh-keygen -p -P '' -N '' -f ./Test-key -m PEM

Decrypt .gpg/.pgp file without a prompt

I've decrypted a file successfully using:
gpg --encrypt --recipient user#company.com myfile.txt
If I run the command below, I'm prompted for a passphrase, and decryption works:
gpg --output decrypted_myfile.txt --decrypt myfile.txt.gpg
I can't seem to get any form of non-interactive decryption working. The closest I've come is:
gpg --decrypt --batch --passphrase MYPASSPHRASE myfile.txt.gpg
This gives me:
gpg: encrypted with 2048-bit RSA key, ID F6CF3C25, created 2016-03-17
"Company_20210316 (Incoming Files) <user#company.com>"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
Is there a different way to do it?
Having error like:
gpg: decryption failed: No secret key
simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if:
gpg --list-secret-keys if it has a private key there and if not,
Import it and then trust it.
To trust, use:
gpg --edit-key <yourKey> then "trust" then "5" then "quit"
To get your keyID run:
gpg --edit-key <yourKey> then
On the first line you'll see: "Private key available"
Then two sub-keys on the left of the first, you'll see similar to:
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your
E7E43C5C844E2917
So to explicitly export from where it was generated, the key to a file, you need to use that like this:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
This will create a secret key in a file ONLY, unlike if you use keyname in the export call. Then it will contain more than that.
Then to import use:
gpg --import yourSecretKey.asc
Then check your key in the list updated. Add a trust if needed.
Then the line to decrypt, copied from the terminal of my Mac and tested, works w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt and
-o the same as --output
And the value of the passphrase is the actual value I used in my test to decrypt the above and not the variable. The same created during the time key generated, and actual recommendation is to use a longer set of characters but actually any number is accepted.
Having error like: gpg: decryption failed: No secret key simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if gpg -k (same as gpg --list-keys) has a private key there and import it and then trust it,
To add trust, use "1 to 5":
gpg --edit-key <yourKey>
then trust then 5 then quit
To get your keyID run:
gpg --edit-key <yourKey>
then first line you'll see: Private key available
then two sub-keys on the left of the first you'll see
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your <keyID> E7E43C5C844E2917
so, to explicitly export from where it was generated, the key to a file you need to use that like:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
this will create secret key in a file ONLY, unlike if you use keyname in the export call then it will contain more than that.
Then to import use:
gpg --import yourSecretKey.asc
then check your key in the list updated. Add trust if needed.
Then the line to decrypt, copied from the terminal of my Mac and tested, works w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt just like -o is the same as --output
You can try this command:
echo YourPassword | gpg --output File.txt --batch --passphrase-fd 0 --decrypt file.pgp

ssh-keygen and openssl gives two different public keys

Is it possible that ssh-keygen & openssl can generate two different public keys from same private key? Command ssh-keygen -y -f ./my.key gives (contents after ssh-rsa in the same line) different public key to the one generated (contents between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----) with command openssl rsa -in my.key -pubout .
It's the same key but different representations. OpenSSL uses X.509 SubjectPublicKeyInfo in ASN.1, usually (including here) wrapped in PEM; OpenSSH (except 'rsa1' keys for SSHv1 which is broken and you shouldn't use) uses the XDR-like SSH wire format, in base64.
Dupe or neardupe:
Convert pem key to ssh-rsa format
RSA Public Key format
Convert RSA public key to RSA DER
Converting an OpenSSL generated RSA public key to OpenSSH format (PHP)
How to convert RSA key to ssh-rsa
How to store/retrieve RSA public/private key (buried in the middle)
and less obvious cross-stack https://security.stackexchange.com/questions/42268/how-do-i-get-the-rsa-bit-length-with-the-pubkey-and-openssl
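The two representations named in the answer above, built from and parsed back to the same (n, e) pair; this is an added example, not code from the thread. The toy modulus and all function names are assumptions made for illustration. Note the field order differs too: the SSH blob stores type, e, n, while the ASN.1 structure stores n, then e.

```python
import base64, struct

N, E = (2**127 - 1) * (2**89 - 1), 65537  # constructed toy key, for format study only
ALG_RSA = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption, NULL

def ibytes(x):  # minimal big-endian bytes, with a leading 0x00 when the top bit is set
    return x.to_bytes(x.bit_length() // 8 + 1, "big")

def sstr(b):  # SSH wire "string": uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b

def tlv(tag, body):  # DER tag-length-value, definite length
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + body

def to_openssh(n, e):  # layout of the line printed by ssh-keygen -y
    blob = sstr(b"ssh-rsa") + sstr(ibytes(e)) + sstr(ibytes(n))
    return "ssh-rsa " + base64.b64encode(blob).decode()

def to_spki_pem(n, e):  # layout of the block printed by openssl rsa -pubout
    rsa = tlv(0x30, tlv(0x02, ibytes(n)) + tlv(0x02, ibytes(e)))
    der = tlv(0x30, ALG_RSA + tlv(0x03, b"\x00" + rsa))
    return "-----BEGIN PUBLIC KEY-----\n" + base64.encodebytes(der).decode() + "-----END PUBLIC KEY-----\n"

def read_tlv(buf, pos=0):  # returns (tag, body, offset of the next element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def from_openssh(line):
    blob, pos, fields = base64.b64decode(line.split()[1]), 0, []
    while pos < len(blob):
        (n,) = struct.unpack_from(">I", blob, pos)
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    kind, e, n = fields  # SSH order: key type, e, n
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def from_spki_pem(pem):
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = read_tlv(base64.b64decode(b64))
    _, _, p = read_tlv(spki)           # AlgorithmIdentifier
    _, bits, _ = read_tlv(spki, p)     # BIT STRING
    _, rsa, _ = read_tlv(bits[1:])     # skip the unused-bits byte
    _, n, p = read_tlv(rsa)            # ASN.1 order: n, e
    _, e, _ = read_tlv(rsa, p)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")
```

Comparing the decoded (n, e) pairs, rather than the base64 text, is the reliable way to confirm that two public key files belong to the same private key.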

Get private key from .pk file

I have a .pk file that should contain a private key. I can not find any information about this file format. Is it similar to .pkcs12?
How can I retrieve the private key from this kind of file?
According to fileinfo.com .pk is not a known certificate store file extension. Maybe you could ask from the source of the file why they named it like that.
Check if it's pkcs12 file by trying to output info about the file:
openssl pkcs12 -info -in yourfile.pk
If it's pkcs12 then you can export the private key from it with the following command:
openssl pkcs12 -in yourfile.pk -nocerts -nodes -out privatekey.pem
Obviously, your file is in PEM format. You can check the file in text editor for -----BEGIN texts to see what's inside. Can you see BEGIN ENCRYPTED PRIVATE KEY or BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY text in the file? Are there also certificate(s) in the same file, i.e. can you see BEGIN RSA PUBLIC KEY or BEGIN PUBLIC KEY once or multiple times?
You can remove a passphrase from RSA private key like this:
openssl rsa -in yourfile.pk -out privatekey.pem
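Added example, not from any of the answers above: a triage of the -----BEGIN labels in a key file, which is what both the "Expecting: ANY PRIVATE KEY" error in the earlier openssl thread and the advice here to look for -----BEGIN texts come down to. The names `triage` and `openssh_header` and the sample key (dummy all-zero material) are constructed for illustration.

```python
import base64, re, struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# Labels that `openssl rsa` / `openssl pkey` accept as a private key
OPENSSL_PRIVATE = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
                   "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
MAGIC = b"openssh-key-v1\0"

def take(buf, pos):  # SSH "string": uint32 length, then the bytes
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def openssh_header(body_b64):
    """Return (key type, passphrase-protected?) from an openssh-key-v1 container."""
    raw = base64.b64decode(body_b64)
    if not raw.startswith(MAGIC):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, pos = take(raw, len(MAGIC))
    kdf, pos = take(raw, pos)
    kdf_options, pos = take(raw, pos)
    pub, _ = take(raw, pos + 4)          # skip the uint32 key count
    keytype, _ = take(pub, 0)
    return keytype.decode(), cipher != b"none"

def triage(text):
    """One finding per PEM block: (label, accepted by openssl as private key, detail)."""
    out = []
    for label, body in PEM_RE.findall(text):
        if label == "OPENSSH PRIVATE KEY":
            keytype, enc = openssh_header("".join(body.split()))
            out.append((label, False, f"{keytype}, {'encrypted' if enc else 'no passphrase'}"))
        elif label in OPENSSL_PRIVATE:
            enc = label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body
            out.append((label, True, "encrypted" if enc else "no passphrase"))
        else:
            out.append((label, False, "no OpenSSL or OpenSSH private key in this block"))
    return out

# Constructed sample: an openssh-key-v1 container holding dummy all-zero key material.
def s(b):
    return struct.pack(">I", len(b)) + b

PUB = s(b"ssh-ed25519") + s(bytes(32))
BLOB = MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1) + s(PUB) + s(bytes(8))
SAMPLE = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(BLOB).decode()
          + "-----END OPENSSH PRIVATE KEY-----\n"
          "-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n")
```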
