I was trying to implement client-side encryption of files backed up to AWS S3 using Duplicity, with keys on my Yubikey Neo that were created on an air-gapped installation. It worked with local PGP keys, but I couldn't get it to decrypt using the PGP key on the Yubikey.
TL;DR
Verify that you have the right PIN and that it hasn't been blocked…
Testing
To rule out Duplicity, I performed a simple encryption and decryption with gpg2 alone:
Encrypt
$ echo "Hello" |gpg2 -e > test.enc
Current recipients:
rsa2048/2ABD**** 2017-07-17
Decrypt
$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key
Issuing this command prompted me for my PIN. However, the error didn't make clear whether the PIN was wrong or blocked.
Troubleshooting gpg agent
First I killed the existing gpg-agent and started a new one in the console with debug logging:
$ ps aux | grep gpg-agent
$ kill 12345
$ gpg-agent --daemon --no-detach -v -v --debug-level advanced --homedir ~/.gnupg
which gave me this information:
gpg-agent[20808]: DBG: chan_5 -> INQUIRE PINENTRY_LAUNCHED 25484
gpg-agent[20808]: DBG: chan_5 <- END
gpg-agent[20808]: DBG: chan_6 -> [ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
gpg-agent[20808]: DBG: chan_6 -> END
gpg-agent[20808]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[20808]: smartcard decryption failed: Card error
gpg-agent[20808]: command 'PKDECRYPT' failed: Card error
gpg-agent[20808]: DBG: chan_5 -> ERR 100663404 Card error
gpg-agent[20808]: DBG: chan_5 <- [eof]
gpg-agent[20808]: DBG: chan_6 -> RESTART
gpg-agent[20808]: DBG: chan_6 <- OK
This command 'PKDECRYPT' failed: Card error originally got me wandering off in the wrong direction, but let's keep the story short(er).
I checked whether my Yubikey actually has that key, 2ABD****:
$ gpg2 --card-status
Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
Application ID ...: ****************
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 01234567
Name of cardholder: Christer Barreholm
Language prefs ...: sv
Sex ..............: unspecified
URL of public key : **************
Login data .......: christer
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 1
Signature key ....: **** **** **** **** **** **** **** **** 7E86 ****
created ....: 2017-07-17 12:28:59
Encryption key....: **** **** **** **** **** **** **** **** 2ABD ****
created ....: 2017-07-17 12:29:13
Authentication key: **** **** **** **** **** **** **** **** 55FD ****
created ....: 2017-07-17 12:31:46
General key info..: sub rsa2048/7E866DD0 2017-07-17 Christer Barreholm
sec# rsa4096/A56F**** created: 2017-07-17 expires: 2018-01-16
ssb> rsa2048/7E86**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/2ABD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/55FD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
The key is there, but then I noticed PIN retry counter : 0 3 3. The first of the three values is the remaining retries for the user PIN (the other two are the Reset Code and the Admin PIN), so the user PIN was blocked.
$ gpg2 --change-pin
gpg: OpenPGP card no. ******************************* detected
1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit
Your selection? 2
PIN unblocked and new PIN set.
$ gpg2 --card-status
...
PIN retry counter : 3 3 3
...
Looks better.
Another try to decrypt:
$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
Hello
Success!
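As an added example (not code from the original post), here is a POSIX shell function that parses the PIN retry counter line of gpg2 --card-status output and reports a blocked PIN before you start digging through gpg-agent logs for a "Card error". The sample status text is constructed from the output shown above; the counter order (user PIN, Reset Code, Admin PIN) is GnuPG's.

```shell
#!/bin/sh
# Added example: check the "PIN retry counter" line from `gpg2 --card-status`
# (read on stdin) and report which PIN is exhausted.
# Exit status: 0 = user and Admin PIN still have retries,
#              1 = user PIN or Admin PIN is blocked,
#              2 = the line is missing or malformed.
check_pin_retries() {
    line=$(grep '^PIN retry counter' | head -n 1)
    if [ -z "$line" ]; then
        echo "no 'PIN retry counter' line found in card status" >&2
        return 2
    fi
    # Keep only the numbers after the colon, e.g. "0 3 3", as $1 $2 $3.
    set -- ${line#*:}
    if [ $# -ne 3 ]; then
        echo "unexpected counter format: ${line#*:}" >&2
        return 2
    fi
    for v in "$@"; do
        case $v in
            ''|*[!0-9]*) echo "non-numeric counter: $v" >&2; return 2 ;;
        esac
    done
    blocked=0
    # Counter order: user PIN, Reset Code, Admin PIN.
    if [ "$1" -eq 0 ]; then echo "user PIN is blocked (0 retries left)"; blocked=1; fi
    # A Reset Code counter of 0 also appears when no Reset Code was ever set,
    # so it is reported but does not change the exit status.
    if [ "$2" -eq 0 ]; then echo "Reset Code has 0 retries (not set or blocked)"; fi
    if [ "$3" -eq 0 ]; then echo "Admin PIN is blocked (0 retries left)"; blocked=1; fi
    return $blocked
}

# Constructed sample mirroring the output in the post (not real card data).
SAMPLE_STATUS='Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
PIN retry counter : 0 3 3
Signature counter : 1'

# Stand-alone run on the sample; against a live card use:
#   gpg2 --card-status | check_pin_retries
if printf '%s\n' "$SAMPLE_STATUS" | check_pin_retries; then
    echo "no PIN is blocked; a Card error is probably something else"
fi
```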
Even longer story
I tried this back in July, but eventually gave up. There were indications that the issue was related to stubbed keys in the keyring.
Below are some of the resources that led me in the wrong direction, but are still interesting:
Issues with primary key & subkeys on different smartcards
[Resolved] Trouble with GPG --card-status
YubiKey Guide