
PGP and Yubikey

I was trying to implement client-side encryption of files backed up to AWS S3 using Duplicity, with keys on my Yubikey Neo that had been created on an air-gapped installation. It worked with local PGP keys, but I couldn't get it to decrypt using the PGP key on the Yubikey.

TL;DR

Verify that you have the right PIN and that it hasn't been blocked...

Testing

To rule out Duplicity I performed a simple encryption and decryption with gpg2 directly.

Encrypt
$ echo "Hello" |gpg2 -e > test.enc
Current recipients:
rsa2048/2ABD**** 2017-07-17

Decrypt
$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key

Issuing this command prompted me for my PIN. However, the error didn't make clear whether the PIN was wrong or had been blocked.

Troubleshooting gpg agent

First I killed the existing gpg-agent and started a new one in the console with debug logging:

$ ps aux | grep gpg-agent
$ kill 12345
$ gpg-agent --daemon --no-detach -v -v --debug-level advanced --homedir ~/.gnupg

which gave me this information:

gpg-agent[20808]: DBG: chan_5 -> INQUIRE PINENTRY_LAUNCHED 25484
gpg-agent[20808]: DBG: chan_5 <- END
gpg-agent[20808]: DBG: chan_6 -> [ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
gpg-agent[20808]: DBG: chan_6 -> END
gpg-agent[20808]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[20808]: smartcard decryption failed: Card error
gpg-agent[20808]: command 'PKDECRYPT' failed: Card error
gpg-agent[20808]: DBG: chan_5 -> ERR 100663404 Card error
gpg-agent[20808]: DBG: chan_5 <- [eof]
gpg-agent[20808]: DBG: chan_6 -> RESTART
gpg-agent[20808]: DBG: chan_6 <- OK

The message "command 'PKDECRYPT' failed: Card error" originally got me wandering off in the wrong direction, but let's keep the story short(er).

I checked whether my Yubikey actually has that key 2ABD****:


$ gpg2 --card-status

Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
Application ID ...: ****************
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 01234567
Name of cardholder: Christer Barreholm
Language prefs ...: sv
Sex ..............: unspecified
URL of public key : **************
Login data .......: christer
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 1
Signature key ....: **** **** **** **** **** **** **** **** 7E86 ****
created ....: 2017-07-17 12:28:59
Encryption key....: **** **** **** **** **** **** **** **** 2ABD ****
created ....: 2017-07-17 12:29:13
Authentication key: **** **** **** **** **** **** **** **** 55FD ****
created ....: 2017-07-17 12:31:46
General key info..: sub rsa2048/7E866DD0 2017-07-17 Christer Barreholm
sec# rsa4096/A56F**** created: 2017-07-17 expires: 2018-01-16
ssb> rsa2048/7E86**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/2ABD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/55FD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567

The key is there, but then I noticed PIN retry counter : 0 3 3. The three values are the remaining retries for the user PIN, the Reset Code and the Admin PIN, so a first value of 0 means the user PIN is blocked.


$ gpg2 --change-pin
gpg: OpenPGP card no. ******************************* detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
PIN unblocked and new PIN set.


$ gpg2 --card-status
...
PIN retry counter : 3 3 3
...

Looks better.

Another try to decrypt:

$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
Hello

Success!
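The check I would have wanted before chasing gpg-agent logs is a quick read of the PIN retry counters. The script below is an added example, not part of the original post: it parses the "PIN retry counter" line of gpg2 --card-status output (fed on stdin, here from a constructed sample that mirrors the blocked state above) and reports which of the user PIN, Reset Code or Admin PIN has no retries left. With a live card you would run gpg2 --card-status | check_pin_counters.

```shell
#!/bin/sh
# Added example (not from the original post): detect a blocked OpenPGP card PIN
# from `gpg2 --card-status` output before a backup job fails on "Card error".

# Constructed sample: the relevant lines of card-status output with the user
# PIN blocked (first counter 0), as in the post.
SAMPLE_BLOCKED='Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
PIN retry counter : 0 3 3
Signature counter : 1'

# Constructed sample after unblocking the PIN.
SAMPLE_OK='Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
PIN retry counter : 3 3 3
Signature counter : 1'

# check_pin_counters reads card-status output on stdin and prints one line per
# counter. The three numbers on the line are, in order, the retries left for
# the user PIN, the Reset Code and the Admin PIN.
# Exit status: 0 = all counters non-zero, 1 = at least one PIN blocked,
# 2 = no counter line found (no card inserted, or unexpected output format).
check_pin_counters() {
    line=$(grep '^PIN retry counter' || true)
    if [ -z "$line" ]; then
        echo "no 'PIN retry counter' line found (card not detected?)"
        return 2
    fi
    counters=${line#*:}           # text after the colon: " 0 3 3"
    set -- $counters              # split into $1 $2 $3
    if [ $# -ne 3 ]; then
        echo "unexpected counter format: $line"
        return 2
    fi
    for n in "$@"; do
        case $n in
            ''|*[!0-9]*) echo "unexpected counter format: $line"; return 2 ;;
        esac
    done
    rc=0
    for pair in "user PIN=$1" "Reset Code=$2" "Admin PIN=$3"; do
        name=${pair%=*}
        n=${pair#*=}
        if [ "$n" -eq 0 ]; then
            echo "$name: BLOCKED (0 retries left)"
            rc=1
        else
            echo "$name: $n retries left"
        fi
    done
    return $rc
}

# Demonstration on the constructed samples. On a real system:
#   gpg2 --card-status | check_pin_counters
printf '%s\n' "$SAMPLE_BLOCKED" | check_pin_counters \
    || echo "-> a PIN is blocked; unblock it with 'gpg2 --change-pin', option 2"
printf '%s\n' "$SAMPLE_OK" | check_pin_counters
```

Running this as a pre-flight step in the backup job turns the opaque "public key decryption failed: Card error" into an explicit "user PIN: BLOCKED" message, and the exit status lets the job abort before it tries to decrypt anything.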

Even longer story

I tried this back in July, but eventually gave up. There were indications that the issue was related to stubbed keys in the keyring.
Below are some of the resources that led me in the wrong direction but are still interesting.

Issues with primary key & subkeys on different smartcards
[Resolved] Trouble with GPG --card-status
YubiKey Guide

Ubuntu 12.04 LTS and HWE

Ubuntu 12.04 LTS got something called the Hardware Enablement Stack (HWE), to support newer hardware. An LTS release is supported for 5 years. There are different versions of the HWE, only some of which are supported for the full LTS lifetime. More info here:
HWE End-of-life

To make this story short: I want to remain on 12.04 LTS, so I decided to upgrade the HWE. However, the upgrade failed due to a full /boot, leading to clean-up efforts. Therefore, make sure to check your disk before starting the HWE upgrade:

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/xyz-root 40G 28G 9,7G 75% /
udev 2,0G 4,0K 2,0G 1% /dev
tmpfs 396M 304K 396M 1% /run
none 5,0M 0 5,0M 0% /run/lock
none 2,0G 0 2,0G 0% /run/shm
/dev/vda1 228M 210M 5,9M 98% /boot

That is not enough space.

Run the following to identify old kernels to remove:
$ dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d'

I found, for example, that I had a 3.5.0-42 kernel that I could remove:

$ sudo apt-get purge linux-image-3.5.0-42-generic linux-headers-3.5.0-42 linux-headers-3.5.0-42-generic

$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/xyz-root 40G 27G 11G 73% /
udev 2,0G 12K 2,0G 1% /dev
tmpfs 396M 308K 396M 1% /run
none 5,0M 0 5,0M 0% /run/lock
none 2,0G 0 2,0G 0% /run/shm
/dev/vda1 228M 151M 65M 70% /boot

Enough space, so let's upgrade:

$ sudo apt-get install linux-generic-lts-trusty linux-image-generic-lts-trusty

Reboot and get the greeting “Your Hardware Enablement Stack (HWE) is supported until April 2017.”
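The two checks above (is /boot full, and which old kernels can go) are worth scripting as a pre-flight step so the HWE upgrade never starts on a full /boot. The script below is an added example, not from the original post: both functions read command output on stdin, so they are shown here against constructed samples (a df line modelled on the post's 98% /boot, and assumed dpkg -l package names and versions). On a live system you would feed them df -Pm /boot and dpkg -l 'linux-*' with uname -r as the running kernel; removable_kernels is a readable awk version of the sed one-liner in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for an HWE
# upgrade on Ubuntu 12.04. Live usage:
#   df -Pm /boot | boot_has_room 60 || echo "/boot too full"
#   dpkg -l 'linux-*' | removable_kernels "$(uname -r)"

# Constructed sample of `df -Pm /boot` (POSIX format, 1 MiB blocks).
SAMPLE_DF='Filesystem     1M-blocks  Used Available Use% Mounted on
/dev/vda1            228   210         6  98% /boot'

# Constructed sample of `dpkg -l 'linux-*'` (assumed names and versions).
# "ii" = installed, "rc" = removed with config files left behind.
SAMPLE_DPKG='ii  linux-headers-3.5.0-42          3.5.0-42.65~precise1  Header files related to Linux kernel version 3.5.0
ii  linux-headers-3.5.0-42-generic  3.5.0-42.65~precise1  Linux kernel headers for version 3.5.0 on 64 bit x86 SMP
ii  linux-image-3.5.0-42-generic    3.5.0-42.65~precise1  Linux kernel image for version 3.5.0 on 64 bit x86 SMP
ii  linux-image-3.5.0-54-generic    3.5.0-54.81~precise1  Linux kernel image for version 3.5.0 on 64 bit x86 SMP
ii  linux-image-generic-lts-quantal 3.5.0.54.59           Generic Linux kernel image
rc  linux-image-3.2.0-23-generic    3.2.0-23.36           Linux kernel image for version 3.2.0 on 64 bit x86 SMP'

# boot_free_mb: print the Available column (MiB) of the /boot mount, if any.
boot_free_mb() {
    awk '$6 == "/boot" { print $4 }'
}

# boot_has_room MIN_MB: exit 0 if /boot has at least MIN_MB free, else 1.
# A missing /boot line (no separate /boot partition) also returns 1, so the
# caller has to decide explicitly rather than assume there is room.
boot_has_room() {
    free=$(boot_free_mb)
    [ -n "$free" ] && [ "$free" -ge "$1" ]
}

# removable_kernels RUNNING: print installed (ii) linux-* packages whose name
# carries a version number (meta packages such as linux-image-generic-lts-*
# have none and are skipped) and that do not belong to the running kernel.
# RUNNING is the `uname -r` string, e.g. 3.5.0-54-generic; the flavour suffix
# is stripped so headers packages like linux-headers-3.5.0-54 are kept too.
removable_kernels() {
    running=${1%-*}          # 3.5.0-54-generic -> 3.5.0-54
    awk -v run="$running" '
        $1 == "ii" && $2 ~ /[0-9]/ && index($2, run) == 0 { print $2 }'
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_DF" | boot_has_room 60; then
    echo "/boot has room for another kernel"
else
    echo "/boot too full for the HWE kernel; candidate packages to purge:"
    printf '%s\n' "$SAMPLE_DPKG" | removable_kernels 3.5.0-54-generic
fi
```

The threshold is deliberately a parameter: a 12.04 kernel plus headers and initramfs needs tens of megabytes, and the 5.9M left in the post's first df output would not have fitted even one. The rc line in the sample shows why the filter keys on "ii": a package already removed must not be offered for purging again.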