PGP and Yubikey

I was trying to implement client-side encryption of files backed up to AWS S3 using Duplicity, with keys on my Yubikey Neo created on an air-gapped installation. It worked with local PGP keys, but I didn't get it to decrypt using my PGP key on the Yubikey.

TL;DR

Verify that you have the right PIN and that it hasn't been blocked.

Testing

To rule out Duplicity I performed a simple encryption.

Encrypt
$ echo "Hello" |gpg2 -e > test.enc
Current recipients:
rsa2048/2ABD**** 2017-07-17

Decrypt
$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key

Issuing this command prompted me for my PIN. However, the error didn't make it clear whether the PIN was wrong or blocked.

Troubleshooting gpg agent

First I killed the existing gpg-agent and started a new one in the console with debug logging:

$ ps aux | grep gpg-agent
$ kill 12345
$ gpg-agent --daemon --no-detach -v -v --debug-level advanced --homedir ~/.gnupg

which gave me this information:

gpg-agent[20808]: DBG: chan_5 -> INQUIRE PINENTRY_LAUNCHED 25484
gpg-agent[20808]: DBG: chan_5 <- END
gpg-agent[20808]: DBG: chan_6 -> [ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]
gpg-agent[20808]: DBG: chan_6 -> END
gpg-agent[20808]: DBG: chan_6 <- ERR 100663404 Card error
gpg-agent[20808]: smartcard decryption failed: Card error
gpg-agent[20808]: command 'PKDECRYPT' failed: Card error
gpg-agent[20808]: DBG: chan_5 -> ERR 100663404 Card error
gpg-agent[20808]: DBG: chan_5 <- [eof]
gpg-agent[20808]: DBG: chan_6 -> RESTART
gpg-agent[20808]: DBG: chan_6 <- OK

This command 'PKDECRYPT' failed: Card error originally got me wandering off in the wrong direction, but let's keep the story short(er).

I checked if my Yubikey actually has that key 2ABD****:


$ gpg2 --card-status

Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
Application ID ...: ****************
Version ..........: 2.0
Manufacturer .....: Yubico
Serial number ....: 01234567
Name of cardholder: Christer Barreholm
Language prefs ...: sv
Sex ..............: unspecified
URL of public key : **************
Login data .......: christer
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 1
Signature key ....: **** **** **** **** **** **** **** **** 7E86 ****
created ....: 2017-07-17 12:28:59
Encryption key....: **** **** **** **** **** **** **** **** 2ABD ****
created ....: 2017-07-17 12:29:13
Authentication key: **** **** **** **** **** **** **** **** 55FD ****
created ....: 2017-07-17 12:31:46
General key info..: sub rsa2048/7E866DD0 2017-07-17 Christer Barreholm
sec# rsa4096/A56F**** created: 2017-07-17 expires: 2018-01-16
ssb> rsa2048/7E86**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/2ABD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567
ssb> rsa2048/55FD**** created: 2017-07-17 expires: 2018-01-16
card-no: 0006 01234567

The key is there, but then I noticed PIN retry counter: 0 3 3.


$ gpg2 --change-pin
gpg: OpenPGP card no. ******************************* detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 2
PIN unblocked and new PIN set.


$ gpg2 --card-status
...
PIN retry counter : 3 3 3
...

Looks better.

Another try to decrypt:

$ gpg2 -d < test.enc
gpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17
Hello

Success!
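As an added example (not code from the original post), here is a small POSIX shell check that reads the output of gpg2 --card-status and reports whether the user PIN is blocked before a decryption is attempted, so the cause shows up as a clear message instead of "Card error" / "No secret key". The card-status text embedded below is constructed from the lines shown in the post, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example: inspect the "PIN retry counter" line of `gpg2 --card-status`.
# GnuPG prints the three counters in the order user PIN, Reset Code, Admin PIN.

# Read card-status text on stdin; print "<pin> <reset> <admin>" on a match.
pin_retry_counters() {
    sed -n 's/^PIN retry counter *: *\([0-9][0-9]*\) *\([0-9][0-9]*\) *\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# Return 0 if the user PIN still has retries left, 1 if it is blocked,
# 2 if no counter line was found in the input.
check_user_pin() {
    counters=$(pin_retry_counters)
    if [ -z "$counters" ]; then
        echo "no PIN retry counter line found in card status" >&2
        return 2
    fi
    set -- $counters
    if [ "$1" -eq 0 ]; then
        echo "user PIN is blocked (retry counter 0); unblock it with gpg2 --change-pin, option 2" >&2
        return 1
    fi
    echo "user PIN has $1 retries left (reset code: $2, admin PIN: $3)"
    return 0
}

# Constructed sample output (not captured from a real card), modelled on the post.
SAMPLE_BLOCKED='Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
Version ..........: 2.0
PIN retry counter : 0 3 3
Signature counter : 1'

SAMPLE_OK='Version ..........: 2.0
PIN retry counter : 3 3 3
Signature counter : 1'

# Against a real card:  gpg2 --card-status | check_user_pin
```

Run the check before a gpg2 -d (or a Duplicity restore) so a zero user-PIN counter is reported up front.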

Even longer story

I tried this back in July, but eventually gave up. There were indications that the issue was related to stubbed keys in the keyring.
Below are some of the resources that got me in the wrong direction, but are still interesting.

Issues with primary key & subkeys on different smartcards
[Resolved] Trouble with GPG --card-status
YubiKey Guide
