{"id":293,"date":"2018-01-03T21:55:02","date_gmt":"2018-01-03T20:55:02","guid":{"rendered":"http:\/\/www.ingby.com\/?p=293"},"modified":"2018-01-03T21:55:02","modified_gmt":"2018-01-03T20:55:02","slug":"pgp-and-yubikey","status":"publish","type":"post","link":"https:\/\/www.ingby.com\/?p=293","title":{"rendered":"PGP and Yubikey"},"content":{"rendered":"<p>I was trying to implement client-side encryption of files backed up to <a href=\"https:\/\/icicimov.github.io\/blog\/devops\/Duplicity-encrypted-backups-to-Amazon-S3\/\">AWS S3 using Duplicity<\/a>, with keys on my <a href=\"https:\/\/www.yubico.com\/support\/knowledge-base\/categories\/articles\/use-yubikey-openpgp\/\">Yubikey Neo<\/a> created on an <a href=\"https:\/\/research.kudelskisecurity.com\/2017\/04\/28\/configuring-yubikey-for-gpg-and-u2f\/\">air gapped installation<\/a>. It worked with local PGP keys, but I didn&#8217;t get it to decrypt using my PGP key on the Yubikey.<\/p>\n<h2>TL;DR<\/h2>\n<p>Verify that you have the right PIN and that it hasn&#8217;t been blocked. A <code>PIN retry counter<\/code> line starting with 0 in the output of <code>gpg2 --card-status<\/code> means the user PIN is blocked, and gpg only reports this as an unhelpful <em>Card error<\/em>.<\/p>\n<h2>Testing<\/h2>\n<p>To rule out Duplicity, I performed a simple encrypt and decrypt round trip with gpg2 directly.<\/p>\n<p>Encrypt<br \/>\n<code>$ echo \"Hello\" | gpg2 -e &gt; test.enc<br \/>\nCurrent recipients:<br \/>\nrsa2048\/<strong>2ABD****<\/strong> 2017-07-17<br \/>\n<\/code><\/p>\n<p>Decrypt<br \/>\n<code>$ gpg2 -d &lt; test.enc<br \/>\ngpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17<br \/>\ngpg: public key decryption failed: Card error<br \/>\ngpg: decryption failed: No secret key<\/code><\/p>\n<p>Issuing this command prompted me for my PIN. 
However, the error did not make it clear whether the PIN was wrong or blocked.<\/p>\n<h2>Troubleshooting gpg-agent<\/h2>\n<p>First I killed the existing gpg-agent and started a new one in the console with debug logging:<br \/>\n<code><br \/>\n$ ps aux | grep gpg-agent<br \/>\n$ kill 12345<br \/>\n$ gpg-agent --daemon --no-detach -v -v --debug-level advanced --homedir ~\/.gnupg<br \/>\n<\/code><\/p>\n<p>which gave me this information:<br \/>\n<code><br \/>\ngpg-agent[20808]: DBG: chan_5 -> INQUIRE PINENTRY_LAUNCHED 25484<br \/>\ngpg-agent[20808]: DBG: chan_5 <- END<br \/>\ngpg-agent[20808]: DBG: chan_6 -> [ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...(76 byte(s) skipped) ]<br \/>\ngpg-agent[20808]: DBG: chan_6 -> END<br \/>\ngpg-agent[20808]: DBG: chan_6 <- ERR 100663404 Card error &lt;SCD&gt;<br \/>\ngpg-agent[20808]: smartcard decryption failed: Card error<br \/>\ngpg-agent[20808]: command 'PKDECRYPT' failed: Card error &lt;SCD&gt;<br \/>\ngpg-agent[20808]: DBG: chan_5 -> ERR 100663404 Card error &lt;SCD&gt;<br \/>\ngpg-agent[20808]: DBG: chan_5 <- [eof]<br \/>\ngpg-agent[20808]: DBG: chan_6 -> RESTART<br \/>\ngpg-agent[20808]: DBG: chan_6 <- OK<br \/>\n<\/code><\/p>\n<p>This <em>command 'PKDECRYPT' failed: Card error<\/em> originally got me wandering off in the wrong direction, but let's keep the story short(er). The <code>&lt;SCD&gt;<\/code> suffix only tells you that gpg-agent is relaying an error from scdaemon, i.e. from the card itself, so the agent log adds nothing beyond <em>Card error<\/em>.<\/p>\n<p>I checked if my Yubikey actually has that key 2ABD****:<\/p>\n<p><code><br \/>\n$ gpg2  --card-status<br \/>\n<br \/>\nReader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00<br \/>\nApplication ID ...: ****************<br \/>\nVersion ..........: 2.0<br \/>\nManufacturer .....: Yubico<br \/>\nSerial number ....: 01234567<br \/>\nName of cardholder: Christer Barreholm<br \/>\nLanguage prefs ...: sv<br \/>\nSex ..............: unspecified<br \/>\nURL of public key : **************<br \/>\nLogin data .......: christer<br \/>\nSignature PIN ....: forced<br \/>\nKey attributes ...: rsa2048 rsa2048 rsa2048<br \/>\nMax. 
PIN lengths .: 127 127 127<br \/>\n<b>PIN retry counter : 0 3 3<\/b><br \/>\nSignature counter : 1<br \/>\nSignature key ....: **** **** **** **** ****  **** **** **** 7E86 ****<br \/>\n      created ....: 2017-07-17 12:28:59<br \/>\nEncryption key....: **** **** **** **** ****  **** **** **** 2ABD ****<br \/>\n      created ....: 2017-07-17 12:29:13<br \/>\nAuthentication key: **** **** **** **** ****  **** **** **** 55FD ****<br \/>\n      created ....: 2017-07-17 12:31:46<br \/>\nGeneral key info..: sub  rsa2048\/7E866DD0 2017-07-17 Christer Barreholm &lt;christer@barreholm.se&gt;<br \/>\nsec#  rsa4096\/A56F****  created: 2017-07-17  expires: 2018-01-16<br \/>\nssb>  rsa2048\/7E86****  created: 2017-07-17  expires: 2018-01-16<br \/>\n                        card-no: 0006 01234567<br \/>\n<b>ssb>  rsa2048\/2ABD****  created: 2017-07-17  expires: 2018-01-16<\/b><br \/>\n                        card-no: 0006 01234567<br \/>\nssb>  rsa2048\/55FD****  created: 2017-07-17  expires: 2018-01-16<br \/>\n                        card-no: 0006 01234567<br \/>\n<\/code><\/p>\n<p>The key is there: <code>ssb&gt;<\/code> marks a subkey whose secret part lives on the card, and <code>sec#<\/code> a primary key whose secret part is not present in this keyring at all. But then I noticed <code>PIN retry counter : 0 3 3<\/code>. The three numbers are the remaining attempts for the user PIN, the Reset Code and the Admin PIN, in that order, so the leading 0 means the user PIN is blocked.<\/p>\n<p><code><br \/>\n$ gpg2 --change-pin<br \/>\ngpg: OpenPGP card no. ******************************* detected<br \/>\n<br \/>\n1 - change PIN<br \/>\n2 - unblock PIN<br \/>\n3 - change Admin PIN<br \/>\n4 - set the Reset Code<br \/>\nQ - quit<br \/>\n<br \/>\nYour selection? 2<br \/>\nPIN unblocked and new PIN set.<br \/>\n<\/code><\/p>\n<p>Option 2 asks for the Admin PIN and then for a new user PIN. Had the Admin PIN counter also been 0, the OpenPGP applet on the card would have had to be factory reset, which wipes the keys stored on it.<\/p>\n<p><code><br \/>\n$ gpg2  --card-status<br \/>\n...<br \/>\nPIN retry counter : 3 3 3<br \/>\n...<br \/>\n<\/code><\/p>\n<p>Looks better.<\/p>\n<p>Another try to decrypt:<br \/>\n<code><br \/>\n$ gpg2 -d &lt; test.enc<br \/>\ngpg: encrypted with 2048-bit RSA key, ID 2ABD****, created 2017-07-17<br \/>\nHello<br \/>\n<\/code><\/p>\n<p>Success!<\/p>\n<h2>Even longer story<\/h2>\n<p>I tried this back in July, but eventually gave up. 
There were indications that the issue was related to stubbed keys in the keyring.<br \/>\nBelow are some of the resources that led me in the wrong direction but are still interesting.<\/p>\n<p><a href=\"https:\/\/lists.gnupg.org\/pipermail\/gnupg-users\/2013-September\/047419.html\">Issues with primary key &amp; subkeys on different smartcards<\/a><br \/>\n<a href=\"https:\/\/forum.yubico.com\/viewtopic.php?f=35&#038;t=2237\">[Resolved] Trouble with GPG --card-status<\/a><br \/>\n<a href=\"https:\/\/github.com\/drduh\/YubiKey-Guide\">YubiKey Guide<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I was trying to implement client-side encryption of files backed up to AWS S3 using Duplicity, with keys on my Yubikey Neo created on an air gapped installation. It worked with local PGP keys, but I didn&#8217;t get it to decrypt using my PGP key on the Yubikey TL;DR Verify that you have the &hellip; <a href=\"https:\/\/www.ingby.com\/?p=293\" class=\"more-link\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28],"tags":[],"_links":{"self":[{"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/posts\/293"}],"collection":[{"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ingby.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=293"}],"version-history":[{"count":3,"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":296,"href":"https:\/\/www.ingby.com\/index.php?rest_route=\/wp\/v2\/posts\/293\/revisions\/296"}],"wp:attachment":[{"href":"https:\/\/www.ingby.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ingby.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ingby.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
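The post's fix boils down to one check the author did by hand: read the `PIN retry counter` line of `gpg2 --card-status` and see whether the first number (user PIN) or the third (Admin PIN) is 0 before blaming gpg-agent, stub keys or Duplicity. The script below is an added example, not code from the original post: it parses that line, names the blocked PIN in plain words, and only then attempts the decryption, so a blocked PIN surfaces as a clear message instead of the opaque `Card error`. The two `SAMPLE_*` listings are constructed from the post's output (key material omitted) so the parser can be exercised without a card; the function names are hypothetical, while `gpg2 --card-status`, `gpg2 --change-pin` and the column order user PIN / Reset Code / Admin PIN are GnuPG's own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the
# OpenPGP card's PIN retry counters before decrypting with gpg2.

# Constructed sample output, modelled on the post's `gpg2 --card-status`
# listing (the blocked state that caused the "Card error").
SAMPLE_BLOCKED='Reader ...........: Yubico Yubikey NEO OTP U2F CCID 01 00
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 0 3 3
Signature counter : 1'

# Constructed sample of the healthy state after "unblock PIN".
SAMPLE_OK='Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 1'

# pin_counters STATUS_TEXT
# Prints "USER RESET ADMIN": the three retry counters in the order gpg
# prints them (user PIN, Reset Code, Admin PIN). Returns 1 if the line is
# missing or not three decimal numbers, i.e. this is not a card listing.
pin_counters() {
    counters=$(printf '%s\n' "$1" | sed -n 's/^PIN retry counter *: *//p' | head -n 1)
    case "$counters" in
        ''|*[!0-9' ']*) return 1 ;;
    esac
    set -- $counters
    [ $# -eq 3 ] || return 1
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# pin_health STATUS_TEXT
# Prints one word: ok, user-pin-blocked, admin-pin-blocked, card-locked
# (both blocked) or no-card. Exit status is 0 only for "ok".
pin_health() {
    counters=$(pin_counters "$1") || { echo no-card; return 2; }
    set -- $counters
    user=$1 admin=$3
    if [ "$user" -eq 0 ] && [ "$admin" -eq 0 ]; then
        echo card-locked       # only a factory reset of the applet helps now
        return 1
    elif [ "$admin" -eq 0 ]; then
        echo admin-pin-blocked # user PIN still works, but cannot be unblocked
        return 1
    elif [ "$user" -eq 0 ]; then
        echo user-pin-blocked  # fix: gpg2 --change-pin, option 2 (needs Admin PIN)
        return 1
    fi
    echo ok
}

# card_decrypt FILE
# Queries the live card, refuses early with a readable reason if a PIN is
# blocked, and otherwise runs the same decryption the post attempted.
card_decrypt() {
    status=$(gpg2 --card-status 2>/dev/null) || { echo "no OpenPGP card found" >&2; return 2; }
    health=$(pin_health "$status") || {
        echo "card PIN state: $health (see gpg2 --change-pin)" >&2
        return 1
    }
    gpg2 -d < "$1"
}

# Demonstrate the parser on the constructed samples; decrypt a file if given.
echo "blocked sample: $(pin_health "$SAMPLE_BLOCKED")"
echo "ok sample:      $(pin_health "$SAMPLE_OK")"
if [ $# -eq 1 ]; then
    card_decrypt "$1"
fi
```

Run it as `sh card-preflight.sh test.enc`: with the card in the state the post describes it stops with `card PIN state: user-pin-blocked` instead of `gpg: public key decryption failed: Card error`, and after the `--change-pin` unblock it proceeds to `gpg2 -d` as normal.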