1. 2016-12-22 - Import and remove gpg key with rpm; Tags: Import and remove gpg key with rpm

    Import and remove gpg key with rpm

    I got to check out Elasticsearch Curator. Elastic uses the PGP key D88E42B4. Since I was working with RHEL 7, I had to use rpm and yum to install packages.

    Install or import the public key into the keyring:

    rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

    After the proof of concept I cleaned up and removed the key again.

    Query installed keys:

    root@omega:~# rpm -q gpg-pubkey

    The last key in the list is the one imported from Elastic. Remove it with:

    rpm --erase --allmatches gpg-pubkey-d88e42b4-52371eca
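    Instead of relying on the key being the last entry of the list, the package can be selected by its key id; rpm names imported keys gpg-pubkey-<key id, lowercase>-<creation time in hex>. The following helper is an added example, not part of the original post; the query output it parses is a constructed sample (the first key is made up).

```shell
#!/bin/sh
# Added example, not from the original post: find the gpg-pubkey package for
# a key id instead of relying on its position in the `rpm -q gpg-pubkey` list.
# rpm names imported keys gpg-pubkey-<key id, lowercase>-<creation time hex>,
# so Elastic's D88E42B4 shows up as gpg-pubkey-d88e42b4-52371eca.

# Constructed sample of the query below (the first key is made up):
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
SAMPLE_RPM_OUTPUT='gpg-pubkey-0123abcd-4f4d7b5a gpg(Example Distro Signing Key <security@example.org>)
gpg-pubkey-d88e42b4-52371eca gpg(Elasticsearch (Elasticsearch Signing Key) <dev_ops@elasticsearch.org>)'

# pubkey_pkgs_for KEYID [RPM_OUTPUT]: print every package name whose key id
# part equals KEYID (case-insensitive). Uses the sample if no output is given.
pubkey_pkgs_for() {
    keyid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "${2:-$SAMPLE_RPM_OUTPUT}" |
        awk -v prefix="gpg-pubkey-$keyid-" 'index($1, prefix) == 1 { print $1 }'
}

# select_pubkey_pkg KEYID [RPM_OUTPUT]: print exactly one package name, or fail
# when the id is unknown or ambiguous, so a typo never erases a distro key.
select_pubkey_pkg() {
    matches=$(pubkey_pkgs_for "$1" "$2")
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "select_pubkey_pkg: $count package(s) match key id $1" >&2
        return 1
    fi
    printf '%s\n' "$matches"
}

# remove_pubkey KEYID: erase the key package on a real RHEL/CentOS host.
remove_pubkey() {
    pkg=$(select_pubkey_pkg "$1" "$(rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n')") &&
        rpm --erase "$pkg"
}
```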
  2. 2016-03-02 - Change key-server URL on GnuPG smartcard; Tags: Change key-server URL on GnuPG smartcard

    Change key-server URL on GnuPG smartcard

    I just set up my new Linux development environment. I tried to import my GnuPG keys and failed because the keyserver stored on the card no longer existed. This post demonstrates how to change the keyserver on the card and fetch your public key from it.

    First, open the smart card for editing.

    tan@pavilion:~$ gpg --card-edit
    Application ID ...: D2760001240102000005000013380000
    Version ..........: 2.0
    Manufacturer .....: ZeitControl
    Serial number ....: 00001338
    Name of cardholder: Tan-Vinh Nguyen
    Language prefs ...: de
    Sex ..............: male
    URL of public key : x-hkp://keys.gnupg.net
    Login data .......: [not set]
    Signature PIN ....: forced
    Key attributes ...: 2048R 1024R 2048R
    Max. PIN lengths .: 32 32 32
    PIN retry counter : 3 3 3
    Signature counter : 12
    Signature key ....: 194E 8306 8A0B E98E F652  A26E 4ABB 594B 5E39 6988
          created ....: 2012-03-30 21:36:12
    Encryption key....: 2C12 F108 5410 0F9E F8C1  091E 8E72 9373 E29C F3C9
          created ....: 2012-03-30 21:36:55
    Authentication key: 1CD7 2E69 425C 29A0 C963  EEEF E337 6331 F981 E710
          created ....: 2012-03-30 21:36:55
    General key info..: [none]

    Running fetch (which fetches the key from the stored URL) at the card prompt complains that no valid OpenPGP data was found.

    gpg/card> fetch
    gpg: requesting key 5E396988 from hkp server keys.gnupg.net
    gpgkeys: key 194E83068A0BE98EF652A26E4ABB594B5E396988 can't be retrieved
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

    Now we change the key server. First we have to enable the admin commands (admin at the card prompt), then we set the new URL with url. The change has to be confirmed with the admin PIN (usually 8 digits long).

    gpg/card> url
    URL to retrieve public key: x-hkp://pgp.mit.edu

    Now we can fetch the key and leave the gpg card prompt.

    gpg/card> fetch
    gpg: requesting key 5E396988 from hkp server pgp.mit.edu
    gpg: key 5E396988: public key "xxx" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg/card> quit
  3. 2015-09-28 - Using logs to analyze a software product; Tags: Using logs to analyze a software product

    Using logs to analyze a software product

    Rapid Software Testing by http://satisfice.com was an interesting training I attended. One of the methods introduced is the spot check, which I would call log analysis. Logs should be used to analyze or check a product. Log files can harbor interesting data :smile:

    This recent example is quite funny, or rather shocking from a security point of view. The picture above shows the passphrase for a private gpg key of Belkin that is used to sign their firmware. Not only should the private key not be accessible to the public; by simply searching for "passphrase" the password is also revealed in the logs. Anyone can now misuse this key, e.g. to sign malicious firmware. This is a rather extreme example, but it shows what gems can be found in log files. The original post can be found at https://twitter.com/mjg59/status/647251446669283328.

  4. 2015-08-23 - Setup SCR3311 for GnuPG on Linux; Tags: Setup SCR3311 for GnuPG on Linux

    Setup SCR3311 for GnuPG on Linux

    I have never documented how I set up the above card reader for GnuPG smart cards. This article fills the gap. I use my newly set up elementary OS (Ubuntu/Debian based) desktop, virtualized with VirtualBox.

    If you are interested in the above card reader, you can visit the vendor site for the data sheet. I purchased it years ago from this excellent cryptoshop in Austria.

    VirtualBox Configuration

    You may skip this part if you are running Linux natively. For VirtualBox it is mandatory to add the device to the USB device filter of the guest system before you start the VM, otherwise the guest will not see the reader.

    VirtualBox USB filter


    Check card reader with lsusb

    tan@cinhtau:~$ lsusb
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 002 Device 002: ID 04e6:511d SCM Microsystems, Inc. SCR3311 Smart Card Reader
    Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

    We install these packages for the card reader:

    sudo apt-get install libccid pcscd gnupg-pkcs11-scd gnupg2

    Device information

    As you can see in the lsusb output, the vendor id is 04e6 and the product id is 511d. You can also obtain this information from /var/log/syslog or the dmesg output:

    Aug 23 13:07:42 cinhtau kernel: [ 3096.072836] usb 1-2: new full-speed USB device number 3 using ohci-pci
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336816] usb 1-2: New USB device found, idVendor=04e6, idProduct=511d
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336820] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=5
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336823] usb 1-2: Product: SCR3311 USB Smart Card Reader
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336825] usb 1-2: Manufacturer: SCM Microsystems Inc.
    Aug 23 13:07:43 cinhtau kernel: [ 3096.336828] usb 1-2: SerialNumber: xxx

    If you are paranoid, you can look the ids up in the USB ids list to check that they are correct.

    User permission

    Insert your smart card into the card reader. If we check the card status (sensitive data removed) as root, the command works. As a normal user you are not able to access the card reader.

    tan@cinhtau:~$ sudo gpg --card-status
    gpg: WARNING: unsafe ownership on configuration file `/home/tan/.gnupg/gpg.conf'
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'

    As always, you should not run GnuPG as root. The Linux system has to be configured to allow a normal user to access the reader. We create a group for smart card access.

    root@cinhtau:~# addgroup scard
    Adding group `scard' (GID 1001) ...
    root@cinhtau:~# addgroup tan scard
    Adding user `tan' to group `scard' ...
    Adding user tan to group scard

    You can check as your user whether you were added to the group with the groups command.

    tan@cinhtau:~$ groups
    tan adm cdrom sudo dip plugdev lpadmin sambashare vboxsf scard

    The next step is to tell udev that normal users are allowed to use the card reader. You can download the udev rules from the Free Software Foundation Europe (FSFE).

    Basically, you place this script as /etc/udev/scripts/gnupg-ccid (it is run by the udev rule below; ACTION, DEVICE and GROUP come from udev's environment):

    #!/bin/sh
    # Called by the udev rule: take world permissions away from the device node
    # and hand it to the smart card group instead.
    if [ "${ACTION}" = "add" ] && [ -f "${DEVICE}" ]
    then
        chmod o-rwx "${DEVICE}"
        chgrp "${GROUP}" "${DEVICE}"
        chmod g+rw "${DEVICE}"
    fi

    Don’t forget to set the execute permission for that script!

    chmod a+x /etc/udev/scripts/gnupg-ccid

    Next is the udev rules file. I chose /etc/udev/rules.d/78-gnupg-ccid.rules as the filename.

    # GPG SmartCard Reader Support
    ACTION=="add", SUBSYSTEM=="usb", ENV{PRODUCT}=="04e6/511d/*", RUN+="/etc/udev/scripts/gnupg-ccid", MODE="660", GROUP="scard"

    The values were taken from the lsusb output; replace them with the data of your card reader. You have to reboot for the udev change to be applied. After the reboot you should be able to run gpg --card-status as a normal user without any problems.

    tan@cinhtau:~$ gpg --card-status
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    Application ID ...: D2760001240102000005000013380000
    Version ..........: 2.0
    Manufacturer .....: ZeitControl
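    The ids in the rule can also be derived from the lsusb line instead of being typed by hand. The helper below is an added example, not the FSFE rules or code from the original post; it matches on ATTR{idVendor}/ATTR{idProduct}, which udev reads zero-padded from sysfs, rather than on ENV{PRODUCT}, whose value the kernel emits without leading zeros (4e6/511d/...). The lsusb output is a constructed sample in the shape shown above.

```shell
#!/bin/sh
# Added example, not from the original post: build the udev rule for the
# reader from the lsusb line instead of typing the ids by hand. It matches on
# ATTR{idVendor}/ATTR{idProduct} (sysfs, zero padded, e.g. 04e6) rather than
# ENV{PRODUCT}, whose value the kernel prints without leading zeros (4e6/511d/...).

# Constructed sample of `lsusb` output, in the shape shown above.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 04e6:511d SCM Microsystems, Inc. SCR3311 Smart Card Reader
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub'

HEX4='[0-9a-f][0-9a-f][0-9a-f][0-9a-f]'

# reader_usb_id PATTERN [LSUSB_OUTPUT]: print "vvvv:pppp" of the first device
# whose line matches PATTERN (case-insensitive); fail if none or malformed.
reader_usb_id() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    id=$(printf '%s\n' "${2:-$SAMPLE_LSUSB}" | awk -v pat="$pat" '
        tolower($0) ~ pat { for (i = 1; i < NF; i++) if ($i == "ID") { print $(i + 1); exit } }' |
        tr 'A-F' 'a-f')
    case "$id" in
        $HEX4:$HEX4) printf '%s\n' "$id" ;;
        *) echo "reader_usb_id: no device matching '$1' with a vvvv:pppp id" >&2; return 1 ;;
    esac
}

# udev_rule_for VVVV:PPPP [GROUP]: print one rule line for 78-gnupg-ccid.rules.
# MODE/GROUP already fix the device node; RUN+= keeps the page's script in play.
udev_rule_for() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", RUN+="/etc/udev/scripts/gnupg-ccid", MODE="0660", GROUP="%s"\n' \
        "${1%%:*}" "${1#*:}" "${2:-scard}"
}

# Typical use on the real machine (run lsusb, write the rules file as root):
# udev_rule_for "$(reader_usb_id 'smart card' "$(lsusb)")" \
#     | sudo tee /etc/udev/rules.d/78-gnupg-ccid.rules
```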

    If you still have problems, it is most likely that both gpg and gnome-keyring are providing gpg-agent functionality. See the debugging section for a solution.


    This setup assumes you have an existing GnuPG smart card. We import our public key into the GnuPG keyring (output truncated):

    tan@cinhtau:~$ gpg --card-edit
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    gpg/card> fetch
    gpg: requesting key xxxxxxx from hkp server keys.gnupg.net
    gpg: /home/tan/.gnupg/trustdb.gpg: trustdb created
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    gpg/card> quit


    We test whether the secret key on the smart card is detected.

    gpg --card-status
    gpg --list-secret

    The output should list the private keys held on your card.


    As a test, we use the smart card to decrypt a gpg-encrypted SSH private key.

    tan@cinhtau:~/Downloads$ gpg -d id_rsa.asc > id_rsa
    gpg: detected reader `SCM Microsystems Inc. SCR 3311 [CCID Interface] (21121045203047) 00 00'
    Please enter the PIN
    gpg: encrypted with RSA key, ID xxx
    gpg: encrypted with 1024-bit RSA key, ID xxx, created 2012-03-30
          "Tan-Vinh Nguyen <xxx>"


    This section summarizes recipes to pinpoint problems.

    Smart Card Daemon

    Check that the PC/SC Smart Card Daemon is running; start it in the foreground with debug output to see whether it can talk to the reader, which GnuPG needs to work properly:

    sudo pcscd -f -d

    GnuPG card driver

    Run gpg as super user in debug mode:

    sudo gpg --debug 2048 --debug-ccid-driver -v --card-status

    Gnome Keyring

    Check whether the gnome-keyring-daemon is interfering and stop it with kill (use your pid):

    tan@cinhtau:~$ ps -Af | grep keyring
    tan       1506     1  0 15:22 ?        00:00:00 /usr/bin/gnome-keyring-daemon --start --components=gpg
    tan@cinhtau:~$ kill -2 1506

    The GNOME (2) keyring daemon is still used by certain applications, e.g. Mozilla Firefox, or for automated logins. Elementary starts the daemon automatically. You can either kill it every time or disable the gpg-agent. The gpg agent is activated by default in ~/.gnupg/gpg.conf; if you comment out use-agent, there is no collision anymore.


    See also the official GnuPG HowTo.

  5. 2015-08-05 - Use gpg smart card; Tags: Use gpg smart card

    Use gpg smart card

    Import public key from keyserver

    gpg --keyserver pgp.mit.edu --recv 655685AC

    Import from smartcard

    bk201@edge:~$ gpg --card-edit
    gpg: detected reader `German Privacy Foundation Crypto Stick v1.2 00 00'
    # more card stuff
    URL of public key : x-hkp://pgp.mit.edu <1>
    gpg/card> fetch
    gpg: requesting key 655685AC from hkp server pgp.mit.edu
    # import message
    gpg/card> quit

    1: if the keyserver URL is set on the card, the public key can be fetched automatically

    Check private key

    To verify that the private key from the smartcard is usable, use the --list-secret option. Note that the card has to be accessed once (e.g. with --card-status) before the key stubs show up in the secret keyring:

    bk201@edge:~$ gpg --list-secret
    # nothing here
    bk201@edge:~$ gpg --card-status
    # smartcard accessed
    bk201@edge:~$ gpg --list-secret
    sec>  2048R/655685AC 2011-02-04
          Card serial no. = 0005 0000088E
    uid                  Tan-Vinh Nguyen ...
    ssb>  1024R/3072C7C4 2011-02-04
    ssb>  2048R/766C78D0 2011-02-04
  6. 2015-07-03 - Create SSH keys with PuTTYgen; Tags: Create SSH keys with PuTTYgen

    Create SSH keys with PuTTYgen

    If you are “forced” to use Windows, PuTTY provides PuTTYgen to create SSH keys. It can also convert existing OpenSSH keys. The keys are then available to the PuTTY ssh agent, pageant.

    For maximum security you can also use the gpg authentication key from your smartcard over SSH. You will need the patched pageant from Dr. Peter Koch.

  7. 2015-06-22 - Import public gpg key from keyserver; Tags: Import public gpg key from keyserver

    Import public gpg key from keyserver

    In case you want to send me a secure message with GnuPG (gpg), just import my key from a current keyserver with the following command.

    gpg --keyserver x-hkp://pgpkey.org --recv-keys 655685AC

    The above command works on any OS, provided you have GnuPG installed.

  8. 2015-06-17 - Encrypt.to - Secure Contact Form; Tags: Encrypt.to - Secure Contact Form

    Encrypt.to - Secure Contact Form

    Encrypt.to is a good way to make (initial) contact with an encrypted email. Just enter the recipient's email address and, if the lookup of their (public) gpg key succeeds, you can send. There are various service levels from free to enterprise. Quite handy if you have no email client with gpg support, or no gpg at all, at hand. :smile:

  9. 2013-02-09 - GPF Crypto Stick OpenSSH Authentication; Tags: GPF Crypto Stick OpenSSH Authentication

    GPF Crypto Stick OpenSSH Authentication

    For SSH authentication the gpgsm package is needed, because it provides “scdaemon”, the smartcard daemon:

    sudo apt-get install gpgsm

    gpg-agent is needed because it is the only way to use an authentication subkey directly from the smartcard:

    sudo apt-get install gnupg-agent

    Deactivate the gnome-keyring-daemon ssh-agent drop-in replacement; we only want gpg-agent:

    gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false

    Configure gpg to use the agent (needed for the smartcard):

    echo "use-agent" >> ~/.gnupg/gpg.conf

    Enable the ssh-agent drop-in replacement support of gpg-agent:

    echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf

    Secure the GnuPG home directory:

    chmod -R go-rwx ~/.gnupg

    Update the authorized keys file on the remote host: replace “766C78D0” with the id of your authentication subkey from before (it is the first key listed under the public key, or the other public key). gpgkey2ssh converts the subkey into OpenSSH format, which is then appended on the remote host:

    gpgkey2ssh 766C78D0 | ssh root@krios "cat - >> ~/.ssh/authorized_keys"

    My authentication key from the GnuPG smart card:

    gpgkey2ssh F981E710 | ssh root@persephone "cat - >> ~/.ssh/authorized_keys"
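    The plain `cat - >> ~/.ssh/authorized_keys` appends a duplicate every time the step is repeated and leaves the file mode to chance. The helper below, an added example and not part of the original post, does the append idempotently on the remote side and fixes the permissions sshd expects; the key line used in it is a constructed sample, not a real key. Current GnuPG releases no longer ship gpgkey2ssh; `gpg --export-ssh-key` produces the same kind of line.

```shell
#!/bin/sh
# Added example, not from the original post: append an OpenSSH public key line
# to authorized_keys only if it is not there yet and fix the permissions, so
# re-running the gpgkey2ssh step never produces duplicates or a file that
# sshd rejects because of its mode.

# add_authorized_key AUTHORIZED_KEYS_FILE < public-key-line
# Returns 0 if added, 2 if the key was already present, 1 on malformed input.
add_authorized_key() {
    file=$1
    IFS= read -r line || [ -n "$line" ]          # accept a missing final newline
    set -f; set -- $line; set +f                 # split: type, base64 blob, comment
    # every OpenSSH key blob starts with the length-prefixed type, i.e. "AAAA..."
    case "$1:$2" in
        ssh-rsa:AAAA*|ssh-ed25519:AAAA*|ecdsa-sha2-*:AAAA*) ;;
        *) echo "add_authorized_key: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    dir=$(dirname "$file")
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    touch "$file"
    chmod 600 "$file"
    # compare type and key blob only; the comment may differ between exports
    if awk -v t="$1" -v k="$2" '$1 == t && $2 == k { f = 1 } END { exit !f }' "$file"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
}

# Remote use, replacing the plain append from the post (host name as in the post):
# gpgkey2ssh 766C78D0 | ssh root@krios "$(typeset -f add_authorized_key); add_authorized_key ~/.ssh/authorized_keys"
```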