I’m not knowledgeable enough about crypto to explain that, I’m just using what those experts who have designed those cards tell me to do and use it.
If you desperately want to go against the mainstream, you can do so; that’s the cool thing about open source, but then expect to stumble over all those roadblocks, trying to use something in a way that it seems not to be meant to be used.
Don’t think there are many people here that can help you with that endeavor.
I understand.
That’s why it blows my mind that’s the main way to do things, with subkeys.
Surely most people are like me, have a job, have relationships and things to do outside the computer.
Keeping track of dozens of keys and the way they connect to each other is just way too much.
I will just put it out there:
If someone is willing to come on a Discord call with me and help me sort this out, I offer 10 USD in Bitcoin on the Lightning network (you can have the BTC on chain if you want, but you pay the fee, and right now the fee is more than 10 USD ¯\_(ツ)_/¯ ). I will update this comment when the offer is no longer available.
EDIT: Yeah, I gave up. Offer no longer available. I set things up with subkeys, etc.
It does not: a .gnupg directory with a pubring.kbx for your public key and a private-keys-v1.d directory are required.
If that’s the case, what is the purpose/what’s on the OpenPGP Card?
Anyway, I gave up. I found a computer without the Intel Management Engine and I will do things properly (with subkeys, etc). I’m not happy about it, but whatever.
Thank you for all the help <3
The actual subkeys are on the card, but all the configuration necessary to use them and the public key still need to be on the device you are using it on.
That’s why you always see the warning about backing up the keys before moving them to the card, because they are removed from the storage of the device you created them on.
And they cannot be recovered from the gpg card again. That move is one way only.
TRACKED, WEP.
Guys, I’m freaking out a bit, not gonna lie.
I followed the instructions Manuel provided.
Everything looked good. At the end I checked with gpg -K and all keys said ssb. As it explains in the guide here, if it says ssb that means that the keys have been moved to the card. I was happy.
Later, I copied the .gnupg directory to my computer.
I checked to see if I can decrypt a file on the computer, and it is asking me to put the card in. Good, that’s how it should be.
But then, out of curiosity I tried to export the private key, you know…
gpg --output private.pgp --armor --export-secret-key username@email
And well, uhm, it worked. How is that possible? The command outputted a file with what I think is my private key, maybe the master key, maybe a subkey, I don’t know, but it should not be possible.
I think: “Maybe I am a dum-dum and I forgot to follow the step where it says to delete the secret keys.”
So, I go back to my phone and type: gpg --delete-secret-key $KEYID
It returns:
gpg: key "$KEYID" not found
gpg: $KEYID: delete key failed: Not found
P.S. Obviously instead of “$KEYID” I put my actual key id. I even tried gpg --delete-secret-key username@email but it still says it did not find a key.
What is going on here?
The .gnupg directory contains another directory called private-keys-v1.d where your private keys are stored. When you export your private keys, it uses that directory, not your OpenPGP card.
Moving the keys to the card is a destructive action; it should have deleted the keys that were in .gnupg.
And I confirmed that when moving the .gnupg to my computer and trying to decrypt, it is asking me to insert the card.
It moves the subkeys, not the master key.
Fair, but then why doesn’t it let me delete the key with gpg --delete-secret-key $KEYID ?
EDIT: I just checked the private-keys-v1.d; it has 3 files inside corresponding to my 3 subkeys. Which is odd already, but I hope it is not the actual private keys, and that they are on the card.
EDIT 2: Looking inside the files, it says Key: (shadowed-private-key (rsa (n etc. etc. So I think that’s good. It only holds what it needs to get the actual keys from the card.
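A check for the situation described in this thread (the "ssb" listing and the "shadowed-private-key" files), as an added example that is not from the thread or from GnuPG itself: it classifies the files in private-keys-v1.d as card stubs or real on-disk secret keys. The sample files it builds are constructed dummies; gpg -K marks a card stub as "ssb>" and an absent primary secret key as "sec#".

```shell
#!/bin/sh
# Added example (not from the thread): audit the files gpg-agent keeps in
# ~/.gnupg/private-keys-v1.d after "keytocard". A moved subkey leaves a stub
# whose S-expression begins with "shadowed-private-key" (extended format has a
# "Key: (shadowed-private-key ..." line, canonical format "(20:shadowed-private-key");
# the stub only points at the card slot. "protected-private-key" or a bare
# "private-key" means real secret material is still on disk.
# Prints: card-stub | on-disk | unknown
classify_keyfile() {
    f="$1"
    if grep -aq 'shadowed-private-key' "$f"; then
        echo card-stub
    elif grep -aq 'protected-private-key' "$f" || grep -aq '(private-key' "$f" \
         || grep -aq '11:private-key' "$f"; then
        echo on-disk
    else
        echo unknown
    fi
}

# Walk a private-keys-v1.d directory, print one line per key file, and return 0
# only if every file is a card stub (1 if any real private key remains on disk).
audit_keydir() {
    dir="$1"; rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        kind=$(classify_keyfile "$f")
        echo "$(basename "$f"): $kind"
        [ "$kind" = on-disk ] && rc=1
    done
    return $rc
}

# Constructed sample files (dummy values, not real keys): an extended-format
# stub like the one quoted in the thread, a canonical-format stub, and an
# on-disk protected key. Prints the temporary directory that holds them.
make_samples() {
    d=$(mktemp -d)
    printf 'Created: 20200101T000000\nKey: (shadowed-private-key (rsa (n #00C0FFEE#)(e #010001#)(shadowed t1-v1 (#D2760001240102000000000000000000# OPENPGP.3))))\n' > "$d/AAAA.key"
    printf '(20:shadowed-private-key(3:rsa(1:n4:ABCD)(1:e3:XYZ)(8:shadowed5:t1-v1(16:DUMMYCARDSERIAL!9:OPENPGP.3))))' > "$d/BBBB.key"
    printf 'Created: 20200101T000000\nKey: (protected-private-key (rsa (n #00C0FFEE#)(e #010001#)(protected openpgp-s2k3-ocb-aes (...) #DEADBEEF#)))\n' > "$d/CCCC.key"
    echo "$d"
}

# Real usage: audit_keydir ~/.gnupg/private-keys-v1.d
```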
I do not know, but you should try deleting using your uid instead.
gpg --list-secret-keys
The uid should be your (user)name.
Then, use this command:
gpg --delete-secret-key uid
Replace uid with your (user)name. If it is separated by a space, use a "string" instead.
What do you mean use a "string"? My uid is [ultimate] Mircea Arva <arvamircea@gmail.com>
I tried gpg --delete-secret-key Mircea\ Arva but it still tells me it did not find such a key. I tried with the email, same result o.O
The correct syntax is:
gpg --delete-secret-key "Mircea Arva"
Ensure you have a backup of your secret key first before executing the above command.
Maybe some daemon cached something? Have you rebooted?
No luck… it still tells me it can’t find such a key.
Maybe whatever it exported was not my actual master private key or any private subkey? It’s hard to check; my master private key is offline.
But one would expect an error, not gpg just exporting whatever and pretending it is a private key.
Yep, multiple times…
What does gpg --list-secret-keys display?
Sorry for the long delay, I had an internet outage…
Here is a screenshot, I hope there isn’t any sensitive information.
The command I ran, the end of which you see at the top, was: gpg --armor --export-secret-key arvamircea@gmail.com
It displays the same as gpg -K; you can see the output in the screenshot.