OpenPGP Smart Card decryption / private key not found
Open, Normal, Public

Description

I successfully configured an OpenPGP smart card; this can be verified in Kleopatra and with gpg --card-status via PowerShell. My aim is to keep the private key only on the smart card and keep it away from the computer. Therefore, all keyrings with private keys were deleted in Kleopatra. Only public keys are now stored there. If the smart card is inserted, Kleopatra recognizes the card and all parameters, including keys, can be seen. Screenshots can of course be submitted.

Then I wrote a text in the Kleopatra notepad and tried to encrypt it. No keyring was found in Kleopatra, but my public key could be selected for decryption for someone else. I selected that and encryption happened.

However, as I tried to decrypt the file for test purposes, again no private key was found, although the card is recognized. gpg --card-status shows: "General key info..: pub rsa4096/B5ACA4148AFF0103 2019-03-14". Therefore, I believe the private key is on the card. A set of 7 screenshots can be provided by e-mail.

Details

Version
3.1.7.
JW-D created this task. Apr 7 2019, 2:25 PM
JW-D added a comment. Apr 8 2019, 8:02 AM

Well, I can narrow the root cause. A Yubikey 5 was successfully installed and can be used. Then I started to test the OpenPGP card. I recognized that by pressing F5 in Kleopatra a change between YubiKey and smart card happens. However, if I test it via command line, Yubikey does not change, although it is dismounted and the smart card is inserted. Probably therefore, the private key cannot be found. It should be mentioned that I have a computer with an integrated smart card reader. First I configured the card, then the Yubikey. I started to test the Yubikey first. Therefore, I believe it is a mess in detection of smart card / Yubikey if used in parallel.

aheinecke triaged this task as Normal priority. Apr 8 2019, 8:21 AM
aheinecke added a project: kleopatra.
aheinecke added a subscriber: aheinecke.

For Kleopatra there is a "TODO" to better handle multiple smartcard readers. E.g. that you can have multiple tabs in the smartcard management view.

If you can't select your key for "encrypt to myself" in Kleopatra though, that means that Kleopatra does not think that the secret key is available. In the keylist of Kleopatra, do the keys show up under "My Certificates" and are they bold?

In GnuPG 2.3 there has been a lot of improvement recently regarding Yubikey support, so it may be better already once that is released.

JW-D added a comment. Apr 8 2019, 9:44 AM

Kleopatra recognizes the smart card and shows the correct version number and keys in the "smart card - management" window. In the keylist I can't find the key. Currently GnuPG 2.2.15 is installed. Do you know when version 2.3 will be released?

The 2.3 release plan is around this summer. There will be a public beta sooner.

JW-D added a comment. Apr 8 2019, 12:12 PM

After a restart, the smart card is recognized in the proper way and it works. I assume it has something to do with alternately using Yubikey and smart cards with different keys. The Yubikey was not found originally, so I modified the following:

log-file c:\..........\scdaemon.log
debug-all

gpgconf --kill scdaemon
gpg --card-status

and the Yubikey was detected. I assume if a smart card is used after a Yubikey, the procedure has to be done manually again or the computer has to be restarted. As a workaround OK, but in future the program should recognize changes between Yubikey and smart card automatically.
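The workaround above (kill scdaemon, then re-query the card) can be scripted together with the check the ticket is really about: whether gpg ends up with a usable secret key for the key that is on the inserted card. This is an added PowerShell example, not code from the ticket or from GnuPG; it assumes gpg and gpgconf from Gpg4win are on PATH and reads the key ID from the card's "General key info" line.

```powershell
# Added example (not from the ticket): restart scdaemon so it re-enumerates readers,
# then check whether gpg has a usable secret key for the key on the inserted card.
# Assumes gpg and gpgconf (Gpg4win) are on PATH.

function Get-CardKeyId {
    # Parse the "General key info..: pub rsa4096/<keyid> <date>" line that
    # gpg --card-status prints when the card key matches a known public key.
    $status = & gpg --card-status 2>&1
    if ($LASTEXITCODE -ne 0) { throw "gpg --card-status failed: $status" }
    $m = $status | Select-String -Pattern 'General key info\.*:\s+pub\s+\S+/([0-9A-Fa-f]{16})' |
         Select-Object -First 1
    if (-not $m) { return $null }   # card seen, but its key is not in the public keyring
    return $m.Matches[0].Groups[1].Value
}

function Test-CardSecretKey {
    param([switch]$RestartScdaemon)

    if ($RestartScdaemon) {
        # scdaemon keeps using the reader it found first; killing it forces a fresh
        # enumeration when gpg-agent next needs the card (the ticket's workaround).
        & gpgconf --kill scdaemon
        if ($LASTEXITCODE -ne 0) { throw "gpgconf --kill scdaemon failed" }
    }

    $keyId = Get-CardKeyId
    if (-not $keyId) {
        Write-Warning "Card detected, but its key is not in the public keyring."
        return $false
    }

    # --with-colons: field 15 of sec/ssb records is '#' when no secret key is
    # available; otherwise it holds the card serial (key on card) or '+' (key on disk).
    $recs = & gpg --list-secret-keys --with-colons $keyId 2>$null
    $usable = $recs | Where-Object { $_ -match '^(sec|ssb):' } |
              ForEach-Object { ($_ -split ':')[14] -ne '#' }
    if ($usable -contains $true) {
        Write-Host "Secret key $keyId is available through the card."
        return $true
    }
    Write-Warning "gpg knows key $keyId but lists no usable secret key for it."
    return $false
}

Test-CardSecretKey -RestartScdaemon
```

If scdaemon is still bound to a removed token, the first gpg call fails with the "No such device" error seen later in this ticket, which the script surfaces as the exception message.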

I'm interested if this works as you imagine with 2.3. I'm pretty sure werner worked on a problem like that.

So I've compiled the current 2.3 state. It's safe to use, I use it on Linux regularly, but on Windows it's very untested, so please back up your %APPDATA%\gnupg directory anyway before you try it.

After you tried it out you can just reinstall Gpg4win to get back to the stable version again if you like.

Download is: https://heinecke.or.at/div/gnupg-w32-2.3.0-beta728_20190408.exe

Signed with my official GnuPG release key ( https://gnupg.org/signature_key.html ): https://heinecke.or.at/div/gnupg-w32-2.3.0-beta728_20190408.exe.sig

JW-D added a comment. Apr 8 2019, 3:52 PM

I'll give it a try for sure! Probably next weekend, so my feedback will be sent next week. Please, keep the file open. THANKS

JW-D added a comment. Apr 13 2019, 5:02 PM

During installation of version 2.3 an error occurred; I'll send you a screenshot by e-mail. However, I have some comments on the current version which may also help: I have three keys, two on smart cards and one on a Yubikey. As long as only smart cards are used, it is no problem to change between the cards and they work fine. Problems occur if a Yubikey comes in. (i) Not always is a Yubikey recognized by pressing F5. (ii) If the Yubikey is recognized and next a key from a smart card is needed, a computer restart is required.
I also tried the command: gpgconf --kill gpg-agent
It was possible to change from smart card to Yubikey with the command. However, once the Yubikey 5 NFC was recognized, the only way to change back to the smart card was a restart of the computer.

JW-D added a comment. Apr 30 2019, 10:18 AM

As long as I change between smart cards, I can do it multiple times. If a Yubikey is recognized and a smart card follows next, it will not work. Most recently I also face problems detecting the Yubikey (message: no such device), but smart cards are still working fine.

gpg-connect-agent /bye followed by gpgconf --kill gpg-agent did not solve the situation.

JW-D added a comment. May 2 2019, 9:52 AM

Well, I uninstalled gpg 3.1.7 and reinstalled it. For some reason my two GnuPG smart cards work fine, but my two Yubikeys cannot be detected anymore (no such device). But in the last weeks they were detected; only the switching between Yubikey and smart card made some trouble. That they cannot be recognized is new and makes real trouble. If you think it would maybe be helpful, I can submit a scdaemon.log file by e-mail.