
The default card key generation keeps an unprotected backup of the encryption key on disk
Closed, ResolvedPublic

Description

When using gpg --card-edit, admin, generate and following the default prompts, the encryption key is created by gpg (technically by gpg-agent), copied to a smartcard, and a backup in OpenPGP format is stored, protected with a passphrase, in the file ~/.gnupg/sk_LONGKEYID.gpg.

The gpg-agent, however, has created the key in its private-keys-v1.d directory before it was sent to the smartcard and to gpg for creating the backup. Obviously that on-disk copy should be deleted. This used to happen by overwriting it with the stub file (aka shadow key). Due to other fixes this stopped working some time ago - bummer.

The best fix will be to never write the key to disk at all, but to hand it to gpg to create the backup file.
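A defender-side check for the situation described above, added here as an example rather than code from GnuPG or from this task: it classifies each file in gpg-agent's private-keys-v1.d as a card stub (shadowed key), a passphrase-protected key or an unprotected key, and reports card keygrips whose file is not a stub. The per-keygrip file layout, the S-expression tags and the extended "Key:" header format are assumptions about the agent's key store, and the sample bytes are constructed.

```python
"""Check gpg-agent's private-keys-v1.d for card keys whose file is not a stub.

Added example, not GnuPG code. Assumed layout of the agent's key store: one
file per key named KEYGRIP.key, a canonical S-expression whose first token is
"shadowed-private-key" (card stub), "protected-private-key" or "private-key";
the extended format carries the same S-expression after a "Key: " header.
"""
import re
import sys
from pathlib import Path

TAG_TO_KIND = {b"shadowed-private-key": "shadowed",      # card stub, as expected
               b"protected-private-key": "protected",    # passphrase-protected key
               b"private-key": "unprotected"}            # cleartext key material

def key_kind(data: bytes) -> str:
    """Classify one key file as 'shadowed', 'protected', 'unprotected' or 'unknown'."""
    m = re.search(rb"^Key:[ \t]*", data, re.M)        # extended format header
    body = data[m.end():] if m else data
    m = re.match(rb"\s*\((?:(\d+):)?([a-z-]+)", body)  # optional canonical length
    if not m:
        return "unknown"
    length, tag = m.group(1), m.group(2)
    if length is not None and int(length) != len(tag):  # corrupt length prefix
        return "unknown"
    return TAG_TO_KIND.get(tag, "unknown")

def scan_keydir(keydir: Path) -> dict:
    """Map keygrip -> kind for every KEYGRIP.key file in the directory."""
    return {p.stem: key_kind(p.read_bytes()) for p in sorted(keydir.glob("*.key"))}

def card_keys_still_on_disk(card_keygrips, kinds: dict) -> list:
    """Keygrips that should be card stubs but whose file holds real key material."""
    return sorted(g for g in card_keygrips if kinds.get(g) in ("protected", "unprotected"))

# Constructed, truncated samples (no real key material) for a stand-alone run.
SAMPLES = {
    "stub": b"(20:shadowed-private-key(3:rsa(1:n3:abc)(1:e1:\x03)))",
    "protected": b"(21:protected-private-key(3:rsa(1:n3:abc)(1:e1:\x03)))",
    "plain": b"(11:private-key(3:rsa(1:n3:abc)(1:e1:\x03)(1:d3:xyz)))",
    "extended": b"Created: 20240119T120000\nKey: (shadowed-private-key (rsa (n #616263#)))\n",
}

if __name__ == "__main__":
    # Usage: script.py KEYGRIP...  (keygrips of the card's keys, e.g. from
    # `gpg --with-keygrip -K`); scans ~/.gnupg/private-keys-v1.d.
    kinds = scan_keydir(Path.home() / ".gnupg" / "private-keys-v1.d")
    for grip in card_keys_still_on_disk(sys.argv[1:], kinds):
        print(f"{grip}: {kinds[grip]} key on disk, expected a card stub")
```

A card key reported here on one of the affected versions is the on-disk copy the task describes; a "shadowed" result is the stub that should be there.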

Event Timeline

werner created this task.
werner created this object in space Restricted Space.
werner created this object with edit policy "Contributor (Project)".

Currently, there is no support in gpg-agent for keeping a private key off disk, only in gpg-agent's memory. Given the situation, I think that it is good to:

FWIW, I am already working on this.

We tested with Kleopatra:

  • Only gpg4win 4.2 (the current version) is affected; 4.1 is not affected.
  • No vsd version is affected.

We tested with gpg --card-edit:

  • gnupg 2.2.42 is affected (thus also vsd 3.2.0 and 3.2.1).
  • gnupg 2.4.2 and 2.4.3 are affected.

2.2.41 was tested and is not affected. 2.4.0 and 2.4.1 were also tested and are not affected. 2.3.x and < 2.4.41 were not tested.

werner set External Link to https://forum.gnupg.org/t/privater-schlussel-von-smart-card-in-kleopatra-gespeichert/3858. (Jan 19 2024, 12:38 PM)
werner mentioned this in Unknown Object (Event). (Jan 22 2024, 9:05 AM)
werner changed the task status from Open to Testing. (Jan 22 2024, 4:53 PM)
werner moved this task from Backlog to QA on the gnupg24 board.

We need to fix 2.2.42 too. This is because we backported the responsible patch.

Fixed in 2.4.4 and 2.2.43 - see above for affected versions.

werner moved this task from QA to gnupg-2.4.4 on the gnupg24 board.
werner edited projects, added gnupg24 (gnupg-2.4.4); removed gnupg24.
werner moved this task from WiP to gnupg-2.2.43 on the gnupg22 board.
werner edited projects, added gnupg22 (gnupg-2.2.43); removed gnupg22.
werner shifted this object from the Restricted Space space to the S1 Public space. (Jan 25 2024, 11:56 AM)

Also fixed in the forthcoming 2.2.43.