I'm currently trying to find some interoperability between gpg and signify.
One attempt at this was exporting a subkey that's Ed25519 from gpg and using that as the public and private key for signify.
My thought process was: since both use Ed25519, I could just export the numerical values for the keys and then create a key for the program in the format it needs.
The issue I'm running into is that signify doesn't accept the key I generate. Compared to the keys that signify's only keygen generates, they're also always slightly longer (e.g. 73 vs 53 chars of b64).
Example for a public key:
generated from gpg: mDMEYOfb1RYJKwYBBAHaRw8BAQdAm33lkUfHyH81l6vQuRasADUlyAnYNZ+xhAE9GqLlzpU=
generated from signify: RWRR4+XlAu/mPfcQ+50448/te//AT2Ym6S5rxmxP0H07m5Eny9XFMxDX
I've tried
gpg --export <keyID> | gpgsplit with both a newly generated Ed25519 key and an Ed25519 subkey of an existing and then base64'd the public and private keys. This yields an 'invalid base64' error when running signify -I -p pubkey with the result.
I've also tried
using pgpdump (gpg --export <keyID> | wsl pgpdump -i -l -m -p), but that doesn't output any useful information.
I'm using
https://github.com/nurse/signify via Debian WSL compiled with BSD libs linked
Kleopatra / GnuPG for Windows
https://github.com/kazu-yamamoto/pgpdump via Debian WSL
Related
I want to encrypt a file using a passphrase, which I did using gpg --gen-key to create a key (I used the default options) in the command line, and I also go this to work in an "automated" way without user interaction.
But, I'd like to specify the passphrase stored in a separate file. This is what I'm running now:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
And what's in the file called "FileContainingKeySettings.txt" is this:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: PBJ
Name-Comment: test
Name-Email: PBJ#pbj.com
Expire-Date: 0
Passphrase:blah
%commit
%echo done
So that works and generates the key.
Then I call this:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv
And this works too.
So now I have 1 problem and 1 question. The problem is that I need to specify the passphrase to reference a file that looks like this (but much longer):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47
[encoding]
-----END PGP PUBLIC KEY BLOCK-----
instead of using the password where I wrote "blah"^, and I haven't found a way to do this online or from any other team members around me. How can I do that?
Question: I also notice now that the file I was sent containing the encryption key reads at the top
" -----BEGIN PGP PUBLIC KEY BLOCK-----"
...which says it uses PGP (but I am using gpg). I know that gpg and pgp are different and read about them, but can I even do what I'm trying to do using gpg to encrypt a file with a key that was apparently generated with pgp?
(in Windows)
UPDATE: Now I may have gotten this working, although I still have to validate by having the other person decrypt the message (it works fine when I decrypt it). Silly I didn't think of this code change earlier when I've actually tried this before...I simply changed my cmd call from this part:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
to this instead, specifying the passphrase file location here instead:
gpg --batch --passphrase "D:\Staging\FileWithActualKey.txt --gen-key
"D:\Staging\FileContainingKeySettings.txt"
and I took the password line out of the file "FileContainingKeySettings" altogether. I haven't tested this by having the other person decrypt it yet on their end...I hope it worked. At least I didn't get error. But now when I run this line again to actually do encryption, it works:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv
(I am using MAC)
My id_rsa starts with
-----BEGIN OPENSSH PRIVATE KEY-----
but I expect it to starts with
-----BEGIN RSA PRIVATE KEY-----
I have send my id_rsa.pub to server administrator to get the access to server, so I don't want to generate a new key.
Is there any way that I can transfer my id_rsa which is a openssh private key to a RSA private key? (command please.)
If I can transfer, do I also need to transfer id_rsa.pub? (command please.) It seems id_rsa.pub doesn't have a header like id_rsa, so I am not sure if I should also transfer this.
You have an OpenSSH format key and want a PEM format key. It is not intuitive to me, but the suggested way to convert is by changing the password for the key and writing it in a different format at the same time.
The command looks like this:
ssh-keygen -p -N "" -m pem -f /path/to/key
It will change the file in place, so make a backup of your current key just in case. -N "" will set the passphrase as none. I haven't tested this with a passphrase.
The public key should be fine as is.
For full explanation of the above command, see the -m option here: https://man.openbsd.org/ssh-keygen#m
Here's what worked for me for an in-place conversion of a key with a passphrase:
ssh-keygen -p -P "old passphrase" -N "new passphrase" -m pem -f path/to/key
Install and open puttygen
Click on "Load an existing private key file"
Click on menu item "Conversions" -> "Export OpenSSH key"
Save file
You can achieve this easily if you can get your hands on a linux system. I am using ubuntu 18.04 and did the following:
update packages: sudo apt update
install putty: sudo apt install putty
install puttygen: sudo apt install putty-tools
convert the private key to the intermediate format SSHv2: puttygen yourkey -O private-sshcom -o newkey
convert it back to RSA/PEM: ssh-keygen -i -f newkey > newkey_in_right_format
And you are good to go
Some of the answers above didn't work and I actually ran into yet another problem when trying to create a RSA private key from the OpenSSH private key using ssh-keygen command: unsupported cipher 3des-cbc. A helpful gist for that problem can be found here: https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23.
The following command worked for me to create a valid and working RSA private key from a (Putty on Windows generated) OpenSSH key using:
$ sudo apt install putty-tools
$ puttygen existing_key.ppk -o id_rsa -O private-openssh
# enter passphrase if needed
The gpg software supports symmetric encryption out of the box. That means, it works with a password. But apart from protecting the content it is also important to ensure the Authentication of a message. The idea is to create a hashsum of the file itself together with the password used for encryption. According to [1] a popular “Message Authentication Code” is HMAC. After entering:
gpg --hmac --armor --symmetric --passphrase pwd1 file.txt
gpg: Invalid option "--hmac"
an error message occurs that the switch is not known by the software. How can i use the MAC authentication the right way?
You can't. The reason for the error message is that type of signature is not available with GPG. You'd be better off simply signing and encrypting the file with the standard GPG method. Even if you wanted to use symmetric encryption only, then the recipient would still need to use GPG to decrypt the file. The correct command would be:
gpg -o filename.txt.asc -sear $recipient_key filename.txt
This assumes you also always encrypt to your own key, otherwise the command would be:
gpg -o filename.txt.asc -sear $recipient_key -r $your_key filename.txt
If they don't have a key, you could still sign and encrypt to your own key only and then extract the session key so you could provide that for them to decrypt the file with it:
gpg -o filename.txt --show-session-key -d filename.txt.asc
Then the recipient would be able to decrypt with:
gpg -o filename.txt --override-session-key $session_key -d filename.txt.asc
If you really must use symmetric encryption only, however, you can do it in two setps.
First sign the file:
gpg -o filename.txt.asc -sa filename.txt
Then symmetrically encrypt that file:
gpg -o newfilename.asc -a -c filename.txt.asc
The recipient would then need to run the decryption command twice; first on the symmetrically encrypted file and then a second time on the file it decrypts.
The normal --verify option is only used for checking clearsigned files or files with detached signatures.
I have generated 3 pairs of public and private keys using gpg. I would like to sign a file with one of this 3 public keys and then verify which of this 3 keys was used to sign the file.
How can I accomplish this?
I tried to sign the file with gpg --sign --default-key person1#gmail.com data.txt but do not know if its the right direction. Besides, what about veryfing?
gpg -d data.txt.gpg
Will decrypt the file (default -o is data.txt) and tell you which key signed it. If for some reason having a decrypted copy of the file on disk is a problem you might try
gpg -d -o /dev/null data.txt.gpg
It'll still tell you whether the signature was valid and what key signed it.
To specify which key to use when signing:
gpg --sign -u <key-id> somefile.txt
I have generated my keys using PuttyGen but need to be able to specify exactly the email address used with the following command but this doesn't work as I get an 'is not recognized as an internal or external command error'
ssh-keygen -t rsa -C "joebloggs#mycompany.com"
Can anyone assist in running this command on Windows 10?
You can use PuTTYgen to generate a key with those settings.
For the key type -t rsa you have to select SSH-2 RSA
and for the email / comment -C "joebloggs#mycompany.com" you have to set the Key comment field to joebloggs#mycompany.com
After clicking Generate your can get your public key from the Public key for pasting into OpenSSH authorized_keys file field (this is the same as id_rsa.pub when generated with ssh-keygen)
If you also need the private key to be saved in OpenSSH format just go to Conversions > Export OpenSSH key (this is the same as id_rsa when generated with ssh-keygen)