Old 09-09-2008, 04:09 PM
Grant
 
{OT} GPG: pub & sec keys required to decrypt?

I've been encrypting and decrypting email on the same remote server.
I was under the impression that this was a security risk because it
meant having the public and private keys on the same machine. I tried
importing the public key to my local system and decrypting via
enigmail but I got "Error - secret key needed to decrypt message". I
imported the private key locally and now it decrypts fine, but I have
both keys on the same system again.

My understanding of GPG is weak. Can someone point out my misconception(s)?

- Grant
 
Old 09-09-2008, 04:18 PM
"Boris Fersing"
 
{OT} GPG: pub & sec keys required to decrypt?

On Tue, Sep 9, 2008 at 18:09, Grant <emailgrant@gmail.com> wrote:
> I've been encrypting and decrypting email on the same remote server.
> I was under the impression that this was a security risk because it
> meant having the public and private keys on the same machine. I tried
> importing the public key to my local system and decrypting via
> enigmail but I got "Error - secret key needed to decrypt message". I
> imported the private key locally and now it decrypts fine, but I have
> both keys on the same system again.
>
> My understanding of GPG is weak. Can someone point out my misconception(s)?
>
Hi,

you need the recipient's public key to encrypt the message. This
message will be decrypted with the recipient's private key.

So if you encrypt something for yourself, you'll need your public key
to encrypt and your public key to decrypt.

Regards,

Boris.

> - Grant
>
>



--
$ ruby -e'puts " .:@BFegiklnorst".unpack("x4ax7aaX6ax5aX15ax4aax6aa X7ax2
aX5aX8axaX3ax8aX4ax6aX3aX6ax3ax3aX9ax4ax2aX9axaX6a x3aX2ax4
ax3aX4aXaX12ax10aaX7a").join'
 
Old 09-09-2008, 04:40 PM
Sascha Hlusiak
 
{OT} GPG: pub & sec keys required to decrypt?

> So if you encrypt something for yourself, you'll need your public key
> to encrypt and your public key to decrypt.

Little correction, you need the PRIVATE key to decrypt. Everybody has
the public key but since you don't want everybody to be able to decrypt,
it's done with the private key. But you want everybody to encrypt things
to you, so the public key is used for encryption.


Regards,
Sascha
 
Old 09-09-2008, 04:44 PM
Grant
 
{OT} GPG: pub & sec keys required to decrypt?

>> I've been encrypting and decrypting email on the same remote server.
>> I was under the impression that this was a security risk because it
>> meant having the public and private keys on the same machine. I tried
>> importing the public key to my local system and decrypting via
>> enigmail but I got "Error - secret key needed to decrypt message". I
>> imported the private key locally and now it decrypts fine, but I have
>> both keys on the same system again.
>>
>> My understanding of GPG is weak. Can someone point out my misconception(s)?
>>
> Hi,
>
> you need the recipient's public key to encrypt the message. This
> message will be decrypted with the recipient's private key.
>
> So if you encrypt something for yourself, you'll need your public key
> to encrypt and your public key to decrypt.
>
> Regards,
>
> Boris.

It looks like I've imported a pub/sec keypair now. Should I remove
the public key for security? Maybe I misunderstood from the beginning
and having both keys on the same system isn't a security issue?

- Grant
 
Old 09-09-2008, 04:49 PM
"Boris Fersing"
 
{OT} GPG: pub & sec keys required to decrypt?

On Tue, Sep 9, 2008 at 18:40, Sascha Hlusiak <saschahlusiak@arcor.de> wrote:
>
>> So if you encrypt something for yourself, you'll need your public key
>> to encrypt and your public key to decrypt.
>>
>
> Little correction, you need the PRIVATE key to decrypt. Everybody has the
> public key but since you don't want everybody to be able to decrypt, it's
> done with the private key. But you want everybody to encrypt things to you,
> so the public key is used for encryption.

Oh sorry, yes I meant private...


>
> Regards,
> Sascha
>
>
>



 
Old 09-09-2008, 04:50 PM
Matt Harrison
 
{OT} GPG: pub & sec keys required to decrypt?

> It looks like I've imported a pub/sec keypair now. Should I remove
> the public key for security? Maybe I misunderstood from the beginning
> and having both keys on the same system isn't a security issue?
>
> - Grant
>

It is still a security issue, but only as much as any other data on your
machine. Physical access to the box, or being remotely hacked will
always be a security risk.

And yes, if someone does break in and copy your pub/sec keypair, they
will have full ability to masquerade as you in signed and encrypted emails.

You have to weigh it up for yourself really. Many, many keep pub/sec
keypairs for their email on more than one machine. Of course it would be
a lot of work for someone to compromise your system for your gpg keys,
so your email would have to be of value to them.

Just my $0.02

Matt
 
Old 09-09-2008, 04:58 PM
"Boris Fersing"
 
{OT} GPG: pub & sec keys required to decrypt?

On Tue, Sep 9, 2008 at 18:50, Matt Harrison
<iwasinnamuknow@genestate.com> wrote:
>> It looks like I've imported a pub/sec keypair now. Should I remove
>> the public key for security? Maybe I misunderstood from the beginning
>> and having both keys on the same system isn't a security issue?
>>
>> - Grant
>>
>
> It is still a security issue, but only as much as any other data on your
> machine. Physical access to the box, or being remotely hacked will
> always be a security risk.
>
> And yes, if someone does break in and copy your pub/sec keypair, they
> will have full ability to masquerade as you in signed and encrypted emails.
>
> You have to weigh it up for yourself really. Many, many keep pub/sec
> keypairs for their email on more than one machine. Of course it would be
> a lot of work for someone to compromise your system for your gpg keys,
> so your email would have to be of value to them.

It's always possible to generate a revocation certificate and store
it in a safe place (CD, USB key etc.)

http://www.gnupg.org/gph/en/manual/c14.html

regards,

Boris.
>
> Just my $0.02
>
> Matt
>
>



 
Old 09-09-2008, 05:24 PM
Grant
 
{OT} GPG: pub & sec keys required to decrypt?

>> It looks like I've imported a pub/sec keypair now. Should I remove
>> the public key for security? Maybe I misunderstood from the beginning
>> and having both keys on the same system isn't a security issue?
>>
>> - Grant
>>
>
> It is still a security issue, but only as much as any other data on your
> machine. Physical access to the box, or being remotely hacked will
> always be a security risk.
>
> And yes, if someone does break in and copy your pub/sec keypair, they
> will have full ability to masquerade as you in signed and encrypted emails.
>
> You have to weigh it up for yourself really. Many, many keep pub/sec
> keypairs for their email on more than one machine. Of course it would be
> a lot of work for someone to compromise your system for your gpg keys,
> so your email would have to be of value to them.

Can I configure this so that I don't have the two keys on the same
system? I'd like to encrypt with my remote system and decrypt with my
local system. Is that possible? It seems like importing my private
key also imports the public key.

- Grant
 
Old 09-09-2008, 05:36 PM
Mike Edenfield
 
{OT} GPG: pub & sec keys required to decrypt?

Grant wrote:

> My understanding of GPG is weak. Can someone point out my misconception(s)?

Speaking from a purely practical standpoint, keeping your private and
public keys completely separate is extremely inconvenient with (IMO) a
negligible security benefit.


However, there is arguably a much bigger security issue with keeping
your private key on a remote server, particularly one you have no
control over. Pulling your keypair locally and doing any decryption
operations locally is a much easier, and more practical, improvement.


If you keep the two halves of your keypair physically separate, then an
attacker would need to get two distinct pieces of information in order
to break any encryption using your keys. For extremely high security
purposes, this may be a worthy benefit. For something like email, your
public key should be considered common knowledge anyway. If an attacker
can gain control of your private key, the extra burden of getting your
public key is insignificant.


Put another way: a file containing both your public and private key
contains essentially the same amount of secure information as a file
containing only your private key. So long as your private key is kept
secure, with or without your public key, your risks should be minimal.


--K
 
Old 09-09-2008, 05:45 PM
Mike Edenfield
 
{OT} GPG: pub & sec keys required to decrypt?

Grant wrote:

> Can I configure this so that I don't have the two keys on the same
> system? I'd like encrypt with my remote system and decrypt with my
> local system. Is that possible? It seems like importing my private
> key also imports the public key.


I'm a bit confused as to what you're trying to do. If you are
encrypting mail to other people, you should be using *their* public key,
not your own. The only case where you need your public key is to
encrypt mail to *yourself*; otherwise you don't need either of your keys
on the remote system.


As far as keeping your public key away from your secret key, I believe
it is possible to export just one or the other via gpg then import just
that key. But a quick glance through the GnuPG FAQ points out this
nugget of information:


"All OpenPGP secret keys have a copy of the public key inside them, and
in a worst-case scenario, you can create yourself a new public key using
the secret key.


A tool to convert a secret key into a public one has been included (it's
actually a new option for gpgsplit) and is available with GnuPG versions
1.2.1 or later (or can be found in CVS)."


So there's really no point in keeping the two separate.

--Mike
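The thread settles two points: which half of a keypair each operation needs (public key to encrypt and verify, secret key to decrypt and sign, as Sascha corrected), and the GnuPG FAQ note that the secret key already contains the public half, so keeping them apart buys nothing. The following is an added example written for this thread, not code from any of the posters or from GnuPG. It uses textbook RSA with tiny, constructed Mersenne primes and no padding, purely to make the key roles visible; `PublicKey`, `SecretKey`, `public_from_secret` and `demo` are names invented here, and the `public_from_secret` step stands in for what the FAQ says `gpgsplit` can do with a real OpenPGP secret key.

```python
"""Which half of an RSA keypair does each operation need? (toy illustration)

Added example for this thread, not code from the posts or from GnuPG.
Textbook RSA, no padding, tiny primes: an illustration of key roles only,
never usable as real cryptography.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from math import gcd

# Constructed demo primes (Mersenne primes 2^61-1 and 2^89-1). Far too small
# for real use, but n ~ 2^150 is enough to hold a short message in one block.
DEMO_P = 2**61 - 1
DEMO_Q = 2**89 - 1


@dataclass(frozen=True)
class PublicKey:
    """What everybody may hold: encrypts to you, verifies your signatures."""
    n: int
    e: int


@dataclass(frozen=True)
class SecretKey:
    """What only you hold. It carries n and e as well as d: the public half
    is embedded, which is the point the GnuPG FAQ quoted above makes."""
    n: int
    e: int
    d: int


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[PublicKey, SecretKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return PublicKey(n, e), SecretKey(n, e, d)


def public_from_secret(sk: SecretKey) -> PublicKey:
    """Rebuild the public key from the secret key alone: deleting the
    exported public key therefore removes no secret information."""
    return PublicKey(sk.n, sk.e)


def encrypt(pk: PublicKey, message: bytes) -> int:
    """Sender side: needs only the recipient's PUBLIC key."""
    m = int.from_bytes(message, "big")
    if m >= pk.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pk.e, pk.n)


def decrypt(sk: SecretKey, ciphertext: int) -> bytes:
    """Receiver side: needs the SECRET key, since d lives only there.
    (Leading zero bytes of the plaintext are not preserved by this toy.)"""
    m = pow(ciphertext, sk.d, sk.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sk: SecretKey, message: bytes) -> int:
    """Signing needs the SECRET key: whoever copies it can masquerade as you."""
    return pow(_digest_int(message, sk.n), sk.d, sk.n)


def verify(pk: PublicKey, message: bytes, signature: int) -> bool:
    """Verification needs only the PUBLIC key."""
    return pow(signature, pk.e, pk.n) == _digest_int(message, pk.n)


def demo() -> dict[str, bool]:
    """Run all four operations once and report which checks hold."""
    pk, sk = make_keypair(DEMO_P, DEMO_Q)
    note = b"meet at noon"  # constructed sample message
    ct = encrypt(pk, note)
    sig = sign(sk, note)
    return {
        "roundtrip_ok": decrypt(sk, ct) == note,
        "signature_ok": verify(pk, note, sig),
        "tampered_rejected": not verify(pk, b"meet at one", sig),
        "public_recoverable": public_from_secret(sk) == pk,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `demo` dictionary should come back all `True`: the ciphertext and the signature check only need `PublicKey`, the two operations Grant cares about on his local machine need `SecretKey`, and `public_recoverable` shows why a host that holds the secret key is, for an attacker, no better off or worse off for also holding the public key.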
 
