Hi,
I cannot decrypt emails anymore.
The error message is pretty clear about that, however I don't understand
how to fix this issue.
Some additional information:
I exported the PGP keys to a secure card (Yubikey 5), but this is
broken and not usable anymore.
Is it possible to decrypt messages w/o this secure card?
Please advise how to fix this issue.
THX
Last edit: Thomas Schneider 2020-08-10
Hi Thomas, first: Did you export an existing key to the card or create one on-card? If you exported an existing key, do you have a copy/backup of your keyring? Second: Does the card report to be valid using gnupg command line (gpg --card-status)? Are you able to sign a message using the CLI (echo test | gpg --clearsign | cat)? (The last command may not work 1:1 on Windows, use test files there.) Olav
Hi Olav,
I created the key on my desktop PC, in this case Arch Linux, and exported the keys to secure card.
In addition I created a backup of any key (private, sub, ...).
Yes, the secure card is reported to be valid.
This means I was able to customize the card and enter attributes like name, URL, etc.
Regards
Thomas
Last edit: Thomas Schneider 2020-08-10
I'm on Arch, too. Did you try "echo test | gpg --clearsign | cat"?! If this does not pop up a passphrase entry dialog, you're probably just lacking that. But that would be the same for non card-based keys, so probably that's not the cause. Anyway, can you sign?
Honestly I cannot answer this because I created the keys in May and didn't perform any test for sign and decrypt.
However I used the encryption successfully with Thunderbird+Enigmail when sending and receiving emails. I just can't remember if there was a pop-up for a passphrase or not.
But I would focus on the current issue: Enigmail complains about missing private key, but the key properties confirm that a key pair is existing.
Enigmail kind of cannot complain itself, because it just doesn't handle the keys in crypto operations at all. It just tells GnuPG to do the job. GnuPG throws that error, and Enigmail reports it. That's why I urge to debug without Enigmail. If you can't sign on CLI, it's not an Enigmail issue but with underlying components.
To mitigate this issue I have deleted my key from Enigmail.
Then I started to reimport the private key (from my backup) to GnuPG using this command and there was no error:
In Enigmail I can verify this and display the key properties showing type "key pair".
However the issue is not solved.
What's also weird is that the subkeys are marked as "Stub".
It is true that I have exported the subkeys to a secure key (Yubikey 5), however the keys don't exist on the secure key anymore and I think "Stub" should be removed from subkeys.
So you deleted public AND secret key, yes? You'd also have to reset the card since it's rebuilt from the card otherwise. Re-importing allows you to take notes on all steps, but should yield the same (non-working) result. Mind that merging secret keys at least some years ago wasn't possible, so make sure you really clean start.
Since you have a backup, I'd do this to investigate:
create a new non-card test key, verify that operations work: sign/verify, encrypt/decrypt
create a new on-card test key, try if you can sign on CLI, only then try with Enigmail
It most probably is not an Enigmail issue and you should ask Yubikey and GnuPG forums/lists for help. It would be helpful for other Enigmail users if you could post your findings/solution here, too.
Last edit: Olav Seyfarth 2020-08-10
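The "Stub" marking discussed above can be checked without Enigmail. The following is an added example, not part of the original thread: it classifies each secret key by field 15 of GnuPG's `--with-colons` listing (`#` for a bare stub, `+` for locally stored key material, otherwise the serial number of the card holding the key). The key IDs, card serial and user ID in the sample listing are constructed.

```shell
#!/bin/sh
# Constructed sample shaped like `gpg --list-secret-keys --with-colons`.
# Key IDs, the card serial number and the user ID are made up for illustration.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1588291200:::u:::scESC:::#:
uid:u::::1588291200::CONSTRUCTED::Test User <test@example.invalid>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1588291200::::::e:::D2760001240103040006000000010000:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1588291200::::::s:::+:
EOF
}

# Read a colon listing on stdin and print one line per secret key:
#   <record type> <key id> <capabilities> <where the secret part lives>
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            tok = $15                      # token field of sec/ssb records
            if (tok == "#")      where = "stub-only"   # no secret material here
            else if (tok == "+") where = "local"       # secret key in the keyring
            else if (tok == "")  where = "unknown"     # field not filled in
            else                 where = "card:" tok   # stub pointing at a card
            printf "%s %s %s %s\n", $1, $5, $12, where
        }'
}

# Print the key IDs of encryption-capable keys whose secret part is on a card.
# Lower-case "e" in field 12 is the capability of that key itself.
needs_card() {
    classify_secret_keys | awk '$3 ~ /e/ && $4 ~ /^card:/ { print $2 }'
}

# Demo on the constructed sample; for a real keyring run:
#   gpg --list-secret-keys --with-colons | classify_secret_keys
sample_listing | classify_secret_keys
```

A `card:` entry on the encryption subkey means decryption needs that card, or secret key material from a backup taken before the key was moved to the card.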
Update:
I have generated a new key pair and revoked my old key.
There are no issues with Enigmail as of now, I just can't decrypt the emails with the old key.
Last edit: Thomas Schneider 2020-08-13
Good to have backups, so you can restart :)
I'm on Arch, too. Did you try "echo test | gpg --clearsign | cat"?! If this does not pop up a passphrase entry dialog, you're probably just lacking that. But that would be the same for non card-based keys, so probably that's not the cause. Anyway, can you sign?
There's no pop-up asking for a passphrase.
But there definitely was one before you exported your key to the card? So on that system, you were able to sign and decrypt, yes?
Did you mean "I just can't decrypt the emails with the old key."? At least that's what you wrote in your initial post.
This is correct.
I have adjusted my previous posting.