cr0wbar n00b

Joined: 27 Oct 2021 Posts: 7
Posted: Wed Oct 27, 2021 9:46 am Post subject: [Solved] Gpg can’t decrypt: invalid cipher mode
Can’t use pass in gentoo for some passwords. Decryption fails only since I have started using a new key: new passwords fail to decrypt with an "invalid cipher mode" error, while old passwords reencrypted using the new key work just fine. Passwords were reencrypted on a macOS box using gpg 2.3.2, using the latest version available in gentoo.
Code:
gpg (GnuPG/MacGPG2) 2.2.27
libgcrypt 1.8.7
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Any ideas on why that might be happening and how to fix it?
Last edited by cr0wbar on Thu Oct 28, 2021 10:43 pm; edited 1 time in total
mike155 Advocate

Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Wed Oct 27, 2021 1:45 pm
Hi cr0wbar,
welcome to the Gentoo forums!
I completely fail to understand your post. A command "pass" doesn't exist on my Gentoo machine. And why do you want to encrypt passwords? Please tell us what you want to achieve and show us the commands you use. Please post the output of "emerge --info app-crypt/gnupg".
Mike
Hu Administrator

Joined: 06 Mar 2007 Posts: 23193
Posted: Wed Oct 27, 2021 3:31 pm
This might be from app-admin/pass, which, as I understand it, is a wrapper around using gnupg to maintain encrypted text files, where the decrypted contents are your usernames+passwords for various services. mike155's requests look like a good start to me.
mike155 Advocate

Posted: Wed Oct 27, 2021 4:03 pm
@Hu: thanks, now it starts to make sense
The homepage explains how it works:
Quote:
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.
mike155 Advocate

Posted: Wed Oct 27, 2021 4:34 pm
- Do I understand correctly that "pass show" works for some passwords and that it does not work for some other passwords?
Please chdir to your password store directory and analyze the encrypted password files with 'file':
Code:
# cd ~/.password-store
# file ./Amazon/amazonemail@email.com.gpg
./Amazon/amazonemail@email.com.gpg: PGP RSA encrypted session key - keyid: FC2C3F85 4F5692B7 RSA (Encrypt or Sign) 4096b .
Is there a difference in the encryption format (in the example above: 'PGP RSA encrypted session key 4096b') between the key files that work and those that don't work?
You wrote that the issue started when you created a new key? Please run
Code:
gpg --list-public-keys
The command will show your keys and also their algorithms ('rsa4096' for example). Is there a difference in the algorithm between your old key and your new key?
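A diagnostic to complement the 'file' check above, added here as an example that is not from the thread, from pass, or from GnuPG: it walks the OpenPGP packet headers of a binary password-store .gpg file and reports the PKESK public-key algorithm and key size together with the tag of the encrypted-data packet, so files that decrypt and files that fail can be compared without decrypting anything. The SAMPLE bytes, key id and MPI contents are constructed.

```python
# Public-key algorithm ids and encrypted-data packet tags from RFC 4880
# (tag 20 comes from the OpenPGP draft that GnuPG 2.3 implements).
PUBKEY_ALGOS = {1: "RSA", 16: "ELG", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EDDSA"}
DATA_TAGS = {9: "SED (tag 9, no integrity protection)", 18: "SEIPD (tag 18)",
             20: "AEAD encrypted data (tag 20, OpenPGP draft)"}

def _header(buf, pos):
    """Return (tag, body_offset, body_len) for the packet starting at pos."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("no OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, 1 << (first & 0x1F)     # partial length: first chunk
    tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03     # old-format header
    if lentype == 3:                                 # indeterminate: to end of buffer
        return tag, pos + 1, len(buf) - pos - 1
    n = 1 << lentype
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def describe(buf):
    """List the PKESK and encrypted-data packets of an OpenPGP message (bytes)."""
    out, pos = [], 0
    while pos < len(buf):
        tag, off, n = _header(buf, pos)
        if tag == 1 and buf[off] == 3:               # PKESK v3: key id(8), algo(1), MPI
            keyid = buf[off + 1:off + 9].hex().upper()
            algo = PUBKEY_ALGOS.get(buf[off + 9], "algo %d" % buf[off + 9])
            bits = int.from_bytes(buf[off + 10:off + 12], "big")   # MPI bit count
            out.append("PKESK keyid=%s %s %db" % (keyid, algo, bits))
        elif tag in DATA_TAGS:
            out.append(DATA_TAGS[tag])
            break                                    # encrypted data is the last packet
        pos = off + n
    return out

# Constructed sample (not a real pass entry): 4096-bit RSA PKESK with an
# old-format header and 2-byte length, then a tag-18 SEIPD packet.
SAMPLE = (b"\x85\x02\x0c\x03" + bytes.fromhex("0011223344556677") + b"\x01"
          + (4096).to_bytes(2, "big") + b"\x00" * 512
          + b"\xd2\x0a\x01" + b"\x00" * 9)
```

Run it on a real entry with `describe(open("Amazon/x.gpg", "rb").read())`; it expects binary output as pass writes it, not ASCII-armored files. A working and a failing file that differ only in the encrypted-data tag point at a packet type the older gpg/libgcrypt pair cannot handle.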
cr0wbar n00b

Posted: Wed Oct 27, 2021 7:13 pm
Apologies, I should have provided more context.
Yeah, pass is a gpg wrapper for storing passwords in separate files encrypted with gpg. The idea is that the files where the passwords are stored are hosted on a private repo to keep them synced across different places, and are stored safely because they are encrypted with gpg. It is possible to decrypt and reencrypt all the files where the passwords are stored with a single command "pass init <new_key_id>", which will decrypt all the files and reencrypt their content with the new key.
I have a mac, with gnupg 2.3.2 and libgcrypt 1.9.4, where I have reencrypted the passwords, going from a rsa2048 key to a rsa4096 key.
I can decrypt the keys just fine on the mac.
However, on gentoo with gnupg 2.2.32 and libgcrypt 1.8.8 I can decrypt files that were originally encrypted with the rsa2048 key and reencrypted with the new rsa4096 one, but cannot decrypt new files encrypted only with the new rsa4096 key, which is odd. This is the error I get:
Code:
gpg: encrypted with 4096-bit RSA key, ID <ID>, created <date>
"KEY DESC <MAILADDRESS>"
gpg: decryption failed: Invalid cipher mode
I have manually downloaded libgcrypt 1.9.4, installed it in /opt, and ran
Quote:
LD_LIBRARY_PATH=/opt/lib
gpg has now picked up the new version of libgcrypt, which is confirmed by the output of gpg --version:
Code:
gpg (GnuPG) 2.2.32
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/gdc/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
and now gpg --decrypt works just fine, which is nice, but probably indicates something is wrong with libgcrypt.
cr0wbar n00b

Posted: Wed Oct 27, 2021 7:26 pm
Solved by adding
Code:
dev-libs/libgcrypt ~amd64
to
Code:
/etc/portage/package.accept_keywords
Not great to have a testing version, but it worked just fine.
Hu Administrator

Posted: Wed Oct 27, 2021 7:31 pm
The newer version of libgcrypt probably offers, and your Mac used, a cipher that does not work in the v1.8.x line.
You could change your accept_keywords entry to be version-locked, so that it enables you to use the testing version that works, but does not bring you ever newer testing versions.
/etc/portage/package.accept_keywords:
Code:
~dev-libs/libgcrypt-1.9.4
See man 5 ebuild for the full syntax for atoms you can use here. Eventually, 1.9.4 will become stable and you can remove the entry. With the change I propose, Portage will not offer you 1.9.5 and later until those also become stable.
mike155 Advocate

Posted: Wed Oct 27, 2021 7:55 pm
cr0wbar wrote:
Not great to have a testing version but it worked just fine
It's quite common to have _a few_ packages in package.accept_keywords.
Follow the advice of Hu. You can remove libgcrypt from package.accept_keywords as soon as libgcrypt 1.9.4 is stabilized.
cr0wbar n00b

Posted: Thu Oct 28, 2021 8:29 am
That’s great advice, I am still learning about gentoo and that really helps. Thank you guys!