#1 2021-12-12 13:29:09

christopherisnow
Member
Registered: 2018-05-19
Posts: 55

Pass & GPG migration confusion [SOLVED]

Wondering how to correct an improper migration of Pass & GPG from an old BL installation to a fresh one.

I recently reinstalled Lithium and wasn't aware of this procedure for exporting GPG keys.

So I copied my .gnupg and .password-store folders over from my /home backup, ran `pass init`, and entered my old password. Pass recognizes the store and outputs my passwords, but I get this error:

gpg: WARNING: unsafe permissions on homedir '/home/user/.gnupg'

To avoid future issues I'd like to sort this now. Any tips? Hopefully I don't have to restore a backup of the old / and export the keys from there?

Last edited by christopherisnow (2021-12-17 14:01:07)

Offline

#2 2021-12-13 04:58:47

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,615
Website

Re: Pass & GPG migration confusion [SOLVED]

Check your .gnupg in the backup and make sure permissions on, and on the files inside, ~/.gnupg match. They are - should be - rather restrictive.

For example, for me:

john@lithium:~$ ls -l -a ~/ | grep .gnupg
drwx------  4 john john   4096 Oct 18 15:27 .gnupg
john@lithium:~$ ls -l .gnupg
total 88
drwx------ 2 john john  4096 Nov  8  2018 crls.d
drwx------ 2 john john  4096 Oct 18 15:31 private-keys-v1.d
-rw-r--r-- 1 john john 11055 Oct 18 15:19 pubring.kbx
-rw-r--r-- 1 john john 10995 Dec 17  2020 pubring.kbx~
-rw------- 1 john john   600 Nov 24 14:41 random_seed
-rw-r--r-- 1 john john 49152 Oct 18  2019 tofu.db
-rw------- 1 john john  1280 Oct 18 15:27 trustdb.gpg

...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )

Introduction to the Bunsenlabs Lithium Desktop

Online

#3 2021-12-14 14:38:45

christopherisnow
Member
Registered: 2018-05-19
Posts: 55

Re: Pass & GPG migration confusion [SOLVED]

Here is the output from the backup:

$ ls -l .gnupg

-rwxrwxrwx 1 christopher christopher     24 Feb 18  2021 gpg-agent.conf
drwxrwxrwx 1 christopher christopher 131072 Feb 17  2021 openpgp-revocs.d
drwxrwxrwx 1 christopher christopher 131072 Feb 17  2021 private-keys-v1.d
-rwxrwxrwx 1 christopher christopher   1978 Feb 17  2021 pubring.kbx
-rwxrwxrwx 1 christopher christopher     32 Feb 17  2021 pubring.kbx~
-rwxrwxrwx 1 christopher christopher    600 Dec  3 12:00 random_seed
-rwxrwxrwx 1 christopher christopher   1280 Feb 17  2021 trustdb.gpg

What to do?

Offline

#4 2021-12-15 07:52:16

Naik
Member
From: the edge of insanity
Registered: 2015-10-03
Posts: 315

Re: Pass & GPG migration confusion [SOLVED]

Hey there!
You may go ahead and change file/folder permissions in terminal:

chmod 700 ~/.gnupg
cd ~/.gnupg
chmod 700 ./crls.d
chmod 700 ./private-keys-v1.d 
chmod 644 ./pubring.kbx
[...]

For further understanding of the permission numbers please read here.
Please note that I just assumed that @johnraff's permissions are right (because I have no reason to doubt this), but in fact I don't know what is assumed "safe" here. But as johnraff already said, they are rather restrictive and thus should be fine.

naik --greetz


"Kaum macht [Mensch]* es richtig, funktioniert es sofort!"
BL-Kitchen on GitHub

Offline

#5 2021-12-15 08:21:38

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,615
Website

Re: Pass & GPG migration confusion [SOLVED]

As @Naik said, with the addition (inside .gnupg) of

chmod 600 ./random_seed
chmod 600 ./trustdb.gpg

Then you also need to check the permissions on the contents of those two sub-directories. If they're like the others you posted, then your private keys (inside private-keys-v1.d), at least, will definitely need their permissions reduced to 600.

After that you should have a think about why your backup had the wrong permissions. It reduces the validity of your backup quite a bit.

Online
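
The chmod steps from the two replies above, applied to the whole directory tree in one pass. This is an added example, not code from any poster; it assumes GNU find, the function names are made up here, and the demo tree is constructed to mimic the all-777 backup listing.

```sh
#!/bin/sh
# Added example: audit and tighten a GnuPG home directory.
# Policy used: 700 on directories, 600 on files. That is stricter than
# the 644 shown for pubring.kbx earlier in the thread.
# Requires GNU find (-perm /077), as shipped on Debian-based systems.

# List every directory or file under $1 that grants any group/other bit.
gnupg_audit() {
    find "$1" \( -type d -o -type f \) -perm /077 -print
}

# Tighten modes under $1. Ownership is left untouched.
gnupg_tighten() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed demo: build a throwaway tree with 777 everywhere, then
# print "<findings before> <findings after>".
gnupg_demo() {
    demo=$(mktemp -d) || return 1
    home="$demo/.gnupg"
    mkdir -p "$home/private-keys-v1.d" "$home/openpgp-revocs.d"
    : > "$home/pubring.kbx"
    : > "$home/trustdb.gpg"
    : > "$home/random_seed"
    : > "$home/private-keys-v1.d/constructed.key"
    chmod -R 777 "$home"

    before=$(gnupg_audit "$home" | wc -l | tr -d ' ')
    gnupg_tighten "$home"
    after=$(gnupg_audit "$home" | wc -l | tr -d ' ')

    rm -rf "$demo"
    echo "$before $after"
}

gnupg_demo
```

On a real system, run `gnupg_audit ~/.gnupg` first and read the list before calling `gnupg_tighten ~/.gnupg`.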

#6 2021-12-15 10:41:00

christopherisnow
Member
Registered: 2018-05-19
Posts: 55

Re: Pass & GPG migration confusion [SOLVED]

Thank you both, the error is now gone. I never changed my gpg permissions on the last BL installation. Just ran `init`, set up keys and a password and never had any problems. No idea how the permissions ended up as above.

Should one (always) set up gpg permissions manually?

What is the correct way to back up pass/gpg, actually, if not simply to copy their directories?

Offline

#7 2021-12-15 14:40:15

twoion
一期一会
Registered: 2015-08-10
Posts: 3,436

Re: Pass & GPG migration confusion [SOLVED]

christopherisnow wrote:

Thank you both, the error is now gone. I never changed my gpg permissions on the last BL installation. Just ran `init`, set up keys and a password and never had any problems. No idea how the permissions ended up as above.

Should one (always) set up gpg permissions manually?

What is the correct way to back up pass/gpg, actually, if not simply to copy their directories?

The problem with the concept of the home directory is that by default (unless you jail any applications running as your user using tools like firejail or selinux or apparmor, limiting what they can see and do even if they run under your user account's permissions) every process can put a file there.

gnupg sets up its ~/.gnupg directory with permission 700 on directories and 600 on files and sockets. Now, if any process puts an extra file there, gnupg will work just fine but because any file there now has permissions with let's say 750 or 640 and suchlike, it'll start complaining. Same goes if a tool changes permissions on one of gnupg files.

As for backing ~/.gnupg up, tools that preserve numeric ownership and file permissions work best. If you back up using cp, use cp --archive which means preserve links, ownership, modes and timestamps as they are. Otherwise, the so-called umask which governs the default mode of files created by a specific process takes effect with often unpredictable consequences, as umask settings can be inherited but also enforced by system configuration. cp has "--archive", tar has "--numeric-owner --acls --xattrs -p" (see man page for meaning), and rsync has "--archive -HAX" parameters. In my experience, GNU tar and rsync have the best capabilities to control preservation of files to the extent that they can be safely used to clone your root file system to a new disk, pull the old disk out and immediately boot from the cloned disk without errors on the rootfs (probably not without adjusting the bootloader config, but even that can be avoided by using an appropriate setup).

Offline
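
A tar round trip with a mode check afterwards, showing what `-p` changes on restore when a restrictive umask is in force. This is an added example, not code from the post; it assumes GNU tar and GNU find, uses only the `--numeric-owner` and `-p` options from the list above, and the function names and sample tree are constructed.

```sh
#!/bin/sh
# Added example: back up a directory with tar, restore it, compare modes.
# Requires GNU tar and GNU find (-printf).

# Emit "mode path" for every entry under $1, relative to $1, sorted by path.
mode_manifest() {
    (cd "$1" && find . -printf '%m %p\n' | sort -k2)
}

# Archive directory $1 into tarball $2, recording numeric owners and modes.
backup_dir() {
    tar --numeric-owner -cpf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# Extract tarball $1 under $2; -p keeps recorded modes regardless of umask.
restore_dir() {
    mkdir -p "$2" && tar --numeric-owner -xpf "$1" -C "$2"
}

# Succeed only when $1 and $2 hold the same paths with the same modes.
same_modes() {
    [ "$(mode_manifest "$1")" = "$(mode_manifest "$2")" ]
}

# Constructed demo: restore once with -p and once with the umask applied.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    src="$work/src/.gnupg"
    mkdir -p "$src/private-keys-v1.d"
    : > "$src/pubring.kbx"
    : > "$src/private-keys-v1.d/constructed.key"
    chmod 700 "$src" "$src/private-keys-v1.d"
    chmod 644 "$src/pubring.kbx"
    chmod 600 "$src/private-keys-v1.d/constructed.key"

    backup_dir "$src" "$work/gnupg.tar"
    (umask 077; restore_dir "$work/gnupg.tar" "$work/with_p")
    (umask 077; mkdir "$work/no_p" &&
        tar --no-same-permissions -xf "$work/gnupg.tar" -C "$work/no_p")

    same_modes "$src" "$work/with_p/.gnupg" && r1=preserved || r1=changed
    same_modes "$src" "$work/no_p/.gnupg" && r2=preserved || r2=changed
    rm -rf "$work"
    echo "$r1 $r2"
}

roundtrip_demo
```

Running `same_modes` against the original after any restore is a quick way to catch a copy that silently rewrote permissions.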

#8 2021-12-15 15:13:18

christopherisnow
Member
Registered: 2018-05-19
Posts: 55

Re: Pass & GPG migration confusion [SOLVED]

As for backing ~/.gnupg up, tools that preserve numeric ownership and file permissions work best.

I always back up with rsync, but I think I used cp to put .gpg on my new /home directory (just copied a few essential config files at first before restoring the bulk of my data with rsync). Perhaps this was the cause of the problem.

To finish this up... is the failsafe way to back up .gpg:

1. make a tarball,
2. back up the .gpg folder as is (and restore) with rsync, or
3. simply export and import the keys as described here

?

Offline

#9 2021-12-16 07:28:08

Naik
Member
From: the edge of insanity
Registered: 2015-10-03
Posts: 315

Re: Pass & GPG migration confusion [SOLVED]

Hey!
I use rsync (without the use of tar) for all my backups and never had any trouble, but when there is a method provided by gnupg itself for this scenario, I will eventually go to use this one. Thanks for sharing the link!

naik --greetz

Offline
