Alias or symlink in ~/.gnupg is not followed, and GPG Keychain creates files in \MACOSXROOT\Users\<username>\.gnupg\ regardless. What am I doing wrong?

Jim

21 Apr, 2015 04:59 AM

GPG Keychain 1.2b6

Following http://support.gpgtools.org/discussions/problems/21694-trying-to-sa..., I used the terminal to navigate to the root of my user account, <mac hdd>\Users\<username>\, and I ran the command:
ln -s /Volumes//gnupg ~/.gnupg

Next I run GPG Keychain.

I look into <mac hdd>\Users\<username>\.gnupg\ and voila! A whole new set of key files and database is created. The .gnupg symlink is not followed. I must have done something incorrectly.

What did you expect instead

Symlink would be followed and it would read from my external USB drive at /Volumes//gnupg

Describe steps leading to the problem.

See above. I also tried copying the symlink to my user root folder. That didn't work either.

Like I said above, I think it's something simple I'm missing.

  1. Support Staff 1 Posted by Mento on 29 Apr, 2015 10:54 AM

    Hi Jim,

    Which format does the volume you put the gnupg directory on have? It should be HFS+.
    Did you (re)move ~/.gnupg before running ln?
    What's the output of the following command? Run this after ln and before you do anything else. Edit its output and remove any sensitive data you don't want to show.

    ls -al ~/.gnupg
    

    Regards, Mento

  2. Support Staff 2 Posted by Steve on 04 Jun, 2015 04:05 PM

    Closing, since no further user feedback was received. Should your problem persist, feel free to re-open this discussion any time.

    All the best, steve

  3. Steve closed this discussion on 04 Jun, 2015 04:05 PM.

  4. Mento re-opened this discussion on 12 Nov, 2015 12:37 PM

  5. Support Staff 3 Posted by Mento on 12 Nov, 2015 12:37 PM

    Message from Jim:

    I have set up an external drive as OS X extended, HFS+ isn't shown in the El Capitan interface anymore if I recall.

    I believe I ran the commands correctly from my user $home:

    jimt:~ jim$ ls -s //Volumes/MyStuff/ring/GnuPG ~/.gnupg
    //Volumes/MyStuff/ring/GnuPG: total 0
    0 secring.gpg
    
    /Users/jim/.gnupg: total 1048
    8 GnuPG  8 gpg.conf  8 random_seed  0 RevCerts  0 private-keys-v1.d  8 trustdb.gpg  0 S.gpg-agent  504 pubring.gpg  8 gpg-agent.conf  504 pubring.gpg~
    jimt:~ jim$ pwd
    /Users/jim
    jimt:~ jim$ ls -la
    total 176
    drwxr-xr-x@  39 jim  staff   1326  7 Nov 20:10 .
    drwxr-xr-x    7 root admin    238 25 Oct 12:13 ..
    -r--------    1 jim  staff      7 13 Mar  2015 .CFUserTextEncoding
    -rw----r--@   1 jim  staff  38916  7 Nov 20:12 .DS_Store
    drwx---r-x@   3 jim  staff    102 18 Apr  2014 .DownloadManager
    drwx------    2 jim  staff     68  7 Nov 20:10 .Trash
    -rw----r--+   1 jim  staff      0  1 Apr  2010 .Xauthority
    -rw----r--+   1 jim  staff   7841  7 Nov 20:07 .bash_history
    drwxr-xr-x    8 jim  staff    272  7 Nov 20:08 .bash_sessions
    -rw----r--+   1 jim  staff  20100 16 Dec  2011 .crash_report_preview
    -rw----r--+   1 jim  staff     83 16 Dec  2011 .crash_reportrc
    drwx---r-x+   3 jim  staff    102 27 Dec  2007 .cups
    drwx---r-x+ 178 jim  staff   6052  6 Nov 21:37 .dvdcss
    drwx---r-x+   9 jim  staff    306  1 Apr  2010 .fontconfig
    drwx------   13 jim  staff    442  7 Nov 19:48 .gnupg
    (cut of listing here)
    

    Where should I see the alias?

    Jim

  6. Support Staff 4 Posted by Mento on 12 Nov, 2015 12:46 PM

    Hi Jim,

    first make sure you have a backup of ~/.gnupg directory.
    Next you have to move every file inside ~/.gnupg to the new location and then remove the directory ~/.gnupg.

    Here is the right command to create the link:

    ln -s /Volumes/MyStuff/ring/GnuPG ~/.gnupg
    

    Regards, Mento
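A worked version of the procedure Mento lays out above (back up, move the contents, remove the directory, then `ln -s`), ending with the `ls -al ~/.gnupg` check he asked for earlier in the thread. This is an added example, not code from the thread or from GPGTools. The destination /Volumes/MyStuff/ring/GnuPG in the usage line is the path Jim used; the backup file name, the function names and the mode-700 check are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the GPGTools thread: relocate an existing ~/.gnupg
# onto a removable volume and replace it with a symlink, with the checks Mento
# asked for (backup first, move the contents, remove the directory, then ln -s).
# All paths are parameters; the ones in the usage line below are hypothetical.

set -u

# The destination must live on a mounted, writable volume. GnuPG also wants
# POSIX permissions, so a FAT-formatted stick will not do (HFS+/APFS will).
require_volume() {
    [ -d "$1" ] && [ -w "$1" ]
}

# migrate_gnupg_home SRC DST: tar SRC up as a backup beside DST, move every
# entry of SRC (dotfiles included) into DST (mode 700), rmdir SRC, symlink it.
migrate_gnupg_home() {
    src="$1"; dst="$2"
    case "$dst" in /*) ;; *) echo "DST must be an absolute path" >&2; return 1 ;; esac
    [ -d "$src" ] || { echo "no directory: $src" >&2; return 1; }
    [ -L "$src" ] && { echo "$src is already a symlink" >&2; return 1; }
    require_volume "$(dirname "$dst")" || { echo "target volume not usable: $(dirname "$dst")" >&2; return 1; }

    backup="$(dirname "$dst")/gnupg-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$backup" -C "$(dirname "$src")" "$(basename "$src")" || return 1

    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    # find, not `mv $src/*`: the glob would silently skip dotfiles such as .DS_Store.
    ( cd "$src" && find . -mindepth 1 -maxdepth 1 -exec mv -- {} "$dst"/ \; ) || return 1
    rmdir "$src" || return 1          # loud failure if anything was left behind
    ln -s "$dst" "$src"
}

# verify_gnupg_link LINK: what `ls -al ~/.gnupg` should show afterwards, a symlink
# whose target is a directory with mode 700 (find -perm 700 is an exact match).
verify_gnupg_link() {
    link="$1"
    [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
    target="$(readlink "$link")"
    [ -d "$target" ] || { echo "dangling link: $link -> $target" >&2; return 1; }
    [ -n "$(find "$target" -maxdepth 0 -perm 700)" ] || { echo "$target is not mode 700" >&2; return 1; }
}

# Usage (hypothetical paths): sh migrate-gnupg.sh ~/.gnupg /Volumes/MyStuff/ring/GnuPG
if [ $# -eq 2 ]; then
    migrate_gnupg_home "$1" "$2" && verify_gnupg_link "$1" && ls -al "$1"
fi
```

Run it with gpg-agent stopped and GPG Keychain closed, since an agent holding files open in the old directory would make the rmdir fail. The second run on the same path refuses to proceed because ~/.gnupg is by then already a symlink, which is exactly the state Jim's first attempt never reached.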

  7. 5 Posted by Jim Taylor on 12 Nov, 2015 08:13 PM

    Hello Mento,

    Excellent! Thanks for your reply, I will give it a try and let you know.

    Thank you for bridging the gap between gnupg and my weak unix (os x unix) terminal skills.

    Jim T

  8. 6 Posted by Jim on 15 Nov, 2015 07:46 AM

    Hello Mento,

    So I tried it and after moving the files to the USB it works.

    BUT one small problem... I can't eject the USB drive now because OS X says a program is using it.

    What I'm trying to get to is the functionality of PGP 2.6.2 days from the 90's, where you would keep your keys off the machine and only connect the media containing the keys when you needed to encrypt or decrypt. I don't want some background process having its fingers in the secret sauce all the time and, what's more, have the secret keys vulnerable to other processes copying and doing something malicious with the keyfiles.

    Can you advise on how I would set up Gnupg for this?

    Thanks again.

    • Jim
  9. 7 Posted by Jim on 23 Nov, 2015 06:10 AM

    Starting a new discussion because my last reply is really a branch of the issue.

  10. Support Staff 8 Posted by Mento on 23 Nov, 2015 01:08 PM

    Hi Jim,

    do you want to use USB drive on a single computer?
    If that's the case you can move only your secret keys to the USB drive:
    1.) Remove the symlink and move .gnupg back in your home directory.
    2.) Move ~/.gnupg/secring.gpg to the USB drive (e.g. /Volumes/MyStuff/ring/secring.gpg)
    3.) Add the following lines to ~/.gnupg/gpg.conf:

    no-default-keyring
    secret-keyring /Volumes/MyStuff/ring/secring.gpg
    

    Regards, Mento

  11. 9 Posted by Jim Taylor on 25 Nov, 2015 05:16 AM

    Hello Mento,

    I want GPG to look at the USB drive when it needs the keys, but the rest of the time I don't want any process having its hooks into the USB drive, because I want that USB drive disconnected from the system.

    Basically I want my keys not connected to any computer network or any computer most of the time. I only want them connected when I'm actually encrypting or decrypting.

    Jim T

  12. Support Staff 10 Posted by Mento on 25 Nov, 2015 10:15 AM

    Hi Jim,

    So the method I mentioned in my last post is the right one for you.
    It keeps your secret key away from your machine.
    You can still verify signatures and encrypt files/mail without the USB drive. Only to decrypt or sign do you have to attach the USB drive.

    Regards, Mento

  13. 11 Posted by Jim Taylor on 25 Nov, 2015 04:33 PM

    Hello Mento,

    Thanks again. I will reconfigure and try that.

    Very best regards,

    Jim T

  14. 12 Posted by Jim on 27 Nov, 2015 04:15 AM

    Hello Mento, Steve,

    I deleted the symbolic link ~/.gnupg and re-ran gpg to have it create ~/.gnupg/

    Then I added the lines
    no-default-keyring
    secret-keyring /Volumes/MyStuff/ring/secring.gpg

    to the top of gpg.conf

    Then I rebooted and connected the MyStuff volume above. Then I ran gpg: no keys are shown. I tried encrypting a file. No keys are available to select.

    I'm thinking there is some basic step I'm missing. I did a forum search to see if there are other things I need to do when using no-default-keyring but didn't find any topics that seemed related other than https://gpgtools.tenderapp.com/discussions/problems/42770-how-do-i-... but it doesn't say how to open the keys. GPG wants to Import the keys, which I don't want to do.

    I tried importing just the pubring, that shows the public key at two bars of validity. I can't encrypt and sign with my private key though since it's not read.

    How do I get gpg to actually read the secret key file if on Mac boot the USB containing the secring is not present?

    • Jim
  15. Support Staff 13 Posted by Mento on 27 Nov, 2015 01:59 PM

    Hi Jim,

    your setup should look like this:
    ~/.gnupg/pubring.gpg (All public keys. Move it from USB if needed.)
    ~/.gnupg/gpg.conf
    /Volumes/MyStuff/ring/secring.gpg (Your secret keys.)

    Is this your current setup?

    Regards, Mento

  16. 14 Posted by Jim Taylor on 27 Nov, 2015 02:10 PM

    Hello Mento,

    Yes this is my current setup. Could it be a permissions issue? Are there some basic assumptions that maybe I'm not meeting that I should double check?

    Jim T

  17. Support Staff 15 Posted by Mento on 27 Nov, 2015 02:22 PM

    Please make sure your USB drive is attached, run the following commands and post the output here:

    ls -al ~/.gnupg /Volumes/MyStuff/ring
    cat ~/.gnupg/gpg.conf
    gpg2 -k
    gpg2 -K
    

    Regards, Mento

  18. 16 Posted by Jim Taylor on 28 Nov, 2015 03:51 AM

    Hello Mento,

    Thanks for your continued assistance. Here we go:

    jimt:~ jim$ ls -al ~/.gnupg /Volumes/MyStuff/ring
    /Users/jim/.gnupg:
    total 1256
    drwx------  11 jim  staff     374 27 Nov 19:16 .
    drwxr-xr-x@ 40 jim  staff    1360 26 Nov 19:47 ..
    -rw-------@  1 jim  staff    6148 26 Nov 19:43 .DS_Store
    srwxr-xr-x   1 jim  staff       0 26 Nov 19:48 S.gpg-agent
    -rw-------   1 jim  staff      89 26 Nov 19:47 gpg-agent.conf
    -rw-------@  1 jim  staff    9103 26 Nov 20:14 gpg.conf
    drwx------   2 jim  staff      68 26 Nov 19:43 private-keys-v1.d
    -rw-------   1 jim  staff  303368 26 Nov 20:11 pubring.gpg
    -rw-------   1 jim  staff  303368 26 Nov 20:11 pubring.gpg~
    -rw-------   1 jim  staff       0 26 Nov 19:29 secring.gpg
    -rw-------   1 jim  staff    1760 14 Nov 22:38 trustdb.gpg
    
    /Volumes/MyStuff/ring:
    total 24
    drwxr-xr-x   5 jim  staff   170 26 Nov 20:11 .
    drwxrwxr-x  11 jim  staff   442 14 Nov 23:05 ..
    -rw-r--r--@  1 jim  staff  8196 26 Nov 20:11 .DS_Store
    drwx------  19 jim  staff   646 26 Nov 06:47 GnuPG
    -rw-------   1 jim  staff     0 26 Nov 19:41 secring.gpg
    
    
    jimt:~ jim$ cat ~/.gnupg/gpg.conf
    no-default-keyring 
    secret-keyring /Volumes/MyStuff/ring/secring.gpg
    default-recipient-self
    require-cross-certification
    keyserver hkps://hkps.pool.sks-keyservers.net 
    keyserver-options auto-key-retrieve
    auto-key-locate hkps://hkps.pool.sks-keyservers.net
    comment GPGTools - https://gpgtools.org 
    cert-digest-algo SHA512 
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed 
    personal-digest-preferences SHA512 SHA384 SHA256 SHA224 
    no-emit-version 
    keyserver-options no-honor-keyserver-url
    
    
    jimt:~ jim$ gpg2 -k
    /Users/jim/.gnupg/pubring.gpg
    -----------------------------
    pub   2048D/00D026C4 2010-08-19 [expires: 2018-08-19]
    uid       [ultimate] GPGTools Team <[email blocked]>
    uid       [ultimate] GPGMail Project Team (Official OpenPGP Key) <[email blocked]>
    uid       [ultimate] GPGTools Project Team (Official OpenPGP Key) <[email blocked]>
    uid       [ultimate] [jpeg image of size 5871]
    sub   2048g/DBCBE671 2010-08-19 [expires: 2018-08-19]
    sub   4096R/0D9E43F5 2014-04-08 [expires: 2024-01-02]
    
    pub   2048R/63FEE659 2003-10-16
    uid       [ unknown] Erinn Clark <[email blocked]>
    uid       [ unknown] Erinn Clark <[email blocked]>
    uid       [ unknown] Erinn Clark <[email blocked]>
    sub   2048R/EB399FD7 2003-10-16
    
    pub   1024D/726C0F6B 1998-01-11
    uid       [ultimate] Jim Taylor <[email blocked]>
    uid       [ultimate] Jim Taylor <_@_.ca>
    uid       [ultimate] Jim Taylor <_@_.com>
    uid       [ultimate] Jim Taylor <_@_.net>
    sub   4096g/27F7102C 1998-01-11
    

    I think that’s it!

  19. Support Staff 17 Posted by Mento on 30 Nov, 2015 11:14 AM

    Hi Jim,

    I've edited your post so it's more readable.
    Your secring.gpg is empty (0 bytes).
    You have to restore a working secring.gpg from a backup to /Volumes/MyStuff/ring.

    Regards, Mento
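The layout Mento describes in his earlier post (no-default-keyring plus secret-keyring pointing at the drive) went wrong for Jim in a way that `ls -al` revealed only on close reading: a 0-byte secring.gpg at the configured path. The script below is an added example, not code from the thread or from GPGTools, that checks that layout and reports which of the three likely failures applies: the drive is not mounted or the path has a directory level missing, the file is an empty placeholder, or its permissions are loose. Function names, exit codes and the sample gpg.conf in the test are assumptions of this example. It applies to GnuPG 2.0.x as GPGTools shipped it in 2015; GnuPG 2.1 and later ignore `secret-keyring`, because private keys then live in private-keys-v1.d/ under gpg-agent.

```sh
#!/bin/sh
# Added example, not part of the GPGTools thread: check the split layout Mento
# described before suspecting permissions or gpg itself.
#   ~/.gnupg/pubring.gpg             public keys, stays on the Mac
#   ~/.gnupg/gpg.conf                no-default-keyring + secret-keyring <path>
#   /Volumes/<vol>/ring/secring.gpg  secret keys, on the removable drive
# Matches GnuPG 2.0.x as shipped by GPGTools in 2015. GnuPG 2.1 and later
# ignore secret-keyring: private keys live in private-keys-v1.d/ under gpg-agent.

set -u

# secring_from_conf CONF: print the path given to `secret-keyring`, trailing
# whitespace stripped (the thread's gpg.conf had trailing spaces); fail if unset.
secring_from_conf() {
    path="$(sed -n 's/^[[:space:]]*secret-keyring[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | head -n 1)"
    [ -n "$path" ] && printf '%s\n' "$path"
}

# check_secring FILE: distinct exit codes for the three ways this setup fails.
#   2  nothing at that path   (drive not mounted, or a directory level missing)
#   3  a 0-byte placeholder   (gpg opens it fine and simply lists no secret keys)
#   4  group/other bits set   (ls -l columns 5-10 must read ------)
check_secring() {
    secring="$1"
    [ -e "$secring" ] || { echo "missing: $secring (not mounted, or wrong path)" >&2; return 2; }
    [ -s "$secring" ] || { echo "empty: $secring is 0 bytes, restore it from backup" >&2; return 3; }
    mode="$(ls -ld "$secring" | cut -c5-10)"
    [ "$mode" = "------" ] || { echo "loose permissions on $secring, chmod 600 it" >&2; return 4; }
    return 0
}

# check_split_setup GNUPGHOME: gpg.conf must disable the default keyring and
# name a secret keyring; pubring.gpg must still be present locally so that
# `gpg2 -k` and encrypting to others keep working with the drive unplugged.
check_split_setup() {
    gnupghome="$1"; conf="$gnupghome/gpg.conf"
    [ -f "$conf" ] || { echo "no $conf" >&2; return 1; }
    grep -q '^[[:space:]]*no-default-keyring' "$conf" || { echo "$conf lacks no-default-keyring" >&2; return 1; }
    [ -s "$gnupghome/pubring.gpg" ] || { echo "$gnupghome/pubring.gpg missing or empty" >&2; return 1; }
    secring="$(secring_from_conf "$conf")" || { echo "$conf lacks secret-keyring" >&2; return 1; }
    check_secring "$secring"
}

# Usage: sh check-split.sh ~/.gnupg   (with the drive attached)
if [ $# -eq 1 ]; then
    check_split_setup "$1" && echo "layout OK; gpg2 -K should now list your secret key"
fi
```

Run it once with the drive attached and once without: the detached run should fail with code 2 and nothing else, which is the behaviour Jim wanted (no secret material reachable while the drive is out), while any other code points at the file itself rather than at gpg.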

  20. 18 Posted by Jim Taylor on 30 Nov, 2015 02:04 PM

    Hello Mento,

    You were correct, somehow I forgot one level of directories. Once corrected it works fine. Now I have my secring on a removable drive that gpg doesn’t keep an active process on after I’m done encrypting or decrypting. Thanks again!

    - Jim

  21. Mento closed this discussion on 01 Dec, 2015 12:28 PM.
