BUG #7923: PGP secret key with password decryption not working - Mailing list pgsql-bugs

From keith@omniti.com
Subject BUG #7923: PGP secret key with password decryption not working
Date
Msg-id E1UDNnx-0007HY-3D@wrigleys.postgresql.org
Whole thread Raw
Responses Re: BUG #7923: PGP secret key with password decryption not working
List pgsql-bugs
The following bug has been logged on the website:

Bug reference:      7923
Logged by:          Keith Fiske
Email address:      keith@omniti.com
PostgreSQL version: 9.2.3
Operating system:   Debian/Ubuntu/Solaris
Description:        =


Running into an issue when we tried to add a password to a gpg secret key
used to encrypt data in the database. Things have been working fine with no
password on they key, but that isn't ideal. I was able to recreate this
issue on my local install of postgres, so it's not just an issue on the
server where I first noticed it. Below is the process I went through,
generating a key, moving it to where postgres can read it, encrypting and
then attempting to decrypt the data. I know the password I gave is correct
because I used the same password to remove it from the key and then things
just worked.

Ran into someone else reporting pretty much the same issue but no resolution
other than removing the password.
http://bytes.com/topic/postgresql/answers/943536-corrupt-data-error-decrypt=
ion-postgresql-using-gnupg

gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) =

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 =3D key does not expire
      <n>  =3D key expires in n days
      <n>w =3D key expires in n weeks
      <n>m =3D key expires in n months
      <n>y =3D key expires in n years
Key is valid for? (0) =

Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user
ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Test Pgcrypto
Email address: test@pgcrypto.com
Comment: =

You selected this USER-ID:
    "Test Pgcrypto <test@pgcrypto.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 8 more bytes)
..+++++
..+++++
gpg: key 734ECABE marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/734ECABE 2013-03-06
      Key fingerprint =3D C25C 7B89 B2B4 674F 551A  2E5F FA95 0DAF 734E CABE
uid                  Test Pgcrypto <test@pgcrypto.com>
sub   2048R/F122A512 2013-03-06

#### Exported public & secrect keys in binary form and copied to
$datadir/keys/

keith=3D# select
pgcrypto.pgp_key_id(pg_read_binary_file('keys/test_pgcrypto_public.key'));
    pgp_key_id    =

------------------
 3E265C23F122A512
(1 row)

keith=3D# select
pgcrypto.pgp_key_id(pg_read_binary_file('keys/test_pgcrypto_secret.key'));
    pgp_key_id    =

------------------
 3E265C23F122A512
(1 row)

keith=3D# create table test_pgcrypto(data_plain text, data bytea);
CREATE TABLE
keith=3D# insert into test_pgcrypto (data_plain, data) values ('1234567890',
pgcrypto.pgp_pub_encrypt('1234567890',
pg_read_binary_file('keys/test_pgcrypto_public.key')));
INSERT 0 1

keith=3D# select pgcrypto.pgp_pub_decrypt(data,
pg_read_binary_file('keys/test_pgcrypto_secret.key')) from test_pgcrypto ;
ERROR:  Need password for secret key
keith=3D# select pgcrypto.pgp_pub_decrypt(data,
pg_read_binary_file('keys/test_pgcrypto_secret.key'), 'stuff') from
test_pgcrypto ;
ERROR:  Corrupt data

$ gpg --list-secret-keys

------------------------------
sec   2048R/734ECABE 2013-03-06
uid                  Test Pgcrypto <test@pgcrypto.com>
ssb   2048R/F122A512 2013-03-06

$ gpg --edit-key F122A512
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/734ECABE  created: 2013-03-06  expires: never       usage: SC  =

                     trust: ultimate      validity: ultimate
sub  2048R/F122A512  created: 2013-03-06  expires: never       usage: E   =

[ultimate] (1). Test Pgcrypto <test@pgcrypto.com>

gpg> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "Test Pgcrypto <test@pgcrypto.com>"
2048-bit RSA key, ID 734ECABE, created 2013-03-06

Enter the new passphrase for this secret key.

You don't want a passphrase - this is probably a *bad* idea!

Do you really want to do this? (y/N) y

gpg> save


$ gpg --export-secret-keys F122A512 > test_pgcrypto_secret.key
#### Copied passwordless key to $datadir/keys/

keith=3D# select pgcrypto.pgp_pub_decrypt(data,
pg_read_binary_file('keys/test_pgcrypto_secret.key')) from test_pgcrypto ;
 pgp_pub_decrypt =

-----------------
 1234567890

pgsql-bugs by date:

Previous
From: Tom Lane
Date:
Subject: Re: BUG #7914: pg_dump aborts occasionally
Next
From:
Date:
Subject: Re: Excessive space allocations in Postgresql 9.1.6 system files causing the file system to run out of space.