Okay. Today, I've generated a new GPG key, and that went smoothly in less than two hours. I've had a thorn in my side pretty much since I first set up my Yubikey, and I've solved it today, with so much ease that I can't stop blaming myself for having waited five years to fix it. This is mostly a kick in the ass of my future self to stop delaying that kind of thing forever.
For those only interested in storing their GPG keys on a Yubikey, please just follow this wonderful guide; it will explain everything far better than me: https://github.com/drduh/YubiKey-Guide
Now here is my miserable story.
I had read, at the time, that it was a good idea to make use of non-standard key lengths, you know, for security, since everyone will try to hack you with the normal sizes, like 2048, 3072, 4096. This is security through obscurity, and obviously doesn't bring much hardening to any setup, but as I was, and still am, a pure crypto-newbie, I guess I believed it was such a good idea that I generated a 4000-bit RSA key and dumped it onto my smartcard.
Everything was great and I could ssh to my servers in no time with great success, carrying the same key to any machine thanks to the SSH agent provided by GPG agent, but after two weeks of bragging about that, someone sent me a GPG encrypted message, and my wonderful non-standard key couldn't decrypt it.
I was so proud of this setup, I had already put my brand new public SSH key everywhere, and now it seemed I couldn't use it as promised. Digging a bit, I found out that the signing and authenticating keys were working fine, but the encrypting one didn't, and failed with the following:
gpg: public key decryption failed: Hardware problem
gpg: decryption failed: No secret key
That really sucked, and most probably the non-standard key length played a part in that.
First, still full of hope, I went to grep that error message in the GnuPG source code, found it, and quickly realized this wouldn't be a piece of cake to fix. Then, half-lazy, half-shameful, I just moved on, and thought to myself that nobody used GPG anymore anyway, with the rise of Matrix, Signal, and other encrypted chat software. So I just stopped advertising my GPG key, resigned to using it only for SSH auth, and happily lived my digital life for the past five years.
But now it's 2023, GPG's still here, and even though I do in fact use Matrix and Signal a lot more than email (including for non-sensitive chat), I thought it was time for me to fix that mistake.
And here we are, it took me less than two hours, including the time to 1) dig up my old laptop with the broken Wi-Fi card, 2) generate everything and send perfectly standard 4096-bit keys to the Yubikey, 3) test that everything works including encryption/decryption, 4) replace my SSH key on all the servers/Github/Gitlab/Gitea/whatever accounts, and 5) be amazed at how seamless the experience is to decrypt stuff using a smartcard, even through Thunderbird!
Fierfek, it almost took me longer to write down that post!
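The lesson of the story above (a 4000-bit key that the card could not use for decryption) and of the redo (generating perfectly standard 4096-bit keys before moving them to the card) boils down to one check worth running before a key ever reaches a smartcard: is its RSA modulus one of the standard sizes? The following is an added example, not code from the post or from the YubiKey guide it links to. It is a small OpenPGP packet parser (RFC 4880 packet headers and MPIs) that walks an exported key and reports the modulus bit length of every key packet, flagging sizes outside the list of "normal" sizes the post names (2048, 3072, 4096). The keyring it inspects is constructed inline with hypothetical moduli, one 4000-bit primary key and one 4096-bit subkey, purely so the example runs offline; which sizes a given card firmware actually accepts is card-specific and is not something this check knows, it only flags the non-standard ones.

```python
import struct

# Sizes the post calls "normal"; anything else is flagged before it goes near a card.
STANDARD_RSA_SIZES = {2048, 3072, 4096}

# OpenPGP key packet tags (RFC 4880 s4.3): secret key, public key, secret subkey, public subkey.
KEY_PACKET_TAGS = {5, 6, 7, 14}


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_rsa_key_packet(tag: int, modulus: int, exponent: int = 65537, created: int = 0) -> bytes:
    """Build a v4 RSA key packet (public-key fields only) with an old-format, 2-byte-length header.

    Constructed for this example; a real export from gpg has the same layout plus user IDs
    and signatures, which the parser below simply skips.
    """
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(modulus) + mpi(exponent)
    header = bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body))
    return header + body


def parse_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 10tttt ll, ll selects a 1-, 2- or 4-byte length
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = 1 << ltype
            length = int.from_bytes(data[i:i + width], "big")
            i += width
        yield tag, data[i:i + length]
        i += length


def rsa_modulus_bits(key_body: bytes) -> int:
    """Return the modulus bit length from a v4 RSA key packet body (version, time, algo, MPIs)."""
    if key_body[0] != 4:
        raise ValueError("only v4 key packets are handled")
    algo = key_body[5]
    if algo not in (1, 2, 3):  # RSA, RSA encrypt-only, RSA sign-only
        raise ValueError("not an RSA key")
    return struct.unpack(">H", key_body[6:8])[0]


def check_key_sizes(keyring: bytes):
    """Return (tag, bits, is_standard) for every RSA key packet in an exported key."""
    results = []
    for tag, body in parse_packets(keyring):
        if tag in KEY_PACKET_TAGS:
            bits = rsa_modulus_bits(body)
            results.append((tag, bits, bits in STANDARD_RSA_SIZES))
    return results


# Constructed sample: a 4000-bit primary key (tag 6) and a 4096-bit subkey (tag 14).
# The moduli are placeholders with the right bit length, not real RSA moduli.
SAMPLE_KEYRING = (
    build_rsa_key_packet(6, (1 << 3999) | 1)
    + build_rsa_key_packet(14, (1 << 4095) | 1)
)

if __name__ == "__main__":
    for tag, bits, ok in check_key_sizes(SAMPLE_KEYRING):
        print(f"packet tag {tag}: RSA {bits} bits -> {'standard' if ok else 'NON-STANDARD, do not move to card'}")
```

To run it against a real key, replace SAMPLE_KEYRING with the bytes of `gpg --export <keyid>` (binary, not armored); the parser ignores user-ID and signature packets and only looks at the key packets, which is where the modulus lives.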