Misp: Generate a GPG encryption key.

Created on 4 Aug 2017  Â·  10Comments  Â·  Source: MISP/MISP

I get a permission denied error when i generate a GPG encryption key using the command line. Below is a copy of what i did on the terminal and the error that i got.

===========================================================================

mapetla@mapetla:/var/www/MISP$ sudo -u www-data mkdir /var/www/MISP/.gnupg
mkdir: cannot create directory ‘/var/www/MISP/.gnupg’: File exists
mapetla@mapetla:/var/www/MISP$ sudo chmod 700 /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: mapetla
Email address: mapetla.[email protected]
You selected this USER-ID:
"mapetla mapetla.[email protected]"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

Most helpful comment

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a new ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
â‹®
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

All 10 comments

No worries, just start the pgp generation from scratch:

rm -rf /var/www/MISP/.gnupg
sudo -u www-data mkdir /var/www/MISP/.gnupg
sudo chmod 700 /var/www/MISP/.gnupg
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
sudo -u www-data sh -c "gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/MISP/app/webroot/gpg.asc"

I started the pgp from scratch as you have advised , and i still the the same error

mapetla@mapetla:/var/www/MISP$ sudo rm -rf /var/www/MISP/.gnup
mapetla@mapetla:/var/www/MISP$ sudo -u www-data mkdir /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo chmod 700 /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created
Note: Use "gpg --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: mapetla
Email address: mapetla.[email protected]
You selected this USER-ID:
"mapetla mapetla.users@gmail.com"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

Maybe this here? But be careful with messing with your tty!

Hello,

I am having the same problem, also tried the commands provided by iglocska and it did not work, is there any solution? Thanks.

I was having this problem trying to re-issue the key on a working instance. Tried a fresh install, that install had the issue as well.

Edit: this was also corrected by temporarily changing tty ownership to www-data and doing a clean generation (I also installed rng-tools)

I solved this by using the guide and temporarly setting:
chown www-data $(tty)
and then after the generation moving it back

Checking with ls -l $(tty)

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

i got the same problem...can some one help me

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a new ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
â‹®
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

Thanks a ton! This really helped.
One thing I'm uncertain of, and excuse me for posting on a closed subject, is that WakandaKing, the original poster, run gpg --gen-key as SU.
That's unnecessary and actually counterproductive, IMO, but please correct me here.
I want a GPG keyring for me, not for the SU (edge cases excluded).
So better to tmux, then run commands as me, not as SU.
So insted of sudo gpg --gen-key, just run gpg --gen-key

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a _new_ ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
â‹®
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

Perfect solution Gumnos, it works!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

RichieB2B picture RichieB2B  Â·  7Comments

WakandaKing picture WakandaKing  Â·  5Comments

Rafiot picture Rafiot  Â·  3Comments

bhuvan2099 picture bhuvan2099  Â·  7Comments

eCrimeLabs picture eCrimeLabs  Â·  4Comments