Generate a GPG encryption key.

[ndhambi]

I get a permission denied error when i generate a GPG encryption key using the command line. Below is a copy of what i did on the terminal and the error that i got.

===========================================================================

mapetla@mapetla:/var/www/MISP$ sudo -u www-data mkdir /var/www/MISP/.gnupg
mkdir: cannot create directory ‘/var/www/MISP/.gnupg’: File exists
mapetla@mapetla:/var/www/MISP$ sudo chmod 700 /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: mapetla
Email address: mapetla.users@gmail.com
You selected this USER-ID:
"mapetla mapetla.users@gmail.com"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

[iglocska]

No worries, just start the pgp generation from scratch:

rm -rf /var/www/MISP/.gnupg
sudo -u www-data mkdir /var/www/MISP/.gnupg
sudo chmod 700 /var/www/MISP/.gnupg
sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
sudo -u www-data sh -c "gpg --homedir /var/www/MISP/.gnupg --export --armor YOUR-KEYS-EMAIL-HERE > /var/www/MISP/app/webroot/gpg.asc"

[ndhambi]

I started the pgp from scratch as you have advised , and i still the the same error

mapetla@mapetla:/var/www/MISP$ sudo rm -rf /var/www/MISP/.gnup
mapetla@mapetla:/var/www/MISP$ sudo -u www-data mkdir /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo chmod 700 /var/www/MISP/.gnupg
mapetla@mapetla:/var/www/MISP$ sudo -u www-data gpg --homedir /var/www/MISP/.gnupg --gen-key
gpg (GnuPG) 2.1.15; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keybox '/var/www/MISP/.gnupg/pubring.kbx' created
Note: Use "gpg --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: mapetla
Email address: mapetla.users@gmail.com
You selected this USER-ID:
"mapetla mapetla.users@gmail.com"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

[SHSauler]

Maybe this here? But be careful with messing with your tty!

[debernal]

Hello,

I am having the same problem, also tried the commands provided by iglocska and it did not work, is there any solution? Thanks.

[OopsIMadeStool]

I was having this problem trying to re-issue the key on a working instance. Tried a fresh install, that install had the issue as well.

Edit: this was also corrected by temporarily changing tty ownership to www-data and doing a clean generation (I also installed rng-tools)

[eCrimeLabs]

I solved this by using the guide and temporarly setting:
chown www-data $(tty)
and then after the generation moving it back

Checking with ls -l $(tty)

[pardhu247]

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

i got the same problem...can some one help me

[Gumnos]

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a new ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
⋮
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

[raphbaph]

Thanks a ton! This really helped.
One thing I'm uncertain of, and excuse me for posting on a closed subject, is that WakandaKing, the original poster, run gpg --gen-key as SU.
That's unnecessary and actually counterproductive, IMO, but please correct me here.
I want a GPG keyring for me, not for the SU (edge cases excluded).
So better to tmux, then run commands as me, not as SU.
So insted of sudo gpg --gen-key, just run gpg --gen-key

[chivakaa]

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a new ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
⋮
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

Perfect solution Gumnos, it works!

[admcudo]

Just to add to the possible means of escape, if you log into the server using ssh as the user that needs to use gpg, the tty is automatically owned by that user and there is no need to chown the tty device.

If you log in as root and then use either sudo or su the tty is still owned by root and the above solutions will be needed.

[fourpastmidnight]

While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require root privs to chown the tty) I've found to resolve this is to use a program like tmux or GNU screen which allocates a new ptty for the sued user:

gumnos@localhost$ su - demo
demo@localhost$ gpg --gen-key
⋮
Key generation failed: Permission denied
demo@localhost$ ls -l `tty`  # note still owned by "gumnos"
crw--w---- 1 gumnos tty 136, 13 Jan  9 11:37 /dev/pts/13
demo@localhost$ tmux
[tmux: demo@localhost]$ ls -l `tty` # now owned by "demo"
crw--w---- 1 demo tty 136, 22 Jan  9 11:38 /dev/pts/22
[tmux: demo@localhost]$ gpg --gen-key  # this works as desired

I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises chowning the tty to the secondary user, generating the key, and then chowning the tty back to the original user (all that chowning also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self.

Thanks, this really helped, but not in the way that it was probably intended. I had su - <some-user> to switch to another user. Then tried to generate a GPG key for that user. And I got the error described by this issue. After reading this comment, I realized my mistake--the tty was owned by the user who sued to <other-user>. So the solution was to logout and login as <other user>. Of course, using tmux works, too, if you already have it installed! 😉

[Gumnos]

The root of the issue is tty-ownership. A lot of (IMHO, ill-guided) folks suggest using `chown` to change ownership of the tty to your user, and then `chown` it back when you're done. This feels pretty error-prone to me. Alternatively, you can spawn a new `tty` via a number of means: - use `tmux` or GNU `screen` as the secondary user to create the new `tty` with the proper ownership (beware: if you already are operating within `tmux`/`screen`, you might end up with nested sessions which can be weird to navigate as you have to double up your prefix key to send it on to the internal session) - use `script(1)` as the secondary user to create a new `tty` with the proper ownership (this comes with the downside that it's recording everything you do, so you either want to write your script to `/dev/null` or be very careful about who has access to the output script-file since it might contain the password you entered) - as you discovered, actually log in as that other user. This is more of a challenge if this user was created for administrative reasons without a password or you've disabled SSH login, so you can't actually log in as them. Most of the times I need to GPG as another user, this happens to be the case, so I can't use the "log in as them" method. But yeah, once you understand the root cause and have some tools in your belt to ensure the `tty` has the proper/expected ownership, it's easy to beat it into submission. :-)

…

On 2023-10-30 12:21, Craig E. Shea wrote: > While the issue is closed, I thought I'd add that the easiest way (and least-dangerous way, and doesn't require `root` privs to `chown` the tty) I've found to resolve this is to use a program like `tmux` or GNU `screen` which allocates a _new_ ptty for the `su`ed user: > > ``` > ***@***.***$ su - demo > ***@***.***$ gpg --gen-key > ??? > Key generation failed: Permission denied > ***@***.***$ ls -l `tty` # note still owned by "gumnos" > crw--w---- 1 gumnos tty 136, 13 Jan 9 11:37 /dev/pts/13 > ***@***.***$ tmux > [tmux: ***@***.***$ ls -l `tty` # now owned by "demo" > crw--w---- 1 demo tty 136, 22 Jan 9 11:38 /dev/pts/22 > [tmux: ***@***.***$ gpg --gen-key # this works as desired > ``` > > I forget this every time, do a web search for this information, and end up in this thread or one much like it that advises `chown`ing the tty to the secondary user, generating the key, and then `chown`ing the tty back to the original user (all that `chown`ing also requires root privs). Hopefully by leaving this here, it's useful to others, including my future forgetful self. Thanks, this really helped, but not in the way that it was probably intended. I had `su - <some-user>` to switch to another user. Then tried to generate a GPG key for that user. And I got the error described by this issue. After reading this comment, I realized my mistake--the `tty` was owned by the user who `su`ed to `<other-user>`. So the solution was to logout and login as `<other user>`. Of course, using `tmux` works, too, if you already have it installed! ???? -- Reply to this email directly or view it on GitHub: #2372 (comment) You are receiving this because you commented. Message ID: ***@***.***>