Error decrypting credentials / no secret key

gvm-9

#1

Hello,

System: Linux mint 18.3
Openvas 9 (migrated from Openvas8 in production)

I think my gpg keyring for Openvas is completely broken. In /var/lib/openvas/gnupg I have only one file named pubring.kbx which is only 32 bytes.

In my /var/log/openvas/openvasmd.log file I keep having the following error:

md crypt:WARNING:2019-02-05 12h12.11 CET:12724: error decrypting credential: Decryption failed
md crypt: INFO:2019-02-05 12h12.11 CET:12724: encrypted to keyid FCA1EAE2C4F95A45, algo=1: No secret key

I have no idea what the secret key is as it was automatically generated in Openvas8 during installation. I have kept a backup copy of openvas8 gnupg directory, which contains the following files:

-rw------- 1 root root 0 Feb 5 11:55 .gpg-v21-migrated
drwx------ 2 root root 4096 Feb 5 11:55 private-keys-v1.d/
-rw------- 1 root root 623 Feb 5 11:55 pubring.gpg
-rw------- 1 root root 623 Feb 5 11:55 pubring.gpg~
-rw------- 1 root root 32 Nov 13 15:40 pubring.kbx
-rw------- 1 root root 600 Feb 5 11:55 random_seed
-rw------- 1 root root 1273 Feb 5 11:55 secring.gpg
-rw------- 1 root root 1280 Feb 5 11:55 trustdb.gpg

So I tried to copy those files into my current gnupg directory, but I still have the same error. In the end I fear my openvas scanner cannot use the saved credentials for scanning.

I tried to look elsewhere on the Internet but couldn’t find any explanation on this topic nor how to fix this.

Any clue?

Thanks!


#2

According to the following documentation this seems to be the “old” place from OpenVAS 7 (which had manager Version 6.0):

To work around your issue you could try the steps described here to reset the encryption keys:


#3

Hi Cfi,

Good spot for gnupg location. I have reinstalled my old gnupg directory in /var/lib/openvas/openvasmd and restarted openvasmd, which popped up the following message in the log:

md main:MESSAGE:2019-02-06 08h26.12 utc:31382: OpenVAS Manager version 7.0.3 (DB revision 184)
base gpgme:MESSAGE:2019-02-06 08h26.12 utc:31383: Setting GnuPG dir to ‘/var/lib/openvas/openvasmd/gnupg’
base gpgme:MESSAGE:2019-02-06 08h26.12 utc:31383: Using OpenPGP engine version ‘2.1.11’
md crypt: INFO:2019-02-06 08h26.12 utc:31383: starting key generation …
md crypt: INFO:2019-02-06 08h26.13 utc:31383: OpenPGP key ‘OpenVAS Credential Encryption’ has been generated

So it seems to be good but I still have the gnupg credential decryption error appearing whenever I access the credentials page.

I would prefer to avoid resetting my encryption keys, as my current scanner serving hundreds of tasks depends on it. I have backed up all my files before migrating to openvas 9, so the original secret key should be available somewhere.

Any idea where it was located on Openvas8 and how to reinstall it in Openvas9?

Thanks a lot


#4

Never mind what I said earlier, I was finally able to recover my main key. However, I still do have the key decryption error, but it concerns a new key which encrypts a new credential autogenerated during migration. This credential is not used by any tasks. The credential is named:

Credential for Scanner default
(Autogenerated by migration)

This certificate is using a client certificate but cannot be edited.

Any idea what this key is used for? It seems I cannot import the gpg key of this credential since it has the same name “OpenVAS Credential Encryption” and my main key already uses that name.
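
Added example, not part of the thread: a shell check that extracts the key IDs from the "No secret key" lines in openvasmd.log and reports which of them are missing from a secret-key listing saved with `gpg --homedir DIR --list-secret-keys --with-colons`. The function names and both sample inputs are constructed for illustration; only the key ID FCA1EAE2C4F95A45 and the log line format come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Unique key IDs from "encrypted to keyid <ID>, ...: No secret key" log lines.
log_keyids() {
    sed -n 's/.*encrypted to keyid \([0-9A-Fa-f]\{16\}\),.*No secret key.*/\1/p' "$1" |
        tr 'a-f' 'A-F' | sort -u
}

# Key IDs (field 5) of secret keys (sec) and secret subkeys (ssb) in a file
# holding the output of: gpg --homedir DIR --list-secret-keys --with-colons
secret_keyids() {
    awk -F: '$1 == "sec" || $1 == "ssb" { print toupper($5) }' "$1" | sort -u
}

# Key IDs from log file $1 that have no secret key in listing file $2.
missing_keyids() {
    have=$(secret_keyids "$2")
    for id in $(log_keyids "$1"); do
        printf '%s\n' "$have" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# Constructed sample input. The second key ID and the whole listing are made
# up; the listing pretends the restored keyring holds the first key only.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG=$SAMPLE_DIR/openvasmd.log
SAMPLE_LISTING=$SAMPLE_DIR/secret-keys.txt

cat > "$SAMPLE_LOG" <<'EOF'
md crypt:WARNING:2019-02-05 12h12.11 CET:12724: error decrypting credential: Decryption failed
md crypt: INFO:2019-02-05 12h12.11 CET:12724: encrypted to keyid FCA1EAE2C4F95A45, algo=1: No secret key
md crypt: INFO:2019-02-05 12h14.40 CET:12724: encrypted to keyid FCA1EAE2C4F95A45, algo=1: No secret key
md crypt: INFO:2019-02-06 08h30.02 utc:31383: encrypted to keyid 0123456789ABCDEF, algo=1: No secret key
EOF

cat > "$SAMPLE_LISTING" <<'EOF'
sec:u:2048:1:AAAAAAAAAAAAAAAA:1549360511:::u:::scESC:::+:::23::0:
uid:u::::1549360511::0000000000000000000000000000000000000000::OpenVAS Credential Encryption::::::::::0:
ssb:u:2048:1:FCA1EAE2C4F95A45:1549360511::::::e:::+:::23:
EOF

echo "Key IDs in the log with no secret key in the listing:"
missing_keyids "$SAMPLE_LOG" "$SAMPLE_LISTING"
```

To check a real installation, save one listing per candidate directory (for example /var/lib/openvas/gnupg and /var/lib/openvas/openvasmd/gnupg) and pass each to `missing_keyids` together with /var/log/openvas/openvasmd.log.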