Error decrypting credentials / no secret key

tatooin · February 5, 2019, 11:16am

Hello,

System: Linux mint 18.3
Openvas 9 (migrated from Openvas8 in production)

I think my gpg keyring for Openvas is completely broken. In /var/lib/openvas/gnupg I have only one file named pubring.kbx which is only 32 bytes.

In my /var/log/openvas/openvasmd.log file I keep having the following error:

md crypt:WARNING:2019-02-05 12h12.11 CET:12724: error decrypting credential: Decryption failed
md crypt: INFO:2019-02-05 12h12.11 CET:12724: encrypted to keyid FCA1EAE2C4F95A45, algo=1: No secret key

I have no idea what the secret key is as it was automatically generated in Openvas8 during installation. I have kept a backup copy of openvas8 gnupg directory, which contains the following files:

-rw------- 1 root root 0 Feb 5 11:55 .gpg-v21-migrated
drwx------ 2 root root 4096 Feb 5 11:55 private-keys-v1.d/
-rw------- 1 root root 623 Feb 5 11:55 pubring.gpg
-rw------- 1 root root 623 Feb 5 11:55 pubring.gpg~
-rw------- 1 root root 32 Nov 13 15:40 pubring.kbx
-rw------- 1 root root 600 Feb 5 11:55 random_seed
-rw------- 1 root root 1273 Feb 5 11:55 secring.gpg
-rw------- 1 root root 1280 Feb 5 11:55 trustdb.gpg

So I tried to copy those files into my current gnupg directory, but I still have the same error. In the end I fear my openvas scanner cannot use the saved credentials for scanning.

I tried to look elsewhere on the Internet but couldn’t find any explaination on this topic nor how to fix this.

Any clue ?

Thanks !

cfi · February 5, 2019, 5:46pm

According to the following documentation this seems to be the “old” place from OpenVAS 7 (which had manager Version 6.0):

github.com

greenbone/gvmd/blob/v7.0.3/INSTALL#L372-L374


      
          While OpenVAS Manager 5.0 initially placed the credential encryption key in
          <install-prefix>/var/lib/openvas/gnupg, OpenVAS Manager 6.0 switched to using
          <install-prefix>/var/lib/openvas/openvasmd/gnupg to make it easier to back up all

To work around your issue you could try the steps described here to reset the encryption keys:

github.com

greenbone/gvmd/blob/v7.0.3/INSTALL#L340-L366


      
          Resetting Credentials Encryption Key
          ------------------------------------
          
          If you lost some part of the encryption key, neither a regular migration nor
          a simple creation might work.
          
          In this case you need to reset the encryption key with the following
          procedure. There is no way to get the encrypted credentials back. You
          will need to enter all of them anew afterwards.
          
          Get the key fingerprint:
          
              $ gpg --homedir <install-prefix>/var/lib/openvas/openvasmd/gnupg --list-secret-keys
          
          Remove the secret key:
          
              $ gpg --homedir=<prefix>/etc/openvas/gnupg --delete-secret-keys KEYID
          
          Remove the key:

This file has been truncated. show original

tatooin · February 6, 2019, 8:53am

Hi Cfi,

Good spot for gnupg location. I have reinstalled my old gnupg directory in /var/lib/openvas/openvasmd and restarted openvasmd; which popped up the following message in the log:

md main:MESSAGE:2019-02-06 08h26.12 utc:31382: OpenVAS Manager version 7.0.3 (DB revision 184)
base gpgme:MESSAGE:2019-02-06 08h26.12 utc:31383: Setting GnuPG dir to ‘/var/lib/openvas/openvasmd/gnupg’
base gpgme:MESSAGE:2019-02-06 08h26.12 utc:31383: Using OpenPGP engine version ‘2.1.11’
md crypt: INFO:2019-02-06 08h26.12 utc:31383: starting key generation …
md crypt: INFO:2019-02-06 08h26.13 utc:31383: OpenPGP key ‘OpenVAS Credential Encryption’ has been generated

So it seems to be good but I still have the gnupg credential decryption error appearing whenever I access the credentials page.

I would prefer to avoid resetting my encryption keys, as my current scanner serving hundreds of tasks depends on it. I have backed up all my files before migrating to openvas 9, so the original secret key should be available somewhere.

Any idea where it was located on Openvas8 and how to reinstall it in Openvas9 ?

Thanks a lot

tatooin · February 6, 2019, 10:13am

Nevermind what I said earlier, I was able finally to recover my main key. However, I still do have the key decryption error, but it concern a new key which crypt a new credential autogenerated during migration. This credential is not used by any tasks. The credential is named:

Credential for Scanner default
(Autogenerated by migration)

This certificate is using a client certificate but cannot be edited.

Any idea what this key is used for ? It seems I cannot import the gpg key of this credential since it has the same name “OpenVAS Credential Encryption” and my main key already use that name.