How to encrypt and decrypt documents in LibreOffice using YubiKeys and GPG

for Fedora Silverblue and other Linux users who thought this function was broken

For the longest time I thought LibreOffice’s Encrypt with GPG key option for saving files was broken.

Yes, you can easily save the file with encryption, select your GPG public key to encrypt and it all seems to work, but when it came time to open the document, it provided a useless password prompt (and all the passwords that might be relevant to the YubiKey failed). Specifically, it never asked for a password when encrypting the document. Needless to say, that sort of workflow is extremely dangerous if you accidentally encrypted an important document and deleted the normal document. So, for months, I thought the function was broken. No internet search yielded an answer.

Well, it turns out that is not correct: it is possible to encrypt documents with GPG keys stored on the YubiKey and decrypt them. The hint for solving this puzzle was in the password prompt: the public key is stored on the computer and can encrypt documents. The secret key is stored on the YubiKey, never the computer, and needs to be accessed by LibreOffice! Once access to the YubiKey is opened up for LibreOffice, it automatically accesses the YubiKey and decrypts the document without a password prompt (or any prompt: it works just like it is loading an unencrypted document).

Steps to decrypt a GPG encrypted document with YubiKey under Fedora Silverblue:

  1. make sure the YubiKey is recognised (gpg --card-status);
  2. make sure the YubiKey can encrypt and decrypt on the command line and via Kleopatra;
  3. using flatseal make sure LibreOffice has Smart Cards and GPG-Agent directories enabled.

Steps 1 and 2 are scripted in my python script kleopatra.py as mentioned in a previous entry (kleopatra for Fedora Silverblue). I would suggest using this python program because each time you reboot or disconnect the YubiKey, you have to manually undertake three different steps under Fedora Silverblue (which gets tedious). As the previous post mentions, this is not necessary under Windows, but Linux grabs the YubiKey during the boot process and does not release it.

Once ‘python kleopatra.py’ is run, the third step only needs to be set once in flatseal to ensure LibreOffice can connect with the YubiKey and access the secret key. The encrypted file should open without a password prompt in LibreOffice once these three steps are set.

To verify that the file is in fact encrypted, try opening the same file with the YubiKey disconnected. LibreOffice should show the password prompt and will not open the file.

Also verify that the file can be decrypted using your backup YubiKey (using the ‘python kleopatra.py’ and flatseal settings above, ideally on another computer). Although this gets in the weeds a bit, when setting up kleopatra.py on another computer, the test.gpg file will have to be encrypted to the backup YubiKey’s key, as otherwise it will prompt you to insert the primary YubiKey (you cannot copy the original test.gpg file to a new computer; you have to create test.gpg using the backup YubiKey).

The goal is to ensure you can decrypt the same file in LibreOffice using either YubiKey (in case one is lost or damaged). If you disconnect the YubiKey in Fedora Silverblue, you will have to re-engage it using ‘python kleopatra.py’ to ensure Fedora Silverblue can access the YubiKey. Only after everything is verified to work reliably can you then delete the unencrypted file (even then you should have a backup, just in case).
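The three steps above, plus the round-trip check with either YubiKey, as a small POSIX shell script. This is an added example and not the post's own kleopatra.py; it assumes the Flatpak LibreOffice app id is org.libreoffice.LibreOffice, that Flatseal's "Smart Cards" toggle corresponds to the `--socket=pcsc` permission, and that its "GPG-Agent directories" entry corresponds to `--filesystem=xdg-run/gnupg`. The `gpg --card-status` text used in the checks is constructed sample output.

```shell
#!/bin/sh
# Added example (not the post's kleopatra.py): the post's three checks as
# shell functions. Assumptions: Flatpak app id org.libreoffice.LibreOffice;
# Flatseal "Smart Cards" = --socket=pcsc; "GPG-Agent directories" =
# --filesystem=xdg-run/gnupg.
set -u

APP_ID="org.libreoffice.LibreOffice"

# Step 1: given the text of `gpg --card-status`, succeed only if a card with a
# serial number is present and its encryption key slot is populated.
card_status_ok() {
    status="$1"
    serial=$(printf '%s\n' "$status" | sed -n 's/^Serial number *\.*: *\([0-9A-Za-z]*\).*/\1/p')
    enc=$(printf '%s\n' "$status" | sed -n 's/^Encryption key *\.*: *\(.*\)$/\1/p')
    [ -n "$serial" ] && [ -n "$enc" ] && [ "$enc" != "[none]" ]
}

# Step 2: encrypt a constructed test file to the key on the card and decrypt it
# again. Decryption can only succeed if gpg-agent reaches that YubiKey, so run
# it once per card (primary and backup), each time creating test.gpg for the
# card being tested, as the post describes.
# $1 = key id or fingerprint of the card's encryption key, $2 = scratch dir.
gpg_roundtrip() {
    key="$1"; dir="$2"
    printf 'LibreOffice YubiKey test\n' > "$dir/test.txt"
    gpg --batch --yes --encrypt --recipient "$key" \
        --output "$dir/test.gpg" "$dir/test.txt" || return 1
    gpg --batch --yes --decrypt --output "$dir/test.out" "$dir/test.gpg" || return 1
    cmp -s "$dir/test.txt" "$dir/test.out"
}

# Step 3: the two Flatseal entries as a persistent, user-level flatpak override.
libreoffice_override_cmd() {
    printf 'flatpak override --user --socket=pcsc --filesystem=xdg-run/gnupg %s\n' "$APP_ID"
}
grant_libreoffice_card_access() {
    flatpak override --user --socket=pcsc --filesystem=xdg-run/gnupg "$APP_ID"
}
# Print the sandbox overrides so you can confirm both entries took effect.
show_libreoffice_access() {
    flatpak override --user --show "$APP_ID"
}

# Runs the full check only when a key id is given: sh libreoffice_yubikey.sh <KEYID>
if [ "${1:-}" != "" ]; then
    tmp=$(mktemp -d)
    gpg --card-status > "$tmp/status.txt" 2>/dev/null
    card_status_ok "$(cat "$tmp/status.txt")" || { echo "no YubiKey with an encryption key found"; exit 1; }
    gpg_roundtrip "$1" "$tmp" || { echo "gpg round-trip through the YubiKey failed"; exit 1; }
    grant_libreoffice_card_access && show_libreoffice_access
    rm -rf "$tmp"
    echo "ok: LibreOffice sandbox can now reach the YubiKey and gpg-agent"
fi
```

The round-trip is the command-line half of the post's verification: with the card unplugged, `gpg --decrypt` on the same test.gpg fails, which is the same failure LibreOffice shows as its password prompt. Opening the document in LibreOffice itself remains a manual check after the override is applied.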

Needless to say, I could not find these instructions in the LibreOffice documentation, via internet search or via ChatGPT. Also, the assumption that LibreOffice makes that the secret GPG key would be stored on the computer is horrifying (as is the experience of encrypting a file only to be unable to decrypt it). The secret GPG key should never be stored on the computer (except encrypted behind a password manager). The primary use case assumption in this day and age by LibreOffice should be that the user is going to access the secret GPG key on a YubiKey, not on the computer.

I hope this series of blog entries on using the YubiKey (duplication, use under Fedora Silverblue, etc.) is helpful. Let me know if you found them useful!
