topic Re: automated gpg script with no passphrase in Operating System - HP-UX

automated gpg script with no passphrase

Michael Steele_2 — Thu, 13 Nov 2008 13:54:54 GMT

Hola Mates:

Well the subject line says it all. I'm seeking a way to with this gpg command syntax to omit the gpg passphrase during encryption. Here's what I've been given:

gpg -esa -r file

Here's the basic import command of the key

gpg --import

I'm am looking for an option that goes with gpg --import to bypass the passphrase option in gpg --edit-key.

I've been through the gpg manual from the gnupg.org website and it is not intuitively obvious to me.

Anybody ever build an automated gpg script used in ftp transmissions?

Re: automated gpg script with no passphrase

Steven E. Protter — Thu, 13 Nov 2008 14:03:16 GMT

Shalom,

This won't work?

http://www.nabble.com/Automate-decryption-td19223767.html

SEP

Re: automated gpg script with no passphrase

Michael Steele_2 — Thu, 13 Nov 2008 14:28:34 GMT

Why yes, I believe this is what I'm looking for.

"...Running without a passphrase just involves removing the passphrase
from the key altogether:

gpg --edit-key (thekeyid)
passwd
(just hit enter for the new passphrase)
save ..."

Let me test this out and I'll get back to you.

Re: automated gpg script with no passphrase

Matti_Kurkela — Thu, 13 Nov 2008 15:01:54 GMT

If the GPG secret key has been encrypted with a passphrase, the passphrase must be input to use the key.

(Note: data encryption uses only public key, which is never protected with a passphrase. But if you also sign the data, your own secret key is also needed. This is what the passphrase is for.)

So you must either:
a) remove the passphrase from the secret key, or
b) feed the passphrase to GPG non-interactively

You already got some instructions for a). I will offer you some advice for b).

From the GPG man page:
-----------
--passphrase-fd
Read the passphrase from file descriptor . Only the first line will be read from file descriptor . If you use 0 for , the passphrase will be read from stdin. This can only be used if only one passphrase is supplied.

--passphrase-file
Read the passphrase from file . Only the first line will be read from file . This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Donâ t use this option if you can avoid it.

--passphrase
Use as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Donâ t use this option if you can avoid it.
-----------
So, using "--passphrase-fd 0" will allow you to pipe the passphrase to GPG. That will make it necessary to protect whatever the passphrase is piped from, and/or the script that does the piping. Remember that command line arguments can be visible to all users in the ps listing.

The option "--passphrase-file" requires to protect only one file that contains the passphrase. I guess this might be the easiest for you, if you can put appropriate protections (usually, chmod 600 or even 400) on the file.

MK

Re: automated gpg script with no passphrase

Michael Steele_2 — Mon, 17 Nov 2008 14:51:29 GMT

MK

I am using gpg version 1.2.4. And there are no arguements for --passphrase or â passphrase-file for this version.

Can you tell me what version has these arguemenets?

â â ¦gpg â versionâ ¦â

SEP

Hereâ s where Iâ m at. After first successfully building new public and secret keys using first the â ..gpg â import KEY_1â ¦â command and then the â â ¦gpg â edit-key KEY_2â ¦â , and after having entered a passphrase, I am now at the point where I can not recreate the procedure minus the passphrase. Maybe you can guide me from here based upon these gpg â debug messages from my script.

FILENAME=FILE00096
+ gpg --debug-all -esa -r KEY112013 /home/dataxfer/BOA_positive/CA/outgoing/DEST
00096
gpg: reading options from `/home/dataxfer/.gnupg/gpg.conf'
gpg: DBG: fd_cache_open (/home/dataxfer/.gnupg/secring.gpg) not cached
gpg: DBG: iobuf-1.0: open `/home/dataxfer/.gnupg/secring.gpg' fd=3
gpg: DBG: iobuf-1.0: underflow: req=8192
gpg: DBG: iobuf-1.0: underflow: got=1239 rc=0
gpg: DBG: parse_packet(iob=1): type=5 length=443 (search.keyring.c.963)
.
.
gpg: DBG: /home/dataxfer/.gnupg/secring.gpg: close fd 3
gpg: DBG: fd_cache_close (/home/dataxfer/.gnupg/secring.gpg) new slot created
gpg: DBG: iobuf-1.0: underflow: eof
gpg: DBG: iobuf-1.0: close `'
gpg: no default secret key: secret key not available
gpg: /home/dataxfer/BOA_positive/CA/outgoing/BOA00096: sign+encrypt failed: secr
et key not available

Re: automated gpg script with no passphrase

Steven Schweda — Mon, 17 Nov 2008 18:58:21 GMT

> I am using gpg version 1.2.4.

Yow. How old is that?

> Can you tell me what version has these
> arguemenets?

The current version, 1.4.9, has them.

http://gnupg.org/

> Maybe you can guide me from here based upon
> these gpg Ã¢Â Â debug messages [...]

I'd guide to to a current version, which
probably offers a bunch of bug fixes as well
as features.

Re: automated gpg script with no passphrase

Michael Steele_2 — Wed, 19 Nov 2008 17:19:02 GMT

Well, here the end of the story.

SEP post something you deserve a big 10 points.

Additional problems were encountered with extra keys added into the keyring. Two displayed errors when deleted.

Thanks All!

Re: automated gpg script with no passphrase

Michael Steele_2 — Tue, 25 Nov 2008 01:23:45 GMT