question about gpg2 and passphrase

gnupg at raf.org gnupg at raf.org
Thu Dec 3 04:07:06 CET 2015


Andrey Utkin wrote:

> On 02.12.2015 22:12, Smith, Cathy wrote:
> > I need to be able to decrypt a file using gpg2 in batch. I have a
> > customer who requires us to provide a public key that is RSA 2048 bit.
> > I have RHEL6 available which provides gpg 2.0.14 to create the key
> > pair. However, I’ve not been able to use gpg2 in batch to provide the
> > passphrase to decrypt a file. It wants an interactive prompt for the
> > passphrase. I’ve tried some things that I’ve read on-line without any
> > success. Is there a way to configure gpg2 to accept a passphrase in
> > batch?
> 
> Hi,
> Have you tried generating a key with empty passphrase?

Hi,

Warning: I am not an expert. I only just found out how to do this myself.

If it needs to always work with no intervention and it's safe to leave the
key unencrypted on disk permanently (unlikely) then having an empty
passphrase is definitely the easy option but if you can't leave the key
unencrypted on disk and decryption only needs to occur at certain known
times, and it's OK to have someone supply the passphrase in advance, then
the following approach might be more appropriate.

You can run gpg-agent explicitly as a daemon and use the
--allow-preset-passphrase option and then use gpg-preset-passphrase to load
a passphrase into it.

The gpg-agent command will probably also need the --write-env-file option to
store the gpg-agent socket details on disk so other, unrelated processes can
connect to the gpg-agent.

Here's an example gpg-agent command:

  $ gpg-agent \
  >   --homedir /PATH/TO/.gnupg \
  >   --write-env-file /PATH/TO/.gpg-agent-info \
  >   --allow-preset-passphrase \
  >   --max-cache-ttl 7200 \
  >   --daemon -- \
  >   bash --login

To load the passphrase from within the bash process started above
(the double --fingerprint is important because it shows the key we need):

  $ gpg_cache_id="`gpg --homedir /PATH/TO/.gnupg --fingerprint --fingerprint USER@DOMAIN | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
  $ systemd-ask-password 'Enter GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"

To load the passphrase from an unrelated process, you would first need to do
the following to connect to the gpg-agent before loading the passphrase into
gpg-agent as described above:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO

The process that needs to perform the decryption would also need to do the
above if it is from a process that is unrelated to the bash process started
by gpg-agent. e.g.:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO
  # unset GPG_TTY # This is probably unnecessary
  $ gpg --batch --quiet --no-greeting --no-tty --use-agent \
  >   --homedir /PATH/TO/.gnupg --decrypt < ENCRYPTEDFILE > DECRYPTEDFILE

Note that the passphrase will stay resident in gpg-agent until gpg-agent
terminates, or until it is explicitly forgotten with:

  /usr/lib/gnupg2/gpg-preset-passphrase --forget "$gpg_cache_id"

or until the max-cache-ttl expires, whichever comes first. By default, this
is 7200 seconds (i.e. two hours) but it can be increased or decreased on the
gpg-agent command line.

It's probably a very bad idea to increase it too much and leave the
passphrase available permanently. If that were OK, you might as well use an
unencrypted key with no passphrase. But if it were OK, there'd be a
gpg-agent option to remove the TTL limit altogether, but there is no such
option.

Notes:
The gpg commands above (--fingerprint and --decrypt) should still work
if they were changed to gpg2. That's probably more sensible since gpg-agent
is a gpg2 thing but gpg works too so I use that.

If you don't have systemd-ask-password, you could use ssh-askpass but
it requires X11. It only takes a few lines of Perl to implement your own
askpass program if needed.

Also, don't set $DISPLAY to be empty before running gpg-preset-passphrase.
If you need to disable X11, unset DISPLAY instead or gpg-preset-passphrase
will give an error:

  gpg-preset-passphrase: problem setting the gpg-agent options
  gpg-preset-passphrase: caching passphrase failed: Invalid response

Also, the gpg-agent command can be run inside a screen or tmux session so
that you can detach from it and reattach to it again later to terminate it.

Also, I don't know about RHEL6. The above works on debian-8 and ubuntu-14.04.3
which have gpg2 2.0.26 and 2.0.22, respectively. Hopefully, it will all
work on RHEL6 with gpg2 2.0.14 as well.

Good luck,
raf
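The procedure above (start an agent that accepts preset passphrases, derive the cache id from the double-fingerprint listing, preset the passphrase, decrypt in batch, forget it again), pulled together into one script. This is an added example, not raf's code or anything shipped with GnuPG: the paths /PATH/TO/.gnupg, /PATH/TO/.gpg-agent-info and the user id USER@DOMAIN are placeholders carried over from the post, the /usr/libexec location for gpg-preset-passphrase on RHEL is an assumption, and the key listing embedded at the bottom is constructed so the fingerprint extraction can be checked without a keyring. It goes slightly beyond the post by validating the cache id (40 upper-case hex digits) before handing it to gpg-preset-passphrase, which catches a grep that matched nothing or a user id that matched no key.

```shell
#!/bin/sh
# Added example, not code from the original post.  Placeholders (assumptions):
#   GNUPG_HOME      - the post's /PATH/TO/.gnupg
#   AGENT_INFO_FILE - the post's /PATH/TO/.gpg-agent-info (for --write-env-file)
#   KEY_UID         - user id of the decryption key, the post's USER@DOMAIN
GNUPG_HOME="${GNUPG_HOME:-/PATH/TO/.gnupg}"
AGENT_INFO_FILE="${AGENT_INFO_FILE:-/PATH/TO/.gpg-agent-info}"
KEY_UID="${KEY_UID:-USER@DOMAIN}"
GPG="${GPG:-gpg2}"

# gpg-preset-passphrase is not on PATH.  Debian/Ubuntu install it under
# /usr/lib/gnupg2; RHEL/Fedora under /usr/libexec (assumed, not verified here).
find_preset_tool() {
    for d in /usr/lib/gnupg2 /usr/libexec /usr/lib/gnupg; do
        [ -x "$d/gpg-preset-passphrase" ] && { echo "$d/gpg-preset-passphrase"; return 0; }
    done
    echo "gpg-preset-passphrase not found" >&2
    return 1
}

# Step 1: detached agent that accepts preset passphrases and records its
# socket in AGENT_INFO_FILE so unrelated processes can attach to it later.
start_agent() {
    gpg-agent --homedir "$GNUPG_HOME" --write-env-file "$AGENT_INFO_FILE" \
              --allow-preset-passphrase --max-cache-ttl 7200 --daemon
}

# Any process that wants to talk to that agent (preset or decrypt) does this.
attach_agent() {
    . "$AGENT_INFO_FILE"
    export GPG_AGENT_INFO
}

# Step 2: the cache id.  With gpg 2.0 it is a key fingerprint; the second
# --fingerprint makes gpg print subkey fingerprints too, and the last one
# listed is the encryption subkey that does the decrypting (hence tail -1).
# Reads the listing from stdin so it can be exercised on constructed output.
cache_id_from_listing() {
    grep 'Key fingerprint' | tail -n 1 | sed -e 's/.*= *//' -e 's/ //g'
}

# A usable cache id is exactly 40 upper-case hex digits; anything else means
# the listing did not contain what we expected.
valid_cache_id() {
    [ ${#1} -eq 40 ] || return 1
    case "$1" in *[!0-9A-F]*) return 1 ;; esac
    return 0
}

cache_id_for_uid() {
    "$GPG" --homedir "$GNUPG_HOME" --fingerprint --fingerprint "$1" | cache_id_from_listing
}

# Step 3: load the passphrase, read from stdin (e.g. piped from
# systemd-ask-password), into the agent under that cache id.
preset_passphrase() { "$(find_preset_tool)" --preset "$1"; }
forget_passphrase() { "$(find_preset_tool)" --forget "$1"; }

# Step 4: decrypt with no terminal; the agent supplies the passphrase.
decrypt_batch() {
    "$GPG" --batch --quiet --no-greeting --no-tty --use-agent \
           --homedir "$GNUPG_HOME" --output "$2" --decrypt "$1"
}

# Constructed sample of "gpg --fingerprint --fingerprint" output for a key
# with one encryption subkey; the fingerprints are made up.
SAMPLE_LISTING='pub   2048R/0A1B2C3D 2015-12-03
      Key fingerprint = 0123 4567 89AB CDEF 0123  4567 89AB CDEF 0A1B 2C3D
uid                  Example User <USER@DOMAIN>
sub   2048R/4E5F6071 2015-12-03
      Key fingerprint = FEDC BA98 7654 3210 FEDC  BA98 7654 3210 4E5F 6071'

demo_cache_id() { printf '%s\n' "$SAMPLE_LISTING" | cache_id_from_listing; }

# The real run happens only on request, so the functions above can be sourced
# or tested without touching gpg:  sh this.sh --run ENCRYPTEDFILE DECRYPTEDFILE
if [ "${1-}" = "--run" ]; then
    start_agent >/dev/null          # env file written; attach via the file
    attach_agent
    id="$(cache_id_for_uid "$KEY_UID")"
    valid_cache_id "$id" || { echo "no usable cache id for $KEY_UID: '$id'" >&2; exit 1; }
    preset_passphrase "$id"         # passphrase arrives on stdin
    decrypt_batch "$2" "$3"
    forget_passphrase "$id"         # do not leave it resident longer than needed
fi
```

The forget step at the end is the point of the whole arrangement: the key stays encrypted on disk and the passphrase lives in the agent only for the window in which the batch job runs. Two version caveats for anyone not on gpg 2.0: in GnuPG 2.1 and later the cache id passed to gpg-preset-passphrase is the keygrip (shown by `gpg --with-keygrip -K`), not the fingerprint, so `cache_id_from_listing` would need to read a different field; and 2.1 agents listen on a fixed socket under the home directory, so the GPG_AGENT_INFO / --write-env-file dance is no longer needed there.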
