Detecting a misremembered passphrase in gpg-agent
ael
witwall3 at disroot.org
Thu Jun 13 12:57:24 CEST 2024
Further thoughts on detecting a mistaken passphrase entry when
encrypting. I have looked at both
man gpg-agent and info
and I could not immediately see anything to help, but I quickly became
lost in the overwhelming volume of the entries :-)
So perhaps there is something there that I have missed.
The user case is not the "usual" use of gpg for communicating with 2nd
parties. Rather I am using symmetric encryption on local files and
usually using a common (long) passphrase on a common set of those
files. The plain text file is deleted after encryption for
security. So if I make a mistake in entering the passphrase I have lost
access.
pinentry asks me to repeat the passphrase and that is obviously the
main defence against getting things wrong. However, I am quite capable
of misremembering a component of a passphrase that I have not used for a
long time, or even using the wrong passphrase in an absent-minded
moment.
Having to repeat a long passphrase is quite laborious, and the
suggestion below would solve that.
My simple suggestion is that there be an option, perhaps even a tick-box
on the entry window, that displays a checksum/fingerprint/hash of the
entered passphrase. That hash can then be checked perhaps manually,
perhaps directly against the known hash of the passphrase. If it is
checked manually, it needs to be quite short. If the hash matches, there
is no need to re-enter the passphrase. It also guards against
re-entering a misremembered phrase.
Something like this would be a huge improvement for my use case.
Probably useful more generally. Of course, you would still need double
entry when initially setting up a passphrase which does not yet have a
hash.
ael
More information about the Gnupg-users
mailing list