Newbie question - how to include the pass phrase in the command
Tue Jun 10 20:46:03 2003
Thanks for your reply. With help from Steve Butler via private email, I got
the recipient's key trusted and solved most of the problem.
The dump option is very interesting. Unfortunately, there is no explanation or
example, so I can't figure out how to use those options.
----- Original Message -----
From: "Johan Wevers" <firstname.lastname@example.org>
To: "GnuPG users" <email@example.com>
Sent: Monday, June 09, 2003 5:48 PM
Subject: Re: Newbie question - how to include the pass phrase in the command
> Ping Kam wrote:
> > First, I am not sure if the secret key is encrypted. Is there a way to
> > out?
> Yes, if you want to use it and gpg asks for a password, it is encrypted.
> you sign something you need your secret key so it needs to be decrypted if
> it's encrypted. To encrypt, you need the recipient's public key, and
> keys are not encrypted. They need not be.
> > And how to encrypt the secret key?
> gpg --edit-key <keyID>
> then use the commands "passwd", "save", "quit".
> > Second, which secret key? Our secret key, the recipient key, or both?
> You have only access to your own secret key. Whether the recipient has a
> password on his secret key is irrelevant for your setup. You don't have
> access that key anyway (unless there's something wrong).
> > Third, it seems like pass phrase is required only if I want to encrypt
> > sign the file. It is not required to encrypt the file with signing.
> No, to encrypt you only need unencrypted public keys.
> >> Not that I don't agree that
> >> passing it via a file descriptor is safer,
> > I really doubt this. Don't you think passing the pass phrase via
> > is safer than to reading it from a separate file?
> No. But the current situation leads to people removing the password from
> secret key completely because they don't know how to use file descriptors
> VB, which is an even more unsafe situation.
> > The problem I have is that I can't find any
> > documentation about this fd option. It is not in the list of help.
> Try gpg --dump-options. It will show you really all options, even those
> are not in the standard help.
> > But I think it will be safer if the pass phrase is provided via
> > instead of from a hardcoded non-standard place.
> On a single-user box like a windows machine, yes. On a multi-user Unix
> machine, some users can view the complete command lines of all commands,
> which would give away the password. My POV is that the coder of an
> application that uses gpg should decide which threat is the greatest,
> since he knows his target box the best, but the gpg developers seem to
> ir. J.C.A. Wevers // Physics and science fiction site:
> firstname.lastname@example.org // http://www.xs4all.nl/~johanw/index.html
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
> Gnupg-users mailing list
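The file-descriptor idiom the quoted reply refers to, which the original poster could not find documented, as an added example that is not part of this thread. It assumes gpg is on PATH; the recipient address and the passphrase file path are placeholders, and `--pinentry-mode loopback` is the GnuPG 2.1+ flag needed for `--passphrase-fd` to work with gpg-agent (gpg 1.x, current in 2003, neither has nor needs it).

```shell
#!/bin/sh
# Added example, not from the thread. The passphrase reaches gpg over a
# file descriptor instead of the argument list, so `ps` on a multi-user
# Unix box shows the command line but not the secret.
# `gpg --dump-options | grep passphrase` lists the related options.

# Sign and encrypt FILE for RECIPIENT, reading the passphrase from PASSFILE
# on fd 3. --batch suppresses the interactive prompt; the redirection
# "3< file" opens the file as fd 3 for the gpg child only.
sign_and_encrypt() {
    infile=$1 recipient=$2 passfile=$3
    gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
        --recipient "$recipient" --sign --encrypt \
        --output "$infile.gpg" "$infile" 3< "$passfile"
}

# The shell side of the same idiom with no gpg dependency: the child reads
# its secret from fd 3 and echoes it, while its own "$@" stays empty.
child_reads_fd3() {
    IFS= read -r secret <&3 || return 1
    printf '%s\n' "$secret"
}

# A passphrase file only helps if nobody else can read it. Succeeds when
# the group and other permission bits are all clear (e.g. mode 0600).
passfile_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Usage: sh this_script.sh FILE RECIPIENT PASSFILE
if [ $# -eq 3 ]; then
    passfile_is_private "$3" || {
        echo "refusing: $3 is readable by group or others" >&2
        exit 1
    }
    sign_and_encrypt "$@"
fi
```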