WINDOWS - Adding passphrase to gpg via command line

Peter Lebbing peter at digitalbrains.com
Tue May 12 11:59:34 CEST 2015


Hi,

(Could you please not top-post and trim your quotes)

> Thanks, but our requirement is that the key is secured with a 
> passphrase.

Often, this is not useful on a server. When someone gains access to the
processes that do the decryption and/or signing, they already have
access to the decrypted key material by virtue of the key being unlocked
and ready to use.

Another reason to encrypt a file (in this case the private key) is so it
doesn't end up in backups in unencrypted form. For GnuPG keys, it might
simply be sensible to arrange for backups to not include that file, and
handle the backing up of secret key material separately. This is
relatively little overhead because a secret key doesn't change often anyway.

> Any other ideas into what is wrong with my coding?

Well, you quote an old thread from this mailing list. Later on
in the thread, Werner chimes in[1] about gpg-preset-passphrase and its
usage, however it seems you are using it wrong. You said you did:

> gpg-preset-passphrase.exe --preset "mypassphrase"

That seems to miss the most crucial part of the whole command: the
keygrip of the key. Also your described behaviour of "it just sits there
in cmd on the next line doing nothing" doesn't seem like it is working.

So perhaps you should reread [1].

By the way, you should probably have gpg-preset-passphrase interactively
query you for the password, because including it in the command line
defeats part of the use of encryption (anyone logged in to the server
can observe the passphrase). And if it's in a startup script like that,
it wholly defeats the purpose of encryption and is a generous helping of
snake oil.

I was surprised to read that the person in that thread actually managed
to pipe in the password like that without anything like --passphrase-fd.
I wouldn't expect that to work, and it seems like a lucky hit, for some
definition of lucky. It also seems to serve no purpose at all. Not only
is the passphrase visible for anyone logged in at the moment the command
is issued, also it's part of the script and thus the data on disk. It
seems to be there just to comply with some ill-defined "keys need to be
encrypted" requirement, following the requirement to the letter rather
than to the spirit.

HTH,

Peter.

[1] http://www.gossamer-threads.com/lists/gnupg/users/59416#59416

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
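As an added example (not code from Peter's message or from GnuPG) of the correct shape of the command discussed above: a Python helper that finds the keygrip in `gpg --with-colons --with-keygrip --list-secret-keys` output and then runs gpg-preset-passphrase with that keygrip, taking the passphrase at the terminal rather than on the command line. It assumes gpg-preset-passphrase is on PATH (gpg-preset-passphrase.exe on Windows) and that gpg-agent.conf contains `allow-preset-passphrase`; the key listing is constructed sample data.

```python
import getpass
import subprocess
from typing import Dict, List
# Constructed sample (not real keys) of `gpg --with-colons --with-keygrip
# --list-secret-keys`: field 1 = record type, field 5 = key ID, field 12 =
# capabilities; the keygrip is field 10 of the `grp` record after each sec/ssb.
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1431424774:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF0123ABCD:
grp:::::::::1111111111111111111111111111111111111111:
uid:u::::1431424774::0000000000000000000000000000000000000000::Example Server <server@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1431424774::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::2222222222222222222222222222222222222222:
"""
PRESET_BIN = "gpg-preset-passphrase"  # assumed to be on PATH (.exe on Windows)

def parse_keygrips(listing: str) -> Dict[str, dict]:
    """Map each secret key/subkey ID to its record type, capabilities and keygrip."""
    keys: Dict[str, dict] = {}
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            current = f[4]
            keys[current] = {"type": f[0], "caps": f[11] if len(f) > 11 else "", "keygrip": None}
        elif f[0] == "grp" and current is not None:
            keys[current]["keygrip"] = f[9]
    return keys

def decryption_keygrips(keys: Dict[str, dict]) -> List[str]:
    """Keygrips a server must have unlocked in order to decrypt (capability 'e')."""
    return [k["keygrip"] for k in keys.values() if "e" in k["caps"] and k["keygrip"]]

def preset_command(keygrip: str) -> List[str]:
    # The keygrip is the crucial positional argument; the passphrase is
    # deliberately absent here, gpg-preset-passphrase reads it from stdin.
    return [PRESET_BIN, "--preset", keygrip]

def preset_passphrase(keygrip: str, passphrase: str) -> None:
    # gpg-agent.conf needs `allow-preset-passphrase` or the agent refuses the preset.
    subprocess.run(preset_command(keygrip), input=passphrase + "\n", text=True, check=True)

if __name__ == "__main__":
    out = subprocess.run(["gpg", "--with-colons", "--with-keygrip", "--list-secret-keys"],
                         capture_output=True, text=True, check=True).stdout
    # Ask at the terminal so the passphrase is in neither the command line nor a script.
    pw = getpass.getpass("Passphrase: ")
    for grip in decryption_keygrips(parse_keygrips(out)):
        preset_passphrase(grip, pw)
```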


