AW: AW: WINDOWS - Adding passphrase to gpg via command line

Mike Kaufmann m.kaufmann at infotech.li
Thu Jun 16 08:46:09 CEST 2016


Hi

I've used http://www.asciitohex.com/ to convert my passphrase to a hex string. Therefore I think that's not the reason.

What I'm not sure:
Is the value I use for the first parameter correct? In the gpg help the parameter is described as <string_or_keygrip>.
In https://lists.gnupg.org/pipermail/gnupg-users/2010-January/037876.html I've seen that the fingerprint should be used instead of the keygrip.
What is correct: keygrip or fingerprint? Is there a way with gpg commands to find out the value for this parameter?

We have planned to save the passphrase in a database on Server A. On Server B a web service can be called from our client app that reads the passphrase out of the database on Server A and calls the gpg commands on Server B with the passphrase parameter.
So the passphrase is not stored plainly on disk on the same server as the key. Or does gpg-agent do this when using preset-passphrase?

Regards, Mike

-----Original Message-----
From: Peter Lebbing [mailto:peter at digitalbrains.com]
Sent: Wednesday, 15 June 2016 14:35
To: Mike Kaufmann <m.kaufmann at infotech.li>
Cc: gnupg-users at gnupg.org
Subject: Re: AW: WINDOWS - Adding passphrase to gpg via command line

Hi,

> Any further ideas? I am despairing slowly but surely...

When I purposely enter the wrong passphrase, the PRESET_PASSPHRASE command succeeds, but subsequently the pinentry will pop up to prompt for the correct passphrase when I try to do anything with the key.

So you might have a mistake in the passphrase?

You could create a test key and set its passphrase to be test, and explicitly use the hexified version of the word test to try whether it works then, since we obviously can't tell you if you've made a mistake with hexifying your real passphrase :-).

By the way, depending on your situation, it might not be worse to use your key without a passphrase. Your key is encrypted when stored on disk so that an attacker getting hold of the file doesn't yet have your key.
However, when you use gpg-preset-passphrase in a way that stores the passphrase argument plainly on disk as well, the attacker can simply read that file as well and decrypt your key. In such situations, the encryption serves no purpose (other than to make you despair slowly but surely). But in other situations, it can be more secure to use a passphrase, so it all depends.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
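The test Peter suggests (preset the hexified word "test" for a throwaway key) and the keygrip question Mike raises can be scripted. The following is an added example, not code posted by either of them: it hex-encodes a passphrase the way asciitohex.com does, reads the keygrip from gpg's colon-separated listing (GnuPG 2.1 or later; the PRESET_PASSPHRASE agent command takes a keygrip, and gpg-agent must have allow-preset-passphrase in gpg-agent.conf), sends the PRESET_PASSPHRASE command over gpg-connect-agent, and then checks the cached passphrase by signing with pinentry disabled, because, as Peter notes, a wrong passphrase is accepted by PRESET_PASSPHRASE and only fails later. The key ID, passphrase and the use of a throwaway test key are the caller's inputs.

```shell
#!/bin/sh
# Added example for the gnupg-users thread above; not part of any GnuPG tool.
# Assumes GnuPG 2.1+, a running gpg-agent with "allow-preset-passphrase" set,
# and a throwaway test key whose passphrase is known.

# hexify STRING: print the lowercase hex encoding of the string's bytes,
# which is the form PRESET_PASSPHRASE expects (e.g. test -> 74657374).
hexify() {
    printf '%s' "$1" | od -An -tx1 -v | tr -d ' \n'
}

# keygrip_of KEYID: print the keygrip of the first secret key or subkey
# matching KEYID. In --with-colons output the "grp" record carries the
# keygrip in field 10.
keygrip_of() {
    gpg --batch --with-colons --with-keygrip --list-secret-keys "$1" \
        | awk -F: '$1 == "grp" { print $10; exit }'
}

# preset_passphrase KEYGRIP PASSPHRASE: cache the passphrase in gpg-agent.
# Timeout -1 keeps it cached until the agent is stopped.
preset_passphrase() {
    printf 'PRESET_PASSPHRASE %s -1 %s\n' "$1" "$(hexify "$2")" \
        | gpg-connect-agent
}

# verify_cached KEYID: sign a throwaway message with pinentry set to "error",
# so a missing or wrong cached passphrase fails instead of popping a prompt.
verify_cached() {
    printf 'preset check\n' \
        | gpg --batch --pinentry-mode error --local-user "$1" --sign \
              --output /dev/null
}

# Only act when called with KEYID and PASSPHRASE; sourcing the file just
# defines the functions above.
if [ "$#" -eq 2 ]; then
    grip=$(keygrip_of "$1")
    [ -n "$grip" ] || { echo "no secret key for $1" >&2; exit 1; }
    echo "keygrip: $grip"
    preset_passphrase "$grip" "$2"
    if verify_cached "$1"; then
        echo "cached passphrase accepted"
    else
        echo "cached passphrase rejected: check the hex encoding" >&2
        exit 1
    fi
fi
```

Run it as `sh preset-check.sh <KEYID> test` against a test key whose passphrase is literally test; the printed keygrip is the value to use for the first parameter, and the final sign step is the check the thread was missing.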

