WINDOWS - Adding passphrase to gpg via command line

Peter Lebbing peter at
Thu Jun 16 13:41:11 CEST 2016


On 16/06/16 08:46, Mike Kaufmann wrote:
> I've used to convert my passphrase into a
> hexstring. Therefore I think that's not the reason.

Does it end in bytes 0D or 0A? Those are CR/LF ASCII bytes, and should
not be included.

> What I'm not sure: Is the value I use for the first parameter
> correct?

By the looks of it, you could check this through:

> $ gpg-connect-agent
> > havekey 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> OK
> > havekey 44696420796F7520736565206D79206B6579733F
> ERR 67108881 No secret key <GPG Agent>

preset_passphrase will take anything thrown at it without complaint, as
long as it's syntactically valid. Whether the information was useful
will only become apparent when it is needed.

Also, are you unlocking the correct (sub)key?

Let's take a look at a test key:

> $ gpg2 --with-keygrip -K DCDFDFA4
> sec   rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17]
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid         err Test Teststra <test at work.invalid>
> uid         err Test Teststra (Koning van Wezel) <test at example.invalid>
> ssb   rsa1024/77A3395A 2012-03-17 [E]
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048/38EF7410 2016-01-12 [A]
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63

If I wanted to unlock the key for signatures or certifying, I would
unlock the first keygrip. Note that if you have a separate signing
subkey, you'd most likely use that for signatures.

If I wanted to decrypt stuff, I would unlock the second keygrip.
Finally, if I wanted to use the key for SSH authentication, I would
unlock the third and final keygrip. If I wanted to unlock the whole
private key, I'd unlock all three.

> What is correct: keygrip or fingerprint?

Keygrips work, so I'd stick to that.

> Is there a way with gpg commands to find out the value for this

You mean, like, what the program gpg-preset-passphrase uses? It might,
but before I spend time on that, please see if you've already figured it
out with the previous part of this message.

> We have planned to save the passphrase in a database on Server A. On
> Server B a Webservice can be called from our client app, that reads
> the passphrase out of database on Server A and calls the gpg-commands
> on Server B with the passphrase parameter. So the passphrase is not
> stored plainly on disc on the same server as the key.

I don't feel qualified to comment on the usefulness of this arrangement,
so I won't. This says something about me, not about your setup.

> Or does gpg-agent do this, when using preset-passphrase?

No, gpg-agent will not write to disk, and tries to prevent the operating
system from doing so, if it is supported on your OS.



PS: Could you perhaps use inline-quoting and strip your quotes?
Alternatively, sometimes it's not unreasonable to just remove all the
quoted text. But the dangling original message below your reply is an
unwanted style here at gnupg-users.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
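The checks Peter walks through above, collected into one POSIX shell script. This is an added example, not code from the message or from GnuPG: it hex-encodes a passphrase without a trailing CR/LF, picks the keygrip for a given capability ([SC], [E], [A]) out of a `gpg2 --with-keygrip -K` listing, asks the agent with `havekey` whether it knows that grip, and only then sends `preset_passphrase`. The function names, the `-1` (no expiry) timeout and the `allow-preset-passphrase` requirement in gpg-agent.conf are my assumptions; the embedded listing is constructed from the test key shown in the mail, not captured from a live keyring.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumes gpg2 (>= 2.1) and
# gpg-connect-agent on PATH and "allow-preset-passphrase" in gpg-agent.conf.
# Function names below are my own, not GnuPG's.

# Hex-encode a passphrase read from stdin the way preset_passphrase wants it.
# CR/LF are dropped first, so a value read from a file or a database row does
# not smuggle a 0D/0A byte into the cached passphrase.
to_hex() {
    tr -d '\r\n' | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Pick the keygrip carrying one capability letter (S, E, A or C) out of a
# human-readable `gpg2 --with-keygrip -K` listing fed on stdin, so the
# signing, decryption and authentication (sub)keys are told apart.
keygrip_for() {   # usage: keygrip_for <capability-letter> < listing
    awk -v want="$1" '
        /^(sec|ssb)/ { caps = $4 }                    # e.g. [SC], [E], [A]
        /Keygrip = / && index(caps, want) { print $3; exit }
    '
}

# Same lookup against the live keyring; LC_ALL=C keeps the listing in the
# English layout the awk above expects.
live_keygrip() {   # usage: live_keygrip <capability-letter> <key id>
    LC_ALL=C gpg2 --with-keygrip -K "$2" | keygrip_for "$1"
}

# Ask the agent whether it holds a key for this grip. No passphrase is
# needed; it prints "OK" or "ERR 67108881 No secret key <GPG Agent>".
agent_has_key() {   # usage: agent_has_key <keygrip>
    gpg-connect-agent "havekey $1" /bye
}

# Cache the passphrase (read from stdin) for one keygrip until the agent
# exits (timeout -1). The command is piped to gpg-connect-agent rather than
# passed on argv, so the hex string never shows up in `ps`. The agent accepts
# any syntactically valid hex here; a wrong value only fails when the key is used.
preset() {   # usage: printf '%s' "$pass" | preset <keygrip>
    printf 'preset_passphrase %s -1 %s\n' "$1" "$(to_hex)" | gpg-connect-agent
}

# Constructed listing based on the test key in the mail (not captured live),
# used to exercise keygrip_for without a keyring.
SAMPLE_LISTING=$(cat <<'EOF'
sec   rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17]
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid         err Test Teststra <test at work.invalid>
uid         err Test Teststra (Koning van Wezel) <test at example.invalid>
ssb   rsa1024/77A3395A 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb   rsa2048/38EF7410 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
EOF
)

# Typical flow against a real agent (commented out so the script runs offline):
#   grip=$(live_keygrip E DCDFDFA4)          # decryption subkey's grip
#   agent_has_key "$grip" | grep -q '^OK' || exit 1
#   printf '%s' "$pass" | preset "$grip"
```

Two things worth noticing when adapting this: `keygrip_for E` on the sample listing returns the [E] subkey's grip (15CB...), not the primary key's, which is exactly the distinction Peter draws between unlocking for signing, decrypting and SSH; and `havekey` is the cheap way to find out whether a string you believe is a keygrip means anything to the agent before you preset a passphrase for it.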
