AW: Extraction of decryption session key without copying complete encrypted file

Peter Lebbing peter at
Fri Aug 25 18:57:34 CEST 2017

On 25/08/17 18:40, Fiedler Roman wrote:
> Idea:
> 1) Extract all GPG preambles of files to be decrypted to a single file 
> (working)
> 2) Batch decrypt all preambles from the input file on the trusted equipment 
> (not working in batch mode)
> 3) Decrypt all storage elements with the list of session keys (working)

It doesn't sound like you need agent forwarding at all. I would expect
that you can decrypt with a session key without an agent, since the
agent is only consulted to get the session key, but you already have it.

Step 2 is not working, but it is all on the system with the private key,
with a locally running agent. Did you either gpg-preset-passphrase or
remove the passphrase from the key? If the agent needs to prompt the
user with a pinentry, but there is no human since it is batch operation,
it will error out. So it needs to know the passphrase already or the
passphrase needs to be removed.

I think agent forwarding is an alternative to your idea, not a way to
implement it. With agent forwarding, the remote system without the
private key would ask the forwarded agent to decrypt the
public-key-encrypted-session-key for it and obtain the session key that
way and that would avoid all the extra steps. Provided it worked :-).



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
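
Step 1 of the quoted idea (collecting only the session-key packets from the front of each encrypted file) can be sketched as below. This is an added example, not part of the original message and not GnuPG code; it assumes binary (non-armored) OpenPGP input, and the function names and sample bytes are constructed for illustration.

```python
PKESK, SKESK = 1, 3   # session-key packet tags (RFC 4880, section 4.3)

def read_header(buf, pos):
    """Parse the packet header at pos; return (tag, body_start, body_len).
    body_len is None for partial-body or indeterminate lengths."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (remove ASCII armor first)")
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                     # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None                     # indeterminate length
    size = (1, 2, 4)[ltype]
    return tag, pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def extract_preamble(buf):
    """Return the leading PKESK/SKESK packets of buf, a prefix of an encrypted file."""
    pos = 0
    while pos < len(buf):
        try:
            tag, start, length = read_header(buf, pos)
        except IndexError:
            raise ValueError("prefix ends inside a packet header; read more bytes")
        if tag not in (PKESK, SKESK):
            return buf[:pos]                          # reached the encrypted data packet
        if length is None or start + length > len(buf):
            raise ValueError("session-key packet incomplete or without definite length")
        pos = start + length
    return buf[:pos]

# Constructed sample: two PKESK packets (old and new header format) with dummy
# key ID and MPI bytes, followed by the start of an encrypted data packet (tag 18).
_BODY = bytes([3]) + bytes(8) + bytes([1]) + b"\x00\x10\xaa\xbb"
SAMPLE = b"\x84\x0e" + _BODY + b"\xc1\x0e" + _BODY + b"\xd2\xea\x01" + bytes(64)

if __name__ == "__main__":
    preamble = extract_preamble(SAMPLE)
    print(len(preamble), "of", len(SAMPLE), "bytes are session-key packets")
```

Only the first few kilobytes of each file need to be read and passed to `extract_preamble`; a `ValueError` signals that the prefix was too short or the input was armored.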
