How to avoid Passphrase prompt

Peter Lebbing peter at digitalbrains.com
Fri Feb 2 12:23:37 CET 2018


On 01/02/18 05:03, Aneesh Varghese wrote:
> Hi Peter,
> We need passphrase, but passphrase should be entered via code not from windows popup prompt.

Hah, now I understand! :-)

There are two methods: gpg-preset-passphrase and pinentry loopback.

gpg-preset-passphrase:

GNUPGHOME/gpg-agent.conf:
--8<---------------cut here---------------start------------->8---
allow-preset-passphrase
max-cache-ttl 2147483647
--8<---------------cut here---------------end--------------->8---

gpg --with-keygrip -K
--8<---------------cut here---------------start------------->8---
sec   rsa1024 2012-03-17 [SC] [expires: 2018-02-07]
      825472F37172B95ADC7349BE98B67DE4DCDFDFA4
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid           [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
uid           [  full  ] Test Teststra <test at work.invalid>
ssb   rsa1024 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb   rsa2048 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
--8<---------------cut here---------------end--------------->8---

Note keygrip for [E] subkey.

Do this every time after starting the server/starting gpg-agent, to unlock 
the key:

gpg-preset-passphrase --preset 15CB764B81D542CF921978CA89910C69D53F4E2D

(Type in the password. Currently no pinentry support.)

Done!

Second method: pinentry loopback.

This method has a problem. Your code supplies the passphrase. Where is 
the passphrase stored? If it is simply stored on the hard disk, the 
passphrase is probably useless. An attacker can just read the 
passphrase. What are you protecting against?

It is simple, though:

echo passphrase | gpg --batch --pinentry-mode loopback --passphrase-fd 0 -d test.gpg

(Use code to pass the passphrase on some FD, don't actually use echo).

All this was tried out on Linux. I don't have Windows, or the necessary 
knowledge. I think it should work on Windows.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
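An added example, not part of Peter's post, showing how the two methods above can be driven from code rather than from a shell one-liner with `echo`. It parses the `gpg --with-keygrip -K` listing quoted in the post to pick out the `[E]` subkey keygrip, builds the `gpg-preset-passphrase --preset` and `gpg --pinentry-mode loopback --passphrase-fd` command lines, and hands the passphrase to the child process through a pipe so it never appears in argv, shell history or `ps` output. Assumptions: GnuPG 2.1 or later, `gpg-agent.conf` already containing `allow-preset-passphrase`, and `gpg-preset-passphrase` living in the `libexecdir` reported by `gpgconf --list-dirs` (the `/usr/lib/gnupg` default below is a guess for Linux packages). The function and variable names are mine; the sample listing is copied from the post. It does not solve the storage problem Peter raises: whatever calls `run_with_passphrase` still has to obtain the passphrase from somewhere.

```python
"""Automate the two passphrase-unlock methods from the post without `echo`."""
import os
import re
import subprocess
from typing import Dict, List, Optional

# The `gpg --with-keygrip -K` output quoted in the post, used as sample input.
SAMPLE_LISTING = """\
sec   rsa1024 2012-03-17 [SC] [expires: 2018-02-07]
      825472F37172B95ADC7349BE98B67DE4DCDFDFA4
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid           [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
uid           [  full  ] Test Teststra <test at work.invalid>
ssb   rsa1024 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb   rsa2048 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
"""

KEY_LINE = re.compile(r"^(sec|ssb)\s+\S+\s+\S+\s+\[([A-Z]+)\]")
GRIP_LINE = re.compile(r"^\s+Keygrip = ([0-9A-F]{40})$")


def parse_keygrips(listing: str) -> Dict[str, List[str]]:
    """Map each capability flag (S, C, E, A) to the keygrips carrying it.

    The fingerprint line under `sec` has no 'Keygrip =' prefix, so it is
    skipped and the pending capability set stays attached to the keygrip line.
    """
    caps: Dict[str, List[str]] = {}
    pending: Optional[str] = None
    for line in listing.splitlines():
        m = KEY_LINE.match(line)
        if m:
            pending = m.group(2)
            continue
        g = GRIP_LINE.match(line)
        if g and pending is not None:
            for flag in pending:
                caps.setdefault(flag, []).append(g.group(1))
            pending = None
    return caps


def encryption_keygrip(listing: str) -> str:
    """Keygrip of the [E] subkey, the one to preset for unattended decryption."""
    grips = parse_keygrips(listing).get("E", [])
    if len(grips) != 1:
        raise ValueError(f"expected exactly one encryption key, found {len(grips)}")
    return grips[0]


def gnupg_libexecdir() -> str:
    """Ask gpgconf where gpg-preset-passphrase lives (it is not on PATH)."""
    out = subprocess.run(["gpgconf", "--list-dirs"], capture_output=True,
                         text=True, check=True).stdout
    for line in out.splitlines():
        key, _, value = line.partition(":")
        if key == "libexecdir":
            return value
    raise RuntimeError("gpgconf did not report libexecdir")


def preset_argv(keygrip: str, libexecdir: str = "/usr/lib/gnupg") -> List[str]:
    """Method 1: gpg-preset-passphrase reads the passphrase from stdin."""
    if not re.fullmatch(r"[0-9A-F]{40}", keygrip):
        raise ValueError("keygrip must be 40 upper-case hex digits")
    return [os.path.join(libexecdir, "gpg-preset-passphrase"), "--preset", keygrip]


def loopback_argv(ciphertext: str, passphrase_fd: int = 0) -> List[str]:
    """Method 2: loopback pinentry, passphrase read from the given descriptor."""
    return ["gpg", "--batch", "--pinentry-mode", "loopback",
            "--passphrase-fd", str(passphrase_fd), "-d", ciphertext]


def run_with_passphrase(argv: List[str], passphrase: bytes) -> subprocess.CompletedProcess:
    """Run argv with the passphrase delivered over a pipe on its stdin.

    A pipe (instead of `echo secret | ...`) keeps the secret out of argv,
    shell history and process listings; gpg reads up to the first newline.
    """
    return subprocess.run(argv, input=passphrase + b"\n",
                          capture_output=True, check=False)


if __name__ == "__main__":
    import getpass
    listing = subprocess.run(["gpg", "--with-keygrip", "-K"], capture_output=True,
                             text=True, check=True).stdout
    grip = encryption_keygrip(listing)
    secret = getpass.getpass("Passphrase: ").encode()
    result = run_with_passphrase(preset_argv(grip, gnupg_libexecdir()), secret)
    print("preset ok" if result.returncode == 0 else result.stderr.decode())
```

Run it once after gpg-agent starts to preset the key (method 1); for method 2 call `run_with_passphrase(loopback_argv("test.gpg"), secret)` at decryption time instead. Because `--passphrase-fd 0` consumes stdin, the ciphertext is given as a file argument rather than piped in.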
