How to avoid Passphrase prompt

Aneesh Varghese aneesh at idspage.com
Fri Feb 2 12:32:46 CET 2018


Thanks Peter...

Thanks & Regards

Aneesh Varghese

________________________________________
From: Peter Lebbing <peter at digitalbrains.com>
Sent: Friday, February 2, 2018 4:53 PM
To: Aneesh Varghese; gnupg-users at gnupg.org
Subject: Re: How to avoid Passphrase prompt

On 01/02/18 05:03, Aneesh Varghese wrote:
> Hi Peter,
> We need a passphrase, but the passphrase should be entered via code, not from the Windows popup prompt.

Hah, now I understand! :-)

There are two methods: gpg-preset-passphrase and pinentry loopback.

gpg-preset-passphrase:

GNUPGHOME/gpg-agent.conf:
--8<---------------cut here---------------start------------->8---
allow-preset-passphrase
max-cache-ttl 2147483647
--8<---------------cut here---------------end--------------->8---

gpg --with-keygrip -K
--8<---------------cut here---------------start------------->8---
sec   rsa1024 2012-03-17 [SC] [expires: 2018-02-07]
      825472F37172B95ADC7349BE98B67DE4DCDFDFA4
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
uid           [  full  ] Test Teststra (Koning van Wezel) <test at example.invalid>
uid           [  full  ] Test Teststra <test at work.invalid>
ssb   rsa1024 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb   rsa2048 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
--8<---------------cut here---------------end--------------->8---

Note keygrip for [E] subkey.

Do this every time after starting the server/starting gpg-agent, to unlock
the key:

gpg-preset-passphrase --preset 15CB764B81D542CF921978CA89910C69D53F4E2D

(Type in the password. Currently no pinentry support.)

Done!

Second method: pinentry loopback.

This method has a problem. Your code supplies the passphrase. Where is
the passphrase stored? If it is simply stored on the hard disk, the
passphrase is probably useless. An attacker can just read the
passphrase. What are you protecting against?

It is simple, though:

echo passphrase | gpg --batch --pinentry-mode loopback --passphrase-fd 0 -d test.gpg

(Use code to pass the passphrase on some FD, don't actually use echo).

All this was tried out on Linux. I don't have Windows, or the necessary
knowledge. I think it should work on Windows.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
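
The loopback method from the message above, with the passphrase handed to gpg on a dedicated pipe rather than through echo. This is an added example, not code from the original message; the function names are hypothetical, and it assumes a POSIX system with Python 3 and gpg on the PATH.

```python
import getpass
import os
import subprocess
import sys


def gpg_decrypt_argv(fd, path, gpg="gpg"):
    """The decrypt command from the message, reading the passphrase from fd."""
    return [gpg, "--batch", "--pinentry-mode", "loopback",
            "--passphrase-fd", str(fd), "-d", path]


def run_with_passphrase_fd(build_argv, passphrase):
    """Run build_argv(fd) with the passphrase readable on an inherited pipe.

    The passphrase stays out of argv and the environment. POSIX only,
    because it relies on subprocess's pass_fds.
    """
    read_fd, write_fd = os.pipe()
    try:
        proc = subprocess.Popen(build_argv(read_fd), pass_fds=(read_fd,),
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except BaseException:
        os.close(write_fd)
        raise
    finally:
        os.close(read_fd)  # the parent only needs the write end
    try:
        # gpg reads only the first line from the passphrase fd.
        os.write(write_fd, passphrase + b"\n")
    except BrokenPipeError:
        pass  # child exited before reading; its exit status says why
    finally:
        os.close(write_fd)
    out, err = proc.communicate()
    return proc.returncode, out, err


if __name__ == "__main__":
    # Assumption: the passphrase is typed here; a service would fetch it
    # from wherever it is protected instead of from disk in the clear.
    secret = getpass.getpass("Passphrase: ").encode()
    rc, plaintext, errors = run_with_passphrase_fd(
        lambda fd: gpg_decrypt_argv(fd, sys.argv[1]), secret)
    sys.stdout.buffer.write(plaintext)
    sys.stderr.buffer.write(errors)
    sys.exit(rc)
```

Run it as a script with the encrypted file as its only argument, for example test.gpg.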
