gpg-preset-passphrase installation and usage

gnupg at raf.org
Tue Apr 16 06:53:00 CEST 2019


Walia, Gaurav (333G) via Gnupg-users wrote:

> Ok.  Did some googling and came up with the following.  Could someone confirm that I’m doing this correctly?
> 
> Objective: To save passphrase in cache to an unattended machine so that it doesn’t time out the credentials.  Specifically, using https://github.com/docker/docker-credential-helpers, with setup https://github.com/docker/docker-credential-helpers/issues/102#issuecomment-388634452.
> 
> Steps:
> use gpg-preset-passphrase
> Current Setup
> 
>   *   ~/.gnupg/gpg-agent.conf
>      *   pinentry-program /usr/bin/pinentry-curses
>      *   max-cache-ttl 60480000
>      *   default-cache-ttl 60480000
>      *   allow-preset-passphrase
> 
>   *   gpg --version
>      *   gpg (GnuPG) 2.0.22
>      *   libgcrypt 1.5.3
>      *   Copyright (C) 2013 Free Software Foundation, Inc.
>      *   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
>      *   This is free software: you are free to change and redistribute it.
>      *   There is NO WARRANTY, to the extent permitted by law.
>      *
>      *   Home: ~/.gnupg
>      *   Supported algorithms:
>      *   Pubkey: RSA, ?, ?, ELG, DSA
>      *   Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>      *           CAMELLIA128, CAMELLIA192, CAMELLIA256
>      *   Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
>      *   Compression: Uncompressed, ZIP, ZLIB, BZIP2
>   *   gpg2 --fingerprint --fingerprint name at domain.com
>      *   pub   2048R/12312312 2019-03-23
>      *         Key fingerprint = 4567 4567 4567 4567 4567  4567 4567 4567 4567 4567
>      *   uid                  Name <name at domain.com>
>      *   sub   2048R/11121314 2019-03-23
>      *         Key fingerprint = 8910 8910 8910 8910 8910  8910 8910 8910 8910 8910
> 
> Updated Setup using gpg-preset-passphrase only
> 
>   *   ~/.gnupg/gpg-agent.conf
>      *   We should be able to remove the first 3 line items since we are only using gpg-preset-passphrase
>      *   Final file contents
>         *   allow-preset-passphrase
>   *   Reload gpg-agent.conf file
>      *   gpg-connect-agent reloadagent /bye
>   *   Setup gpg-preset-passphrase
>      *   gpg-preset-passphrase --preset 8910891089108910891089108910891089108910
>   *   Now when you login to that key and enter the passphrase, it should cache it until you issue the following command to remove it.
>      *   gpg-preset-passphrase --forget 8910891089108910891089108910891089108910
> 
> Question:
> 
>   1.  Is the updated setup correct in my assumption for the setup?
> 
> Thank you in advance for taking the time to help, it is greatly appreciated.
> 
> Gaurav

hi,

the best thing to do is test it. :-)
but it looks promising.

however, be warned that 2.0.22 is old and things have
changed a lot since then. especially on systems with
systemd, and especially when the subsequent uses of gpg
are from a different systemd user session to the one
that preset the passphrase.

when i used 2.0.x, i ran gpg-agent in --daemon mode with
the --write-env-file option so that the subsequent uses
of gpg knew where to find gpg-agent (since they weren't
child processes with access to the environment variables).
that option disappears in later versions.

also, in later versions you'll need to change:

  gpg2 --fingerprint --fingerprint name at domain.com

to:

  gpg2 --fingerprint --with-keygrip name at domain.com

cheers,
raf
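As an added example (not code from this thread or from the GnuPG project), here is a POSIX shell script that does what raf's last point implies on a modern GnuPG: it takes the keygrip from `gpg --with-keygrip --list-secret-keys` rather than the key fingerprint, presets the passphrase from stdin so it never shows up in the process list, and then asks the agent with `KEYINFO` whether the cache entry actually exists. It assumes GnuPG 2.1 or later (`gpgconf --list-dirs libexecdir`, keygrips in listings), `allow-preset-passphrase` in gpg-agent.conf, and the `KEYINFO` reply layout described in the comments; the key listing and the keygrip values embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes GnuPG >= 2.1 and
# "allow-preset-passphrase" in ~/.gnupg/gpg-agent.conf.

# Print every keygrip in a `gpg --with-keygrip --list-secret-keys` listing
# read from stdin, one per line, in listing order.
extract_keygrips() {
    sed -n 's/^[[:space:]]*Keygrip = \([0-9A-F]\{40\}\)$/\1/p'
}

# Print the keygrip of the first subkey whose usage flags (the "[E]", "[S]",
# "[SC]" group on the "sub" line) contain the letter given as $1. Subkeys
# only: the primary key's keygrip is deliberately skipped. Prints nothing
# when no subkey matches.
keygrip_for_usage() {
    awk -v want="$1" '
        /^pub / { in_sub = 0 }
        /^sub / {
            in_sub = 0
            if (match($0, /\[[A-Z]+\]/) && index(substr($0, RSTART, RLENGTH), want) > 0)
                in_sub = 1
        }
        in_sub && $1 == "Keygrip" { print $3; exit }
    '
}

# Parse a gpg-connect-agent "KEYINFO <grip>" reply read from stdin.
# Assumed layout: S KEYINFO <grip> <type> <serialno> <idstr> <cached> ...
# where <cached> is "1" when the agent holds a passphrase for the grip.
# Exit 0 when cached, 1 when not cached or when no KEYINFO line was seen.
parse_keyinfo_cached() {
    awk '$2 == "KEYINFO" { found = 1; cached = ($7 == "1") }
         END { exit (found && cached) ? 0 : 1 }'
}

# Preset the passphrase for keygrip $1, reading the passphrase from our
# stdin. Feeding it on stdin (instead of -P) keeps it out of `ps` output.
preset_passphrase() {
    libexec=$(gpgconf --list-dirs libexecdir)
    "$libexec/gpg-preset-passphrase" --preset "$1"
}

# Ask the running agent whether a passphrase is cached for keygrip $1.
is_cached() {
    gpg-connect-agent "KEYINFO $1" /bye | parse_keyinfo_cached
}

# Live flow: pick the subkey with usage $1, preset, reload nothing (the
# agent honours --preset immediately), then verify the cache entry.
preset_and_verify() {
    grip=$(gpg --batch --with-keygrip --list-secret-keys | keygrip_for_usage "$1")
    [ -n "$grip" ] || { echo "no subkey with usage $1" >&2; return 1; }
    preset_passphrase "$grip" || return 1
    if is_cached "$grip"; then
        echo "passphrase cached for keygrip $grip"
    else
        echo "agent reports no cached passphrase for $grip" >&2
        return 1
    fi
}

# Constructed sample listing (fingerprints are the placeholders from the
# thread; keygrips are made up and not derived from any real key).
SAMPLE_LISTING='pub   rsa2048 2019-03-23 [SC]
      4567456745674567456745674567456745674567
      Keygrip = 0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Name <name@domain.com>
sub   rsa2048 2019-03-23 [E]
      8910891089108910891089108910891089108910
      Keygrip = FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Offline demonstration on the sample; pass "--live [usage]" to run against
# a real agent, e.g.:  printf '%s' "$PASSPHRASE" | ./preset.sh --live E
if [ "${1:-}" = "--live" ]; then
    preset_and_verify "${2:-E}"
else
    printf '%s\n' "$SAMPLE_LISTING" | keygrip_for_usage E
fi
```

Note that the grip handed to `--preset` is the encryption subkey's keygrip, not the `8910...` fingerprint used in the quoted setup; on GnuPG 2.1+ the fingerprint is simply not what the agent indexes its cache by.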
