Automatically changing/removing key passphrase
Bjarni Runar Einarsson
bre at pagekite.net
Wed Oct 23 10:27:21 CEST 2019
Hello GnuPG users!

Background: I'm working a bit on Mailpile's Autocrypt support
these days. Mailpile creates OpenPGP keys for its users, which
are protected by a strong passphrase, but generally manages those
passphrases on the user's behalf to guarantee a seamless user
experience. I don't want my users to be locked in to Mailpile,
and I wanted to implement the Autocrypt Setup Message (ASM) spec
so users had a standardized, semi-automated way to migrate their
keys from Mailpile to another mail agent. For better or worse,
the ASM defines a password protection scheme for the key material
which is different from a passphrase on the key itself.

So when syncing the keys, I need to remove the passphrase. I
cannot figure out an elegant way to do this using GnuPG or GPGME.

The GPGME manual's "Changing Passphrases" section 7.5.10 states:

"The backend engine will usually popup a window to ask for the
old and the new passphrase. Thus this function is not useful in a
server application (where passphrases are not required anyway)."

I guess from the point of view of GnuPG and GPGME, Mailpile is
behaving like a server application. But I would still rather not
store the secret keys unprotected, so I need an automated way to
manage the key's passphrase. How do I square this circle?

Any hints on how to automatically remove the passphrase using
gnupg without direct user interaction?

A Google search showed that this is a question that comes up
every now and then, but I have only seen manual procedures for
resolving it. Is this perhaps a feature which should be added?

Thanks in advance,
PageKite.net lets your personal computer be part of the web