Automatically changing/removing key passphrase

Bjarni Runar Einarsson bre at
Wed Oct 23 10:27:21 CEST 2019

Hello GnuPG users!

Background: I'm working a bit on Mailpile's Autocrypt support
these days. Mailpile creates OpenPGP keys for its users, which
are protected by a strong passphrase, but generally manages those
passphrases on the user's behalf to guarantee a seamless user
experience. I don't want my users to be locked in to Mailpile,
and I wanted to implement the Autocrypt Setup Message (ASM) spec
so users had a standardized, semi-automated way to migrate their
keys from Mailpile to another mail agent. For better or worse,
the ASM defines a password protection scheme for the key material
which is different from a passphrase on the key itself.

So when syncing the keys, I need to remove the passphrase. I
cannot figure out an elegant way to do this using GnuPG or GPGME.

The GPGME manual's "Changing Passphrases" section 7.5.10 states:
"The backend engine will usually popup a window to ask for the
old and the new passphrase. Thus this function is not useful in a
server application (where passphrases are not required anyway)."

I guess from the point of view of GnuPG and GPGME, Mailpile is
behaving like a server application. But I would still rather not
store the secret keys unprotected, so I need an automated way to
manage the key's passphrase. How do I square this circle?

Any hints on how to automatically remove the passphrase using
gnupg without direct user interaction?

A Google search showed that this is a question that comes up
every now and then, but I have only seen manual procedures for
resolving it. Is this perhaps a feature which should be added?

Thanks in advance,
 - Bjarni

-- lets your personal computer be part of the web
