how to add a passphrase to a keypair

Jack ostroffjh at users.sourceforge.net
Sun Oct 3 16:54:29 CEST 2021


On 10/2/21 22:51, raf via Gnupg-users wrote:
> On Sun, Oct 03, 2021 at 01:40:03PM +1100, raf <gnupg at raf.org> wrote:
>
>> On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users at gnupg.org> wrote:
>>
>>> Is it possible to add a passphrase to a secret key originally created
>>> without one?  If so, please tell me how.  I'll be happy with either
>>> instructions or pointer to the fine manual I either missed or misread.
>>>
>>> I have tried lots of variations.  Attempts using gpg-agent fail because
>>> pinentry (I've tried text and gui versions) refuses to accept a blank
>>> passphrase.  Variants using --passphrase or --passphrase-fd don't work
>>> because they only allow passing one passphrase, and I need to provide the
>>> old one and the new one.  I've also tried --export-secret-key, which also
>>> fails with "error receiving key from agent: No passphrase given - skipped"
>>> when using --passphrase-fd.
>>>
>>> I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
>>> user and using the old gpg doesn't help because gpg1 doesn't see the secret
>>> keys from gpg2, and I haven't been able to export them.
>>>
>>> Is there a way to do this, or is revoking the old key and creating new keys
>>> from scratch the only solution?
>>>
>>> Thanks for any information.
>>>
>>> Jack
>> Try these instructions for changing the passphrase:
>>
>>    https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
>>    https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase
>>
>>    gpg --edit-key Your-Key-ID-Here
>>    gpg> passwd
>>    gpg> save
> Also, don't use gpg1. I'm guessing that either the key
> was created with gpg2, or was created with gpg1 but
> then ~/.gnupg was subsequently converted for use with
> gpg2 (since you say "gpg1 doesn't see the secret keys
> from gpg2"). If either is the case, keep using gpg2.
>
> Also, if you are getting the error "No passphrase
> given", I could be wrong, but that might suggest that
> the secret key is already encrypted. Are you sure that
> there is no existing passphrase? If so, ignore this.
>
> cheers,
> raf

Thanks for the suggestions, but they do not help.  On my main PC I only 
have version 2 installed, so gpg and gpg2 are the same command (one is a 
symlink to the other.)  The key was created many years ago with gpg 
version 1 and was definitely created without a passphrase.   I have gone 
through many PCs since then (all Linux) and always copied my ~/.gnupg
folder to the new box.  Somewhere along the line some files do seem to 
have gotten lost, because I do not have secring.gpg or pubring.gpg, but 
gpg -k and gpg -K both show my main key.  I compiled a copy of gpg1 (not 
installed to the system) to try to use locally, since it doesn't enforce 
the use of a passphrase for the secret key.  Unfortunately, without 
secring.gpg, it doesn't see the secret key at all.

Your first suggestion does not work (as I said in my original post) 
because pinentry does not accept a blank passphrase, and it still 
prompts for one even if it doesn't actually need it.
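
Added example, not part of the original thread: one way to check raf's question of whether the stored secret key already carries a passphrase, without going through pinentry. It assumes GnuPG 2.1 or later, where gpg-agent keeps each secret key as an S-expression file under ~/.gnupg/private-keys-v1.d; the function names and the sample blobs are constructed for illustration.

```python
import re
from pathlib import Path

# Top-level S-expression tokens gpg-agent uses for stored secret keys.
STATES = {
    b"private-key": "unprotected",
    b"protected-private-key": "passphrase-protected",
    b"shadowed-private-key": "stub (secret part is on a smartcard)",
}

# Constructed sample blobs (not real keys): canonical and extended file formats.
SAMPLES = {
    "canonical-plain": b"(11:private-key(3:rsa(1:n3:abc)))",
    "canonical-protected": b"(21:protected-private-key(3:rsa(1:n3:abc)))",
    "extended-protected": b"Created: 20211003T000000\nKey: (protected-private-key (rsa (n #00#)))\n",
}

def key_token(blob: bytes) -> bytes:
    """Return the first token of the key S-expression in a .key file."""
    text = blob.lstrip()
    if not text.startswith(b"("):
        # Extended format: "Name: value" lines, the key sits under "Key:".
        m = re.search(rb"^Key:\s*\(", text, re.MULTILINE)
        if not m:
            raise ValueError("no key S-expression found")
        text = text[m.end() - 1:]
    body = text[1:].lstrip()
    m = re.match(rb"(\d+):", body)  # canonical encoding: "<length>:token"
    if m:
        return body[m.end():m.end() + int(m.group(1))]
    m = re.match(rb"[^\s()]+", body)  # advanced encoding: bare token
    if not m:
        raise ValueError("malformed S-expression")
    return m.group(0)

def protection_state(blob: bytes) -> str:
    try:
        return STATES.get(key_token(blob), "unknown")
    except ValueError:
        return "unknown"

def scan(keydir: Path) -> dict:
    """Map each *.key file in keydir to its protection state."""
    return {p.name: protection_state(p.read_bytes()) for p in sorted(keydir.glob("*.key"))}

if __name__ == "__main__":
    for name, state in scan(Path.home() / ".gnupg" / "private-keys-v1.d").items():
        print(name, state)
```

The script only reads the first token of each file and never touches the key material itself.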



