Example of 'PINENTRY_USER_DATA which can fulfill the' (envpassphrase) 'task'?

omcujl92 at duck.com
Fri Mar 22 00:45:58 CET 2024


At https://dev.gnupg.org/T4154 , 'allow setting passphrase from an
environment variable', there is a comment of "I don't see why we
should add yet more clumsy passphrase workarounds to gpg. We already
have PINENTRY_USER_DATA which can fulfill the same task."

Can anyone give an example of doing so?

I am looking to effect the equivalent of:
'@rem Get passphrase into (env.) var. programmatically (in your
favourite manner)'
'set /p myenvpassphrase="Enter symmetric keyphrase to use:"
'echo "Secret data" | gpg.exe -c --envpassphrase myenvpassphrase >
secretdata.gpg'
- thereby avoiding storing any passphrase (even temporarily) on a
storage medium, nor have it visible as the command line (via tasklist
or ps).
- in this case, the 'secret data' is actually confidential
information, piped from elsewhere, on the fly.

Of course, the '-envpassphrase' option doesn't exist in gpg currently,
but the comment at the above link indicates that there is another way
to effect the same intent.

Can anyone give an example of so doing?

A current means of effecting the same is, of course, '--passphrase-fd
3', for something like:
'echo "Secret data" | gpg.exe -c --passphrase-fd 3 3< echo %PASSWORD%
> secretdata.gpg'
- except I have no idea [in (Win 10) DOS, not powershell, cmd] how to
get anything into file descriptor 3.
= let alone get an echo into fd 3 (without actually landing on a
filesystem, even temporarily).

Of course:
'echo "Secret data" | gpg.exe -c --passphrase > secretdata.gpg'
- doesn't work, as stdin can't be 'in two places at once', both
passphrase input, and data input.
= Remember, "Secret data" isn't on disk, either - it's being piped in, too.

Has anyone got a link to a working example of '3<' or
'PINENTRY_USER_DATA which can fulfill the same task' of gpg picking up
its passphrase from an environment variable?
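As an added illustration of the PINENTRY_USER_DATA route asked about above (example code, not from the original post or from GnuPG), this is a replacement pinentry that speaks just enough Assuan to satisfy gpg-agent and returns the passphrase from the PINENTRY_USER_DATA environment variable, which gpg forwards to the agent and the agent passes on to the pinentry it spawns. It is written for a POSIX shell, so it demonstrates the mechanism rather than the poster's cmd.exe setup; the script path and name are assumptions, and gpg-agent.conf must select it with pinentry-program.

```shell
#!/bin/sh
# Minimal pinentry replacement (added example, not GnuPG's code): instead of
# prompting, it answers gpg-agent's Assuan requests with the passphrase found
# in PINENTRY_USER_DATA. gpg forwards that variable to the agent, and the agent
# puts it in the environment of the pinentry it launches, so gpg-agent.conf
# must select this script (hypothetical path):
#   pinentry-program /usr/local/libexec/pinentry-envpass.sh

# Percent-escape a value for an Assuan "D" data line: '%', CR and LF
# become %25, %0D and %0A. A trailing newline in the value is dropped.
assuan_escape() {
    cr=$(printf '\r')
    printf '%s' "$1" | sed -e 's/%/%25/g' -e "s/$cr/%0D/g" \
        | awk 'NR > 1 { printf "%%0A" } { printf "%s", $0 }'
}

# Read Assuan commands on stdin, write replies on stdout, until BYE.
pinentry_serve() {
    # The agent waits for a greeting line that starts with OK.
    echo "OK Pleased to meet you"
    while IFS= read -r line; do
        cmd=${line%% *}
        case "$cmd" in
            GETPIN)
                if [ -z "${PINENTRY_USER_DATA+set}" ]; then
                    # No passphrase supplied: report cancellation
                    # (GPG_ERR_CANCELED from source Pinentry) rather than
                    # silently handing back an empty passphrase.
                    echo "ERR 83886179 Operation cancelled <Pinentry>"
                else
                    printf 'D %s\nOK\n' "$(assuan_escape "$PINENTRY_USER_DATA")"
                fi ;;
            CONFIRM|MESSAGE)
                # Yes/no dialogs and notices: nobody is watching, so accept.
                echo "OK" ;;
            BYE)
                echo "OK closing connection"
                return 0 ;;
            *)
                # OPTION, SETDESC, SETPROMPT, SETKEYINFO, ... are accepted and ignored.
                echo "OK" ;;
        esac
    done
}

# Serve requests only when run as a program (not when sourced for tests).
case "${0##*/}" in
    pinentry-envpass.sh) pinentry_serve ;;
esac
```

With the script selected, setting PINENTRY_USER_DATA in gpg's environment before `gpg -c` makes the encryption run without a prompt and with nothing written to disk or to the command line. A process's environment is still readable by other processes of the same user (for example via /proc/<pid>/environ on Linux), so this keeps the passphrase out of argv and off storage but not out of reach of same-user code.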
