Timeline for How can I remove the passphrase from a gpg2 private key?
Current License: CC BY-SA 3.0
12 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Jul 11, 2020 at 14:17 | answer | added | landfill baby | timeline score: 12 | |
| Nov 5, 2019 at 18:40 | answer | added | Eugene Yarmash | timeline score: 38 | |
| Nov 27, 2018 at 0:37 | comment | added | peterh | @AnonymousLurker In general, it exists in the key as some hash or salt. Thus, you can't so easily remove it, it requires a dictionary attack to do that. In the special case of this question, the password is an obstacle to automatize the key-based encryption. | |
| Nov 27, 2018 at 0:34 | comment | added | AnonymousLurker | what's the purpose of a key password then if you can just remove it? | |
| Nov 26, 2018 at 23:37 | answer | added | Bahman.A | timeline score: 1 | |
| Oct 1, 2018 at 21:28 | answer | added | miyasagi | timeline score: 3 | |
| Jul 18, 2017 at 23:46 | vote | accept | peterh | ||
| Jul 18, 2017 at 21:47 | comment | added | Deathgrip | Not completely automated, but you can manually start and seed the agent and use it until the machine reboots or your caches expire. I set `max-cache-ttl` and `default-cache-ttl` to 31536000 (365 days). Then "seed" the agent with a command similar to `echo \| gpg -sa -u <keyid> >/dev/null`. A separate script could launch, source the environment file created when starting the agent, then sign a file. In the script, execute gpg with `--batch` mode and it should return an error if a password is required. Send an alert if that happens. I do a few things like this utilizing ssh and gpg agents. | |
| Jul 18, 2017 at 20:11 | answer | added | thrig | timeline score: 6 | |
| Jul 18, 2017 at 18:48 | comment | added | peterh | @Deathgrip Because the key also has a passphrase. Thus, in the case of signing anything, first this passphrase has to be given. It is an unavoidable human interaction. Thus, it can't be automatized. To automatize the gpg signing, I have to remove the passphrase from the key pair. Gpg can create key pairs without passphrase, and it can also change the passphrase of an existing key pair. The goal is now to remove the existing passphrase from the key pair, making it into a passphrase-less, unprotected one. (Note, file permissions are still protecting the key pair.) | |
| Jul 18, 2017 at 18:26 | comment | added | Deathgrip | Is there a reason why using gpg-agent will not work for automating gpg signing tasks? | |
| Jul 18, 2017 at 17:59 | history | asked | peterh | CC BY-SA 3.0 |