30

Yes, I know it is a step into a lesser secure system, but the current setting makes it reasonable (the key is not important, but the signing has to be automatized).

Google results say this:

  1. List the keys with a gpg --list-keys
  2. Edit the key with a gpg --edit-key C0DEEBED....
  3. A gpg command line console starts, there a passwd command changes the passphrase
  4. Giving the password twice (in my case, simple enter) changes the key.

However, it doesn't work, because gpg2 simply doesn't allow an empty password.

What to do?

Improve this question
5
  • Is there a reason why using gpg-agent will not work for automating gpg signing tasks? Commented Jul 18, 2017 at 18:26
  • 2
    @Deathgrip Because the key has also a passphrase. Thus, in the case of signing anything, first this passphrase has to be given. It is an unavoidable human interaction. Thus, it can't be automatized. To automatize the gpg signing, I have to remove the passphrase from the key pair. Gpg can create key pairs without passphrase, and it can also change the passphrase of an existing key pair. The goal is now to remove the existing passphrase from the key pair, making it into a passphrase-less, unprotected one. (Note, file permissions still are still protecting the key pair.) Commented Jul 18, 2017 at 18:48
  • 1
    Not completely automated, but you can manually start and seed the agent and use it until the machine reboots or your cache's expire. I set max-cache-ttl and default-cache-ttl to 31536000 (365 days). Then "seed" the agent with a command similar to echo | gpg -sa -u <keyid> >/dev/null. A separate script could launch, source the environment file created when starting the agent, then sign a file. In the script, execute gpg with --batch mode and it should return an error if a password is required. Send an alert if that happens. I do a few things like this utilizing ssh and gpg agents. Commented Jul 18, 2017 at 21:47
  • what's the purpose of a key password then if you can just remove it? Commented Nov 27, 2018 at 0:34
  • @AnonymousLurker In general, it exists in the key as some hash or salt. Thus, you can't so easily remove it, it requires a dictionary attack to do that. In the special case of this question, the password is an obstacle to automatize the key-based encryption. Commented Nov 27, 2018 at 0:37

5 Answers 5

Reset to default
38

As of gpg version 2.4.3, gpg --edit-key <keyid> passwd seems to work fine for removing a passphrase.

Issue the command, then provide your current passphrase and then the new one. Just type Enter for no passphrase. Then type quit to quit the program.

Improve this answer
2
  • 1
    I had to enter the blank password twice -- and click yes, I really want to do this, twice, but it accepted it after that. Commented Jan 17, 2020 at 4:24
  • This didn't work for me, but this answer did Commented Dec 16, 2023 at 1:16
12 
gpg --pinentry-mode loopback --passwd KEY

Enter the original password, but press enter 3 times instead of just once (original password, new password, then confirming new password). The problem was pinentry itself, so loopback mode just removes it from the equation. This should work with all versions of gpg AFAIK.

Improve this answer
2
  • Thank you, this worked for removing the passphrase on a key stored in GPG 2.4.5 on MacOS when the --edit-key method refused to accept a blank passphrase. Commented Jul 24, 2024 at 16:51
  • OMG that pinentry mode was the damn problem! I've got my head cracked for many hours. Thank you this answer is gold. Commented Jul 1 at 12:22
6

With pinentry-0.8.1 (and gnupg2-2.0.22) on Centos 7 I was able to remove the passphrase from the secret key by not specifying a new password; pinentry did whine and warn about the blank password but both the console and GTK pinentry programs had a "Take this one anyway" prompt that resulted in a password-free secret key.

On the other hand, this attempt failed as the then imported secret key is marked as unusable:

gpg --export-options export-reset-subkey-passwd --export-secret-subkeys > x
Improve this answer
2
  • I dug sources a lot, I tried pinentry (completely undocumented command line interface), I used gpg --change-passphrase, I commented out "use agent" in ~/.gnupg/gpg.conf, and somehow, somewhere it started to work. I am too disappointed to invest even a little second into this any more. But thank you very much. Commented Jul 18, 2017 at 23:46
  • 1
    Yeah, I'm using gpg 1.4 elsewhere as gpg2 annoys me too much. Commented Jul 19, 2017 at 0:05
3

Well, I succeed in removing passphrase or creating new key without passphrase by using pinentry-gtk-2 as the pinentry program. Here is what I have done:

There is no config file in ~/.gnupg. I created a symbolic link from /usr/bin/pinentry to /usr/bin/pinentry-gtk-2

 sudo ln -s /usr/bin/pinentry-gtk-2 /usr/bin/pinentry

It also worked over an SSH connection with X11 forwarding.

Improve this answer
1
  • Welcome on the Unix SE! I fighted a lot with the ncurses-based pinentry, but without success. Commented Oct 1, 2018 at 21:32
1

I was able to do this using Kleopatra. In the application right-click on the keypair you want to remove the passphrase from. Click Change passphrase.... Enter the passphrase in the pop up window. In the next pop up window leave both inputs empty and click Ok. click the option similar to Yes, protection is not needed. These last two pop ups may show up a couple times as confirmation. Just leave the inputs for new passphrase blank and click Ok. Then you will receive a confirmation that "The passphrase has been successfully reset".

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.