Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

gpg-agent in gpg2

I'm attempting to futureproof some custom software that utilizes GPG (currently v 1.4.10) to perform symmetric encryption/decryption processes. My current encryption command looks like this:

gpg --batch --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted

Without the --no-use-agent option, I get the infamous error message

gpg-agent is not available in this session

I'm concerned about a move to gpg2 because, according to the documentation, the gpg-agent is always required, and --no-use-agent is simply a dummy option. My gpg calls occur in the background via a daemon process, so this is very much a no-agent scenario (plus the fact that it's symmetric, and I have no need of the agent at all).

Documentation at this level of detail is sparse, so I'm looking for user experience. Does gpg2 incorporate the agent more tightly, so that I don't have to worry about its availability?

like image 692
Frank Koehl Avatar asked Aug 10 '11 19:08

Frank Koehl


1 Answers

  1. The way you invoke gpg2, it might fail if the output file path/to/file_to_be_encrypted.gpg already exists. If you want the file to be overwritten, you should provide the --yes option:

    gpg2 --batch --yes --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted
    
  2. When you are using symmetric encryption (like you do), the passphrase constraints (even if set to enforced by gpg-agent) will not be applied at all—it will just work.

    Say the gpg-agent was run like this (and let the mypasswords file even contain the forbidden pattern that exactly matches your password):

    eval $(gpg-agent --daemon --enforce-passphrase-constraints --min-passphrase-len 8 --min-passphrase-nonalpha 4 --check-passphrase-pattern mypasswords)
    

    Then your command would still succeed.

    In short: gpg-agent will not make it fail (unless it crashes gpg for some reason—like wrong configuration or missing executable, which you cannot account for).

    EDIT: I've just checked and in symmetric mode gpg2 will work even if gpg-agent is wrongly configured or if the gpg-agent executable is missing.

    This is not related, but just in case: I also verified what happens when you try to change the password of your private key while gpg-agent is missing or is wrongly configured: gpg2 will report a warning, will not even ask for the new passphrase, and continue working.

Sources:

  • gpg-agent configuration manual
  • gpg documentation
like image 81
sinharaj Avatar answered Sep 19 '22 00:09

sinharaj