How to use Gnupg's passphrase-fd argument?

Tags:

gnupg

I would like to use GnuPG's decrypt command without any user interaction. The script's --passphrase-fd argument seems exactly what I need. But I don't know how it works - haven't found examples.

Could anyone give me an example of such a command, on both Windows and UNIX environments?

(FYI, I'm using GnuPG 2).

Thanks already :)

Blackbird asked Nov 10 '13 20:11



2 Answers

In order to use the gpg option --passphrase-fd in GnuPG v2, you must specify the --batch parameter. I will first explain how --passphrase-fd works, and then get to the examples.

--passphrase-fd tells GnuPG which file descriptor (-fd) to expect the passphrase to come from. The standard file descriptors are STDIN (0), STDOUT (1) and STDERR (2). For the context of this question, you would normally only be concerned about STDIN (0).

You didn't specify where you want the passphrase to come from, so I will demonstrate the usage of STDIN (standard in) in a variety of ways.

--passphrase-fd 0 tells GnuPG to retrieve the passphrase from input into the current shell; so for example if you want GnuPG to get the passphrase data in the very next line of console input, the command and output would be like so:

    gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
    <next line of input is passphrase followed by hitting enter>
    gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
          "testkey4321 (4321) <[email protected]>"
    this is a test... this is only a test...

In the above example, the passphrase was provided via file descriptor 0 (STDIN) - which we provided by entering it on the shell's current standard input.

In the next example, we will tell GnuPG to retrieve the passphrase from input into the current shell that is actually the output of another command (echo, in this case, which merely "echoes" what you tell it to):

    echo "mypassphrase" | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
    gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
          "testkey4321 (4321) <[email protected]>"
    this is a test... this is only a test...

Another example that dumps the contents of a file that contains the passphrase to STDIN -

    cat /path/to/file_with_passphrase | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
    gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
          "testkey4321 (4321) <[email protected]>"
    this is a test... this is only a test...

In summary, --passphrase-fd just tells GnuPG that you want to feed it the requisite passphrase via a standard file descriptor; the difference between GnuPG v2 and GnuPG is merely the --batch parameter.

The above examples should work the same in Windows and *nix environments, with the only difference being that in Windows - depending on your configuration and version - you will have to replace cat with type in order to dump the contents of a file to STDIN.

kylehuff answered Sep 18 '22 11:09


kylehuff's answer still wouldn't work for me, with gnupg still popping up a password prompt.

According to https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase, with gnupg version 2.1.0 and higher you need to do additional steps to support --passphrase-fd.

First, edit the gpg-agent configuration to allow loopback pinentry mode: ~/.gnupg/gpg-agent.conf

    allow-loopback-pinentry

Restart the gpg-agent process if it is running to let the change take effect.

Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:

    $ gpg --pinentry-mode loopback ...
JodiTheTigger answered Sep 21 '22 11:09
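Putting both answers together, as an added example that is not code from either answerer: a POSIX shell round trip that feeds the passphrase on file descriptor 3 (rather than 0, so stdin stays free for the ciphertext) and combines it with --batch and --pinentry-mode loopback for GnuPG 2.1 and later. The function names, the throwaway GNUPGHOME and the passphrase value are assumptions made for this demo.

```bash
#!/bin/sh
# Added example (not from the answers above): unattended symmetric encrypt/decrypt
# round trip with the passphrase supplied on file descriptor 3, so that
# stdin (fd 0) stays free to carry the ciphertext. Assumes GnuPG 2.1+ is
# on PATH as `gpg`; GNUPGHOME is pointed at a throwaway directory so the
# check leaves the real keyring and the user's gpg-agent untouched.
set -eu

# Encrypt plaintext file $1 to $2 using the passphrase read from file $3.
gpg_encrypt_unattended() {
    plain=$1; cipher=$2; passfile=$3
    # --batch: no interactive prompts; --pinentry-mode loopback: GnuPG 2.1+
    # hands the passphrase request back to gpg instead of a pinentry dialog;
    # --passphrase-fd 3: read the passphrase from fd 3, which the redirection
    # "3< file" opens on the passphrase file for this one command only.
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --symmetric --output "$cipher" "$plain" 3< "$passfile"
}

# Decrypt ciphertext file $1 to $2 with the passphrase read from file $3.
gpg_decrypt_unattended() {
    cipher=$1; plain=$2; passfile=$3
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt --output "$plain" "$cipher" 3< "$passfile"
}

# Round trip inside an isolated GNUPGHOME; returns 0 when decrypt == plaintext.
gpg_roundtrip_check() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"
    mkdir -m 700 "$GNUPGHOME"
    printf 'this is a test... this is only a test...\n' > "$work/plain.txt"
    # Constructed passphrase for the demo; a real one lives in a mode-0600
    # file outside any repository or log directory.
    printf 'correct horse battery staple\n' > "$work/pass.txt"
    chmod 600 "$work/pass.txt"
    gpg_encrypt_unattended "$work/plain.txt" "$work/secret.gpg" "$work/pass.txt"
    gpg_decrypt_unattended "$work/secret.gpg" "$work/out.txt" "$work/pass.txt"
    if cmp -s "$work/plain.txt" "$work/out.txt"; then status=0; else status=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent auto-started for this home
    rm -rf "$work"
    return $status
}
```

Reading from fd 3 keeps the passphrase out of the process's argument list and out of shell history, which the `echo "mypassphrase" | ...` form does not.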