
How to use gpg command-line to check passphrase is correct

Tags:

gnupg

I am trying to automate backups with duplicity, but when I test the result, I get

gpg: public key decryption failed: bad passphrase

I want to check whether the passphrase I am using is actually the passphrase associated with the corresponding gpg secret-key, but I can't see any way in the gpg command-line options to say "Don't encrypt or decrypt anything. Just confirm I am using the right passphrase."

This suggests that maybe I am (yet again) misunderstanding Gnu Privacy Guard. (It has a predilection for taunting me until I cry.)

Does it make sense to ask gpg to verify a passphrase? If so, how?

Oddthinking asked Jul 08 '12 06:07




2 Answers

There is no in-built method for doing this, but it is simple enough to create a test that doesn't modify anything and allows you to just check your passphrase.

You didn't specify, so I will assume you are using GnuPG version less than v2 and are on Linux with Bash for your command-line interpreter.

I will give the command here and below I will explain what each part does - (note: the following is for GnuPG series version 1, see below for GnuPG series v2)

echo "1234" | gpg --no-use-agent -o /dev/null --local-user <KEYID> -as - && echo "The correct passphrase was entered for this key"

What that does is first, pipe some text to sign to GnuPG with echo "1234" | - because we don't really want to sign anything, this is just a test, so we will sign some useless text.

Next, we tell gpg to not use the key agent with --no-use-agent; this is important later because, depending on your key agent, it may not return "0" on success, and that is all we want to do - verify success of your passphrase.

Next, we tell gpg to put the signed data directly into the /dev/null file, meaning we discard it and do not write the result to the terminal -- NOTE: if you are not using some variant of Linux/Unix, this file may not exist. On Windows you may have to just allow it to write the signed data to the screen by omitting the -o /dev/null part.

Next, we specify the key we want to do our test with by using --local-user 012345. You can use the KeyID for maximum specificity, or use a username, whichever best suits your needs.

Next we specify -as, which enables ascii output mode, and sets the context mode for signing. The - afterwards just tells GnuPG to get the data to be signed from standard-in, which is the very first part of the command we gave echo "1234" |.

And last, we have && echo "A message that indicates success" -- the "&&" means, if the previous command was successful, print this message. This is just added for clarity, because the success of the command above would otherwise be indicated by no output at all.

I hope that is clear enough for you to understand what is going on, and how you can use it do the testing you want to do. If any part is unclear or you do not understand, I will be glad to clarify. Good luck!

[EDIT] - If you are using GnuPG v2, the above command will need to be modified slightly, like so:

echo "1234" | gpg2 --batch --passphrase-fd 0 -o /dev/null --local-user <KEYID> -as - && echo "The correct passphrase was entered for this key"

The reason being, GnuPG v2 expects the passphrase to be retrieved via an agent, so we cannot disable the use of the agent with --no-use-agent and have the desired effect; instead we need to tell GnuPG v2 that we want to run a "batch" process, and retrieve the passphrase from STDIN (standard in) by using the option --passphrase-fd 1.

kylehuff answered Sep 24 '22 06:09

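One way to turn the sign-and-discard check described in the answer above into a pre-flight test for a backup job. This is an added example, not code from either answer or from duplicity: it reads the passphrase from the PASSPHRASE environment variable (the one duplicity itself reads) and hands it to gpg on stdin rather than on the command line, and assumes GnuPG 2.1 or newer, where --passphrase-fd only takes effect together with --pinentry-mode loopback. The function and key names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the answers above. Checks whether the
# passphrase in the PASSPHRASE environment variable (the variable duplicity
# reads) unlocks a GnuPG secret key, without writing anything anywhere.
# Assumes GnuPG 2.1 or newer, where --passphrase-fd only takes effect
# together with --pinentry-mode loopback.
#
#   PASSPHRASE='...' check_gpg_passphrase KEYID   -> 0 ok, 1 bad, 2 usage error
check_gpg_passphrase() {
    keyid=$1
    [ -n "$keyid" ] || { echo 'usage: check_gpg_passphrase KEYID' >&2; return 2; }
    [ -n "${PASSPHRASE+set}" ] || { echo 'PASSPHRASE is not set' >&2; return 2; }
    # The passphrase goes in on stdin, so it never appears in `ps` output or
    # shell history the way --passphrase '...' would. gpg takes the first line
    # of fd 0 as the passphrase; the rest of stdin (nothing) is the data that
    # gets signed, and the signature itself is thrown away.
    printf '%s\n' "$PASSPHRASE" |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
            --local-user "$keyid" --output /dev/null --armor --sign - \
            2>/dev/null || return 1
}

# Self-test against a throwaway key in a temporary GNUPGHOME (the real keyring
# is never touched): a wrong passphrase must fail and the right one must pass.
# Prints the test key's fingerprint on success; returns non-zero otherwise.
selftest_gpg_passphrase() {
    GNUPGHOME=$(mktemp -d) || return 2
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    printf '%s\n' 'correct horse battery staple' |
        gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
            --quick-gen-key 'selftest <selftest@example.invalid>' \
            default default never 2>/dev/null || return 2
    fpr=$(gpg --batch --list-secret-keys --with-colons 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    status=0
    # Wrong passphrase first, so no cached passphrase can mask a failure.
    PASSPHRASE='wrong passphrase' check_gpg_passphrase "$fpr" && status=1
    PASSPHRASE='correct horse battery staple' check_gpg_passphrase "$fpr" || status=1
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
    [ "$status" -eq 0 ] && echo "$fpr"
    return "$status"
}
```

Run `PASSPHRASE='...' check_gpg_passphrase <KEYID> && duplicity ...` so the backup only starts when the key actually unlocks; `selftest_gpg_passphrase` exercises both outcomes against a temporary key.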


This is a shorter command line to check if the passphrase is OK:

gpg --export-secret-keys -a <KEYID> > /dev/null && echo OK
Guest answered Sep 23 '22 06:09
