Newbie can't get --passphrase option to work

Ryk McDorman
I was tasked with automating the decryption (and more) of files, so I've written a PowerShell program that does everything I need it to do, except that I can't get the decryption to decrypt without prompting for our passphrase. I'm using a default installation of GnuPG 2.1.19 on Windows 7 (it may go on a Win Server 2012 box for production).

In the program I'm passing the output and input filenames as parameters to a one-line batch file consisting of this command:
echo <mypassphrase>| "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch  --output %1  --passphrase-fd 0 --decrypt %2

I've also tried the --passphrase-file and --passphrase <mypassphrase> options with the same results: when the program runs I'm prompted to enter the passphrase.

I've done a thorough search for a solution for this, but haven't come up with much: a vague reference to a bug in 2.1.x that may have to do with it, and at the end of my day yesterday I came across someone who used the "--pinentry-mode loopback" option. Interestingly, when I add that to my command, it DOES decrypt one file without prompting me, but then inexplicably stops. (My program logic is fine, as without the --pinentry-mode option, it prompts me once for each file and decrypts each file.)  I haven't yet had time to investigate that option; it's my next action but I've literally been working on this for days now and needed to send out a plea for help!

I'm a total GPG newbie here, so, as they say on Reddit "Explain like I'm 5."  Thanks!

Ryk

CONFIDENTIALITY NOTICE:

This e-mail contains confidential information and is intended only for the
individual named. If you are not the named addressee, you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately if you have received this e-mail by mistake and delete this
e-mail from your system. E-mail cannot be guaranteed to be secure or
error-free as information could be intercepted, corrupted, lost,
destroyed, arrive late or incomplete, or contain viruses. Neither the
sender nor CoBiz Financial and its subsidiaries accept liability for any
errors or omissions in the contents of this message which arise as a
result of e-mail transmission.



_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Newbie can't get --passphrase option to work

Kristian Fiskerstrand-6
On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I was tasked with automating the decryption (and more) of files, so I've written a PowerShell program that does everything I need it to do, except that I can't get the decryption to decrypt without prompting for our passphrase. I'm using a default installation of GnuPG 2.1.19 on Windows 7 (it may go on a Win Server 2012 box for production).

look into --pinentry-mode loopback

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Amantes sunt amentes
Lovers are lunatics


Re: Newbie can't get --passphrase option to work

Kristian Fiskerstrand-6
On 05/12/2017 04:15 PM, Ryk McDorman wrote:
> I've done a thorough search for a solution for this, but haven't come up with much: a vague reference to a bug in 2.1.x that may have to do with it, and at the end of my day yesterday I came across someone who used the "--pinentry-mode loopback" option. Interestingly, when I add that to my command, it DOES decrypt one file without prompting me, but then inexplicably stops. (My program logic is fine, as without the --pinentry-mode option, it prompts me once for each file and decrypts each file.)  I haven't yet had time to investigate that option; it's my next action but I've literally been working on this for days now and needed to send out a plea for help!

And here you discuss it :p .. yes, pinentry-mode loopback is necessary
for 2.1 use of --passphrase-fd and the likes; in earlier versions of
2.1 this requires allow-pinentry-loopback for the gpg-agent, but in
recent versions that is defaulted to on.

Can you provide the information when this argument is used and the
scenario that fails including explicit error messages?

--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
Amantes sunt amentes
Lovers are lunatics
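
The fix Kristian describes, applied to the batch one-liner from the question, as an added PowerShell example (the editor's, not code from the thread or from the GnuPG project). The gpg-agent.conf option is spelled allow-loopback-pinentry in GnuPG itself; recent 2.1 releases default it on, and adding the line is harmless there. The install path is the one from the question's batch file; the GnuPG home under %APPDATA%, the folder names and the use of Windows PowerShell 3 or later are assumptions. The passphrase is piped over stdin rather than put on the command line (as --passphrase would), because command lines are visible to every local process listing and to command-line auditing.

```powershell
# Added example (editor's, not from the thread): unattended GnuPG 2.1 decryption on Windows.
# Assumed: install path below (from the question's batch file), %APPDATA%\gnupg as GnuPG home,
# Windows PowerShell 3 or later. Folder names in the usage section are illustrative.
$Gpg       = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'
$GpgConf   = 'C:\Program Files (x86)\GnuPG\bin\gpgconf.exe'
$GnupgHome = Join-Path $env:APPDATA 'gnupg'

function Enable-LoopbackPinentry {
    # Early 2.1 releases make gpg-agent refuse loopback pinentry unless gpg-agent.conf contains
    # "allow-loopback-pinentry"; recent 2.1 releases default it on, and the line is harmless there.
    $conf  = Join-Path $GnupgHome 'gpg-agent.conf'
    $lines = @()
    if (Test-Path $conf) { $lines = @(Get-Content $conf) }
    if ($lines -notcontains 'allow-loopback-pinentry') {
        Add-Content -Path $conf -Value 'allow-loopback-pinentry'
        & $GpgConf --reload gpg-agent   # make an already running agent re-read its configuration
    }
}

function Unprotect-GpgFile {
    param(
        [Parameter(Mandatory = $true)] [string] $InputFile,
        [Parameter(Mandatory = $true)] [string] $OutputFile,
        [Parameter(Mandatory = $true)] [string] $Passphrase
    )
    # --pinentry-mode loopback : gpg hands the passphrase to gpg-agent itself instead of letting the
    #                            agent pop up pinentry (the prompt the question is fighting).
    # --passphrase-fd 0        : read it from stdin, so it is never on the command line where
    #                            "tasklist /v", Process Explorer or command-line auditing would see it.
    # --batch                  : never ask interactive questions; --yes: overwrite an existing output.
    # Windows PowerShell sends a piped string to a native program using $OutputEncoding (ASCII by
    # default), so a passphrase containing non-ASCII characters needs that variable set to UTF-8 first.
    $messages = $Passphrase | & $Gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 `
        --output $OutputFile --decrypt $InputFile 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) {
        # gpg's exit status is the only reliable success signal; keep its stderr for the operator.
        Write-Warning ("gpg exit {0} on {1}: {2}" -f $LASTEXITCODE, $InputFile, ($messages -join ' '))
    }
    return $ok
}

function Unprotect-GpgFolder {
    # Decrypts every *.gpg in $Source into $Destination and returns a name -> success table,
    # so one bad file does not stop the batch and the caller sees exactly what failed.
    param(
        [Parameter(Mandatory = $true)] [string] $Source,
        [Parameter(Mandatory = $true)] [string] $Destination,
        [Parameter(Mandatory = $true)] [string] $Passphrase
    )
    if (-not (Test-Path $Destination)) { New-Item -ItemType Directory -Path $Destination | Out-Null }
    $results = @{}
    Get-ChildItem -Path $Source -Filter '*.gpg' | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $target = Join-Path $Destination $_.BaseName      # report.csv.gpg -> report.csv
        $results[$_.Name] = Unprotect-GpgFile -InputFile $_.FullName -OutputFile $target -Passphrase $Passphrase
    }
    return $results
}

# Usage. The passphrase is read interactively here; an unattended job has to obtain it from
# somewhere that is not a literal in the script (see Peter Lebbing's reply later in the thread).
Enable-LoopbackPinentry
$pass    = Read-Host -Prompt 'Passphrase'
$results = Unprotect-GpgFolder -Source 'C:\inbound' -Destination 'C:\decrypted' -Passphrase $pass
$pass    = $null
$results.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { "FAILED: $($_.Key)" }
```

The loop deliberately keeps going after a failed file and reports at the end; the original batch file had no exit-code check at all, so a wrong passphrase or a corrupt input would have produced a silent gap in the output.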


Re: Newbie can't get --passphrase option to work

Dan Kegel-2
Did you see my walkthrough of all the problems I ran into while
getting gpg to not prompt?

https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html

That's for Linux, but it might still have a trick you're missing.

RE: Newbie can't get --passphrase option to work

Ryk McDorman
Kristian,

Thanks for the quick confirmation that I need to use --pinentry-mode loopback. I reviewed my program and found that I'd forgotten that I'd inserted an Exit statement (to troubleshoot something else), and that's what was causing only the first decryption to work. So, problem resolved!  Thanks again.

Ryk

Re: Newbie can't get --passphrase option to work

Peter Lebbing
On 12/05/17 16:15, Ryk McDorman wrote:
> In the program I'm passing the output and input filenames as parameters to a one-line batch file consisting of this command:
> echo <mypassphrase>| "C:\Program Files (x86)\gnuPG\bin\gpg.exe" --batch  --output %1  --passphrase-fd 0 --decrypt %2

You should also ask yourself what the purpose of the passphrase is other
than to make your life difficult. Your disk holds a file with an
encrypted private key as well as a file containing the plaintext
password. Why would an attacker that is able to access the encrypted
private key not also be able to access the PowerShell script with the
password? What purpose does the password serve in this scenario?

You should probably just remove the passphrase from the key. That way
any decryption or signature will just succeed without jumping through
hoops to pass the passphrase to GnuPG.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: Newbie can't get --passphrase option to work

Dan Kegel-2
On Tue, May 16, 2017 at 12:31 AM, Peter Lebbing <[hidden email]> wrote:
> You should also ask yourself what the purpose of the passphrase is other
> than to make your life difficult....
> You should probably just remove the passphrase from the key. That way
> any decryption or signature will just succeed without jumping through
> hoops to pass the passphrase to GnuPG.

That wasn't my experience.  I used keys with no passphrase,
and *still* had to use loopback (and jump through other hoops) to get
gpg to work unattended.
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058158.html
https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058162.html
describe my travails.  It was several days of learning curve.  In fairness,
I needed a solution that worked with all versions of gpg that shipped
with any LTS version of ubuntu, not just the current release, which
made things a bit harder.
- Dan

Re: Newbie can't get --passphrase option to work

Peter Lebbing
On 16/05/17 13:31, Dan Kegel wrote:
> That wasn't my experience.  I used keys with no passphrase,
> and *still* had to use loopback (and jump through other hoops) to get
> gpg to work unattended.

I was talking about the things one usually does on a headless server,
which is decryption and data signatures. I'm unaware of this having any
issues, and I don't see you mention them in your referenced posts either.

I haven't ever heard unattended certifications being discussed, I don't
know if it is straightforward.

With regards to key management, this is often something a logged in
human user does and can hence do without having to wrestle unattended
stuff. I understand this doesn't always apply, but the OP here was
talking about decryption, not key management. That should be
straightforward.

When I say, by the way, that having no passphrase is better than using a
passphrase which is literally contained in a script, I'm saying that it
is usually better, not that it is always appropriate. It might be
appropriate to solve it in a different way, but a passphrase literally
in a script is probably not it.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
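
Peter's two replies above argue that a passphrase written literally into the script protects nothing, and that the problem "might be appropriate to solve in a different way". As an added example (the editor's suggestion, not Peter's code and not from the thread), this is one such different way on Windows: the passphrase is stored DPAPI-protected for the job's account, so only that account on that machine can open it, and the job refuses to run while the GnuPG home directory is readable by other accounts. Paths, the file name and Windows PowerShell 3 or later are assumptions. The caveat is Peter's own point: anyone who can run code as the job account, or who holds its credentials, still gets both the key and the passphrase. DPAPI narrows who can read the secret; it does not make the passphrase do more than the key file's own ACL already does. Moving the job to the Server 2012 box means running the one-off setup again there, because a DPAPI blob does not decrypt on another machine.

```powershell
# Added example (editor's suggestion, not from the thread). Keeps the passphrase out of the script
# text (DPAPI-protected for the job account) and fails closed if the GnuPG home is readable by others.
# Assumed: the paths below and Windows PowerShell 3 or later.
$GnupgHome  = Join-Path $env:APPDATA 'gnupg'
$SecretFile = Join-Path $GnupgHome 'decrypt-passphrase.dpapi'     # assumed location
$Gpg        = 'C:\Program Files (x86)\GnuPG\bin\gpg.exe'          # path from the question

function Protect-Passphrase {
    # Run once, interactively, logged on as the account that will run the scheduled job.
    # ConvertFrom-SecureString without -Key uses DPAPI: the blob opens only for this user on this
    # machine, so copying the file elsewhere does not carry the secret along.
    param([Parameter(Mandatory = $true)] [System.Security.SecureString] $Passphrase)
    $Passphrase | ConvertFrom-SecureString | Set-Content -Path $SecretFile
    # Owner-only ACL with inheritance cut, so a "Users: Read" ACE on the parent cannot expose the blob.
    $acl = Get-Acl -Path $SecretFile
    $acl.SetAccessRuleProtection($true, $false)
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SecretFile -AclObject $acl
}

function Unprotect-Passphrase {
    # Turns the blob back into plaintext in memory only, for the moment gpg needs it.
    $secure = Get-Content -Path $SecretFile | ConvertTo-SecureString
    $bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Test-GnupgHomeAcl {
    # Peter's point: the encrypted private key and the passphrase sit on the same disk, so whoever can
    # read one can usually read the other. Fail closed if any principal beyond SYSTEM, Administrators
    # and the job account has an Allow ACE on the key store, so fixing the ACL is a visible precondition.
    param([string[]] $AllowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                            [System.Security.Principal.WindowsIdentity]::GetCurrent().Name))
    $acl = Get-Acl -Path $GnupgHome
    $strangers = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($AllowedPrincipals -notcontains $_.IdentityReference.Value)
    })
    foreach ($ace in $strangers) {
        Write-Warning ("{0} has {1} on {2}" -f $ace.IdentityReference, $ace.FileSystemRights, $GnupgHome)
    }
    return ($strangers.Count -eq 0)
}

# One-off setup, run as the job account:
#   Protect-Passphrase -Passphrase (Read-Host -Prompt 'Passphrase' -AsSecureString)
# In the scheduled job:
if (-not (Test-GnupgHomeAcl)) { throw 'GnuPG home is readable by other accounts; fix the ACL before running unattended.' }
$pass = Unprotect-Passphrase
$pass | & $Gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 `
    --output 'C:\decrypted\report.csv' --decrypt 'C:\inbound\report.csv.gpg'
$pass = $null
if ($LASTEXITCODE -ne 0) { throw "gpg failed with exit code $LASTEXITCODE" }
```

Whether this is worth the extra moving parts over Peter's simpler advice (a key with no passphrase behind the same ACL) is a judgement for the deployment; the ACL check is useful either way, because it is the file permissions, not the passphrase, that actually stand between the key and other accounts on the box.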

