Andrey Utkin wrote:

> On 02.12.2015 22:12, Smith, Cathy wrote:
> > I need to be able to decrypt a file using gpg2 in batch. I have a
> > customer who requires us to provide a public key that is RSA 2048 bit.
> > I have RHEL6 available which provides gpg 2.0.14 to create the key
> > pair. However, I’ve not been able to use gpg2 in batch to provide the
> > passphrase to decrypt a file. It wants an interactive prompt for the
> > passphrase. I’ve tried some things that I’ve read on-line without any
> > success. Is there a way to configure gpg2 to accept a passphrase in
> > batch?
>
> Hi,
> Have you tried generating a key with empty passphrase?
Hi,

Warning: I am not an expert. I only just found out how to do this myself.

If it needs to always work with no intervention and it's safe to leave the
key unencrypted on disk permanently (unlikely), then having an empty
passphrase is definitely the easy option. But if you can't leave the key
unencrypted on disk, decryption only needs to occur at certain known times,
and it's OK to have someone supply the passphrase in advance, then the
following approach might be more appropriate.

You can run gpg-agent explicitly as a daemon and use the
--allow-preset-passphrase option, and then use gpg-preset-passphrase to load
a passphrase into it. The gpg-agent command will probably also need the
--write-env-file option to store the gpg-agent socket details on disk so
that other, unrelated processes can connect to the gpg-agent.

Here's an example gpg-agent command:

  $ gpg-agent \
  >   --homedir /PATH/TO/.gnupg \
  >   --write-env-file /PATH/TO/.gpg-agent-info \
  >   --allow-preset-passphrase \
  >   --max-cache-ttl 7200 \
  >   --daemon -- \
  >   bash --login

To load the passphrase from within the bash process started above (the
double --fingerprint is important because it shows the key we need):

  $ gpg_cache_id="`gpg --homedir /PATH/TO/.gnupg --fingerprint --fingerprint USER@DOMAIN | grep 'Key fingerprint' | tail -1 | sed -e 's/^[^=]\+=//' -e 's/ //g'`"
  $ systemd-ask-password 'Enter GPG passphrase:' | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$gpg_cache_id"

To load the passphrase from an unrelated process, you would first need to do
the following to connect to the gpg-agent before loading the passphrase into
gpg-agent as described above:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO

The process that needs to perform the decryption would also need to do the
above if it is a process that is unrelated to the bash process started by
gpg-agent, e.g.:

  $ . /PATH/TO/.gpg-agent-info
  $ export GPG_AGENT_INFO
  # unset GPG_TTY # This is probably unnecessary
  $ gpg --batch --quiet --no-greeting --no-tty --use-agent \
  >   --homedir /PATH/TO/.gnupg --decrypt < ENCRYPTEDFILE > DECRYPTEDFILE

Note that the passphrase will stay resident in gpg-agent until gpg-agent
terminates, or until it is explicitly forgotten with:

  /usr/lib/gnupg2/gpg-preset-passphrase --forget "$gpg_cache_id"

or until the max-cache-ttl expires, whichever comes first. By default, this
is 7200 seconds (i.e. two hours), but it can be increased or decreased on
the gpg-agent command line. It's probably a very bad idea to increase it too
much and leave the passphrase available permanently. If that were OK, you
might as well use an unencrypted key with no passphrase. But if it were OK,
there'd be a gpg-agent option to remove the TTL limit altogether, but there
is no such option.

Notes:

The gpg commands above (--fingerprint and --decrypt) should still work if
they were changed to gpg2. That's probably more sensible since gpg-agent is
a gpg2 thing, but gpg works too, so I use that.

If you don't have systemd-ask-password, you could use ssh-askpass, but it
requires X11. It only takes a few lines of Perl to implement your own
askpass program if needed.

Also, don't set $DISPLAY to be empty before running gpg-preset-passphrase.
If you need to disable X11, unset DISPLAY instead, or gpg-preset-passphrase
will give an error:

  gpg-preset-passphrase: problem setting the gpg-agent options
  gpg-preset-passphrase: caching passphrase failed: Invalid response

Also, the gpg-agent command can be run inside a screen or tmux session so
that you can detach from it and reattach to it again later to terminate it.

Also, I don't know about RHEL6. The above works on debian-8 and
ubuntu-14.04.3, which have gpg2 2.0.26 and 2.0.22, respectively. Hopefully,
it will all work on RHEL6 with gpg2 2.0.14 as well.
Good luck,
raf

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
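As an added example (not code from raf's post or from GnuPG), here is a shell version of the cache-id step above that selects the encryption-capable subkey from gpg's machine-readable --with-colons listing instead of taking whichever "Key fingerprint" line comes last, and fails loudly if no such subkey exists. The helper names, the constructed sample listing and the HOMEDIR/USERID placeholders are assumptions; it assumes GnuPG 2.0 as in the thread, where gpg-preset-passphrase is keyed by the fingerprint (GnuPG 2.1 and later expect the keygrip instead, i.e. the grp record from --with-keygrip).

```shell
#!/bin/sh
# Added helpers, not from the original post. Assumes GnuPG 2.0, where
# gpg-preset-passphrase's cache id is the key fingerprint.

# Read `gpg --with-colons --fingerprint --fingerprint USERID` output on
# stdin and print the fingerprint of the key whose capabilities (field 12
# of the pub/sub record) include lowercase "e", i.e. it can decrypt.
# Exits 1 when no encryption-capable key is listed, so callers never
# preset a passphrase against a signing-only key by accident.
encryption_fingerprint() {
    awk -F: '
        # each pub/sub record says whether the fpr record that follows
        # belongs to an encryption-capable key
        $1 == "pub" || $1 == "sub" { want = (index($12, "e") > 0) }
        $1 == "fpr" && want       { fpr = $10 }  # field 10 is the hex fingerprint
        END { if (fpr == "") exit 1; print fpr }
    '
}

# Ask for the passphrase once and seed the running gpg-agent with it.
# Arguments are the HOMEDIR and USERID placeholders from the post.
preset_decryption_passphrase() {
    homedir=$1
    userid=$2
    cache_id=$(gpg --homedir "$homedir" --with-colons \
                   --fingerprint --fingerprint "$userid" | encryption_fingerprint) || {
        echo "no encryption-capable key found for $userid" >&2
        return 1
    }
    systemd-ask-password 'Enter GPG passphrase:' \
        | /usr/lib/gnupg2/gpg-preset-passphrase --preset "$cache_id"
}

# Constructed sample listing (not real keys): a sign/certify primary key
# followed by an encryption subkey, in gpg's --with-colons record format.
SAMPLE_LISTING='tru::1:1449000000:0:3:1:5
pub:u:2048:1:AAAABBBBCCCCDDDD:1449000000:::u:::scESC:
fpr:::::::::1111222233334444555566667777888899990000:
uid:u::::1449000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:2048:1:1122334455667788:1449000000::::::e:
fpr:::::::::AAAA111122223333444455556666777788889999:'

# Usage: printf '%s\n' "$SAMPLE_LISTING" | encryption_fingerprint
#        preset_decryption_passphrase /PATH/TO/.gnupg USER@DOMAIN
```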