How can I remove the passphrase from a gpg2 private key?

Question

Yes, I know it is a step into a lesser secure system, but the current setting makes it reasonable (the key is not important, but the signing has to be automatized).

Google results say this:

List the keys with a gpg --list-keys
Edit the key with a gpg --edit-key C0DEEBED....
A gpg command line console starts, there a passwd command changes the passphrase
Giving the password twice (in my case, simple enter) changes the key.

However, it doesn't work, because gpg2 simply doesn't allow an empty password.

What to do?

Is there a reason why using gpg-agent will not work for automating gpg signing tasks? — Deathgrip, Jul 18 '17 at 18:26
@Deathgrip Because the key has also a passphrase. Thus, in the case of signing anything, first this passphrase has to be given. It is an unavoidable human interaction. Thus, it can't be automatized. To automatize the gpg signing, I have to remove the passphrase from the key pair. Gpg can create key pairs without passphrase, and it can also change the passphrase of an existing key pair. The goal is now to remove the existing passphrase from the key pair, making it into a passphrase-less, unprotected one. (Note, file permissions still are still protecting the key pair.) — peterh, Jul 18 '17 at 18:48
Not completely automated, but you can manually start and seed the agent and use it until the machine reboots or your cache's expire. I set max-cache-ttl and default-cache-ttl to 31536000 (365 days). Then "seed" the agent with a command similar to echo | gpg -sa -u <keyid> >/dev/null. A separate script could launch, source the environment file created when starting the agent, then sign a file. In the script, execute gpg with --batch mode and it should return an error if a password is required. Send an alert if that happens. I do a few things like this utilizing ssh and gpg agents. — Deathgrip, Jul 18 '17 at 21:47
what's the purpose of a key password then if you can just remove it? — AnonymousLurker, Nov 27 '18 at 00:34
@AnonymousLurker In general, it exists in the key as some hash or salt. Thus, you can't so easily remove it, it requires a dictionary attack to do that. In the special case of this question, the password is an obstacle to automatize the key-based encryption. — peterh, Nov 27 '18 at 00:37

score 36 · Answer 1 · edited Dec 23 '23 at 18:45

36

As of gpg version 2.4.3, gpg --edit-key <keyid> passwd seems to work fine for removing a passphrase.

Issue the command, then provide your current passphrase and then the new one. Just type Enter for no passphrase. Then type quit to quit the program.

edited Dec 23 '23 at 18:45

Roberto Tyley

103

answered Nov 05 '19 at 18:40

Eugene Yarmash

15,095

1

I had to enter the blank password twice -- and click yes, I really want to do this, twice, but it accepted it after that. – Sly Gryphon Jan 17 '20 at 04:24
1

thanks... worked like charm :) – Saksham Khurana Sep 28 '21 at 11:35
This didn't work for me, but this answer did – Dec 16 '23 at 01:16

landfill baby · Answer 2 · 2020-08-22T12:48:28.260

8

gpg --pinentry-mode loopback --passwd KEY

Enter the original password, but press enter 3 times instead of just once (original password, new password, then confirming new password). The problem was pinentry itself, so loopback mode just removes it from the equation. This should work with all versions of gpg AFAIK.

edited Aug 22 '20 at 12:48

answered Jul 11 '20 at 14:17

landfill baby

93

score 6 · Accepted Answer · answered Jul 18 '17 at 20:11

6

With pinentry-0.8.1 (and gnupg2-2.0.22) on Centos 7 I was able to remove the passphrase from the secret key by not specifying a new password; pinentry did whine and warn about the blank password but both the console and GTK pinentry programs had a "Take this one anyway" prompt that resulted in a password-free secret key.

On the other hand, this attempt failed as the then imported secret key is marked as unusable:

gpg --export-options export-reset-subkey-passwd --export-secret-subkeys > x

answered Jul 18 '17 at 20:11

thrig

34,938

I dug sources a lot, I tried pinentry (completely undocumented command line interface), I used gpg --change-passphrase, I commented out "use agent" in ~/.gnupg/gpg.conf, and somehow, somewhere it started to work. I am too disappointed to invest even a little second into this any more. But thank you very much. – peterh Jul 18 '17 at 23:46
1

Yeah, I'm using gpg 1.4 elsewhere as gpg2 annoys me too much. – thrig Jul 19 '17 at 00:05

score 3 · Answer 4 · edited Oct 01 '18 at 21:31

3

Well, I succeed in removing passphrase or creating new key without passphrase by using pinentry-gtk-2 as the pinentry program. Here is what I have done:

There is no config file in ~/.gnupg. I created a symbolic link from /usr/bin/pinentry to /usr/bin/pinentry-gtk-2

 sudo ln -s /usr/bin/pinentry-gtk-2 /usr/bin/pinentry

It also worked over an SSH connection with X11 forwarding.

edited Oct 01 '18 at 21:31

answered Oct 01 '18 at 21:28

miyasagi

31

Welcome on the Unix SE! I fighted a lot with the ncurses-based pinentry, but without success. – peterh Oct 01 '18 at 21:32

score 1 · Answer 5 · answered Nov 26 '18 at 23:37

I was able to do this using Kleopatra. In the application right-click on the keypair you want to remove the passphrase from. Click Change passphrase.... Enter the passphrase in the pop up window. In the next pop up window leave both inputs empty and click Ok. click the option similar to Yes, protection is not needed. These last two pop ups may show up a couple times as confirmation. Just leave the inputs for new passphrase blank and click Ok. Then you will receive a confirmation that "The passphrase has been successfully reset".

How can I remove the passphrase from a gpg2 private key?

5 Answers5

Linked