Mailing List Archive

how to add a passphrase to a keypair
Is it possible to add a passphrase to a secret key originally created
without one? If so, please tell me how. I'll be happy with either
instructions or pointer to the fine manual I either missed or misread.

I have tried lots of variations. Attempts using gpg-agent fail because
pinentry (I've tried text and gui versions) refuses to accept a blank
passphrase. Variants using --passphrase or --passphrase-fd don't work
because they only allow passing one passphrase, and I need to provide
the old one and the new one. I've also tried --export-secret-key,
which also fails with "error receiving key from agent: No passphrase
given - skipped" when using --passphrase-fd.

I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to
a new user and using the old gpg doesn't help because gpg1 doesn't see
the secret keys from gpg2, and I haven't been able to export them.

Is there a way to do this, or is revoking the old key and creating new
keys from scratch the only solution?

Thanks for any information.

Jack

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: how to add a passphrase to a keypair
On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users@gnupg.org> wrote:

> Is it possible to add a passphrase to a secret key originally created
> without one? If so, please tell me how. I'll be happy with either
> instructions or pointer to the fine manual I either missed or misread.
>
> I have tried lots of variations. Attempts using gpg-agent fail because
> pinentry (I've tried text and gui versions) refuses to accept a blank
> passphrase. Variants using --passphrase or --passphrase-fd don't work
> because they only allow passing one passphrase, and I need to provide the
> old one and the new one. I've also tried --export-secret-key, which also
> fails with "error receiving key from agent: No passphrase given - skipped"
> when using --passphrase-fd.
>
> I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
> user and using the old gpg doesn't help because gpg1 doesn't see the secret
> keys from gpg2, and I haven't been able to export them.
>
> Is there a way to do this, or is revoking the old key and creating new keys
> from scratch the only solution?
>
> Thanks for any information.
>
> Jack

Try these instructions for changing the passphrase:

https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase

gpg --edit-key Your-Key-ID-Here
gpg> passwd
gpg> save

cheers,
raf

Re: how to add a passphrase to a keypair
On Sun, Oct 03, 2021 at 01:40:03PM +1100, raf <gnupg@raf.org> wrote:

> On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users@gnupg.org> wrote:
>
> > Is it possible to add a passphrase to a secret key originally created
> > without one? If so, please tell me how. I'll be happy with either
> > instructions or pointer to the fine manual I either missed or misread.
> >
> > I have tried lots of variations. Attempts using gpg-agent fail because
> > pinentry (I've tried text and gui versions) refuses to accept a blank
> > passphrase. Variants using --passphrase or --passphrase-fd don't work
> > because they only allow passing one passphrase, and I need to provide the
> > old one and the new one. I've also tried --export-secret-key, which also
> > fails with "error receiving key from agent: No passphrase given - skipped"
> > when using --passphrase-fd.
> >
> > I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
> > user and using the old gpg doesn't help because gpg1 doesn't see the secret
> > keys from gpg2, and I haven't been able to export them.
> >
> > Is there a way to do this, or is revoking the old key and creating new keys
> > from scratch the only solution?
> >
> > Thanks for any information.
> >
> > Jack
>
> Try these instructions for changing the passphrase:
>
> https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
> https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase
>
> gpg --edit-key Your-Key-ID-Here
> gpg> passwd
> gpg> save

Also, don't use gpg1. I'm guessing that either the key
was created with gpg2, or was created with gpg1 but
then ~/.gnupg was subsequently converted for use with
gpg2 (since you say "gpg1 doesn't see the secret keys
from gpg2"). If either is the case, keep using gpg2.

Also, if you are getting the error "No passphrase
given", I could be wrong, but that might suggest that
the secret key is already encrypted. Are you sure that
there is no existing passphrase? If so, ignore this.

cheers,
raf

Re: how to add a passphrase to a keypair
On 10/2/21 22:51, raf via Gnupg-users wrote:
> On Sun, Oct 03, 2021 at 01:40:03PM +1100, raf <gnupg@raf.org> wrote:
>
>> On Sat, Oct 02, 2021 at 07:12:45PM -0400, Jack via Gnupg-users <gnupg-users@gnupg.org> wrote:
>>
>>> Is it possible to add a passphrase to a secret key originally created
>>> without one? If so, please tell me how. I'll be happy with either
>>> instructions or pointer to the fine manual I either missed or misread.
>>>
>>> I have tried lots of variations. Attempts using gpg-agent fail because
>>> pinentry (I've tried text and gui versions) refuses to accept a blank
>>> passphrase. Variants using --passphrase or --passphrase-fd don't work
>>> because they only allow passing one passphrase, and I need to provide the
>>> old one and the new one. I've also tried --export-secret-key, which also
>>> fails with "error receiving key from agent: No passphrase given - skipped"
>>> when using --passphrase-fd.
>>>
>>> I do have a copy of gpg-1.4.23 available, but simply copying .gnupg to a new
>>> user and using the old gpg doesn't help because gpg1 doesn't see the secret
>>> keys from gpg2, and I haven't been able to export them.
>>>
>>> Is there a way to do this, or is revoking the old key and creating new keys
>>> from scratch the only solution?
>>>
>>> Thanks for any information.
>>>
>>> Jack
>> Try these instructions for changing the passphrase:
>>
>> https://www.cyberciti.biz/faq/linux-unix-gpg-change-passphrase-command/
>> https://help.ubuntu.com/community/GnuPrivacyGuardHowto#Changing_your_Passphrase
>>
>> gpg --edit-key Your-Key-ID-Here
>> gpg> passwd
>> gpg> save
> Also, don't use gpg1. I'm guessing that either the key
> was created with gpg2, or was created with gpg1 but
> then ~/.gnupg was subsequently converted for use with
> gpg2 (since you say "gpg1 doesn't see the secret keys
> from gpg2"). If either is the case, keep using gpg2.
>
> Also, if you are getting the error "No passphrase
> given", I could be wrong, but that might suggest that
> the secret key is already encrypted. Are you sure that
> there is no existing passphrase? If so, ignore this.
>
> cheers,
> raf

Thanks for the suggestions, but they do not help.  On my main PC I only
have version 2 installed, so gpg and gpg2 are the same command (one is a
symlink to the other.)  The key was created many years ago with gpg
version 1 and was definitely created without a passphrase.   I have gone
through many PCs since then (all Linux) and always copied my ~/.gnupg
folder to the new box.  Somewhere along the line some files do seem to
have gotten lost, because I do not have secring.gpg or pubring.gpg, but
gpg -k and gpg -K both show my main key.  I compiled a copy of gpg1 (not
installed to the system) to try to use locally, since it doesn't enforce
the use of a passphrase for the secret key.  Unfortunately, without
secring.gpg, it doesn't see the secret key at all.

Your first suggestion does not work (as I said in my original post)
because pinentry does not accept a blank passphrase, and it still
prompts for one even if it doesn't actually need it.

Re: how to add a passphrase to a keypair
> gpg -k and gpg -K both show my main key.  I compiled a copy of gpg1 (not
> installed to the system) to try to use locally, since it doesn't enforce
> the use of a passphrase for the secret key.  Unfortunately, without
> secring.gpg, it doesn't see the secret key at all.

I haven't tried this, but it might be exactly what you want to do:

/path/to/gpg2 --export-secret-keys 0xMY_KEY_ID > secret.gpg
/path/to/gpg1 --import secret.gpg

When you import the secret key, secring.gpg will be recreated, and the
corresponding public key will be automatically imported into
pubring.gpg. (A copy of the public key is embedded into each secret key.)

At that point you'll have the necessary pubring.gpg/secring.gpg files,
and should be able to change the passphrase at a GPG1 command line.

Re: how to add a passphrase to a keypair
On 10/3/21 12:53, Robert J. Hansen via Gnupg-users wrote:
>> gpg -k and gpg -K both show my main key. I compiled a copy of gpg1
>> (not installed to the system) to try to use locally, since it doesn't
>> enforce the use of a passphrase for the secret key.  Unfortunately,
>> without secring.gpg, it doesn't see the secret key at all.
>
> I haven't tried this, but it might be exactly what you want to do:
>
> /path/to/gpg2 --export-secret-keys 0xMY_KEY_ID > secret.gpg
It is what I want, but it doesn't work.  gpg2 uses pinentry to request
the passphrase, and so fails with a blank one.  I would expect that
using --passphrase-fd would work, but it also fails, as stated in my
original post with "error receiving key from agent: No passphrase given
- skipped".  I do find this odd, as I know using --passphrase-fd works:
gpg --passwd fails with no passphrase given using pinentry, and fails
with the same error using --passphrase-fd and a blank passphrase, but
fails with bad passphrase using --passphrase-fd and any non-blank
passphrase.  I have just reconfirmed this behavior.
> /path/to/gpg1 --import secret.gpg
>
> When you import the secret key, secring.gpg will be recreated, and the
> corresponding public key will be automatically imported into
> pubring.gpg.  (A copy of the public key is embedded into each secret
> key.)
>
> At that point you'll have the necessary pubring.gpg/secring.gpg files,
> and should be able to change the passphrase at a GPG1 command line.

I do expect this would work if I could successfully do the export with gpg2.

Jack

Re: how to add a passphrase to a keypair
On Sunday, October 3rd, 2021 at 7:54 AM, Jack via Gnupg-users <gnupg-users@gnupg.org> wrote:

> The key was created many years ago with gpg
> version 1 and was definitely created without a passphrase.

One of many problems with having no password protection for a key is there is nothing to stop someone who has access to your PC from creating a password for it.

> I do not have secring.gpg or pubring.gpg, but
> gpg -k and gpg -K both show my main key.

Secret keys are now stored in the /.gnupg/private-keys-v1.d folder with a filename that is the key's keygrip with a .key suffix.

To know which key each keygrip belongs to, use:
$ gpg --with-keygrip -K

You can get some more information about the key's protection by viewing the keygrip file with the xxd command:
$ xxd ~/.gnupg/private-keys-v1.d/KEYGRIP.key
(obviously replace "KEYGRIP" with the actual keygrip).
The rightmost column will display text, with the part at the end of the file being the time password protection was added to the key.

> because pinentry does not accept a blank passphrase, and it still
> prompts for one even if it doesn't actually need it.

That prompt is a sure sign that the key is now protected with a password.
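An added example, not from any message in this thread, that applies the keygrip-file inspection above without xxd and without triggering a pinentry prompt: it classifies each file in private-keys-v1.d by the type tag of its S-expression (gpg-agent writes private-key, protected-private-key or shadowed-private-key) and pulls out the Created: line that the newer extended file format carries at the end. The sample .key files are constructed, with placeholder keygrips and truncated key material.

```shell
#!/bin/sh
# Added example, not from the thread: classify gpg-agent private key files
# (~/.gnupg/private-keys-v1.d/KEYGRIP.key) by the tag of their S-expression,
# without calling gpg, so no pinentry prompt is involved. gpg-agent writes:
#   (private-key ...)            key stored in the clear, no passphrase
#   (protected-private-key ...)  passphrase-protected key
#   (shadowed-private-key ...)   stub for a key held on a smartcard
# Files in the newer extended format wrap this as "Key: (...)" and add a
# "Created: YYYYMMDDThhmmss" line, which is the text xxd shows at the end.

key_protection_status() {
    # $1: path to a .key file; prints unprotected|protected|shadowed|unknown
    tag=$(sed -n 's/^\(Key: \)\{0,1\}(\([a-z-]*\).*/\2/p' "$1" | head -n 1)
    case "$tag" in
        private-key)           echo unprotected ;;
        protected-private-key) echo protected ;;
        shadowed-private-key)  echo shadowed ;;
        *)                     echo unknown ;;
    esac
}

key_created_stamp() {
    # $1: path to a .key file; prints the Created: stamp, or n/a if absent
    stamp=$(sed -n 's/^Created: \([0-9T]*\).*/\1/p' "$1" | head -n 1)
    if [ -n "$stamp" ]; then echo "$stamp"; else echo n/a; fi
}

# Constructed sample files: placeholder keygrips, truncated key material.
demo=$(mktemp -d)
printf '(private-key (rsa (n #00C0FFEE#) (e #010001#) (d #0BAD#)))\n' \
    > "$demo/AAAA1111.key"
printf 'Key: (protected-private-key (rsa (n #00C0FFEE#) (e #010001#)\n' \
    > "$demo/BBBB2222.key"
printf ' (protected openpgp-s2k3-ocb-aes ((sha1 #A1B2# "65011712") #0123#) #DEAD#)))\nCreated: 20200401T120000\n' \
    >> "$demo/BBBB2222.key"

# Report per keygrip; map a keygrip to its key ID with: gpg --with-keygrip -K
for f in "$demo"/*.key; do
    printf '%s  %s  created=%s\n' "$(basename "$f" .key)" \
        "$(key_protection_status "$f")" "$(key_created_stamp "$f")"
done
rm -rf "$demo"
```

Point the loop at ~/.gnupg/private-keys-v1.d instead of the demo directory to check a real keyring; a result of "protected" explains why gpg --passwd asks for the existing passphrase first.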

Re: how to add a passphrase to a keypair
OK, I have to declare defeat. I obviously have a far worse case of CRS
(Can't remember stuff) than I thought.

On 2021.10.06 16:03, anonymous via Gnupg-users wrote:
> On Sunday, October 3rd, 2021 at 7:54 AM, Jack via Gnupg-users
> <gnupg-users@gnupg.org> wrote:

> > I do not have secring.gpg or pubring.gpg, but gpg -k and gpg -K
> > both show my main key.
> Secret keys are now stored in the /.gnupg/private-keys-v1.d folder
> with a filename that is the key's keygrip with a .key suffix.
Not sure why I mentioned that, other than that the lack of those files
prevented my trying to access the keys with gpg 1.4.
>
> To know which key each keygrip belongs to, use:
> $ gpg --with-keygrip -K
>
> You can get some more information about the key's protection by
> viewing the keygrip file with the xxd command:
> $ xxd ~/.gnupg/private-keys-v1.d/KEYGRIP.key
> (obviously replace "KEYGRIP" with the actual keygrip).
> The rightmost column will display text, with the part at the end of
> the file being the time password protection was added to the key.
That was the key (no pun intended) to seeing that indeed, there is a
password on the key, and, in complete conflict with my (obviously
flaky) memory, it was added when the key was created, and that date
(April 2020) was much more recent than I thought. The only saving
grace here (unless I can actually remember the password) is that it
seems I never actually uploaded that key to any keyserver, although I do
have a revocation certificate.
>
> > because pinentry does not accept a blank passphrase, and it still
> > prompts for one even if it doesn't actually need it.
> That prompt is a sure sign that the key is now protected with a
> password.
I may follow up on this later, but are you saying that if there is no
password on the key, then gpg/gpg-agent/pinentry will not even prompt
for it? So, if I did have a key without a password, then "gpg --passwd
that-key" would not prompt for the original (blank) password, and only
for the new password?

Thanks again for giving me the necessary clue.

Re: how to add a passphrase to a keypair
Jack via Gnupg-users <gnupg-users@gnupg.org> wrote:
> I may follow up on this later, but are you saying that if there is no
> password on the key, then gpg/gpg-agent/pinentry will not even prompt
> for it? So, if I did have a key without a password, then "gpg --passwd
> that-key" would not prompt for the original (blank) password, and only
> for the new password?

That is correct. It will only prompt to "enter new passphrase" if the key does not already have password protection.
