gpg-agent in gpg2

Frank Koehl · Aug 10, 2011 · Viewed 8.1k times

I'm attempting to future-proof some custom software that utilizes GPG (currently v1.4.10) to perform symmetric encryption/decryption processes. My current encryption command looks like this:

gpg --batch --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted

Without the --no-use-agent option, I get the infamous error message

gpg-agent is not available in this session

I'm concerned about a move to gpg2 because, according to the documentation, the gpg-agent is always required, and --no-use-agent is simply a dummy option. My gpg calls occur in the background via a daemon process, so this is very much a no-agent scenario (plus the fact that it's symmetric, and I have no need of the agent at all).

Documentation at this level of detail is sparse, so I'm looking for user experience. Does gpg2 incorporate the agent more tightly, so that I don't have to worry about its availability?

Answer

sinharaj · Aug 19, 2011
  1. Invoked the way you show, gpg2 might fail if the output file /path/to/file_to_be_encrypted.gpg already exists. If you want the file to be overwritten, you should provide the --yes option:

    gpg2 --batch --yes --no-tty --no-use-agent --symmetric --cipher-algo AES256 --passphrase "foobar" /path/to/file_to_be_encrypted
    
  2. When you use symmetric encryption (as you do), the passphrase constraints will not be applied at all, even if gpg-agent is set to enforce them; it will just work.

    Say gpg-agent was run like this (and let the mypasswords file even contain a forbidden pattern that exactly matches your passphrase):

    eval $(gpg-agent --daemon --enforce-passphrase-constraints --min-passphrase-len 8 --min-passphrase-nonalpha 4 --check-passphrase-pattern mypasswords)
    

    Then your command would still succeed.

    In short: gpg-agent will not make it fail (unless it crashes gpg for some reason—like wrong configuration or missing executable, which you cannot account for).

    EDIT: I've just checked and in symmetric mode gpg2 will work even if gpg-agent is wrongly configured or if the gpg-agent executable is missing.

    This is not related, but just in case: I also verified what happens when you try to change the password of your private key while gpg-agent is missing or is wrongly configured: gpg2 will report a warning, will not even ask for the new passphrase, and continue working.
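Added example, not part of the question or of sinharaj's answer: a POSIX shell round trip that drives gpg 2.1 or later the way the question's daemon would, with no terminal and no pinentry. It assumes a gpg 2.1+ binary on PATH (override with the GPG variable), and the file names, sample plaintext and the passphrase "foobar" are constructed for the demo. It departs from the command in the question in two security-relevant ways: since gpg 2.1 the agent owns passphrase handling and --no-use-agent is only an accepted no-op, so --batch with a supplied passphrase needs --pinentry-mode loopback; and the passphrase goes in on fd 0 instead of the command line, where `--passphrase "foobar"` is visible in the process list to every local user. The --yes option from the answer above is included so a re-run over an existing output file does not fail.

```sh
#!/bin/sh
# Added example (not from the question or the answer above): unattended
# symmetric encryption and decryption with gpg 2.1 or later, the way a
# daemon with no terminal would drive it.
#
# Compared with the command in the question:
#   --pinentry-mode loopback  gpg 2.1+ hands passphrase prompts to
#                             gpg-agent; loopback makes gpg itself supply
#                             the passphrase, so no pinentry is needed.
#                             --no-use-agent is only an accepted no-op.
#   --passphrase-fd 0         the passphrase arrives on stdin instead of
#                             the command line, where `ps` would show it.
#   --yes / --output          overwrite an existing ciphertext and pin the
#                             destination path.
#   GNUPGHOME                 a private, throwaway home keeps the daemon
#                             off the invoking user's keyring and agent.
#
# Assumptions: a gpg 2.1+ binary on PATH (override with GPG=gpg2); the
# file names, sample plaintext and the passphrase "foobar" are constructed.

GPG=${GPG:-gpg}

# gpg_supports_loopback: true when "$GPG" reports version 2.1 or newer,
# the first series in which --pinentry-mode exists.
gpg_supports_loopback() {
    "$GPG" --version 2>/dev/null | head -n 1 | grep -Eq ' 2\.[1-9]'
}

# sym_encrypt PASSPHRASE IN OUT: AES-256 symmetric encryption of IN to OUT.
# The passphrase is piped to fd 0; nothing secret is on the command line.
sym_encrypt() {
    printf '%s\n' "$1" | "$GPG" --batch --yes --no-tty \
        --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 \
        --output "$3" "$2"
}

# sym_decrypt PASSPHRASE IN OUT: decrypt IN to OUT with the same passphrase
# handling. IN must be a file name, because fd 0 carries the passphrase.
sym_decrypt() {
    printf '%s\n' "$1" | "$GPG" --batch --yes --no-tty \
        --pinentry-mode loopback --passphrase-fd 0 \
        --output "$3" --decrypt "$2"
}

# roundtrip_demo: encrypt a constructed file twice (the second run proves
# --yes overwrites), stop any agent gpg auto-launched, reject a wrong
# passphrase, decrypt with the right one and compare. Returns 0 only if
# every step behaved as expected. Runs in a subshell with its own
# GNUPGHOME, which is removed on exit.
roundtrip_demo() (
    set -e
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    plain=$GNUPGHOME/plain.txt
    cipher=$GNUPGHOME/plain.txt.gpg
    back=$GNUPGHOME/roundtrip.txt
    printf 'constructed sample plaintext\n' > "$plain"

    sym_encrypt foobar "$plain" "$cipher"
    # The ciphertext must not carry the plaintext.
    if grep -q 'constructed sample' "$cipher"; then exit 1; fi
    # Re-encrypting onto the existing output must not fail (--yes).
    sym_encrypt foobar "$plain" "$cipher"

    # Mirror the no-agent scenario: kill any agent the runs above started.
    gpgconf --kill gpg-agent 2>/dev/null || true

    # A wrong passphrase must be rejected with a non-zero exit status.
    if sym_decrypt wrong "$cipher" "$back" 2>/dev/null; then exit 1; fi
    sym_decrypt foobar "$cipher" "$back"
    cmp -s "$plain" "$back"
)

if gpg_supports_loopback; then
    roundtrip_demo && echo "symmetric round trip OK"
else
    echo "this example needs gpg 2.1 or later on PATH (set GPG=...)" >&2
fi
```

One caveat for anyone deploying this on an older 2.1 series: gpg 2.1.0 through 2.1.11 refused loopback pinentry unless gpg-agent.conf contained allow-loopback-pinentry; from 2.1.12 it is allowed by default. In production the passphrase would come from a 0600 file via --passphrase-file or from a secret store piped to fd 0, never from a literal in the script.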
