Has anyone tried creating GPG keys for encrypted pillars on Ubuntu 18.04?

I'm using the following command to attempt to generate the keys:

gpg --gen-key --homedir /etc/salt/gpgkeys

When I run that I get the usual set of questions, full name, email, etc. However, when it gets to the passphrase screen, I seem to be unable to get past it without entering a passphrase. I get an ncurses display that looks like this:

[screenshot: gpg passphrase dialog]

If I just hit enter to get past it, it immediately pops right back up. If I hit "Cancel" then I get the following error:

gpg: agent_genkey failed: Operation cancelled
Key generation failed: Operation cancelled

Anyone run into this?

  • Here's the real answer to this question, since the people here at Server Fault are profoundly unhelpful: https://superuser.com/questions/1360324/gpg-remove-passphrase – Throw Away Account Oct 31 '19 at 04:51
  • +1 @ThrowAwayAccount. One thing to keep in mind is that the flags for the created key will all be set (i.e. `[SCEA]`). See the answers in the following question for instructions on how to narrow down the scope of your key: https://unix.stackexchange.com/questions/31996/how-are-the-gpg-usage-flags-defined-in-the-key-details-listing – Tenders McChiken Feb 08 '20 at 13:28

1 Answer

-3

If you don't have a passphrase, you can just as well not bother to encrypt your data in the first place, because anyone who can get access to the server with the data will also be able to use the key.

If you for some reason want to pretend to be secure while not actually being it, you can use the argument --passphrase='' to gpg. But you shouldn't do that.

Jenny D
  • I'm currently creating a subkey for signing Git commits. I have a master key with a strong passphrase but would like a subkey with an expiration that doesn't use a passphrase - I'm figuring as long as I keep the private key secret I am good, and now I'm stumbling across this post because I don't see the point in having to type a passphrase each time I do a Git commit on a PC which is not accessible to anyone else, when I can just revoke the subkey and create a new one if someone burgles my apartment. – toon81 Aug 10 '19 at 18:15
  • 1
    This does not apply to anything involving other servers. If you encrypt data on one server, then send it to a different server which has this passwordless private key, it absolutely adds security. Also, signing data and shipping it elsewhere still confers a benefit. – Dessa Simpson Sep 27 '19 at 23:13
  • 7
    I suppose your job is to sit in the server room all day and type in the passphrase every time the prompt comes up? – Throw Away Account Nov 25 '20 at 00:18
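A worked version of the key generation the question asks about, added here as an example and not part of the original question or answer. GnuPG 2.1 and later (Ubuntu 18.04 ships 2.2) will generate an unprotected key non-interactively from a batch parameter file containing %no-protection, which sidesteps the pinentry dialog entirely. The --passphrase='' route mentioned in the answer is only honoured by GnuPG 2.x when --batch is also given and, from 2.1 on, --pinentry-mode loopback as well. The homedir below is a temporary directory and the key name and address are placeholders; on a real master the homedir would be /etc/salt/gpgkeys, owned by the user the salt-master runs as.

```shell
#!/bin/sh
# Added example, not code from the original post: create an unprotected
# GPG key for Salt's gpg renderer in a dedicated homedir, then encrypt and
# decrypt a pillar value with it. Assumes GnuPG 2.1+ on PATH. The key
# identity (Salt Pillar <salt-pillar@example.invalid>) is a placeholder.

set -e

# gpg refuses to be quiet about a homedir that is not mode 0700, and with
# an unprotected key that mode is the only thing keeping other local
# users away from the private key.
prepare_homedir() {
    mkdir -p "$1"
    chmod 700 "$1"
}

# Batch key generation. %no-protection is the line that answers the
# question: the key is stored without a passphrase, so no pinentry
# dialog is ever shown. Primary key signs/certifies, subkey encrypts.
gen_pillar_key() {
    gpg --homedir "$1" --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Salt Pillar
Name-Email: salt-pillar@example.invalid
Expire-Date: 0
%commit
EOF
}

# Encrypt a secret to the pillar key; the armored output is what goes
# into the pillar file. --trust-model always suppresses the "key is not
# certified" prompt that would otherwise block a non-interactive run.
encrypt_secret() {
    printf '%s' "$2" | gpg --homedir "$1" --batch --quiet --armor \
        --trust-model always --encrypt -r salt-pillar@example.invalid
}

# Decrypt the way the salt-master does at render time: no terminal,
# no passphrase, only the homedir.
decrypt_secret() {
    gpg --homedir "$1" --batch --quiet --decrypt
}

# Round-trip a constructed secret (hunter2) through a throwaway homedir
# and print the recovered plaintext so the result can be checked.
roundtrip() {
    dir="$(mktemp -d)"
    prepare_homedir "$dir"
    gen_pillar_key "$dir"
    ct="$(encrypt_secret "$dir" 'hunter2')"
    printf '%s\n' "$ct" | decrypt_secret "$dir"
    # Stop the agent gpg auto-launched for this homedir, then clean up.
    gpgconf --homedir "$dir" --kill gpg-agent 2>/dev/null || true
    rm -rf "$dir"
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

The reason the key cannot carry a passphrase is that Salt's gpg renderer runs gpg --homedir /etc/salt/gpgkeys --decrypt from inside the master process, with no terminal attached and nobody to answer a prompt. The compensating controls are the ones the example encodes: a 0700 homedir owned by the master's user, and shipping only the public key (gpg --homedir /etc/salt/gpgkeys --armor --export) to the workstations that encrypt pillar values, so the private key never leaves the master.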