GnuPG: Add passphrase to passphrase-less key

1

1

I've created my PGP keypair using an online site. The thing is, I didn't provide a passphrase upon creation; the site didn't make supplying a passphrase mandatory.

Since this key is passphraseless, GnuPG asks for it every time I want to encrypt something, or even when using it to sign commits. I don't have a passphrase, so when I provide an empty passphrase using pinentry, the program exits with error status after three attempts.

I've tried changing the passphrase via --edit-key, but this is impossible since it requests the passphrase. I also can't revoke it (I've uploaded the public key to the SKS Keyservers and Biglumber); it also asks for the passphrase.

I used --batch mode to import it into GnuPG without it asking for a passphrase, and it succeeded.

How could I go about adding a passphrase to this private key? I searched here on SuperUser (and Google), and all the solutions I found are not working, since they rely on a passphrase.

Decrypting content works on the site I originally created the keypair at (https://sela.io/pgp/). I know I shouldn't have used a website for key generation, but my PGP knowledge was practically non-existent.

Note: I can encrypt/decrypt text using my private key via tools other than GnuPG (without a passphrase), like the "PGP Anywhere" Chrome browser extension.

Thanks in advance.

Miguel Nogueira

Posted 2017-12-20T16:56:10.847

Reputation: 21

Are you using GnuPG 2.1.x/2.2.x? – user1686 – 2017-12-20T17:45:34.930

@grawity Yes, I'm using GnuPG 2.2.3. – Miguel Nogueira – 2017-12-20T17:58:52.933

If it's asking you for a passphrase, and it fails when you enter a wrong one, it sounds like it already has a passphrase but you just don't know it. Are you sure you can sign & decrypt things with its secret key, not just on the site that created it? Tried finding out the passphrase from the site? Probably want to make a new one anyway, unless you explicitly trust that site now & in the future as long as the key's used. – Xen2050 – 2017-12-21T23:55:56.667

@Xen2050 I've installed a browser extension called "PGP Anywhere". I'm able to encrypt and decrypt text with it without a passphrase. I tried to search for the other site's default passphrase, but the variable is equal to null. – Miguel Nogueira – 2017-12-22T13:23:56.983
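Whether the secret key really has no passphrase, the point the comments above go back and forth on, can be read from the key file itself: each OpenPGP secret-key packet carries an S2K usage octet, and 0 means the secret material is stored unprotected. The Python sketch below is an added example, not part of the original thread; its function names are this example's own, and the sample packets are constructed with toy numbers rather than real key material.

```python
# Public MPI count per v4 algorithm ID (RFC 4880, 5.5.2); ECC IDs 18/19/22 not handled.
PUBLIC_MPIS = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}

def packets(data):
    """Yield (tag, body) per packet; partial/indeterminate lengths are rejected."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                # new-format header
            tag, first, i = hdr & 0x3F, data[i + 1], i + 2
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body length")
        else:                                         # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            if n == 8:
                raise ValueError("indeterminate length")
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def protection(body):
    """Classify a v4 secret (sub)key packet body by its S2K usage octet."""
    version, algo = body[0], body[5]
    if version != 4 or algo not in PUBLIC_MPIS:
        raise ValueError("unsupported key version or algorithm")
    pos = 6                                           # version, 4-byte time, algorithm
    for _ in range(PUBLIC_MPIS[algo]):                # skip the public MPIs
        bits = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2 + (bits + 7) // 8
    return "unprotected" if body[pos] == 0 else "passphrase-protected"

def report(data):
    """Protection state of each Secret-Key (tag 5) and Secret-Subkey (tag 7) packet."""
    return [(tag, protection(body)) for tag, body in packets(data) if tag in (5, 7)]

# Constructed sample with toy numbers, not real key material.
def mpi(n):
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
PUB = b"\x04" + bytes(4) + b"\x01" + mpi(0xC0FFEE) + mpi(65537)
PLAIN = PUB + b"\x00" + mpi(0x1234) + b"\x00\x00"     # usage 0: secret MPIs in the clear
LOCKED = PUB + bytes([254, 9, 3, 8]) + bytes(8) + b"\x60" + bytes(36)  # usage 254: S2K, IV, data
SAMPLE = b"".join(bytes([0xC0 | t, len(b)]) + b for t, b in ((5, PLAIN), (7, LOCKED)))
print(report(SAMPLE))
```

To check a real file, convert the armored key to binary first (for example `gpg --dearmor < key.asc > key.bin`, where key.asc is a placeholder name) and pass the bytes of key.bin to report().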

Answers

1

I managed to revoke my key using an Android application called OpenKeychain.

This application is able to recognize passphrase-less keypairs and therefore able to revoke such keys.

This question might have gotten no attention, but I'm sure there are more people in a similar situation that might find this answer useful.

I can now upload this key to my computer and to the SKS keyservers, effectively deterring anyone from using it. But, a useful piece of advice: Create a revocation certificate for your key right after creating it, and store it in a safe place. Never ignore passphrase prompts; always use one.

This will save you from a big headache.

Miguel Nogueira

Posted 2017-12-20T16:56:10.847

Reputation: 21

0

I've created my PGP keypair using an online site.

That's the worst possible thing you could ever do. Now you're not the only one that has the private key.

Always create a keypair yourself using gpg --gen-key.

Alex

Posted 2017-12-20T16:56:10.847

Reputation: 2 094