Has anyone tried creating GPG keys for encrypted pillars on Ubuntu 18.04?

I'm using the following command to attempt to generate the keys:

gpg --gen-key --homedir /etc/salt/gpgkeys

When I run that I get the usual set of questions, full name, email, etc. However, when it gets to the passphrase screen, I seem to be unable to get past it without entering a passphrase. I get an ncurses display that looks like this:

[screenshot: gpg passphrase prompt]

If I just hit enter to get past it, it immediately pops right back up. If I hit "Cancel" then I get the following error:

gpg: agent_genkey failed: Operation cancelled
Key generation failed: Operation cancelled

Anyone run into this?

  • Here's the real answer to this question, since the people here at Server Fault are profoundly unhelpful: superuser.com/questions/1360324/gpg-remove-passphrase
    Oct 31, 2019 at 4:51
  • +1 @ThrowAwayAccount. One thing to keep in mind is that the flags for the created key will all be set (i.e. [SCEA]). See the answers in the following question for instructions on how to narrow down the scope of your key: unix.stackexchange.com/questions/31996/…
    Feb 8, 2020 at 13:28
  • I got gpg: can't connect to the agent: IPC connect call failed gpg: problem with the agent: No agent running gpg: can't connect to the agent: IPC connect call failed gpg: problem with the agent: No agent running gpg: Key generation canceled. when I try to run gpg --gen-key --homedir /home/ec2-user/SageMaker/.gnupg --passphrase '' inside a SageMaker notebook instance, anyone know how to resolve it?
    – Cecilia
    Jun 1 at 14:44

1 Answer

If you don't have a passphrase, you can just as well not bother to encrypt your data in the first place, because anyone who can get access to the server with the data will also be able to use the key.

If you for some reason want to pretend to be secure while not actually being it, you can use the argument --passphrase='' to gpg. But you shouldn't do that.

  • I'm currently creating a subkey for signing Git commits. I have a master key with a strong passphrase but would like a subkey with an expiration that doesn't use a passphrase. I'm figuring as long as I keep the private key secret I am good, and now I'm stumbling across this post because I don't see the point in having to type a passphrase each time I do a Git commit on a PC which is not accessible to anyone else, when I can just revoke the subkey and create a new one if someone burgles my apartment.
    – toon81
    Aug 10, 2019 at 18:15
  • This does not apply to anything involving other servers. If you encrypt data on one server, then send it to a different server which has this passwordless private key, it absolutely adds security. Also, signing data and shipping it elsewhere still confers a benefit.
    Sep 27, 2019 at 23:13
  • I suppose your job is to sit in the server room all day and type in the passphrase every time the prompt comes up?
    Nov 25, 2020 at 0:18
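One way to do the unattended generation the question and comments are circling, as an added example that is not from the original page, the answerer or the Salt project: a POSIX sh snippet that uses GnuPG's batch mode with %no-protection instead of --passphrase='' so no pinentry prompt appears, keeps the key flags narrow (sign-only primary, encrypt-only subkey, which addresses the [SCEA] point above), and creates the homedir owner-only, since filesystem permissions are all that protects a passphrase-less key. It assumes GnuPG 2.1 or later (Ubuntu 18.04 ships 2.2) and the /etc/salt/gpgkeys path from the question.

```shell
#!/bin/sh
# Added example: unattended key generation for Salt's gpg pillar renderer.
# Assumes GnuPG 2.1+ and the homedir from the question; not Salt's own code.

GPG_HOME="${GPG_HOME:-/etc/salt/gpgkeys}"

# Build a GnuPG batch parameter block. %no-protection yields a key with no
# passphrase, which is what an unattended decryptor on the master needs.
# The primary key only signs/certifies; the encrypt-only subkey is what the
# pillar renderer uses, so this is not an [SCEA] do-everything key.
salt_gpg_params() {
    name=$1 email=$2 expire=$3
    cat <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: $expire
%commit
EOF
}

# With no passphrase, permissions are the only protection for the secret key:
# create the homedir owner-only before gpg writes anything into it.
salt_gpg_homedir_prepare() {
    dir=$1
    ( umask 077 && mkdir -p "$dir" )
    chmod 700 "$dir"
}

# Generate the key with no pinentry dialog: --batch reads the parameters from
# stdin, and GnuPG 2.1+ auto-starts gpg-agent if none is running.
salt_gpg_keygen() {
    salt_gpg_homedir_prepare "$GPG_HOME"
    salt_gpg_params "$1" "$2" "$3" \
        | gpg --batch --homedir "$GPG_HOME" --gen-key
    # The keyring must be readable by the account salt-master runs as
    # (root by default); do not widen it beyond that user.
    gpg --homedir "$GPG_HOME" --list-secret-keys --keyid-format long
}
```

Run it as the salt-master user, for example `salt_gpg_keygen "Salt Master" salt@example.com 2y`, then export the public key with `gpg --homedir /etc/salt/gpgkeys --armor --export` for the hosts that will encrypt pillar values.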