Hello,

On 16/06/16 08:46, Mike Kaufmann wrote:
> I've used http://www.asciitohex.com/ to convert my passphrase in
> hexstring. Therefore I think, that's not the reason.

Does it end in bytes 0D or 0A? Those are CR/LF ASCII bytes, and should
not be included.

> What I'm not sure: Is the value I use for the first parameter
> correct?

By the looks of it, you could check this through:

> $ gpg-connect-agent
> > havekey 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
> OK
> > havekey 44696420796F7520736565206D79206B6579733F
> ERR 67108881 No secret key <GPG Agent>

preset_passphrase will take anything thrown at it without complaint, as
long as it's syntactically valid. Whether the information was useful
will only become apparent when it is needed.

Also, are you unlocking the correct (sub)key? Let's take a look at a
test key:

> $ gpg2 --with-keygrip -K DCDFDFA4
> sec   rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17]
>       Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
> uid   err Test Teststra <test@work.invalid>
> uid   err Test Teststra (Koning van Wezel) <test@example.invalid>
> ssb   rsa1024/77A3395A 2012-03-17 [E]
>       Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
> ssb   rsa2048/38EF7410 2016-01-12 [A]
>       Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63

If I wanted to unlock the key for signatures or certifying, I would
unlock the first keygrip. Note that if you have a separate signing
subkey, you'd most likely use that for signatures. If I wanted to
decrypt stuff, I would unlock the second keygrip. Finally, if I wanted
to use the key for SSH authentication, I would unlock the third and
final keygrip. If I wanted to unlock the whole private key, I'd unlock
all three.

> What is correct: keygrip or fingerprint?

Keygrips work, so I'd stick to that.

> Is there a way with gpg commands to find out the value for this
> parameter?

You mean, like, what the program gpg-preset-passphrase uses? It might,
but before I spend time on that, please see if you've already figured
it out with the previous part of this message.

> We have planned to save the passphrase in a database on Server A. On
> Server B a Webservice can be called from our client app, that reads
> the passphrase out of database on Server A and calls the gpg-commands
> on Server B with the passphrase parameter. So the passphrase is not
> stored plainly on disc on the same server as the key.

I don't feel qualified to comment on the usefulness of this
arrangement, so I won't. This says something about me, not about your
setup.

> Or does gpg-agent do this, when using preset-passphrase?

No, gpg-agent will not write to disk, and tries to prevent the
operating system from doing so, if it is supported on your OS.

HTH,

Peter.

PS: Could you perhaps use inline-quoting and strip your quotes?
Alternatively, sometimes it's not unreasonable to just remove all the
quoted text. But the dangling original message below your reply is an
unwanted style here at gnupg-users.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
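
The checks from the message above as a shell example, added here and not part of the original post: it hex-encodes a passphrase without CR/LF bytes, maps capabilities to keygrips from a `--with-keygrip` listing (the sample is copied from the test key quoted above), and confirms the keygrip with `havekey` before presetting. The function names are hypothetical, and `preset` assumes a running gpg-agent with `allow-preset-passphrase` enabled.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of GnuPG.

# Hex-encode the passphrase read from stdin, dropping CR/LF bytes (0D/0A)
# that a file or an online converter may have added.
hex_passphrase() {
    tr -d '\r\n' | od -An -v -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# Read `gpg2 --with-keygrip -K` output on stdin and print one
# "<capabilities> <keygrip>" line per primary key or subkey.
list_keygrips() {
    awk '
        /^(sec|ssb)/ { caps = ""; for (i = 1; i <= NF; i++) if ($i ~ /^\[[SCEA]+\]$/) caps = $i }
        /Keygrip = / { print caps, $NF }
    '
}

# Keygrip of the first (sub)key offering capability $1 (S, C, E or A).
keygrip_for() {
    list_keygrips | awk -v c="$1" 'index($1, c) { print $2; exit }'
}

# Ask the running agent whether it holds the secret key for keygrip $1.
agent_has_key() {
    gpg-connect-agent "havekey $1" /bye | grep -q '^OK'
}

# Preset hex passphrase $2 for keygrip $1. The command is sent over stdin
# so the passphrase does not show up in a process argument list.
preset() {
    agent_has_key "$1" || { echo "agent has no secret key for $1" >&2; return 1; }
    printf 'PRESET_PASSPHRASE %s -1 %s\n/bye\n' "$1" "$2" | gpg-connect-agent | grep -q '^OK'
}

# Key lines of the test-key listing quoted in the message above.
sample_listing() {
    cat <<'EOF'
sec   rsa1024/DCDFDFA4 2012-03-17 [SC] [expires: 2016-06-17]
      Keygrip = 2F677680CA15F6F7B963AF35822E8EC01FBF840A
ssb   rsa1024/77A3395A 2012-03-17 [E]
      Keygrip = 15CB764B81D542CF921978CA89910C69D53F4E2D
ssb   rsa2048/38EF7410 2016-01-12 [A]
      Keygrip = 3D88DC9D60F791821AF8D537EEAC3C8DF7720D63
EOF
}

sample_listing | list_keygrips
```

`preset` succeeding only means the agent accepted the input for a key it holds; as the message says, a wrong passphrase shows up only when the key is actually used.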