35

I want to remove the passphrase from a gpg key after creating it. Why? Because the tigase-kontalk documentation says so, and I want to compile and set up my own version of this server. But I am stuck at this point.

Create GPG key: Create a GPG key for both signing and encrypting, and remove its passphrase after creating it.

I want a Linux gpg command to remove the passphrase or to export unprotected keys.

Dr Deo
  • If you just want to export an unprotected version of the secret key (and keep it passphrase-protected in your keyring), there is now a tool for that: https://github.com/pts/gpg-export-secret-key-unprotected – pts Apr 27 '20 at 21:04

4 Answers

40

Here is a more complete answer based on Justin's:

(Using gpg 1.4.16 on Ubuntu 14)

  • Get the ID of your key like this:

    gpg --list-secret-keys

    This will output a few lines similar to below. The key ID is the value XXXX.

    /home/username/.gnupg/secring.gpg
    ----------------------------------
    sec   4096R/XXXX <creation date>
    uid                  name <email.address>
    ssb   4096R/YYYY <creation date>

  • Open the gpg key edit submenu like this:

    gpg --edit-key XXXX

    You will see information about the key.

  • Type passwd at the prompt to change the password:

    gpg> passwd

  • Enter your existing passphrase.

  • Enter the new passphrase for this secret key. (Leave this blank and press Enter)

  • Press Enter twice and consider the warnings from the tool and its implications before proceeding.

    You don't want a passphrase - this is probably a *bad* idea!

    Do you really want to do this? (y/N) y
Frak
21

Let me share what I found. I thought I might share in case there is another lost soul. In the bash shell:

gpg2 --batch --gen-key <<EOF
%no-protection
Key-Type:1
Key-Length:2048
Subkey-Type:1
Subkey-Length:2048
Name-Real: My super name
Name-Email: admin@superuser.com
Expire-Date:0
EOF

The key can now be exported:

gpg2 --export-secret-key fingerprinthere > private-key.key
gpg2 --export fingerprint_should_be_put_here > public-key.key
Dr Deo
  • 2
    The trick is %no-protection – Dr Deo Sep 22 '18 at 22:30
  • 3
    Your question was how to "remove" a passphrase on a key after creating it. This answer, however, is for how to create it without a passphrase to start with. – Frak Oct 01 '19 at 19:38
  • This answer doesn't answer the original question. The OP already has a passphrase-protected secret key in their keyring, and they want to remove the protection. – pts Apr 27 '20 at 21:06
  • 1
    With `gpg 2.2.27` this was the only solution that worked to generate keys for an automated environment. – Stuart Cardall Sep 18 '21 at 22:59
9

It's simple. Just run:

gpg --edit-key <yourkeyhere>
passwd

When GnuPG prompts for the new passphrase, just leave it blank and hit enter.

Source: https://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html

Justin Pearce
  • 13
    This doesn't work. It returns error `gpg: key key B64F361BF49F2E74/B64F361BF49F2E74: error changing passphrase: No passphrase given` – Dr Deo Sep 21 '18 at 19:21
  • 1
    It worked for me (Ubuntu 16.04, GPG 1.4.20). At the end you need to save the key with `save` – user1182474 Jan 25 '19 at 16:17
  • It doesn't work for me either. – Sedat Kapanoglu Aug 31 '19 at 04:08
  • 1
    This doesn't work on gpg 1.4.16. It lists some information about the key and puts you into a gpg submenu. – Frak Oct 01 '19 at 19:39
  • This works with GPG 1.4 (I've just tried it with 1.4.16). It also works with GPG 2.1.18. I suspect it was broken in earlier GPG 2.0--2.1.x. – pts Apr 27 '20 at 18:55
2

See https://unix.stackexchange.com/a/597949/20960. It seems that some varieties of pinentry refuse to accept an empty passphrase, while others are fine with it.

gpg --pinentry-mode loopback --passwd KEY

Chris Jones