Premature passphrase prompt during stdin for `gpg -a --symmetric`

Hi!

I’ve noticed that when I use gpg -a --symmetric and the message to encrypt (which I’m entering to stdin) is more than 30 characters, then I will be prematurely prompted for the passphrase even though I haven’t finished entering my message (I just happened to want to add a new line after more than 30 characters).

So, as soon as I press enter after the z here (because I want to continue writing the second line of the message to encrypt):

% gpg -a --symmetric
0123456789abcdefghijklmnopqrstuvwxyz

then, this pops up (without me signaling that I’m done, i.e. without me typing ctrl + D):


            ┌──────────────────────────────────────────────────────┐
            │ Enter passphrase                                     │
            │                                                      │
            │                                                      │
            │ Passphrase: *****___________________________________ │
            │                                                      │
            │       <OK>                              <Cancel>     │
            └──────────────────────────────────────────────────────┘

Note that there are already 6 characters entered in the passphrase field (not by me). I’ve noticed that the number of these already entered characters is the number of characters I entered in my message before hitting enter minus 30, so in this case it was 36 (0…9 + a…z), and 36-30 = 6.


It works as expected (I can signal an EOF using ctrl+D) as long as the message to encrypt is 30 or less characters. But I’d of course like to be able to encrypt messages that are longer than 30 characters.

Using a file as input (instead of stdin) works but is not an option for my use case.


I’m using

% gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.3
...

on macOS 14.2 on an intel MacBook Pro.

Hi @jens,

I didn’t use symmetric encryption with GnuPG yet so I searched for information regarding this topic.

This manual says that the command is intended to read messages only from files. I don’t know if you can use it like you want to.

Hi, the problem here is the streaming mode of GnuPG. E.g. if you encrypt 1TB of data it won’t hold it in memory but start encrypting it and putting out the results either to stdout or to something that is provided with the -o output option.

My suggestion would be to keep the passphrase in a file and then add “--pinentry-mode loopback --passphrase-file thefile.pw” to your command. In that case GnuPG can know the password immediately and won’t ask you during the process.


Thanks for the explanation of what causes the issue!

It would be nice if I could avoid having to save the passphrase to a file, since the point of adding the message to encrypt via stdin was to not have to store it in a file.

The man page also says “don’t use this option if you can avoid it”:

       --passphrase-file file
              Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a
              file is of questionable security if other users can read this file. Don't use this option if you can avoid it.

              Note that since Version 2.0 this passphrase is only used if the option --batch has also been given. Since Version 2.1 the --pinentry-mode also needs to be set to loopback.

Is there any way to change the buffer size or streaming mode? (to allow something more than 30 (32?) bytes, let’s say 4KB.)

Well, this really depends on your use case: where the password should come from and when it should be asked. Usually in a UI environment, for example, you would get something like pinentry-qt popping up that will open the passphrase entry in a completely different window. That the option should be avoided is mostly a caution that you should not really use the passphrase options if you have an alternative. But when you do symmetric encryption you somehow have to expose the system to the passphrase; there is no other choice. With asymmetric encryption you of course do not need a passphrase for encryption and so you do not have such issues.

Regarding the buffer size. There is the following:

   --debug-set-iobuf-size n
          Change the buffer size of the IOBUFs to n kilobyte.  Using 0 prints the current size.  Note well: This is a maintainer only option and may thus be changed or removed at any time without notice.

You could try that. But I don’t know if this fits your use case.

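One way to get what the original poster wants (message on stdin, no passphrase file on disk, no dialog interrupting the input), as an added example that is not from any of the replies above: hand the passphrase to gpg up front on a spare file descriptor with `--passphrase-fd`, the file-descriptor sibling of the `--passphrase-file` option quoted from the man page, which likewise needs `--batch` and `--pinentry-mode loopback`. The script assumes gpg 2.1 or later plus `gpgconf` on PATH; the message and passphrase in the check are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread: encrypt a message read from stdin with
# gpg --symmetric while handing the passphrase to gpg on fd 3 before any input
# is consumed, so pinentry never opens mid-message and no passphrase file has
# to be kept on disk. Assumes gpg 2.1+ and gpgconf.
set -eu

# Encrypt stdin -> ASCII-armored ciphertext on stdout. $1 is the passphrase,
# delivered on fd 3 via a here-document (expanded once, so "$" or "\" inside
# the passphrase are passed literally; gpg reads only the first line).
sym_encrypt_stdin() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --armor --symmetric 3<<EOF
$1
EOF
}

# Decrypt armored ciphertext on stdin -> plaintext on stdout, same fd trick.
sym_decrypt_stdin() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
      --decrypt 3<<EOF
$1
EOF
}

# Round-trip check in a throwaway GNUPGHOME on a constructed two-line message
# whose first line is longer than the 30 bytes at which the premature prompt
# appeared. Prints "ok" when the plaintext survives encryption and decryption.
roundtrip_check() {
  pass='correct horse battery staple'   # constructed test passphrase
  msg='0123456789abcdefghijklmnopqrstuvwxyz
second line of the message'
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  out=$(printf '%s' "$msg" | sym_encrypt_stdin "$pass" | sym_decrypt_stdin "$pass")
  gpgconf --kill gpg-agent 2>/dev/null || true   # stop the auto-started agent
  rm -rf "$GNUPGHOME"
  [ "$out" = "$msg" ] && echo ok
}

# Interactive use, as in the original report: prompt for the passphrase on the
# tty first, then type the message on stdin and finish with Ctrl+D.
#   stty -echo; printf 'Passphrase: '; read -r pass; stty echo; echo
#   sym_encrypt_stdin "$pass" > message.asc
```

The passphrase lives only in a shell variable and on a short-lived descriptor, so it never appears in `ps` output the way `--passphrase` on the command line would, and there is no file to protect or shred afterwards.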

Thank you for your detailed replies.