Thank you guys. Both the "cat pipe" way and the "<" way work well. David, yes you made a very good point of not hard-coding the passphrase or its file name. In my current script, I have a variable to hold the passphrase file name. The actual file name is passed in as a parameter when I call the script from another command outside the script. If an attacker opens the current script, s/he won't see the actual passphrase or its file name, s/he will only see the variable name. The passphrase is stored in a separate place.
I am thinking of better ways to secure the passphrase and automate the jobs at the same time. I appreciate everyone's input.

Jane

On 4/14/07, David Shaw <[EMAIL PROTECTED]> wrote:
> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
> > Hello,
> > I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a
> > script).
> > When I use the option "--batch", I don't have a way to enter the user
> > id or passphrase.
>
> Look at the --passphrase-fd, --passphrase-file, or --passphrase
> options. They are all in the manual, and can be used to provide a
> passphrase during batch operation.
>
> However, if you are including the passphrase in a script, it is worth
> asking yourself if there is any security benefit in having a
> passphrase-protected key at all. After all, an attacker who gets
> access to the script needs merely to read it to know the passphrase.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
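
The setup discussed in this thread (passphrase file name passed in as a parameter, passphrase fed to gpg with "<" and --passphrase-fd), as an added example that is not code from the original posts. The function names, the argument order and the permission policy (regular file, owned by the caller, mode 600 or 400) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: batch decryption with the passphrase file passed as a parameter.
# Usage (hypothetical script name): decrypt.sh PASSFILE INPUT.gpg OUTPUT

# Return 0 only if the passphrase file is a regular file, not a symlink,
# owned by the current user, and not accessible to group or others.
passfile_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "not owned by current user: $f" >&2; return 1; }
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case $mode in
        400|600) return 0 ;;
        *) echo "mode $mode too permissive (want 600 or 400): $f" >&2; return 1 ;;
    esac
}

# Refuse to run gpg at all if the passphrase file fails the check above.
decrypt_batch() {
    passfile=$1 input=$2 output=$3
    passfile_ok "$passfile" || return 1
    # The passphrase arrives on fd 0 via "<", so it never appears in argv
    # or in the script text. GnuPG 2.1 and later also need
    # --pinentry-mode loopback for --passphrase-fd to be honoured.
    gpg --batch --passphrase-fd 0 --output "$output" --decrypt "$input" < "$passfile"
}

# Run only when called with the three expected arguments.
if [ "$#" -eq 3 ]; then
    decrypt_batch "$@"
fi
```

The check narrows who can read the passphrase file but does not change David's point: any account that can run the job can also read the passphrase.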
