To be honest, there is really no way to properly secure a passphrase for an automated system if the passphrase exists anywhere on that system. All users with root access will be able to get to the private key through some means.
If you are not worried about users with root access, then you don't need to encrypt the private key, since non-root users won't be able to read the secret key in the process's home directory.
It's a chicken-or-egg situation. If you can trust the root users, you are better off keeping it simple and just not using an encrypted private key. If you cannot trust the root users, you should not trust the system at all.
On Apr 19, 2007, at 8:33 AM, jane grove wrote:
> Thank you guys. Both the "cat pipe" way and the "<" way work well.
>
> David, yes, you made a very good point about not hard-coding the passphrase or its file name. In my current script, I have a variable to hold the passphrase file name. The actual file name is passed in as a parameter when I call the script from another command outside the script. If an attacker opens the current script, s/he won't see the actual passphrase or its file name; s/he will only see the variable name. The passphrase is stored in a separate place.
>
> I am thinking of better ways to secure the passphrase and automate the jobs at the same time. I appreciate everyone's input.
>
> Jane
>
> On 4/14/07, David Shaw <[EMAIL PROTECTED]> wrote:
>> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
>>> Hello,
>>>
>>> I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a script). When I use the option "--batch", I don't have a way to enter the userid or passphrase.
>>
>> Look at the --passphrase-fd, --passphrase-file, or --passphrase options. They are all in the manual, and can be used to provide a passphrase during batch operation.
>>
>> However, if you are including the passphrase in a script, it is worth asking yourself if there is any security benefit in having a passphrase-protected key at all. After all, an attacker who gets access to the script needs merely to read it to know the passphrase.
>>
>> David
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> [email protected]
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
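To make David's --passphrase-fd suggestion and the "keep the passphrase out of the script" point concrete, here is an added example; it is not code from the thread or from GnuPG, and the file names are hypothetical. It assumes GnuPG 2.1 or later, where --passphrase-fd is only honoured together with --pinentry-mode loopback. The passphrase is read from a separate file on descriptor 3 (so stdin stays free for data and nothing appears on the command line, where ps(1) would show a --passphrase argument), and the script refuses to run if that file is readable by group or other, which is the check the thread's threat model (non-root users on the same host) calls for.

```shell
#!/bin/sh
# Added example, not from the thread: non-interactive gpg --decrypt with the
# passphrase supplied on a file descriptor, guarded by a permission check on
# the passphrase file. Requires GnuPG 2.1+ (--pinentry-mode loopback).

# Return 0 if $1 is a regular file with no group/other permission bits,
# 1 otherwise. Parses ls(1) output so it works on both GNU and BSD userland.
check_passphrase_file() {
    pf=$1
    if [ ! -f "$pf" ]; then
        echo "passphrase file is missing or not a regular file: $pf" >&2
        return 1
    fi
    # Characters 5-10 of "ls -ld" are the group and other mode bits.
    perms=$(ls -ld "$pf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "passphrase file $pf is readable by others (group/other bits: $perms); chmod 600 it" >&2
        return 1
    fi
    return 0
}

# Decrypt $2 into $3 using the passphrase stored in $1.
# The passphrase file is opened on fd 3 by the shell (3< "$pf"), so the
# passphrase itself never appears in the script or in the process list.
decrypt_with_passphrase_file() {
    pf=$1
    in=$2
    out=$3
    check_passphrase_file "$pf" || return 1
    gpg --batch --yes --quiet \
        --pinentry-mode loopback \
        --passphrase-fd 3 \
        --output "$out" \
        --decrypt "$in" 3< "$pf"
}

# Usage (hypothetical paths):
#   decrypt_with_passphrase_file /etc/backup/gpg-passphrase backup.tar.gpg backup.tar
```

The caller passes the passphrase file path in, as Jane describes, rather than hard-coding it. Note that this only hides the passphrase from users who cannot read the file; as the reply above says, anyone with root on the host can still recover it, and --passphrase-file is equivalent to the fd form for that purpose.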
