Rick Funderburg wrote:
> I am trying to make a bash backup script that will encrypt the output
> using symmetric encryption through GPG. How do I pass in the passphrase
> securely? Right now, I have the passphrase hard coded as a variable in
> the script. GPG can read the passphrase from a specified file
> descriptor. How do I hook up the two in a secure way? If I just use
> the environment variable as an argument to a program (like echo), my
> passphrase could show up in process lists.
The manpage and user guide talk about this, but the exact recipe may not
be totally obvious. Here's the recipe
put your passphrase in a file (say "secret"), and ==> BE SURE to make
the file accessible only to you, and lock up the computer so that its
physical security is guaranteed, too, and ...
then in your script, write
gpg --passphrase-fd=0 rest_of_command_specs <secret
(You may run across variations of the above using other redirection options)
This achieves the objective of keeping the passphrase out of the
commandline.
..jim
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
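The recipe above, worked into a small script as an added example (not code from the thread): the passphrase is fed to gpg on file descriptor 3 instead of stdin, so stdin stays free for piping the backup data in, and the script refuses a passphrase file that is readable by group or other. It assumes GnuPG 2.x, where --batch use of --passphrase-fd also needs --pinentry-mode loopback; the function names and the AES256 choice are this example's own.

```shell
#!/bin/sh
# Added example: symmetric GPG backup with the passphrase read from fd 3,
# so it never appears in argv (and therefore never in `ps` output).
# Assumes GnuPG 2.x (--pinentry-mode loopback).
set -eu

# write_secret_file PATH: read the passphrase from stdin into PATH with
# owner-only permissions (umask in a subshell so the caller is unaffected).
write_secret_file() {
    rm -f "$1"
    ( umask 077; cat > "$1" )
}

# check_secret_perms PATH: refuse a passphrase file that group/other can read.
check_secret_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) echo "refusing $1: mode is $mode, expected -rw-------" >&2; return 1 ;;
    esac
}

# encrypt_backup SECRET_FILE OUTPUT_FILE
# Plaintext comes in on stdin; the passphrase file is opened on fd 3, which
# gpg reads via --passphrase-fd 3. Nothing secret is on the command line.
encrypt_backup() {
    check_secret_perms "$1"
    gpg --batch --quiet --yes --pinentry-mode loopback \
        --symmetric --cipher-algo AES256 \
        --passphrase-fd 3 --output "$2" 3< "$1"
}

# decrypt_backup SECRET_FILE ENCRYPTED_FILE: plaintext is written to stdout.
decrypt_backup() {
    check_secret_perms "$1"
    gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --decrypt "$2" 3< "$1"
}

# Typical use (paths are placeholders):
#   tar cf - /etc | encrypt_backup "$HOME/.backup-secret" /var/backups/etc.tar.gpg
```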