GnuPG Security Disaster?

Bernard bht@actrix.gen.nz
Wed Jan 2 01:39:01 2002


Hi,

I am using gnupg decryption executed from within a Java application in
an external Win95 process.

Due to a bug somewhere between Win95/98 and the Java Virtual Machine,
Java cannot write to stdin of the external gnupg process.

That forces me to write and execute a batch file that pipes the
passphrase into stdin of the gnupg program.

I suppose that security-wise, this technique is the opposite of what
the designers intended to achieve with the option

       --passphrase-fd n
                 Read  the  passphrase from file descriptor n. If
                 you use 0 for n, the  passphrase  will  be  read
                 from  stdin.     This  can  only be used if only
                 one passphrase  is  supplied.   Don't  use  this
                 option if you can avoid it.

The pgp command line program which I used before has a passphrase
command parameter (-z). I guess it was more secure with Java because
the passphrase was not written to disk.

Can anyone suggest a more civilised approach to interfacing to the
Windows executable from within Java?

As far as I can see the current situation is a disaster.

Please correct me if I am wrong.

Regards,
Bernard