A last word on --passphrase-fd
James H. Cloos Jr.
cloos@jhcloos.com
21 Jan 2000 19:42:37 -0600
>>>>> "Chuck" == Chuck Robey <chuckr@picnic.mat.net> writes:
Chuck> How does either of your two options deal with a process started
Chuck> on a regular basis by cron? No daemon to store the passphrase
Chuck> in ram with, and impossible to make interactive input.
The trick might be to have the cron daemon itself act as the daemon
storing the passphrase. It would provide the process with an FD to read
the passphrase from; the process can then pipe that directly to the gpg
sub-process.
Another option is to have the daemon sleeping in the background, and
use cron to send it a wakeup signal. Again, it has the phrase in RAM
and can pass it to gpg via a pipe.
I've not spent much time (i.e., more than a few seconds) thinking about
the security issues of these proposals. Obviously of course the RAM
used to store the phrase must be mlock(2)ed (or the equivalent), but
beyond that....
Comments welcome.
-JimC
--
James H. Cloos, Jr. <URL:http://jhcloos.com/public_key> 1024D/ED7DAEA6
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Save Trees: Get E-Gold! <URL:http://jhcloos.com/go?e-gold>
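The second proposal above (a sleeping daemon that holds the phrase in mlock(2)ed RAM, is woken by a cron-sent signal, and hands the phrase to gpg over a pipe via --passphrase-fd), as an added example that is not part of the original message or of GnuPG itself. The gpg command line, the fixed input/output file names, and the choice of SIGUSR1 as the wakeup are assumptions for illustration; the `--pinentry-mode loopback` option is what GnuPG 2.1 and later require before they will honour --passphrase-fd at all (GnuPG 1.x, current when this was written, does not need it).

```c
/* Added example, not code from the original message: a minimal passphrase
 * holder. It reads the phrase once at startup into mlock(2)ed memory, sleeps
 * until cron sends SIGUSR1, and on each wakeup runs gpg with the phrase fed
 * over a pipe via --passphrase-fd. The gpg job and file names are assumed. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

#define PHRASE_MAX 256               /* far below PIPE_BUF: one write never blocks */

static char *phrase;                  /* page-aligned, mlock(2)ed buffer */
static size_t phrase_len, page;
static sigset_t normal_mask;          /* mask used by the child and by sigsuspend */
static volatile sig_atomic_t pending, stop;

static void on_signal(int sig) { if (sig == SIGUSR1) pending++; else stop = 1; }

/* Zero through a volatile pointer so the stores cannot be optimised away. */
static void wipe(char *p, size_t n) { volatile char *v = p; while (n--) *v++ = 0; }

/* Allocate one locked page for the phrase. Returns 0, or -1 with errno set
 * (EPERM/ENOMEM when RLIMIT_MEMLOCK is too small for even one page). */
int phrase_lock(void) {
    page = (size_t)sysconf(_SC_PAGESIZE);
    if (!(phrase = aligned_alloc(page, page))) return -1;
    if (mlock(phrase, page) != 0) { free(phrase); phrase = NULL; return -1; }
    return 0;
}

/* Wipe, unlock and free the buffer; registered with atexit(). */
void phrase_free(void) {
    if (!phrase) return;
    wipe(phrase, page); munlock(phrase, page); free(phrase); phrase = NULL;
}

/* Write the phrase plus a newline into a fresh pipe and return its read end,
 * the number --passphrase-fd expects. The write end is closed here, so gpg
 * reads one line and then sees EOF. Returns -1 on overlong phrase or error. */
int phrase_to_fd(const char *p, size_t len) {
    int fds[2];
    if (len + 1 > PHRASE_MAX || pipe(fds) != 0) return -1;
    if (write(fds[1], p, len) != (ssize_t)len || write(fds[1], "\n", 1) != 1) {
        close(fds[0]); close(fds[1]); return -1;
    }
    close(fds[1]);
    return fds[0];
}

/* Fork gpg with the pipe's read end inherited. Returns gpg's exit status, or
 * -1 if it could not be started or did not exit normally. */
int run_gpg(const char *infile, const char *outfile) {
    int fd = phrase_to_fd(phrase, phrase_len);
    if (fd < 0) return -1;
    char fdarg[16];
    snprintf(fdarg, sizeof fdarg, "%d", fd);
    pid_t pid = fork();
    if (pid == 0) {
        sigprocmask(SIG_SETMASK, &normal_mask, NULL);   /* don't hand gpg a blocked mask */
        /* GnuPG >= 2.1 honours --passphrase-fd only with a loopback pinentry. */
        execlp("gpg", "gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
               "--passphrase-fd", fdarg, "--output", outfile, "--decrypt", infile,
               (char *)NULL);
        _exit(127);
    }
    close(fd);                                           /* only the child keeps it */
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    struct rlimit nocore = { 0, 0 };
    setrlimit(RLIMIT_CORE, &nocore);           /* a core dump would carry the phrase */
    if (phrase_lock() != 0) { perror("mlock"); return 1; }
    atexit(phrase_free);
    fprintf(stderr, "passphrase: ");           /* typed once, interactively, e.g. at boot */
    if (!fgets(phrase, PHRASE_MAX, stdin)) return 1;
    phrase_len = strcspn(phrase, "\n");
    phrase[phrase_len] = '\0';

    struct sigaction sa; memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigaction(SIGUSR1, &sa, NULL);
    sigaction(SIGTERM, &sa, NULL);
    /* Keep both signals blocked except inside sigsuspend, so a wakeup that
     * arrives while a job is running is counted rather than lost. */
    sigset_t block; sigemptyset(&block); sigaddset(&block, SIGUSR1); sigaddset(&block, SIGTERM);
    sigprocmask(SIG_BLOCK, &block, &normal_mask);
    while (!stop) {
        while (pending > 0) {
            pending--;
            fprintf(stderr, "gpg exited %d\n", run_gpg("/var/spool/job.gpg", "/var/spool/job.out"));
        }
        sigsuspend(&normal_mask);              /* atomically unblock and sleep */
    }
    return 0;                                  /* atexit() wipes the phrase */
}
```

With this in place the cron entry needs no passphrase at all, only a signal (for instance `0 3 * * * pkill -USR1 -x phrase-holder`, assuming the binary is named phrase-holder). Two caveats a deployer should weigh: anyone who can signal the daemon (the same uid, or root) can trigger a job, so the uid boundary is the real boundary; and mlock and the disabled core dump protect the holder's copy, but the phrase is copied into gpg's own address space for the life of each job, and root can read either process's memory regardless.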