A last word on --passphrase-fd

James H. Cloos Jr. cloos@jhcloos.com
21 Jan 2000 19:42:37 -0600



>>>>> "Chuck" == Chuck Robey <chuckr@picnic.mat.net> writes:

Chuck> How does either of your two options deal with a process started
Chuck> on a regular basis by cron? No daemon to store the passphrase
Chuck> in ram with, and impossible to make interactive input.

The trick might be to have the cron daemon itself act as the daemon storing the passphrase. It would provide the process with a FD to read the passphrase from; the process can then pipe that direct to the gpg sub-process.

Another option is to have the daemon sleeping in the background, and use cron to send it a wakeup signal. Again, it has the phrase in RAM and can pass it to gpg via a pipe.

I've not spent much time (i.e. more than a few seconds) thinking about the security issues of these proposals. Obviously of course the RAM used to store the phrase must be mlock(2)ed (or the equivalent), but beyond that....

Comments welcome.

-JimC
-- 
James H. Cloos, Jr. <URL:http://jhcloos.com/public_key> 1024D/ED7DAEA6 <cloos@jhcloos.com>
E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Save Trees: Get E-Gold! <URL:http://jhcloos.com/go?e-gold>