Another idea (was Re: Password on command line?)

Steve Butler
Tue Aug 6 16:56:02 2002

And now somebody can do a 'ps -ef' and see it on the command for many
flavors of Unix.

My solution is not much better but does raise one small fence to keep the
mildly curious out.

Have the script read that pass phrase once from the keyboard and keep it in
a local environmental variable.

If you must write it out to a file then do something to make it non-clear
text.  It would still be fairly easy to decode but you have at least raised
one small fence.

echo "my pass phrase" | gzip | xxd -p > mypassphrase.file

Then when you need the passphrase read from the file:

  xxd -r -p mypassphrase.file | zcat | gpg --passphrase-fd 0 .....

Be aware that the above does not encrypt the file.  It simply changes it so
that it is not readily readable by a human.  But then, as you can see, it
doesn't take much to revert it back to plain text and a determined
individual will read your script and figure out how to read the file.  But,
by then, your file should be gone from the system.

-----Original Message-----
From: Daniel Carrera []
Sent: Monday, August 05, 2002 7:35 PM
To: Frank Hrebabetzky
Subject: Another idea (was Re: Password on command line?)

It just occurred to me that, since you want to put this on a script, the
'echo "password" | gpg ...' option would be bad.  Your password would be
in plain text in a file.

Here's an improvement on that idea.

1) Make your script accept your password as a command-line argument.
Then, on your script you'd have:

echo "$1" | gpg --passphrase-fd 0

You could then call your script with:  "my secret passphrase"

If you use "quotes" you won't have trouble with special characters and

2) If you still don't want your passphrase to show up on your screen, you
can add this additional Perl program:

#!/usr/bin/perl -w

use strict;

use Term::ReadKey;
ReadMode('noecho');  # Turn off output to the screen.

print "Please enter your passphrase: ";
chomp( my $password = ReadLine(0) );

` "$password"`;

I hope that this helps.


On Sun, 4 Aug 2002, Frank Hrebabetzky wrote:

> Hi there,
> I work occationally on some text files ciphered symmetrically, which
> involves the following steps:
> 	gpg -decrypt <file> > <file>.txt	# get clear text
> 	pico <file>.txt				# edit it
> 	gpg -co <file> <file>.txt		# cipher symmetric.
> 	wipe <file>.txt				# erase clear text
> So I wrote a script for that, but I have to type in 3 times the same
> passphrase: for deciphering, ciphering and confirmation.
> Passing the passphrase as command line parameter would solve the problem,
> because the script could read it and pass it to gpg, but according to the
> man pages such a gpg option doesn't exist. The option --passphrase-fd gave
> me some hope first, because I thought I could write the passphrase in a
> file first and wipe it out at the end, but my linux book only told me
> about the standard file descriptors 0, 1 and 2, which don't help me.
> Any suggestion?
> -------------------------------------------------
> Frank Hrebabetzky	Tel.:     +55 / 48 / 9998 7686
> Florianopolis		email:
> Brazil
> _______________________________________________
> Gnupg-users mailing list

Gnupg-users mailing list

CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.