reading a passphrase out of an environment variable

Ken Takusagawa ken.takusagawa.2 at gmail.com
Thu Jun 28 10:06:55 CEST 2007


I'd like to propose a feature: to read a passphrase out of an
environment variable.

When one wants to use a passphrase for symmetric encryption in an
automated application, I've used the flag "--passphrase-fd 0".  (Any
better ideas?)

But there is a problem:

If you write the passphrase to a file and use input redirection, e.g.,
"gpg ... < passphrasefile" then that file (almost) certainly has to
hit disk (/dev/shm is the thing to do, if it is available) and the
person who buys this used hard disk on eBay might be able to recover
the passphrase.

If you use it as part of a pipeline, i.e., "echo mypassphrase | gpg
..." then it's vulnerable to another user running "ps" at just the
right moment to see the echo command and its argument (Or so I think.
Do shells "desugar" echo commands so that they never spawn a
process?).  Plus you have to be careful that it doesn't hit the
command history file.

If we had a feature of reading a passphrase out of an environment
variable, one could write a script along these lines

#! /bin/bash
read -s GNUPG_PASSPHRASE
# -s is a bash-special option to read that does not echo

#multiple invocations of gpg that use the same passphrase
for file in *.gpg
do gpg --get-passphrase-from-environment ...
done
...
unset GNUPG_PASSPHRASE

This has the vulnerability that the chunk of memory that is holding
the value of the environment variable might get swapped out to disk,
but I'm willing to live with that small possibility (or maybe
implement encrypted swap).

(Threat model: multi-user machine.  I trust the super-user not to
maliciously hack me.  I do not trust the other local users of the
machine.  I do not trust that the hard drive of this machine to be
eventually disposed/destroyed securely.  I trust the OS to separate
user environments.)

--ken



More information about the Gnupg-devel mailing list