--passphrase and command line

hymie! hymie at lactose.homelinux.net
Wed Jan 14 17:23:55 CET 2015

Can you please expand on your answer?

Werner Koch <wk <at> gnupg.org> writes:
> On Wed, 14 Jan 2015 15:39, hymie <at> lactose.homelinux.net said:
> > Can this feature be added to the "--passphrase" option of gpg?  It's my
> No!
> The only reason to use --passphrase is for symmetric encryption and for
> regression tests.

I'm intrigued by your claim that this is "the only reason".  I'm sure that
some people can think of other reasons.

> For the former --passphrase-file and --passphrase-fd
> is what you actually want to use.

You are claiming that writing my key to a file on my disk is more secure?

I agree that --passphrase-fd is probably the best option.  In my particular
use-case, it comes with an unfortunate side-effect that I'm hoping to avoid.

> If you do public key decryption/signing there is no need for a
> passphrase - just do not set one for your key.  It is useless and only
> needed by check mark style security policies [1].

I'm sorry... "Don't set a passphrase on my key"?  How is that possibly a
good idea?
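
The option Werner points to, shown as an added example that is not code from this thread or from GnuPG itself: the passphrase reaches gpg through a pipe on a file descriptor, so it never sits in the process argument list (readable by every local user via `ps`) and is never written to a file on disk. It assumes GnuPG 2.x (for `--pinentry-mode loopback`), uses a throwaway GNUPGHOME, and the passphrase and plaintext are constructed demo values.

```shell
#!/bin/sh
# Deliver a gpg passphrase on a file descriptor instead of the command line.
set -u

GNUPGHOME=$(mktemp -d)      # throwaway keyring so the demo touches nothing real
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Symmetrically encrypt $1 into $2. The passphrase is read from the function's
# stdin (fd 0): gpg takes its passphrase from that fd and the data from the file
# argument, so nothing secret appears in argv.
# Usage: printf '%s\n' "$pass" | gpg_sym_encrypt plain.txt plain.txt.gpg
gpg_sym_encrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --output "$2" --symmetric "$1"
}

# Decrypt $1 to stdout; passphrase again arrives on stdin, never in argv.
# Usage: printf '%s\n' "$pass" | gpg_sym_decrypt plain.txt.gpg > plain.txt
gpg_sym_decrypt() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$1"
}

# Round trip on constructed data; prints "match" when decryption restores the
# original bytes. In real use the passphrase would come from a prompt or a
# secrets manager rather than a literal in the script.
roundtrip_demo() {
    work=$(mktemp -d)
    pass='constructed-demo-passphrase'
    printf 'constructed sample plaintext\n' > "$work/plain.txt"
    printf '%s\n' "$pass" | gpg_sym_encrypt "$work/plain.txt" "$work/plain.txt.gpg"
    printf '%s\n' "$pass" | gpg_sym_decrypt "$work/plain.txt.gpg" > "$work/out.txt"
    if cmp -s "$work/plain.txt" "$work/out.txt"; then echo match; else echo mismatch; fi
    rm -rf "$work"
}
```

While the encryption runs, `ps -o args= -C gpg` shows only the option names, which is the whole point of `--passphrase-fd` over `--passphrase`.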


More information about the Gnupg-devel mailing list