--passphrase and command line

Werner Koch wk at gnupg.org
Wed Jan 14 20:34:18 CET 2015

On Wed, 14 Jan 2015 17:23, hymie at lactose.homelinux.net said:

> I'm intrigued by your claim that this is "the only reason".  I'm sure that
> some people can think of other reasons.

Putting the passphrase on the command line and assuming that this can be
hidden by gpg is a false assumption.  The passphrase ends up at a lot of
places - in the shell's memory, in ~/.bash_history, in audit logs, and
so on.

Well, if you write a tool where you retrieve the passphrase from
/dev/somewhere after the fork and before the exec you can make it a bit
more secure.  However, having already hacked up such code it is similarly
easy to use --passphrase-{fd,file}

It is easy enough to slow down another user's process to see the passphrase
before it has been overwritten by gpg.

> You are claiming that writing my key to a file on my disk is more secure?

Yes, Unix has a permission system which allows you to secure the file
against being accessed by other users.  You can't protect the process
environment in the same way.

> I'm sorry... "Don't set a passphrase on my key" ?  How is that possibly a
> good idea?

Why do you need a passphrase stored somewhere on your system to protect
a key stored somewhere on the system?  As easy as it is to read the key,
as easy it is to read the passphrase.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
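To make the --passphrase-fd / --passphrase-file advice above concrete, here is an added Python example (not code from this thread or from GnuPG): it refuses a passphrase file unless it is owned by the caller and unreadable by group and other, and it hands a passphrase to a child over an inherited pipe so that the command line only carries a descriptor number. A small Python one-liner stands in for gpg as the child so the example runs without GnuPG installed; with the real tool the child would be `gpg --batch ...`.

```python
import os
import stat
import subprocess
import sys
import tempfile

def passphrase_file_is_safe(path):
    """True only if the file is ours and not readable by group or other."""
    st = os.stat(path)
    owned = st.st_uid == os.getuid()
    private = not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))
    return owned and private

def demo_file_check(mode):
    """Create a throwaway passphrase file with `mode` and run the check on it."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"constructed-sample-passphrase\n")  # constructed sample value
        os.close(fd)
        os.chmod(path, mode)
        return passphrase_file_is_safe(path)
    finally:
        os.unlink(path)

def run_with_passphrase_fd(tool, passphrase):
    """Deliver `passphrase` to the child over a pipe; argv only names the fd.
    Returns (argv, child stdout). With GnuPG, `tool` would be ["gpg", "--batch", ...]."""
    r, w = os.pipe()
    argv = tool + ["--passphrase-fd", str(r)]
    proc = subprocess.Popen(argv, pass_fds=(r,), stdout=subprocess.PIPE, text=True)
    os.close(r)                                  # parent keeps only the write end
    os.write(w, passphrase.encode() + b"\n")
    os.close(w)                                  # EOF: the child now has all of it
    out, _ = proc.communicate()
    return argv, out.strip()

# Hypothetical stand-in for gpg: reads from the fd named after --passphrase-fd
# and echoes it back, showing the secret arrived without ever touching argv.
STAND_IN = [sys.executable, "-c",
            "import os, sys;"
            "fd = int(sys.argv[sys.argv.index('--passphrase-fd') + 1]);"
            "sys.stdout.write(os.read(fd, 4096).decode())"]

if __name__ == "__main__":
    argv, got = run_with_passphrase_fd(STAND_IN, "correct horse")
    print("argv:", argv)                         # descriptor number only
    print("child received:", got)
    print("0600 ok:", demo_file_check(0o600), "| 0644 ok:", demo_file_check(0o644))
```

On a multi-user host the same visibility problem applies to the process environment, so the pipe (or a 0600 file) is the right channel for either gpg option.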