gpg from cronjobs

Frank Tobin ftobin@uiuc.edu
Tue, 21 Dec 1999 22:57:51 -0600 (CST)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dave Harvill, at 22:36 on Tue, 21 Dec 1999, wrote:


> I believe there is a batch mode which can read the passphrase from a file.
> I suppose you could also tie some scripts together to accomplish this.
> Perl by itself might be able to, or perhaps you can use expect. Either
> of these, in fact any solution, will involve either putting the passphrase
> in one kind of file or another, or leaving no passphrase on the key.
Personally, I just say go for the key without a passphrase. Here's thoughts on the issue:

Normally, the security of your secret keys relies on the usage of two things: the security of your system, and the security of the passphrase in your head. The passphrase you use for your key really isn't necessary to the use of OpenPGP; it's just a security mechanism for protecting your secret key. Regardless, abiding by convention and using a passphrase to encrypt your secret key requires that two different things be compromised before your OpenPGP communication is compromised, and having layering in security like this gives people a warm feeling all over.

In your case, you are trying to achieve communication using OpenPGP without securing your private key with a passphrase. Now, assuming you were just communicating between two points, this could be just as bad as using a human-generated secret passphrase; in this example, the secret of the communication is probably more easily broken by brute-forcing the shared secret passphrase or breaking into the system. However, in your case, the security of your OpenPGP communication is reliant solely on the security of your system, and this could be a very, very, very bad thing, especially if you have any idea how often various vulnerabilities become exposed for virtually every operating system.

If this is sensitive information, the only hope of really keeping your system secure is for no users to be on the system, and no daemons to be run on the system; get your information from a 'suck' (e.g., wget), and hope your wget program is secure; preferably, run it in a tight, tight environment (I smell chroot). Of course, if this really isn't sensitive enough information, you are free to use it on your normal machine without all the lockdowns of disabling your daemons and users; however, your vulnerability points skyrocket when doing so (especially while having local users).

Just keep in mind the security of your communications is solely reliant on the ability of someone not being able to break your system.

- -- 
Frank Tobin
http://www.neverending.org/~ftobin/

"To learn what is good and what is to be valued, those truths which cannot
be shaken or changed."  Myst: The Book of Atrus

OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: pgpenvelope - http://www.uiuc.edu/ph/www/ftobin/resources.html

iEYEARECAAYFAjhgWl0ACgkQVv/RCiYMT6MHawCfaMnBEQrnZtBv4kkLMd+zB/Xe
jfgAn3Ziu+VgvHrF63EKPXAd59fYGfia
=Lueu
-----END PGP SIGNATURE-----