Running gpg with a public key file path
ESP
evangelo@pigdog.org
Thu May 10 08:37:01 2001
>>>>> "FN" == Faisal Nasim <swiftkid@sat.net.pk> writes:
FN> decrypt: echo 'PASS_PHRASE' | gpg --armor --yes --homedir /etc/gnupg \
FN>     --recipient blahblah --passphrase-fd 0 --output secret2.txt \
FN>     --decrypt secret.txt
One last thing: for automatic software, daemons, or whatever, it's
really better to just have an ID with NO password than to keep a
password in a file and send it to GnuPG.
Why? Because having a password on the ID gives you a false sense of
security. Anyone with physical access to the script or whatever will
be able to get your password. Not only that, but the GnuPG keyring
only has to be readable by the account running gpg. The script may
have to be readable by multiple accounts (like a Web server account),
making having the passphrase in code or a file LESS secure than just
having a no-password ID.
By having a no-password ID in the keyring, you'll make sure that you
take adequate precautions to protect your system and the account that
can read/write the keyring. You can concentrate on that one keyring
file, rather than various nebulous scripts floating all over your file
system.
Good luck,
~ESP
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ESP <evangelo@pigdog.org> | http://pigdog.org/
"Fan belts break at 3AM. I get mad, drinks get spilled."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
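As an added example (not part of ESP's post or of any GnuPG documentation), here is the setup ESP recommends, written as a shell script: a passphrase-less key in a dedicated GnuPG home directory that only the service account can read, a permission check on that directory before every use, and a decrypt call that takes no passphrase at all, so the script itself can be world-readable without leaking anything. The homedir path, user ID and file names are assumptions; it also assumes GnuPG 2.1 or later for --quick-gen-key and --pinentry-mode loopback.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates ESP's advice:
# put the security boundary on the keyring directory, not on a passphrase
# that the script would have to carry anyway.
# Assumed: GnuPG 2.1+; the service homedir path and user ID are placeholders.

# Refuse to use a keyring directory unless it is owned by the calling account
# and readable by nobody else (mode 0700). This is the one thing that has to
# be right when the key has no passphrase.
check_keyring_perms() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such keyring dir: $dir" >&2; return 1; }
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    [ "$owner" = "$(id -u)" ] || {
        echo "keyring $dir is not owned by uid $(id -u)" >&2; return 1; }
    [ "$mode" = "700" ] || {
        echo "keyring $dir has mode $mode, expected 700" >&2; return 1; }
    return 0
}

# Create the service key with an empty passphrase, in batch mode so nothing
# prompts. The key material is protected only by the homedir permissions.
make_service_key() {
    home="$1"; uid="$2"
    mkdir -p "$home" && chmod 700 "$home"
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never
}

# Decrypt for the daemon: no echo of a passphrase, no --passphrase-fd.
# This function (and the script holding it) contains no secret.
service_decrypt() {
    home="$1"; in="$2"; out="$3"
    check_keyring_perms "$home" || return 1
    gpg --homedir "$home" --batch --yes --output "$out" --decrypt "$in"
}

# Round trip in a throwaway directory; skipped when gpg is not installed.
demo() {
    command -v gpg >/dev/null 2>&1 || {
        echo "gpg not installed; skipping round trip" >&2; return 0; }
    work=$(mktemp -d)
    home="$work/gnupg"                    # stands in for the daemon's homedir
    uid="service@example.invalid"         # hypothetical key user ID
    make_service_key "$home" "$uid" >/dev/null 2>&1 || return 1
    printf 'constructed sample plaintext\n' > "$work/secret.txt"
    gpg --homedir "$home" --batch --yes --trust-model always -r "$uid" \
        --output "$work/secret.gpg" --encrypt "$work/secret.txt" 2>/dev/null
    service_decrypt "$home" "$work/secret.gpg" "$work/secret2.txt" 2>/dev/null
    cat "$work/secret2.txt"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}
demo
```

The point of check_keyring_perms is that it fails closed: if someone loosens the directory mode (for instance to let a web server account "just read it"), the service stops decrypting instead of silently exposing a key that has nothing but file permissions protecting it.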