Running gpg with a public key file path

ESP evangelo@pigdog.org
Thu May 10 08:37:01 2001



>>>>> "FN" == Faisal Nasim <swiftkid@sat.net.pk> writes:
FN> decrypt: echo 'PASS_PHRASE'|gpg --armor --yes --homedir /etc/gnupg \
FN>   --recipient blahblah --passphrase-fd 0 --output secret2.txt \
FN>   --decrypt secret.txt

One last thing: for automatic software, daemons, or whatever, it's
really better to just have an ID with NO password than to keep a
password in a file and send it to GnuPG.

Why? Because having a password on the ID gives you a false sense of
security. Anyone with physical access to the script or whatever will
be able to get your password.

Not only that, but the GnuPG keyring only has to be readable by the
account running gpg. The script may have to be readable by multiple
accounts (like a Web server account), making having the passphrase in
code or a file LESS secure than just having a no-password ID.

By having a no-password ID in the keyring, you'll make sure that you
take adequate precautions to protect your system and the account that
can read/write the keyring. You can concentrate on that one keyring
file, rather than various nebulous scripts floating all over your
file system.

Good luck,

~ESP

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ESP <evangelo@pigdog.org> | http://pigdog.org/
"Fan belts break at 3AM. I get mad, drinks get spilled."
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
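The set-up ESP recommends above, as an added example that is not part of the original post or of GnuPG itself: a key generated unattended with no passphrase into a dedicated --homedir, plus a check that the homedir is readable by the service account alone, which is the one thing the post says you then have to protect. The parameter-file directives (%no-protection, Key-Type, Name-Email, %commit) are GnuPG's documented unattended key-generation format and need GnuPG 2.1 or later; the directory layout, the user ID, the sample message and the audit_homedir function are my own assumptions for the demo. The GnuPG round trip runs only when gpg is on PATH; the permission audit runs without it.

```shell
#!/bin/sh
# Added example, not from the original post: run GnuPG unattended with a key
# that has no passphrase, and make the keyring directory the one thing you
# protect. Assumes GnuPG 2.1+ (for %no-protection). The homedir, user ID and
# sample message below are constructed for this demo.

# What the post argues against: the passphrase lives in the script, and the
# script is often readable by more accounts than the keyring is.
#   echo 'PASS_PHRASE' | gpg --homedir /etc/gnupg --passphrase-fd 0 \
#       --output secret2.txt --decrypt secret.txt

# setup_homedir DIR: create DIR accessible by the service account only.
setup_homedir() {
    umask 077
    mkdir -p "$1"
    chmod 700 "$1"
}

# write_keygen_params FILE NAME EMAIL: GnuPG unattended key-generation
# parameters. %no-protection yields a secret key with no passphrase at all.
write_keygen_params() {
    cat > "$1" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# audit_homedir DIR: return 0 if DIR and everything inside it carry no group
# or world permission bits (columns 5-10 of "ls -ld" are all '-'); otherwise
# list the offending paths on stderr and return 1.
audit_homedir() {
    bad=$(find "$1" -print | while read -r p; do
        case $(ls -ld "$p" | cut -c5-10) in
            ------) ;;                  # owner-only: fine
            *) printf '%s\n' "$p" ;;    # anything else: report it
        esac
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/group\/world-accessible: /' >&2
        return 1
    fi
    return 0
}

# demo: generate the key, encrypt and decrypt a constructed message with no
# passphrase anywhere, then audit the homedir. Needs gpg on PATH.
demo() {
    work=$(mktemp -d)
    home="$work/gnupg"          # stands in for a real service homedir
    setup_homedir "$home"
    write_keygen_params "$work/params" "backup daemon" "backup@example.invalid"
    gpg --batch --homedir "$home" --gen-key "$work/params" || return 1
    printf 'constructed sample message\n' > "$work/secret.txt"
    # --trust-model always: the demo key is freshly made and not yet trusted
    gpg --batch --homedir "$home" --yes --trust-model always \
        --recipient backup@example.invalid \
        --output "$work/secret.gpg" --encrypt "$work/secret.txt" || return 1
    gpg --batch --homedir "$home" --yes \
        --output "$work/secret2.txt" --decrypt "$work/secret.gpg" || return 1
    cmp -s "$work/secret.txt" "$work/secret2.txt" && echo "round trip OK"
    audit_homedir "$home" && echo "homedir permissions OK"
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
    demo
else
    echo "gpg not on PATH; skipping the GnuPG round trip" >&2
fi
```

The point of audit_homedir is the post's last paragraph: once no passphrase exists, the keyring directory is the single secret, so a cron job or deployment check that it and its contents stay owner-only is the whole control. Anything the audit reports (a pubring or secret key that became group-readable, a homedir created with the wrong umask) is exactly the exposure that a passphrase in a script would not have protected against either.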