Symmetric encryption from shell script/cron job?
William M. Shubert
wms@igoweb.org
Sun May 27 19:26:01 2001
Hi. I need to do symmetric encryption from a cron job, and gnupg seems
like a good way to do it, except that it insists on reading the
passphrase from a terminal and there is no terminal when it is a cron
job! I need to be able to feed the passphrase in through stdin or by
having it read from a file.
Now I know that usually it is a really, REALLY bad idea to have shell
scripts lying around that know how to read passphrases for symmetric
encryption. But in this case, I think I have a good reason. Here's my
situation:
I have one computer that I trust quite well. I am admin there, and I try
to always be careful to keep up to date on security patches etc. BUT I
have no backup device. I *do* have access to another system where I can
save my backups - but this other system I know is not secure at all!
Many users have terrible passwords, the software is ancient and probably
missing many important security updates, etc. I am not an admin on this
insecure system so I can't fix these problems.
What I want to do is have a nightly cron job tar up the files that I
need to back up, encrypt them, then copy this encrypted tar file to the
insecure system. Usually the danger of having shell scripts that can get
to passwords/symmetric key phrases is that once somebody can get access
to the shell script they know your password - but in this case, once
somebody can get at my shell script the whole point is moot because then
they can access all the files that I want to back up anyway. So it would
be so nice if I could write a cron job like:
tar jcf - /files/needing/backup | \
gpg -c --passphrase-from-file passphrase.txt | \
ssh me@insecure-system.com cat '>backup.tar.bz2.gpg'
Looks pretty spiffy, doesn't it? Is there any way to get gnupg to work
in a script like this? Or is there some other tool that would do the job
better? I know about a few other tools that can do symmetric encryption,
but gpg seems to be one of the better supported tools, and I'd rather
use something that I can trust I will find easily if I ever need to
unpack my backups.
--
Bill Shubert (wms@igoweb.org)
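A cron-safe version of the pipeline the post sketches, as an added example that is not part of the original message. It assumes a GnuPG new enough to have `--batch`, `--symmetric`, `--passphrase-fd` and `--pinentry-mode loopback` (GnuPG 2.1 or later; on 1.x or 2.0, drop `--pinentry-mode`). The passphrase is handed to gpg on a file descriptor rather than the command line, so it is never visible in `ps`, and the script refuses to run unless the passphrase file is readable only by its owner, since under cron that file mode is the only thing standing between the other accounts on the trusted host and the backups. The remote host, user and paths are placeholders, and the passphrase file used in the check is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1 or newer
# (for --pinentry-mode loopback); remote host, user and paths are placeholders.
set -eu

# Refuse a passphrase file that other users can read. Under cron the passphrase
# must live in a file, so the file's mode is the whole access control: if it is
# group- or world-readable, every account on the host can decrypt the backups.
# Returns 0 for a regular file with mode 0400 or 0600, 1 otherwise.
check_passphrase_file() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat first, then BSD/macOS stat
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Encrypt stdin to stdout. The passphrase is read from file descriptor 3, which
# is opened on the passphrase file here, so it never appears on the command line
# (where `ps` would show it) and no terminal is needed.
encrypt_stream() {
    pf=$1
    check_passphrase_file "$pf" || { echo "refusing: $pf must be mode 0600" >&2; return 1; }
    gpg --batch --quiet --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-fd 3 3< "$pf"
}

# Inverse operation for restores: decrypt stdin to stdout with the same file.
decrypt_stream() {
    pf=$1
    check_passphrase_file "$pf" || { echo "refusing: $pf must be mode 0600" >&2; return 1; }
    gpg --batch --quiet --decrypt \
        --pinentry-mode loopback --passphrase-fd 3 3< "$pf"
}

# The pipeline from the post, run non-interactively: tar, encrypt, ship over ssh.
# $1 = directory to back up, $2 = passphrase file, $3 = user@host, $4 = remote path
backup_to_remote() {
    src=$1; pf=$2; remote=$3; dest=$4
    tar cjf - "$src" | encrypt_stream "$pf" | ssh "$remote" "cat > '$dest'"
}

# Example invocation with placeholder values, e.g. from a crontab entry:
# backup_to_remote /files/needing/backup /root/.backup-passphrase \
#     me@insecure-system.example backup.tar.bz2.gpg
#
# Restore later with:
# ssh me@insecure-system.example cat backup.tar.bz2.gpg \
#     | decrypt_stream /root/.backup-passphrase | tar xjf -
```

Two caveats for running this from cron: the ssh step needs a key without a passphrase (or an agent), so give the job its own key and restrict what that key may do on the remote side; and keep the passphrase file outside the directory being backed up, otherwise the encrypted archive carries its own key.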