Security of message when private key is exposed but password isn't?
Nick Hall
NickHall@flashmail.com
Wed Aug 28 12:12:02 2002
I have an application in a semi-automated environment using
gnupg. It's required that data be encrypted regularly and
stored in a database automatically, without anyone having
to type in a password, but when the data is retrieved, it
is done manually by someone typing in a password on the
console. The way I'm currently doing this is that I have
created a single public/private key pair and messages are
encrypted with that key as the recipient and also the
sender. This enables messages to be encrypted without the
use of the secret password and be decrypted with it. My
question is, is this a good practice? The private key is
kept secure but I want to assume that someone obtains it
somehow -- since the password is not stored on disk, is
my data still secure? I'm fine with knowing that my data
is a little less secure than if no one had the secure key
since gnupg encrypts messages so highly anyway, but would
the message still be decently secure since the password
is secure? Thanks for any advice,
Nick
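
For the scenario in the post above (secret-key file exposed, passphrase never stored on disk), what stands between the file and the key material is the OpenPGP string-to-key step. This added example is not part of the original post and is not GnuPG's code; it implements the iterated and salted S2K of RFC 4880 section 3.7.1.3. The function names, the salt, the coded count, the SHA-1 hash and 16-octet key length, and the passphrases are assumptions constructed for the demonstration.

```python
import hashlib

def s2k_count(coded: int) -> int:
    """Decode the one-octet iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def iterated_salted_s2k(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int = 16, hash_name: str = "sha1") -> bytes:
    """Derive the symmetric key that protects OpenPGP secret-key material."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    data = salt + passphrase
    # The count is in octets hashed; one full salt+passphrase is always hashed.
    total = max(s2k_count(coded), len(data))
    reps, tail = divmod(total, len(data))
    key, context = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)   # context n is preloaded with n zero octets
        for _ in range(reps):
            h.update(data)
        h.update(data[:tail])
        key += h.digest()
        context += 1
    return key[:key_len]

# Constructed sample values (assumptions, not taken from any real key).
SALT = bytes.fromhex("0123456789abcdef")   # stored in clear in the key file
CODED_COUNT = 96                           # stored in clear; decodes to 65536

def protection_key(passphrase: str) -> bytes:
    """Key for the secret-key packet, given only what is NOT on disk."""
    return iterated_salted_s2k(passphrase.encode("utf-8"), SALT, CODED_COUNT)

if __name__ == "__main__":
    print("octets hashed per derivation:", s2k_count(CODED_COUNT))
    print("key from passphrase A:", protection_key("correct horse battery").hex())
    print("key from passphrase B:", protection_key("correct horse batterz").hex())
```

The salt and count are stored unencrypted next to the protected key material, so the passphrase is the only input to this derivation that is not in the key file.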