DO's and DON'Ts about using gpg on the internet?

Thu Jan 24 18:20:02 2002


I need to install gpg on a server which will be used simply to encyrpt data 
received from a web form and sent as an e-mail through a cgi program.  I 
only need to installe the public key ring since it will be maintained off-site.

I've been looking on the net for a HOW TO or a set of DO's and 
DON'Ts  reviewing the best way to install and access gpg (or pgp for that 
matter) via a web form and it all seems to be in bits and pieces in the 

Here are my questions to thrash this out.

a. gpg needs to run as setuid in order to lock memory pages preventing the 
os writing memory pages to disk.

Q1. How secure is the setuid when run through a cgi script. I suppose this 
is os and version number dependent.  Comments on this is appreciated.

Q2. The public key ring is best owned by root. Is this true?

(In my case it can be done but hypothetically for virtually hosted sites 
this may not be true?)

Q3. Where should the userid for the public key be stored and who should own 
it. ie should it be in a data file owned by root, an intermediate user with 
no telnet/ssh/ftp access or just in the cgi program owned by user.

Q4. Will a firewall help to protect the keyring. Can a firewall help in 

These are few questions that have come to mind (there could be more) but it 
would help me to understand the limitations of using gpg on the internet 
and if this could be organized into How to; or at least some DON'Ts (which 
people are doing) and a set of DO's (with the alternatives.)