encrypting and signing a file without a passphrase

James R. Hendrick Jim_Hendrick@KEANE-NNE.com
Mon Feb 10 03:05:02 2003


In a UNIX shell, if "paswd.txt" has the password, you would do 
"gpg --passphrase-fd 3 <other options> 3< /<path>/<to>/paswd.txt"

The "3" is simply a file descriptor like STDIN or STDOUT, 
and the "3<" tells the shell to take the file and feed it to file descriptor
3.

Note: storing a password like this is very bad for security. You have taken
the strength of the cryptography and reduced it to the strength of whoever
has access to "paswd.txt".

If you need to do something like this so it can run unattended, you should
create short-lived keys to do the encrypting.

Something like:

You create a key for "Feb Key" with an expiration lifetime of one month.
You have a "Steve Kwong" key that uses a strong passphrase that you keep
secret and safe.

You sign the "Steve Temp Key0" with the "Steve Kwong" key.

You put the passphrase to "Steve Temp Key0" in the file.

When "Steve Temp Key0" expires, you create a new one "Steve Temp Key2" or
whatever (you can use the same name. This is just for illustration)

If you suspect "Steve Temp Key0" has been compromised, you simply revoke it
and create a new one.

People know it is your key as long as you don't sign any other "Steve Temp
Keys".

You never expose your real key, but you can use the "Steve Temp Keys"
unattended.

Jim
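As an added illustration (not part of the thread), the script below shows the "3< file" mechanism Jim describes with a stand-in for gpg so it runs anywhere, plus the ownership check his warning implies: the passphrase file must not be readable by anyone but the owner. The function names, the check and the sample passphrase value are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread. gpg is replaced by read_fd3 so the
# script runs without it; the real invocation would be of the form
#   gpg --passphrase-fd 3 <other options> 3< "$passfile"

# Stand-in for gpg: consumes one line from descriptor 3, which is exactly
# where "gpg --passphrase-fd 3" looks. Nothing is read from stdin.
read_fd3() {
    IFS= read -r pass <&3 || return 1
    printf '%s\n' "$pass"
}

# The cryptography is now only as strong as whoever can read the file, so
# refuse any passphrase file with group or other permission bits set.
check_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)   # the six group+other mode characters
    [ "$mode" = "------" ]
}

# Runs the whole sequence against a constructed passphrase file and prints
# what the stand-in read from descriptor 3. Non-zero if the file is too open.
demo() {
    passfile=$(mktemp) || return 1                      # mktemp creates it 0600
    printf '%s\n' 'example-passphrase' > "$passfile"    # constructed value
    check_perms "$passfile" || { rm -f "$passfile"; return 2; }
    read_fd3 3< "$passfile"    # the shell opens the file on fd 3 for this call
    rc=$?
    rm -f "$passfile"
    return $rc
}

demo
```

Replace `read_fd3` with the real gpg command line and the `3< "$passfile"` redirection stays the same.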

-----Original Message-----
From: Steve Kwong [mailto:stevek@intergate.bc.ca] 
Sent: Sunday, February 09, 2003 5:21 PM
To: gnupg-users@gnupg.org
Subject: Re: encrypting and signing a file without a passphrase


I read about --passphrase-fd n, but I do not know what value to specify for
the file descriptor.  If I have a temporary file called, pswd.txt,
containing the passphrase, what value do I specify for the file descriptor,
and how will gpg know the name of the file it needs to read to get the
passphrase.

Steve
----- Original Message -----
From: "James R. Hendrick" <Jim_Hendrick@KEANE-NNE.com>
To: "'Steve Kwong'" <stevek@intergate.bc.ca>; <gnupg-users@gnupg.org>
Sent: Sunday, February 09, 2003 12:56 PM
Subject: RE: encrypting and signing a file without a passphrase


> man gpg
>
> ...
>
>
> --passphrase-fd n
> Read the passphrase from file descriptor n. If you use 0 for n, the 
> passphrase will be read from stdin. This can only be used if only one 
> passphrase is supplied.  Don't use this option if you can avoid it.
>
>
> ...
>
>
>
>
> -----Original Message-----
> From: Steve Kwong [mailto:stevek@intergate.bc.ca]
> Sent: Sunday, February 09, 2003 12:43 PM
> To: gnupg-users@gnupg.org
> Subject: Fw: encrypting and signing a file without a passphrase
>
>
>  Hi all,
>
>  I am using version 1.2.1.  Can someone help me with the following:
>
>  I would like to send encrypt and sign a file without having to enter
> a passphrase each time.  I could not find a way to pass the passphrase as
> an argument to GPG.   In the FAQ, there was some mention (article 4.14)
> about a batch process and removing the passphrase using --edit.  I tried
> that, but when I entered:
>      gpg --edit foo
>
>   I had no means of editing foo.
>
>  Any ideas how I can encrypt and sign a file without having to enter
> my passphrase?
>
>  Steve
>  stevek@intergate.bc.ca
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org 
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
