Script with sensitive info

Ben Finney ben@benfinney.id.au
Thu Jul 24 01:37:02 2003


On 23-Jul-2003, kynn@panix.com wrote:
> I want to write a Perl script whose operation requires it to have some
> sensitive information (bank account passwords, etc.).  This script is
> meant to run non-interactively, so having it prompt the user for this
> information is not an option.

The problem as you present it is no longer technological in nature, so
don't expect any technological solution to be a good fit.

The point of passphrases, etc., is to ensure that the person to be
authenticated is actually present at the computer, consciously deciding
to perform the requested action.  If you expect to automate this, you
break the authentication part of the scheme; you no longer have a strong
assurance that the human to whom the authentication information
corresponds is actually requesting the action.

(This applies, of course, to interactive authentication also; but in
that case, the presence of a human allows much stronger authentication
to be performed and thus the assurance is that much stronger.)

> Is there a way to use Gnupg to solve the problem of protecting this
> script?

As explained in other responses, any automated process must have
complete information to carry out the process; thus, the authentication
information, or information sufficient to get at that information, will
be accessible.

The problem then is sociological: how do you make it more trouble to get
at that information than it is worth?  This is not something that can be
solved unilaterally with a technological measure.

The fact that you want it automated means the authentication is that
much weaker.

-- 
 \       "As far as the laws of mathematics refer to reality, they are |
  `\    not certain, and as far as they are certain, they do not refer |
_o__)                                 to reality."  -- Albert Einstein |
ben@benfinney.id.au F'print 9CFE12B0 791A4267 887F520C B7AC2E51 BD41714B
