GPG decryption within shell scripts.

Steve Butler sbutler@fchn.com
Tue Jul 29 16:43:01 2003


> From: Anyabwile, Ayi Q [mailto:aqa24188@GlaxoWellcome.com]
> What's the best way to set up decryption from a shell script without having
> to place the text of the pass-phrase within the script itself?

The best way is not to!  Please understand that this shop does what you are
asking.  But, it's still not the best way since somebody could gain access
to the box and hijack your secret key (and leave the original behind for you
to use) without your knowledge.

There are two ways with adherents in both camps.  Pick one:

1.  Remove the pass phrase from your secret key.  Use the --batch and
--no-tty options.  Your script will not need to know the pass phrase as
there isn't one.  However, your secret key is vulnerable to anybody who can
read your keyring.

2.  Place your secret key in a file (if you encrypt it how will you decrypt
it?) and do something like:

cat pass_phrase_file | \
gpg --homedir "$homedir" --passphrase-fd 0 --no-tty --output "$out_file" \
    --decrypt "$in_file"

You might gzip the pass_phrase_file and use zcat instead of cat to add some
false security.  But, anybody more than a casual observer will locate and
have your pass phrase.


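Both options from the reply above, carried through end to end against a throwaway keyring, as an added example that is not part of the original message. It assumes GnuPG 2.1 or later, where --passphrase-fd is only honoured together with --pinentry-mode loopback (the 2003 command line predates that requirement); the user IDs, the pass phrase, and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original message): both options from the reply
# above, run end to end against a throwaway keyring. Assumes GnuPG 2.1 or
# later; the key names, pass phrase and file names are constructed here.
set -eu

# GnuPG 2.1+ only honours --passphrase-fd when pinentry is in loopback mode;
# the 2003 command line predates that requirement.
GPG_BATCH="gpg --batch --no-tty --yes --pinentry-mode loopback"

# Option 2: decrypt IN_FILE to OUT_FILE with the pass phrase read on fd 0
# from PASS_FILE. A redirect (rather than 'cat file |') keeps the phrase
# out of argv, where a --passphrase option would show up in the process list.
gpg_decrypt_with_pass_file() {
    pass_file=$1; in_file=$2; out_file=$3
    $GPG_BATCH --passphrase-fd 0 --output "$out_file" --decrypt "$in_file" \
        < "$pass_file"
}

# Option 1: the secret key has no pass phrase, so --batch --no-tty suffices.
gpg_decrypt_no_passphrase() {
    in_file=$1; out_file=$2
    $GPG_BATCH --output "$out_file" --decrypt "$in_file"
}

# Encrypt PLAIN to OUT for RECIPIENT; the keys live in the fresh GNUPGHOME,
# so the generated key is already ultimately trusted.
gpg_encrypt_to() {
    recipient=$1; plain=$2; out=$3
    $GPG_BATCH --recipient "$recipient" --output "$out" --encrypt "$plain"
}

# Build a temporary keyring with one key per option, round-trip a message
# through each, and print the two recovered plaintexts.
demo_roundtrip() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    # Stop the agent that gpg auto-starts for this homedir, then remove it.
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    pass_file=$GNUPGHOME/pass_phrase_file
    printf '%s\n' 'constructed demo pass phrase' > "$pass_file"
    chmod 600 "$pass_file"   # anyone who can read this file has the key

    # Key for option 2, protected by the pass phrase stored in the file.
    $GPG_BATCH --passphrase-fd 0 \
        --quick-gen-key 'Option Two <two@example.invalid>' default default never \
        < "$pass_file"
    # Key for option 1, deliberately left without a pass phrase.
    $GPG_BATCH --passphrase '' \
        --quick-gen-key 'Option One <one@example.invalid>' default default never

    printf 'secret payload\n' > "$GNUPGHOME/plain.txt"
    gpg_encrypt_to two@example.invalid "$GNUPGHOME/plain.txt" "$GNUPGHOME/two.gpg"
    gpg_encrypt_to one@example.invalid "$GNUPGHOME/plain.txt" "$GNUPGHOME/one.gpg"

    gpg_decrypt_with_pass_file "$pass_file" "$GNUPGHOME/two.gpg" "$GNUPGHOME/two.txt"
    gpg_decrypt_no_passphrase "$GNUPGHOME/one.gpg" "$GNUPGHOME/one.txt"
    cat "$GNUPGHOME/two.txt" "$GNUPGHOME/one.txt"
}
```

Run it as `demo_roundtrip`; it prints the recovered plaintext once per option. Neither path changes the point made in the reply: the pass phrase file and the unprotected key are each as good as the secret key to anyone who can read the keyring directory, so a dedicated --homedir with mode 0700 and a 0600 pass phrase file only narrow who that is. Feeding the phrase on fd 0 is still preferable to a --passphrase argument, which any local user can read from the process list while gpg runs.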