GPG decryption within shell scripts.

Steve Butler sbutler@fchn.com
Tue Jul 29 17:18:01 2003


See correction below

-----Original Message-----
From: Steve Butler [mailto:sbutler@fchn.com]
Sent: Tuesday, July 29, 2003 7:44 AM
To: 'Anyabwile, Ayi Q'; gnupg-users@gnupg.org
Subject: RE: GPG decryption within shell scripts.

> From: Anyabwile, Ayi Q [mailto:aqa24188@GlaxoWellcome.com]
> What's the best way to set up decryption from a shell script without
> having to place the text of the pass-phrase within the script itself?

The best way is not to!  Please understand that this shop does what you are
asking.  But, it's still not the best way since somebody could gain access
to the box and hijack your secret key (and leave the original behind for you
to use) without your knowledge.

There are two ways with adherents in both camps.  Pick one:

1.  Remove the pass phrase from your secret key.  Use the --batch and
--no-tty options.  Your script will not need to know the pass phrase as
there isn't one.  However, your secret key is vulnerable to anybody who can
read your keyring.

2.  Place your secret key in a file (if you encrypt it how will you decrypt
it?) and do something like:

  <<Make that 'pass phrase for your secret key' instead of 'secret key'>>

cat pass_phrase_file | \
gpg --homedir "$homedir" --passphrase-fd 0 --no-tty --output "$out_file" \
    --decrypt "$in_file"

You might gzip the pass_phrase_file and use zcat instead of cat to add some
false security.  But, anybody more than a casual observer will locate and
have your pass phrase.


CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is
for the sole use of the intended recipient(s) and may contain confidential
and privileged information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original
message.


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

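Option 2 from the post, written out as a small POSIX sh wrapper. This is an added example, not code from the original message: it feeds the pass phrase to gpg on fd 0 by redirection (no `cat`, so no extra process holding the secret), and before doing so it refuses to run unless the pass phrase file is a regular file owned by the caller with no group or other permission bits, which is the "anybody who can read the file" caveat the post raises, turned into a check. The function names, variable names, the `--batch` flag and the file names are assumptions for illustration; on GnuPG 2.1 or later, `--passphrase-fd` additionally needs `--pinentry-mode loopback`.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the
# "pass phrase in a file + --passphrase-fd 0" approach so the script
# aborts when the pass phrase file is readable by anyone but its owner.

# check_passphrase_file FILE
# Returns 0 only if FILE is a regular file, owned by the invoking user,
# and has no group/other permission bits (e.g. mode 0400 or 0600).
check_passphrase_file() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "not owned by current user: $f" >&2; return 1; }
    # 'ls -ld' prints e.g. "-rw-------"; characters 5-10 are the
    # group and other permission bits, which must all be '-'.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "pass phrase file is too permissive ($perms): $f" >&2
        return 1
    fi
    return 0
}

# decrypt_with_file PASS_FILE IN_FILE OUT_FILE
# Decrypts IN_FILE into OUT_FILE with the pass phrase stored in PASS_FILE.
# The pass phrase reaches gpg on fd 0 via redirection, so it never appears
# on the command line (and therefore never in 'ps' output).
decrypt_with_file() {
    pass_file="$1"; in_file="$2"; out_file="$3"
    check_passphrase_file "$pass_file" || return 1
    # GnuPG 2.1+: add --pinentry-mode loopback for --passphrase-fd to work.
    gpg --batch --no-tty --passphrase-fd 0 \
        --output "$out_file" --decrypt "$in_file" < "$pass_file"
}

# Usage (assumed file names):
#   decrypt_with_file /etc/backup/gpg_pass backup.gpg backup.tar
```

The check deliberately fails closed: a file that is mode 0644, or that belongs to another account, is rejected before gpg is ever invoked, which turns a silent exposure into a visible script failure that can be alerted on.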