GPG decryption within shell scripts.

Ben Finney
Wed Jul 30 00:49:02 2003

On 28-Jul-2003, Anyabwile, Ayi Q wrote:
> What's the best way to set up decryption from a shell script without
> having to place the text of the pass-phrase within the script itself?

Any automated process that's going to use your key must have complete
information to unlock the key.  Thus, automating the process removes
whatever security the passphrase gives.
Your choices are:

  - Don't automate the process.  If you want the security provided by
    a passphrase, you must get a human to interactively authenticate
    using it.

  - Don't encrypt the file.  You might as well not encrypt the file at
    all if you're not going to interactively check that an authorised
    person is accessing it.

  - Don't set a passphrase on the key.  This results in a far less
    secure key, but it will at least not give you false illusions of

In short: once you automate the use of crypto, your authentication model
is reduced to the one used to access the files involved in the automated
process.  In which case, why use encryption at all?

 \     "I thought I'd begin by reading a poem by Shakespeare, but then |
  `\        I thought 'Why should I? He never reads any of mine.'"  -- |
_o__)                                                   Spike Milligan |
Ben Finney <>
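As an added example (not from Ben's post or from GnuPG itself), a POSIX shell script for the third option above, a key with no passphrase, written so that the reduced security model is explicit: before `gpg` runs unattended it checks that the key store and the ciphertext are readable only by their owner, because once the passphrase is gone, file access is the whole authentication model. The `gpg` options used are real; the function names, the dedicated `GNUPGHOME` directory, and the file paths are assumptions for illustration, and `gpg` is assumed to be on `PATH`.

```shell
#!/bin/sh
# Added example, not part of the original message. Demonstrates the
# "no passphrase on the key" option with the file-permission checks that
# such a setup actually depends on. Names and paths are assumptions.
set -eu

# Return 0 if PATH exists and grants no permission bits to group or others.
# Handles GNU stat (-c) and BSD/macOS stat (-f); fails closed otherwise.
owner_only() {
    path=$1
    [ -e "$path" ] || return 1
    if mode=$(stat -c '%a' "$path" 2>/dev/null); then :
    elif mode=$(stat -f '%Lp' "$path" 2>/dev/null); then :
    else return 1
    fi
    # Leading 0 makes the shell read the mode as octal; mask group+other bits.
    perm=$(( 0$mode & 077 ))
    [ "$perm" -eq 0 ]
}

# Decrypt CIPHERTEXT into OUTPUT with the passphrase-less key kept in the
# dedicated GnuPG home GNUPGHOME_DIR. Refuses to run unless both the key
# store and the ciphertext are owner-only, since those permissions are now
# the only thing standing between an attacker with file access and the key.
decrypt_unattended() {
    gnupghome_dir=$1
    ciphertext=$2
    output=$3
    owner_only "$gnupghome_dir" || {
        echo "refusing: $gnupghome_dir is readable by group or others" >&2
        return 2
    }
    owner_only "$ciphertext" || {
        echo "refusing: $ciphertext is readable by group or others" >&2
        return 2
    }
    # --batch/--no-tty: never prompt; with no passphrase on the key, gpg
    # can unlock it without pinentry. --yes overwrites an existing OUTPUT.
    GNUPGHOME=$gnupghome_dir gpg --batch --no-tty --yes \
        --output "$output" --decrypt "$ciphertext"
}

# Usage (assumed layout): ./decrypt.sh /var/lib/app/gnupg secret.gpg secret.txt
if [ $# -eq 3 ]; then
    decrypt_unattended "$1" "$2" "$3"
fi
```

The point of the wrapper is not that it makes an unattended key safe, but that it names the control you are relying on instead: if `owner_only` fails, the script stops before it touches the key, which is the check an operator would otherwise forget to make.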