GPG decryption within shell scripts.
Wed Jul 30 00:49:02 2003
On 28-Jul-2003, Anyabwile, Ayi Q wrote:
> What's the best way to set up decryption from a shell script without
> having to place the text of the pass-phrase within the script itself?

Any automated process that's going to use your key must have complete
information to unlock the key. Thus, automating the process removes
whatever security the passphrase gives.

Your choices are:

- Don't automate the process. If you want the security provided by
  a passphrase, you must get a human to interactively authenticate

- Don't encrypt the file. You might as well not encrypt the file at
  all if you're not going to interactively check that an authorised
  person is accessing it.

- Don't set a passphrase on the key. This results in a far less
  secure key, but it will at least not give you false illusions of

In short: once you automate the use of crypto, your authentication model
is reduced to the one used to access the files involved in the automated
process. In which case, why use encryption at all?

\ "I thought I'd begin by reading a poem by Shakespeare, but then |
`\ I thought 'Why should I? He never reads any of mine.'" -- |
_o__) Spike Milligan |
Ben Finney <email@example.com>
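
The reply's closing point, that an automated job's authentication model reduces to the access control on the files it uses, can be checked directly. The script below is an added example, not part of the original message: a POSIX shell audit of who besides the owner can read or replace the files an unattended gpg job depends on. The function names and the paths passed to them are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The paths audited are whatever
# an unattended gpg job reads with no human present: a passphrase-less secret
# key, a passphrase file, the script itself. All names here are hypothetical.

# mode_of PATH -> symbolic mode string from ls, e.g. "-rw-------"
mode_of()  { ls -ldn -- "$1" | awk 'NR==1 {print substr($1, 1, 10)}'; }
# owner_of PATH -> numeric uid of the owner
owner_of() { ls -ldn -- "$1" | awk 'NR==1 {print $3}'; }

# audit_path PATH -> prints one line per finding; returns 1 if any, else 0
audit_path() {
    p=$1; bad=0
    [ -e "$p" ] || { echo "MISSING $p"; return 1; }
    if [ -L "$p" ]; then echo "SYMLINK $p"; bad=1; fi

    # Any group/other bit set means accounts other than the owner can reach
    # the secret, so they are part of the real authentication model.
    m=$(mode_of "$p")
    if [ "$(printf %s "$m" | cut -c5-10)" != "------" ]; then
        echo "OPEN $p ($m)"; bad=1
    fi
    if [ "$(owner_of "$p")" != "$(id -u)" ]; then
        echo "FOREIGN-OWNER $p"; bad=1
    fi

    # A parent directory writable by group/other lets them replace the file,
    # unless the sticky bit (t/T in the last position) is set.
    d=$(dirname -- "$p"); dm=$(mode_of "$d")
    case $dm in
        ?????w???[!tT]|????????w[!tT]) echo "PARENT-WRITABLE $d ($dm)"; bad=1 ;;
    esac
    return "$bad"
}

# audit_all PATH... -> returns the number of paths with findings
audit_all() {
    n=0
    for f in "$@"; do audit_path "$f" || n=$((n + 1)); done
    return "$n"
}
```

Run `audit_all` over every file the job touches before scheduling it; a non-zero status is the count of paths that widen access beyond the job's own account.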