GPG decryption within shell scripts.

Ben Finney ben@benfinney.id.au
Wed Jul 30 00:49:02 2003


On 28-Jul-2003, Anyabwile, Ayi Q wrote:
> What's the best way to set up decryption from a shell script without
> having to place the text of the pass-phrase within the script itself?

Any automated process that's going to use your key must have complete
information to unlock the key.  Thus, automating the process removes
whatever security the passphrase gives.

    <http://marc.theaimsgroup.com/?l=gnupg-users&m=105900532531018&w=2>

Your choices are:

  - Don't automate the process.  If you want the security provided by
    a passphrase, you must get a human to interactively authenticate
    using it.

  - Don't encrypt the file.  You might as well not encrypt the file at
    all if you're not going to interactively check that an authorised
    person is accessing it.

  - Don't set a passphrase on the key.  This results in a far less
    secure key, but it will at least not give you false illusions of
    security.

In short: once you automate the use of crypto, your authentication model
is reduced to the one used to access the files involved in the automated
process.  In which case, why use encryption at all?

-- 
 \     "I thought I'd begin by reading a poem by Shakespeare, but then |
  `\        I thought 'Why should I? He never reads any of mine.'"  -- |
_o__)                                                   Spike Milligan |
Ben Finney <ben@benfinney.id.au>

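As an added example that is not part of the original post and not GnuPG's own documentation, the following script shows the third option above (a key with no passphrase) on GnuPG 2.1 or later, and makes the reduction Ben describes visible: once the key is unprotected, nothing is left between an attacker and the plaintext except read access to the keyring directory. The user ID, file names and the keyring-permission guard are assumptions made up for illustration; the script expects a modern `gpg` (with `gpgconf`) in PATH.

```shell
#!/bin/sh
# Added example, not code from the original post or from the GnuPG project.
# Demonstrates unattended decryption with a passphrase-less key on GnuPG 2.1+.
# Assumptions: a modern gpg/gpgconf in PATH; user ID and file names are invented.
set -eu

# Throwaway keyring. mktemp -d creates it mode 0700: that directory permission
# is now the ONLY thing protecting the private key.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive key generation with an empty passphrase. --batch together
# with --pinentry-mode loopback is what makes gpg honour --passphrase at all;
# an empty passphrase yields an unprotected private key.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'unattended-job@example.invalid' default default never

# Constructed plaintext (sample data for this example), encrypted to that key.
printf 'secret payload\n' > "$GNUPGHOME/plain.txt"
gpg --batch --quiet --yes --trust-model always \
    --recipient 'unattended-job@example.invalid' \
    --output "$GNUPGHOME/plain.txt.gpg" --encrypt "$GNUPGHOME/plain.txt"
rm "$GNUPGHOME/plain.txt"

# The unattended decryption step a cron job or pipeline would call. There is
# no secret here beyond read access to $GNUPGHOME: exactly the reduction the
# post describes, from "knows the passphrase" to "can read these files".
decrypt_batch() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$1"
}

# Guard a practitioner would add (hypothetical helper): refuse to run if the
# keyring directory is readable by anyone else, since that directory's mode
# is the whole security boundary once the passphrase is gone.
# Tries GNU stat first, then BSD/macOS stat.
keyring_is_private() {
    [ "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" = "700" ]
}

keyring_is_private "$GNUPGHOME" || {
    echo "refusing to decrypt: $GNUPGHOME is not mode 0700" >&2
    exit 1
}
decrypt_batch "$GNUPGHOME/plain.txt.gpg"
```

The only difference between this script and one that embeds the passphrase in plain text is where the secret lives; in both cases, whoever can read the job's files can decrypt, which is the point of the post. The permission guard does not restore the passphrase's protection; it merely fails loudly when even the file-access model has been weakened.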