GPG decryption within shell scripts. - another option?

James R. Hendrick hendrick@keane-nne.com
Wed Jul 30 13:14:02 2003 

I agree that giving key passphrases to an automated process puts the
burden of security elsewhere (like within the security of the system
where the passphrase is stored for example).

I disagree that it removes whatever security the passphrase gives.

Consider this process as a possible workaround:

Use two pairs of keys in the file exchange process.

Automated Key "A" - used for encryption/decryption - passphrase stored
on disk - key limited to short lifetime

Admin Key "A" - used to sign Automated Key "A" and Automated Key "B" -
passphrase stored in admin's brain :-)

Automated Key "B" - used for encryption/decryption - passphrase stored
on disk - key limited to short lifetime

Admin Key "B" - used to sign Automated Key "A" and Automated Key "B" -
passphrase stored in admin's brain :-)

This way the automated processes use the automated keys whose
passphrases are stored on disk which should be as well protected as the
policies of the systems allow.

The automated keys timeout according to whatever is deemed appropriate
for the data, the systems involved, and the paranoia of the admins.

Before they expire, new automated keys are generated/exchanged/signed
(note: this can be done securely using the admin keys)

If compromise is suspected, the automated key is revoked and a new one
generated/signed "early".


Admittedly not a totally seamless process, but:
 - it eliminates the need for encryption/authentication on the transfer
itself
 - it provides for file-level security with built-in timeout for the
encrypted files
 - it allows an override by admins if compromise is suspected
 - it only requires GnuPG or something compatible on both ends
 - it assumes nothing about the transfer method (ftp, email, shared
filesystems, etc. etc. all work)

Clearly using human authentication is much better, but this does provide
the ability to do lots of files "after-hours".


Just another possibility.

Jim


-----Original Message-----
From: Ben Finney [mailto:ben@benfinney.id.au]=20
Sent: Tuesday, July 29, 2003 6:51 PM
To: 'gnupg-users@gnupg.org'
Subject: Re: GPG decryption within shell scripts.


On 28-Jul-2003, Anyabwile, Ayi Q wrote:
> What's the best way to set up decryption from a shell script without=20
> having to place the text of the pass-phrase within the script itself?

Any automated process that's going to use your key must have complete
information to unlock the key.  Thus, automating the process removes
whatever security the passphrase gives.

    =
<http://marc.theaimsgroup.com/?l=3Dgnupg-users&m=3D105900532531018&w=3D2>=


Your choices are:

  - Don't automate the process.  If you want the security provided by
    a passphrase, you must get a human to interactively authenticate
    using it.

  - Don't encrypt the file.  You might as well not encrypt the file at
    all if you're not going to interactively check that an authorised
    person is accessing it.

  - Don't set a passphrase on the key.  This results in a far less
    secure key, but it will at least not give you false illusions of
    security.

In short: once you automate the use of crypto, your authentication model
is reduced to the one used to access the files involved in the automated
process.  In which case, why use encryption at all?

--=20
 \     "I thought I'd begin by reading a poem by Shakespeare, but then |
  `\        I thought 'Why should I? He never reads any of mine.'"  -- |
_o__)                                                   Spike Milligan |
Ben Finney <ben@benfinney.id.au>