Newbie question - how to include the pass phrase in the command

Johan Wevers johanw@vulcan.xs4all.nl
Tue Jun 10 03:25:27 2003


Ping Kam wrote:

> First, I am not sure if the secret key is encrypted.  Is there a way to find
> out?

Yes, if you want to use it and gpg asks for a password, it is encrypted. If
you sign something you need your secret key so it needs to be decrypted if
it's encrypted. To encrypt, you need the recipient's public key, and public
keys are not encrypted. They need not be.

> And how to encrypt the secret key?

gpg --edit-key <keyID>

then use the commands "passwd", "save", "quit".

> Second, which secret key?  Our secret key, the recipient key, or both?

You have only access to your own secret key. Whether the recipient has a
password on his secret key is irrelevant for your setup. You don't have
access to that key anyway (unless there's something wrong).

> Third, it seems like pass phrase is required only if I want to encrypt and
> sign the file.  It is not required to encrypt the file with signing.

No, to encrypt you only need unencrypted public keys.

>> Not that I don't agree that
>> passing it via a file descriptor is safer,

> I really doubt this.  Don't you think passing the pass phrase via parameters
> is safer than reading it from a separate file?

No. But the current situation leads to people removing the password from the
secret key completely because they don't know how to use file descriptors in
VB, which is an even more unsafe situation.

> The problem I have is that I can't find any
> documentation about this fd option.  It is not in the list of help.

Try gpg --dump-options. It will show you really all options, even those that
are not in the standard help.

> But I think it will be safer if the pass phrase is provided via parameter
> instead of from a hardcoded non-standard place.

On a single-user box like a Windows machine, yes. On a multi-user Unix
machine, some users can view the complete command lines of all commands,
which would give away the password. My POV is that the coder of an
application that uses gpg should decide which threat is the greatest,
since he knows his target box the best, but the gpg developers seem to
disagree.

-- 
ir. J.C.A. Wevers         //  Physics and science fiction site:
johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
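The point made above about command lines being visible to other users on a multi-user Unix box, and the earlier remark about passing the passphrase over a file descriptor instead, can be checked directly. The following script is an added example and is not part of the mailing-list post: it starts a dummy `sh` child in place of gpg (so it runs without gpg installed), hands it a constructed secret once as an argument and once over stdin (file descriptor 0), and reads the child's command line back the way any local user could, from `/proc/<pid>/cmdline` on Linux or `ps -o args=` elsewhere. The `hunter2-constructed` value and the helper names are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Compares two ways of handing a
# secret to a child process: as a command-line argument (readable by other
# local users via ps or /proc) and over a file descriptor (stdin here), which
# is what gpg's --passphrase-fd option is for. A dummy sh child stands in for
# gpg; assumes a Linux-style /proc or a working ps.

# Print the command line of process $1 as one space-separated string.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Look for the string $2 in the command line of background process $1,
# then stop that process. Prints "exposed" or "hidden".
inspect_and_reap() {
    sleep 1                                   # give the child time to start
    line=$(cmdline_of "$1") || true
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
    case "$line" in
        *"$2"*) echo exposed ;;
        *)      echo hidden ;;
    esac
}

# Variant 1: the secret is an argument. The two-statement -c string keeps the
# shell from exec'ing sleep directly, so the sh process (and its argv) is
# what we inspect.
secret_via_argument() {
    sh -c 'sleep 10; :' dummy "$1" &
    inspect_and_reap $! "$1"
}

# Variant 2: the secret is written to the child's stdin (fd 0). The child's
# argv never contains it, so ps and /proc show nothing useful.
secret_via_fd() {
    printf '%s\n' "$1" | sh -c 'read -r s; sleep 10; :' &
    inspect_and_reap $! "$1"
}

# The same pattern applied to gpg (not executed here; gpg may be absent):
#   printf '%s\n' "$passphrase" | gpg --batch --passphrase-fd 0 --sign file.txt
# GnuPG 2.1 and later also need --pinentry-mode loopback for this to work.

echo "argument: $(secret_via_argument hunter2-constructed)"   # exposed
echo "fd:       $(secret_via_fd hunter2-constructed)"         # hidden
```

The first line prints `exposed` because the secret sits in the child's argv; the second prints `hidden` because a pipe's contents are not part of any process's command line. A passphrase read from fd 0 is still in the process's memory, so this only closes the `ps` channel the post is worried about, not every way a co-tenant with more privileges could get at it.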