Newbie question - how to include the pass phrase in the command

Ping Kam pkam@quikcard.com
Tue Jun 10 20:46:03 2003


Hi:

Thanks for your reply.  With help from Steve Butler via private email, I got
the recipient's key trusted and solved most of the problem.

The dump option is very interesting.  Unfortunately, there is no explanation
and example so I can't figure out how to use those options.

Thanks,
Ping Kam



----- Original Message -----
From: "Johan Wevers" <johanw@vulcan.xs4all.nl>
To: "GnuPG users" <gnupg-users@gnupg.org>
Sent: Monday, June 09, 2003 5:48 PM
Subject: Re: Newbie question - how to include the pass phrase in the command


> Ping Kam wrote:
>
> > First, I am not sure if the secret key is encrypted.  Is there a way to find
> > out?
>
> Yes, if you want to use it and gpg asks for a password, it is encrypted.  If
> you sign something you need your secret key so it needs to be decrypted if
> it's encrypted. To encrypt, you need the recipient's public key, and public
> keys are not encrypted. They need not be.
>
> > And how to encrypt the secret key?
>
> gpg --edit-key <keyID>
>
> then use the commands "passwd", "save", "quit".
>
> > Second, which secret key?  Our secret key, the recipient key, or both?
>
> You have only access to your own secret key. Whether the recipient has a
> password on his secret key is irrelevant for your setup. You don't have
> access to that key anyway (unless there's something wrong).
>
> > Third, it seems like pass phrase is required only if I want to encrypt and
> > sign the file.  It is not required to encrypt the file with signing.
>
> No, to encrypt you only need unencrypted public keys.
>
> >> Not that I don't agree that
> >> passing it via a file descriptor is safer,
>
> > I really doubt this.  Don't you think passing the pass phrase via parameters
> > is safer than reading it from a separate file?
>
> No. But the current situation leads to people removing the password from the
> secret key completely because they don't know how to use file descriptors in
> VB, which is an even more unsafe situation.
>
> > The problem I have is that I can't find any
> > documentation about this fd option.  It is not in the list of help.
>
> Try gpg --dump-options. It will show you really all options, even those that
> are not in the standard help.
>
> > But I think it will be safer if the pass phrase is provided via parameter
> > instead of from a hardcoded non-standard place.
>
> On a single-user box like a windows machine, yes. On a multi-user Unix
> machine, some users can view the complete commandlines of all commands,
> which would give away the password. My POV is that the coder of an
> application that uses gpg should decide which threat is the greatest,
> since he knows his target box the best, but the gpg developers seem to
> disagree.
>
> --
> ir. J.C.A. Wevers         //  Physics and science fiction site:
> johanw@vulcan.xs4all.nl   //  http://www.xs4all.nl/~johanw/index.html
> PGP/GPG public keys at http://www.xs4all.nl/~johanw/pgpkeys.html
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
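The point Johan makes above, that on a multi-user Unix box the full command line of every process is readable by other users, can be checked directly. The script below is an added example, not code from this thread or from the GnuPG project. It uses a constructed stand-in passphrase ("hunter2") and a backgrounded "sleep" in place of gpg so that the leak can be observed without a keyring; the gpg_sign_encrypt function at the end shows the same --passphrase-fd pattern with the real tool and assumes a secret key in your keyring, a trusted recipient key, and a passphrase file readable only by you.

```shell
#!/bin/sh
# Added example, not from the thread.  Demonstrates why a passphrase passed as
# a command-line argument is readable by other local users, and how passing it
# on an inherited file descriptor (gpg's --passphrase-fd) avoids that.
# "hunter2" is a constructed stand-in passphrase; a backgrounded "sleep" stands
# in for gpg so the demonstration runs without gpg or a keyring.

SECRET='hunter2'   # constructed sample value, not a real passphrase

# Print the full command line of a process, the way any local user can read
# it (via /proc on Linux, or ps elsewhere).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Succeeds (exit 0) if the secret appears in the process's command line.
secret_visible() {
    cmdline_of "$1" | grep -q -- "$SECRET"
}

# Bad: passphrase as an argument.  The long-running child plays the role of
# gpg; its command line is readable by everyone while it runs.
leaks_via_argument() {
    sh -c 'sleep 3' gpg-stand-in --passphrase "$SECRET" &
    pid=$!
    sleep 1                      # give the child time to exec
    secret_visible "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return $rc
}

# Good: passphrase on an inherited fd.  The command line only says "3"; the
# child reads the secret from that descriptor, as gpg --passphrase-fd 3 does.
leaks_via_fd() {
    sh -c 'read -r pass <&3; sleep 3' gpg-stand-in --passphrase-fd 3 3<<EOF &
$SECRET
EOF
    pid=$!
    sleep 1
    secret_visible "$pid"; rc=$?
    kill "$pid" 2>/dev/null; wait "$pid" 2>/dev/null
    return $rc
}

# The same pattern with the real tool.  Assumes (not shown in the thread) a
# secret key in the keyring, the recipient's key marked trusted, and the
# passphrase stored in a file readable only by this user (chmod 600).
# Usage: gpg_sign_encrypt RECIPIENT INFILE PASSFILE   -> writes INFILE.gpg
gpg_sign_encrypt() {
    gpg --batch --yes --passphrase-fd 3 \
        --recipient "$1" --sign --encrypt --output "$2.gpg" "$2" 3< "$3"
}

# Run the demonstration when executed directly.
if leaks_via_argument; then
    echo "argument: passphrase is visible in the process list"
fi
if leaks_via_fd; then
    echo "fd: passphrase is visible (unexpected)"
else
    echo "fd: passphrase is not visible in the process list"
fi
```

The passphrase file still has to be protected by file permissions, which is the trade-off the thread describes; what the fd approach buys is that the secret never appears in the process list. On GnuPG 2.1 and later, --passphrase-fd only takes effect together with --pinentry-mode loopback, otherwise gpg hands the prompt to gpg-agent instead.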