How To: Create a batch mode, signed, encrypted file on AIX?
Alexander Komarov
toor at izardsnest.org
Tue Apr 20 16:18:25 CEST 2004
I am using this:
echo password | gpg .... --passphrase-fd 0
Could anybody suggest if it is secure?
Quoting Jon.Morisey at serono.com:
> Hi all,
>
> I am new to GNU and have a question regarding their encryption tools. I
> have an options file in place. How can I encrypt and sign a file in batch
> mode in the most secure way?
>
> I have considered:
> GPG=`/usr/local/bin/gpg --encrypt ${FILE_TO_ENCRYPT}<<EOF
> ${GNUGPPASS}
> EOF`
> that doesn't work
>
> I also checked:
> /usr/local/bin/gpg --encrypt --passphrase-fd ${GNUPASSFILE} ${FILE_TO_ENCRYPT}
> this one is always waiting for input, I have not been able to get it
> to read from the file containing the passphrase. Does anyone know how to
> make it accept the passphrase from the file descriptor parameter?
>
> I know that is not so secure anyway so I also found:
> http://www.gnupg.org/(en)/documentation/faqs.html
> this one fails for me on step 3. The command errors out. Does anyone
> know how to make this one work?
>
>
>
> 4.14) How can I use GnuPG in an automated environment?
> You should use the option --batch and don't use passphrases as there is
> usually no way to store it more securely than on the secret keyring
> itself. The suggested way to create keys for an automated environment is:
> On a secure machine:
> 1. If you want to do automatic signing, create a signing subkey for your key
> (use the interactive key editing menu by issuing the command 'gpg
> --edit-key keyID', enter "addkey" and select the DSA key type).
> 2. Make sure that you use a passphrase (needed by the current
> implementation).
> 3. gpg --export-secret-subkeys --no-comment foo >secring.auto
> 4. Copy secring.auto and the public keyring to a test directory.
> 5. Change to this directory.
> 6. gpg --homedir . --edit foo and use "passwd" to remove the passphrase from
> the subkeys. You may also want to remove all unused subkeys.
> 7. Copy secring.auto to a floppy and carry it to the target box.
> On the target machine:
> 1. Install secring.auto as the secret keyring.
> 2. Now you can start your new service. It's also a good idea to install an
> intrusion detection system so that you hopefully get a notice of a
> successful intrusion, so that you in turn can revoke all the subkeys
> installed on that machine and install new subkeys.
>
>
> Regards,
>
> Jon Morisey, OCP
> Serono, Project Manager
> One Technology Place, Rockland, MA 02370
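
As an added illustration of the `--passphrase-fd` usage discussed in this thread (not code from either poster or from the GnuPG project): the option takes a file descriptor number rather than a file name, so here the shell opens the passphrase file on descriptor 3 and gpg is told to read that descriptor. `passfile_ok`, `sign_encrypt` and their arguments are hypothetical names, and the gpg path is the one used in the thread.

```shell
#!/bin/sh
# Added example: feed gpg its passphrase on a dedicated file descriptor.
# --passphrase-fd takes a descriptor NUMBER, so the shell opens the file
# (3<file) and gpg reads descriptor 3. Stdin stays free and the passphrase
# never appears in the process arguments or in the script text.

GPG=${GPG:-/usr/local/bin/gpg}   # path as used in the thread

# Return 0 only if the passphrase file is a regular, non-symlink file
# owned by the caller with no group/other permission bits set.
passfile_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] && [ -O "$f" ] || return 1
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld -- "$f" | cut -c5-10)
    [ "$mode" = "------" ]
}

# sign_encrypt PASSFILE RECIPIENT INFILE OUTFILE  (hypothetical helper)
sign_encrypt() {
    passfile=$1 recipient=$2 infile=$3 outfile=$4
    if ! passfile_ok "$passfile"; then
        echo "refusing to use $passfile: fix owner/mode (chmod 600)" >&2
        return 2
    fi
    # GnuPG 2.1 and later also need: --pinentry-mode loopback
    "$GPG" --batch --no-tty --passphrase-fd 3 \
        --recipient "$recipient" --output "$outfile" \
        --sign --encrypt "$infile" 3<"$passfile"
}
```

The permission check runs before gpg is started, so a passphrase file readable by group or others is rejected with exit status 2 instead of being used.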