How To: Create a batch mode, signed, encrypted file on AIX?
Ken T Takusagawa
kenta at MIT.EDU
Wed Apr 21 16:28:34 CEST 2004
Someone running the "ps" command at just the right time will
see the command "echo password" in the list of processes,
thereby learning your password.
Maybe if you are the only user of your machine, and you
aren't too paranoid, then it's an OK thing to do.
The point about --passphrase-fd is that it expects a number,
not a file name.
--ken
On Tue, 20 Apr 2004, Alexander Komarov wrote:
> I am using this:
> echo password | gpg .... --passphrase-fd 0
> Could anybody suggest if it is secure?
>
> Quoting Jon.Morisey at serono.com:
> > Hi all,
> >
> > I am new to GNU and have a question regarding their encryption tools? I
> > have an options file in place. How can I encrypt and sign a file in batch
> > mode in the most secure way?
> >
> > I have considered:
> > GPG=`/usr/local/bin/gpg --encrypt ${FILE_TO_ENCRYPT}<<EOF
> > ${GNUGPPASS}
> > EOF`
> > that doesn't work
> >
> > I also checked:
> > /usr/local/bin/gpg --encrypt --passphrase-fd ${GNUPASSFILE}
> > ${FILE_TO_ENCRYPT}
> > this one is always waiting for input, I have not been able to get it
> > to read from the file containing the passphrase. Does anyone know how to
> > make it accept the passphrase from the file descriptor parameter?
> >
> > I know that is not so secure anyway so I also found:
> > http://www.gnupg.org/(en)/documentation/faqs.html
> > this one fails for me on step 3. The command errors out. Does anyone
> > know how to make this one work?
> >
> >
> >
> > 4.14) How can I use GnuPG in an automated environment?
> > You should use the option --batch and don't use passphrases as there is
> > usually no way to store it more securely than on the secret keyring
> > itself. The suggested way to create keys for an automated environment is:
> > On a secure machine:
> > 1. If you want to do automatic signing, create a signing subkey for your
> > key
> > (use the interactive key editing menu by issuing the command 'gpg
> > --edit-key keyID', enter "addkey" and select the DSA key type).
> > 2. Make sure that you use a passphrase (needed by the current
> > implementation).
> > 3. gpg --export-secret-subkeys --no-comment foo >secring.auto
> > 4. Copy secring.auto and the public keyring to a test directory.
> > 5. Change to this directory.
> > 6. gpg --homedir . --edit foo and use "passwd" to remove the passphrase
> > from
> > the subkeys. You may also want to remove all unused subkeys.
> > 7. Copy secring.auto to a floppy and carry it to the target box.
> > On the target machine:
> > 1. Install secring.auto as the secret keyring.
> > 2. Now you can start your new service. It's also a good idea to install
> > an
> > intrusion detection system so that you hopefully get a notice of a
> > successful intrusion, so that you in turn can revoke all the subkeys
> > installed on that machine and install new subkeys.
> >
> >
> > Regards,
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
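As an added example (not code from any poster in this thread), the following POSIX sh script shows what Ken's point about --passphrase-fd means in practice: the option takes a descriptor number, and the caller attaches the passphrase file to that descriptor with a redirect, so the passphrase is never part of any command line. The passphrase file path, recipient and file names are placeholders; a gpg binary on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Demonstrates "--passphrase-fd N":
# N is a file descriptor number, and "N< passfile" on the gpg command
# connects that descriptor to the passphrase file. Paths are placeholders.

# Refuse a passphrase file that anyone but its owner can read.
# Uses ls -l rather than stat so the check is the same on AIX, BSD and GNU.
check_passfile_mode() {
    passfile=$1
    case $(ls -ld "$passfile") in
        -r??------*) return 0 ;;   # -rw------- or -r-------- only
        *) echo "refusing: $passfile must be mode 0600 or 0400" >&2; return 1 ;;
    esac
}

# Read one line from descriptor N, which is what gpg does internally for
# --passphrase-fd N. Included so the descriptor mechanism can be tried
# without gpg installed:   read_passphrase_fd 3 3< passfile
read_passphrase_fd() {
    fd=$1
    IFS= read -r line <&$fd || return 1
    printf '%s\n' "$line"
}

# Sign and encrypt INFILE for RECIPIENT unattended. The secret key's
# passphrase arrives on fd 3 (attached with "3< passfile"), so "ps" sees
# only the gpg options, never the passphrase. On GnuPG 2.1 and later,
# --pinentry-mode loopback is also required for --passphrase-fd to work.
# With a passphrase-less subkey installed as in the FAQ quoted above,
# drop "--passphrase-fd 3" and the "3<" redirect entirely.
sign_and_encrypt() {
    infile=$1; outfile=$2; recipient=$3; passfile=$4
    check_passfile_mode "$passfile" || return 1
    gpg --batch --no-tty --yes \
        --passphrase-fd 3 \
        --output "$outfile" \
        --sign --encrypt --recipient "$recipient" "$infile" 3< "$passfile"
}

# Usage with placeholder names (hypothetical files and recipient):
# sign_and_encrypt report.txt report.txt.gpg recipient@example.com "$HOME/.gpg-pass"
```

Because the redirect is set up by the shell before gpg starts, the passphrase is only ever visible to a process that can already read the 0600 file, which is the same trust boundary the FAQ describes for a secret keyring without a passphrase.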