How to decide which private key to use?

Ryan Malayter rmalayter at bai.org
Tue Dec 7 18:45:58 CET 2004


[Neil Williams]
> Any time you store passphrases for an automated process, it's as bad as
> having no passphrase at all. Anyone who gains access to the machine can
> locate the stored passphrase and the secret key file.

Unless, of course, you use a good code-obfuscation tool to munge the
program that stores a hard-coded passphrase and passes it to GnuPG.

Using code obfuscation is marginally more secure than no passphrase from
a practical standpoint, but not from a theoretical one. Still,
decompiling and picking apart obfuscated and string-encrypted code from
a tool like Preemptive's DashO is another hurdle for the attacker to go
through, and may give you that much more time to notice that your server
has been compromised and take remedial action.
