Automated processes

John M Church john.m.church at lmco.com
Fri Apr 7 18:39:10 CEST 2006


I wasn't thinking of encrypting the passphrase with gpg. I have on 
occasion embedded a password in a perl script and then encrypted that 
portion of the script via Perl module Filter::CBC. The script upon 
execution decrypts on-the-fly w/o the need for a passphrase. A user can 
never decrypt it though so you have to keep a nonencrypted backup of 
your script (w/o the password of course).

John_inDenver
Benjamin Mord wrote:

>(Don't encrypt the passphrase - if you do, then you still need a
>passphrase to decrypt the passphrase, etc... etc...)
>
>Asymmetric cryptography can be extremely handy for automated
>encryption/decryption scenarios. For example, I sometimes have a
>somewhat vulnerable general-purpose machine encrypt data using only a
>public key, and write it somewhere shared. Then I'll have a tightly
>secured single-purpose machine later read and decrypt that data for some
>purpose. This is analogous to a one-way mail drop, where you trust the
>mailman more than the general public. I use this technique in scenarios
>where although both machines are somewhat trusted, one machine is
>more trusted than the other. This way the machine that does the
>encryption has no knowledge of how to decrypt, so that if compromised,
>only the data that it processes from point of compromise going forward
>is in any kind of danger. (At this point you've reduced the security
>problem to one of monitoring or periodic cleaning, e.g. periodic reboots
>while running off read-only media.) The second machine is entrusted with
>knowledge of how to decrypt, but in exchange it is tightly secured and
>specialized for a single task.
>
>Ben
>
>-----Original Message-----
>From: gnupg-users-bounces at gnupg.org
>[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of John M Church
>Sent: Friday, April 07, 2006 10:16 AM
>To: johnmoore3rd at joimail.com; GnuPG Users List
>Subject: Re: Automated processes
>
>I think it's simplistic to just brush-off this request as a user who 
>wants convenience.  There are very valid reasons for automated 
>decryption.  I'm working a similar project (and have my own issue - see 
>"Automated Decryption via Script Running Setuid" written 4/5/06).  Seems
>to me if you protect your script and you are behind a firewall you're 
>not 'trading security for convenience'.  You can even encrypt the 
>passphrase in your script if you're afraid someone with sudo or root 
>privileges could open your script.
>
>John_inDenver
>
>John W. Moore III wrote:
>
>>
>>jkaye wrote:
>>
>>>I know that for PGP, there's an environment setting that
>>>can be used to prevent this.  Is there a similar thing for
>>>GnuPG, or do I have to jump through some hoops?  
>>
>>Hmm.....Let me see if I've understood you.  You desire to use GPG for
>>security 'Point to Point' then swap security for convenience on your
>>end?
>>
>>My suggestion would be to either switch to Thunderbird w/Enigmail as
>>your MUA.  You can set Enigmail to 'remember' your passphrase for a
>>specified length of time or until you Close the program.
>>
>>JOHN ;)
>>Timestamp: Thursday 06 Apr 2006, 19:42  --400 (Eastern Daylight Time)
>>
>>_______________________________________________
>>Gnupg-users mailing list
>>Gnupg-users at gnupg.org
>>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
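The one-way "mail drop" Ben describes, as an added shell example that is not from this thread: the exposed host is given only a public key, so unlike a passphrase or password embedded in a script, a compromise there yields nothing that can decrypt what it already wrote. It assumes GnuPG 2.1 or later; the two keyrings, the reader's user id and all file paths are constructed for the demo.

```shell
# Added example (not from the thread): two throwaway GNUPGHOMEs stand in for the
# two machines. Assumes gpg 2.1+ (%no-protection); names and paths are constructed.
set -eu
WORK=$(mktemp -d)
READER="$WORK/reader-home"      # tightly secured, single-purpose decrypt host
DROP="$WORK/drop-home"          # exposed general-purpose host: encrypt only
mkdir -m 700 "$READER" "$DROP"
READER_UID="reader@example.invalid"   # constructed address

# Reader host: unprotected key pair, since an automated process cannot type a
# passphrase; hardening the host is what protects the secret key instead.
gen_reader_key() {
    gpg --homedir "$READER" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: reader
Name-Email: $READER_UID
Expire-Date: 0
%commit
EOF
}
# Drop host is provisioned with the public key only, so it can never decrypt.
provision_drop_host() {
    gpg --homedir "$READER" --batch --export --armor "$READER_UID" > "$WORK/reader.pub"
    gpg --homedir "$DROP" --batch --quiet --import "$WORK/reader.pub"
}
# Drop host encrypts $1 into $2; --trust-model always accepts the provisioned
# key without a web-of-trust decision, which a batch job cannot make.
drop_encrypt() {
    gpg --homedir "$DROP" --batch --quiet --trust-model always \
        --recipient "$READER_UID" --output "$2" --encrypt "$1"
}
# Succeeds only if the drop host FAILS to decrypt $1 (it holds no secret key).
drop_cannot_decrypt() {
    ! gpg --homedir "$DROP" --batch --quiet --decrypt "$1" >/dev/null 2>&1
}
# Reader host decrypts $1 and prints the plaintext.
reader_decrypt() {
    gpg --homedir "$READER" --batch --quiet --decrypt "$1" 2>/dev/null
}

gen_reader_key
provision_drop_host
printf 'captured record 42\n' > "$WORK/record.txt"   # constructed sample input
drop_encrypt "$WORK/record.txt" "$WORK/record.gpg"
```

In a real deployment the two homedirs live on two hosts and only `$WORK/reader.pub` and the `.gpg` files ever cross between them.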


