Automated processes

Ryan Malayter ryan at malayter.com
Sun Apr 9 15:25:34 CEST 2006


On 4/7/06, John M Church <john.m.church at lmco.com> wrote:
> Qed/Ryan et al,
> Do either of you guys do automated decryption?  This doesn't seem to be
> addressed in the FAQ - just automated signing.  I'm open to suggestions.

I do use GnuPG for automated decryption for one batch process. To do
so, I use a low-value, single-purpose key that has *no pass phrase*
and very strict permissions on the secring.gpg file. This file is then
placed in a folder that is encrypted at the file system level (using
Windows EFS).

I think this is about as secure as you can make automatic decryption
without trusted hardware being involved. An attacker with the ability
to run code using the same account as my script would be able to read
the secret key from the encrypted file system.

Using the --passphrase-fd option would offer roughly the same security
- that is, permissions on the script file would be your only
protection, just as the permissions on secring.gpg are my only real
protection.
--
   RPM
=========================
All problems can be solved by diplomacy, but violence and treachery
are equally effective, and more fun.
      -Anonymous
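The approach described above (a passphrase-less, single-purpose key whose only real protection is the permissions on the secret keyring, or alternatively --passphrase-fd) can be turned into a fail-closed batch script. The following is an added example, not code from this thread or from the GnuPG project; it assumes a POSIX shell with GNU or BSD stat (the original poster uses Windows EFS, which this script does not model), a GnuPG 1.4-style secring.gpg, and a hypothetical ciphertext file name. The script refuses to decrypt at all unless the secret keyring is owner-only, so a loosened permission mistake surfaces as a failure rather than as silent exposure.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed automated decryption with a
# passphrase-less key. For GnuPG >= 2.1 the secret material lives in
# private-keys-v1.d instead of secring.gpg; adjust the path checked below.
set -eu

# check_secret_perms FILE : succeed only if FILE exists, is owned by the
# current user, and grants no group/other permission bits (0600 or stricter).
check_secret_perms() {
    f=$1
    [ -f "$f" ] || return 1
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Last two octal digits must be 00: no group and no other access.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# decrypt_batch HOMEDIR IN OUT : decrypt IN to OUT non-interactively using the
# passphrase-less key in HOMEDIR. Refuses to run if the keyring is not locked down.
decrypt_batch() {
    homedir=$1; in=$2; out=$3
    check_secret_perms "$homedir/secring.gpg" || {
        echo "refusing: $homedir/secring.gpg is not owner-only (0600)" >&2
        return 1
    }
    gpg --homedir "$homedir" --batch --no-tty --yes \
        --output "$out" --decrypt "$in"
}

# decrypt_with_passphrase_file HOMEDIR IN OUT PWFILE : the --passphrase-fd
# variant from the thread. The passphrase file is the secret here, so it gets
# the same permission check as the keyring would. GnuPG 2.1+ additionally
# needs --pinentry-mode loopback for this to work unattended.
decrypt_with_passphrase_file() {
    homedir=$1; in=$2; out=$3; pwfile=$4
    check_secret_perms "$pwfile" || {
        echo "refusing: $pwfile is not owner-only (0600)" >&2
        return 1
    }
    gpg --homedir "$homedir" --batch --no-tty --yes --passphrase-fd 3 \
        --output "$out" --decrypt "$in" 3< "$pwfile"
}

# Usage (hypothetical file names):
#   decrypt_batch "$HOME/.gnupg" incoming.gpg incoming.txt
#   decrypt_with_passphrase_file "$HOME/.gnupg" incoming.gpg incoming.txt /etc/batch/pw
```

Both functions share one property the thread points out: whoever can run code as the batch account can read the key or the passphrase file, so the permission check limits exposure to that account rather than eliminating it. Running the job under a dedicated account that owns nothing else keeps that blast radius small.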