Automated processes

Benjamin Mord bmord at iconnicholson.com
Fri Apr 7 17:20:26 CEST 2006


(Don't encrypt the passphrase - if you do, then you still need a
passphrase to decrypt the passphrase, etc... etc...)

Asymmetric cryptography can be extremely handy for automated
encryption/decryption scenarios. For example, I sometimes have a
somewhat vulnerable general-purpose machine encrypt data using only a
public key, and write it somewhere shared. Then I'll have a tightly
secured single-purpose machine later read and decrypt that data for some
purpose. This is analogous to a one-way mail drop, where you trust the
mailman more than the general public. I use this technique in scenarios
where although both machines are somewhat trusted, one machine is
more trusted than the other. This way the machine that does the
encryption has no knowledge of how to decrypt, so that if compromised,
only the data that it processes from point of compromise going forward
is in any kind of danger. (At this point you've reduced the security
problem to one of monitoring or periodic cleaning, e.g. periodic reboots
while running off read-only media.) The second machine is entrusted with
knowledge of how to decrypt, but in exchange it is tightly secured and
specialized for a single task.

Ben
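The one-way mail drop Ben describes, as an added example that is not from the original post or from GnuPG: the secured machine generates the key pair and hands out only the public key; the general-purpose machine encrypts with that public key alone (a fresh AES-256-GCM key per record, wrapped with RSA-OAEP); only the holder of the private key can read the drop. The function names, the blob layout and the sample record are all my own constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to this blob format (constructed value).
var oaepLabel = []byte("drop-v1")

// GenerateDropKey runs once on the tightly secured machine. Only the returned
// public-key PEM is copied to the general-purpose machine; the private key
// never leaves the secured host.
func GenerateDropKey() (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// DropEncrypt runs on the less-trusted machine and needs only the public key.
// Blob layout: [2-byte wrapped-key length][RSA-OAEP wrapped AES key]
//              [GCM nonce][GCM ciphertext + tag]
func DropEncrypt(pubPEM, plaintext []byte) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block in PEM")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("public key is not RSA")
	}
	dek := make([]byte, 32) // fresh data-encryption key per record
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
	if err != nil {
		return nil, err
	}
	var hdr [2]byte
	binary.BigEndian.PutUint16(hdr[:], uint16(len(wrapped)))
	out := append(hdr[:], wrapped...)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, nil), nil
}

// DropDecrypt runs on the secured machine, the only holder of the private key.
// Any modification of the blob in the shared location makes GCM reject it.
func DropDecrypt(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("blob too short")
	}
	n := int(binary.BigEndian.Uint16(blob[:2]))
	rest := blob[2:]
	if len(rest) < n {
		return nil, errors.New("blob truncated")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rest[:n], oaepLabel)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	if len(rest) < n+aead.NonceSize() {
		return nil, errors.New("blob truncated")
	}
	nonce := rest[n : n+aead.NonceSize()]
	return aead.Open(nil, nonce, rest[n+aead.NonceSize():], nil)
}

func main() {
	priv, pubPEM, _ := GenerateDropKey()             // secured machine
	blob, _ := DropEncrypt(pubPEM, []byte("sample")) // general-purpose machine
	got, err := DropDecrypt(priv, blob)              // secured machine
	fmt.Println(string(got), err)
}
```

The security property is structural rather than configurational: nothing in `DropEncrypt` can recover the data-encryption key once it is wrapped, so compromising the encrypting host exposes only records it processes from that point forward, exactly the reduction Ben describes.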

-----Original Message-----
From: gnupg-users-bounces at gnupg.org
[mailto:gnupg-users-bounces at gnupg.org] On Behalf Of John M Church
Sent: Friday, April 07, 2006 10:16 AM
To: johnmoore3rd at joimail.com; GnuPG Users List
Subject: Re: Automated processes

I think it's simplistic to just brush-off this request as a user who 
wants convenience.  There are very valid reasons for automated 
decryption.  I'm working a similar project (and have my own issue - see 
"Automated Decryption via Script Running Setuid" written 4/5/06).  Seems
to me if you protect your script and you are behind a firewall you're 
not 'trading security for convenience'.  You can even encrypt the 
passphrase in your script if you're afraid someone with sudo or root 
privileges could open your script.

John_inDenver

John W. Moore III wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>jkaye wrote:
>
>>I know that for PGP, there's an environment setting that
>>can be used to prevent this.  Is there a similar thing for
>>GnuPG, or do I have to jump through some hoops?  
>
>Hmm.....Let me see if I've understood you.  You desire to use GPG for
>security 'Point to Point' then swap security for convenience on your end?
>
>My suggestion would be to either switch to Thunderbird w/Enigmail as
>your MUA.  You can set Enigmail to 'remember' your passphrase for a
>specified length of time or until you Close the program.
>
>JOHN ;)
>Timestamp: Thursday 06 Apr 2006, 19:42  --400 (Eastern Daylight Time)
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.4-4094cvs: (MingW32)
>Comment: Public Key at:  http://tinyurl.com/8cpho
>Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
>Comment: Homepage:  http://tinyurl.com/9ubue
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iQEcBAEBCAAGBQJENadvAAoJEBCGy9eAtCsPcecIAKLnkCbOlXQR7sWASIE0oaD7
>8Kf7rMw+Me2CSNujNCG6hqPOr4Uh9fhrfAtSVnqoSuq9t96SR5XRpfm7b46K+P3j
>1wLoYlwvEhpflhQaMe4x9awWEZDL4LUWswFU2Q9R/h3eDGyxAbXK1CR5vJ22XewJ
>25aUAlvYyndcN9G9LPDM6ypOgjKE/+/WAZ06Jegqh9oFQc7tENR0NwfQvi192411
>prOXFa3y8A46gswtffdK16FPDJiGiSmFgO+iq+tgWGYkMndH9mtHkY/r2vgBHoPZ
>xB/j9IWw33baG5Qe+XqZl8hkr5C8AVKZE+1KJjmx0lFM/SBSboYChDgPrJadAnA=
>=++kk
>-----END PGP SIGNATURE-----
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
