Need non-writable --homedir
Josef Wolf
jw at raven.inka.de
Sun Sep 10 22:44:58 CEST 2006
Hello!
I need a setup where the user running "gpg -e -r foobar" is not able to
modify keyring contents. I tried:
# chown -R root:user ~user/.gnupg
# chmod -R u=rwX,g=rX,o= ~user/.gnupg
Unfortunately, this doesn't work because gpg does some write operations
in its .gnupg directory:
1. It locks the keyring. --lock-never will avoid this. Is it safe
to use --lock-never as long as it is guaranteed that _only_ "gpg -e"
is ever run? No key generation, no imports, no signing. Only
"gpg -e". Is this safe?
2. There's the random_seed file. It is modified at every run. How can
I handle this? I bet it would be a security problem should someone
be able to read this file. Would it be possible to put it into a
different directory?
3. gpg writes temporary files into ~/.gnupg while encrypting.
Any ideas?