Need non-writable --homedir
Robert J. Hansen
rjh at sixdemonbag.org
Mon Sep 11 00:36:33 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Josef Wolf wrote:
> 1. It locks the keyring. --lock-never will avoid this. Is it safe
> to use --lock-never as long as it is guaranteed that _only_ "gpg -e"
> is ever run? No key generation, no imports, no signung. Only
> "gpg -e". Is this safe?
Locking is a concurrency mechanism. As such, as long as you can
guarantee that only one process will ever use the keyring, you should be
fine regardless of what you do.
Concurrent encryptions should be safe as well.
> 2. There's the random_seed file. It is modified at every run.
With good reason. Random number generation is important, and if you
keep the same seed values it's possible for the same values to be
generated, in which case it's not very random at all.
> Any ideas?
My first idea, and I think the best suggestion, is to look into
rearchitecting your solution so that this kind of lockdown isn't
necessary. Barring that, I'll defer other suggestions to the core GnuPG
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Gnupg-users