Need non-writable --homedir

Robert J. Hansen rjh at sixdemonbag.org
Mon Sep 11 00:36:33 CEST 2006



Josef Wolf wrote:
>  1. It locks the keyring.  --lock-never will avoid this.  Is it safe
>     to use --lock-never as long as it is guaranteed that _only_ "gpg -e" 
>     is ever run?  No key generation, no imports, no signing. Only
>     "gpg -e".  Is this safe?

Locking is a concurrency mechanism.  As such, as long as you can
guarantee that only one process will ever use the keyring, you should be
fine regardless of what you do.

Concurrent encryptions should be safe as well.

>  2. There's the random_seed file.  It is modified at every run.

With good reason.  Random number generation is important, and if you
keep the same seed values it's possible for the same values to be
generated, in which case it's not very random at all.

> Any ideas?

My first idea, and I think the best suggestion, is to look into
rearchitecting your solution so that this kind of lockdown isn't
necessary.  Barring that, I'll defer other suggestions to the core GnuPG
developers.





