Need non-writable --homedir

Remco Post at
Mon Sep 11 08:14:14 CEST 2006

Josef Wolf wrote:
> Hello!
> I need a setup where the user running "gpg -e -r foobar" is not able to
> modify keyring contents.  I tried:
>   # chown -R root:user     ~user/.gnupg
>   # chmod -R o=rwX,g=rX,o= ~user/.gnupg
> Unfortunately, this don't work because gpg does some write operations
> in its .gnupg directory:
>  1. It locks the keyring.  --lock-never will avoid this.  Is it safe
>     to use --lock-never as long as it is guaranteed that _only_ "gpg -e" 
>     is ever run?  No key generation, no imports, no signung. Only
>     "gpg -e".  Is this safe?
>  2. There's the random_seed file.  It is modified at every run.  How can
>     I handle this?  I bet it would be a security problem should someone
>     be able to read this file.  Would it be possible to put it into a
>     different directory?
>  3. gpg writes temporary files into ~/.gnupg while encrypting.
> Any ideas?

use --keyring, --secret-keyring together with --no-default-keyring (see
the manpage) to store the keyrings on some ro media/place and leave the
homedir alone? You could even put that in the users (ro) gpg.conf.

> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

Met vriendelijke groeten,

Remco Post

SARA - Reken- en Netwerkdiensten            
High Performance Computing  Tel. +31 20 592 3000    Fax. +31 20 668 3167
PGP Key fingerprint = 6367 DFE9 5CBC 0737 7D16  B3F6 048A 02BF DC93 94EC

"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams

More information about the Gnupg-users mailing list