Need non-writable --homedir

Josef Wolf jw at raven.inka.de
Mon Sep 11 21:49:42 CEST 2006


Thanks for your response, Robert!

On Sun, Sep 10, 2006 at 05:36:33PM -0500, Robert J. Hansen wrote:
> Josef Wolf wrote:
> >  1. It locks the keyring.  --lock-never will avoid this.  Is it safe
> >     to use --lock-never as long as it is guaranteed that _only_ "gpg -e" 
> >     is ever run?  No key generation, no imports, no signing. Only
> >     "gpg -e".  Is this safe?
> 
> Locking is a concurrency mechanism.  As such, as long as you can
> guarantee that only one process will ever use the keyring, you should be
> fine regardless of what you do.
> 
> Concurrent encryptions should be safe as well.

OK.

> >  2. There's the random_seed file.  It is modified at every run.
> 
> With good reason.  Random number generation is important, and if you
> keep the same seed values it's possible for the same values to be
> generated, in which case it's not very random at all.

I wondered why /dev/random is not used.

It seems that "gpg -e --no-random-seed-file --lock-never -r foobar" does
what I want.  With this, only a warning about trustdb not being writable
is issued.  Can I safely ignore this warning?  Does --no-random-seed-file
force /dev/random to be used?

> > Any ideas?
> 
> My first idea, and I think the best suggestion, is to look into
> rearchitecting your solution so that this kind of lockdown isn't
> necessary.

I think my architecture should be OK.  But I'm open to suggestions.
Here's a (simplified, because it is OT on this list) description of
what I try to do:

The goal is to make backups over the network (similar to amanda).
For this I set up an account named "backupserver" on the server and a
"backupclient" on the client.  Backupserver's public key is copied to
backupclient@client:~/.ssh/authorized_keys.  Backupserver initiates
a backup via

  $ ssh backupclient@client sudo /usr/local/bin/sendbackup >out

sendbackup runs gnutar as root and gpg as backupclient.  To make sure
that backupserver@server is not able to request unencrypted data, I need
to make sure that backupclient is not able to modify the keyring.

Please drop me a note if you see any flaws in such a setup.
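A sketch of what such a sendbackup wrapper could look like, added here as an example and not code from this thread or from GnuPG.  It assumes the script runs as root via sudo, that the gpg homedir path and the backupclient/backupserver names are placeholders, that the homedir is owned by root and readable but not writable by backupclient, and that the trustdb shipped in that homedir already marks the recipient key as trusted (gpg cannot update it at run time).  The not_writable_by/keyring_locked_down checks and run_backup are hypothetical names.

```shell
#!/bin/sh
# Hypothetical sendbackup wrapper for the setup described in the thread
# (added example, not code from the thread or from GnuPG). Assumptions:
# runs as root via sudo; GPG_HOME is a placeholder path owned by root,
# readable but not writable by GPG_USER; its trustdb already trusts the
# recipient key, since a read-only homedir cannot be updated at run time.

GPG_HOME="${GPG_HOME:-/var/lib/backupclient/gnupg}"   # placeholder path
GPG_USER="${GPG_USER:-backupclient}"                   # account running gpg
RECIPIENT="${RECIPIENT:-backupserver}"                 # key to encrypt to

# Return 0 only if user $2 cannot modify $1: $1 is owned by someone else
# and has no group or other write bit. ls -ld keeps this plain POSIX sh.
not_writable_by() {
    path="$1"; user="$2"
    [ -e "$path" ] || return 1
    set -- $(ls -ld "$path")          # word-split on purpose: $1 mode, $3 owner
    [ "$3" != "$user" ] || return 1
    case "$1" in
        ?????w*|????????w*) return 1 ;;   # group (pos 6) or other (pos 9) write bit
    esac
    return 0
}

# The keyring directory and every file in it (pubring, trustdb, ...) must
# be locked down; otherwise the unprivileged account could swap in a key
# of its own and the server would receive data it can decrypt itself.
keyring_locked_down() {
    dir="$1"; user="$2"
    not_writable_by "$dir" "$user" || return 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        not_writable_by "$f" "$user" || return 1
    done
    return 0
}

# tar runs as root, gpg as the unprivileged account. --lock-never and
# --no-random-seed-file are the flags from the thread that keep a pure
# "gpg -e" run from writing into the read-only homedir.
run_backup() {
    keyring_locked_down "$GPG_HOME" "$GPG_USER" || {
        echo "refusing: $GPG_HOME is modifiable by $GPG_USER" >&2
        return 2
    }
    tar -cf - "$@" | su -s /bin/sh "$GPG_USER" -c \
        "gpg --batch --no-tty --homedir '$GPG_HOME' \
             --no-random-seed-file --lock-never -r '$RECIPIENT' -e"
}
```

Called as root, `run_backup /etc /home > out` writes the encrypted archive to stdout, which is what the ssh invocation above captures; the wrapper refuses to run at all if backupclient could modify any part of the keyring.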
