Need non-writable --homedir
Robert J. Hansen
rjh at sixdemonbag.org
Mon Sep 11 22:27:59 CEST 2006
-----BEGIN PGP SIGNED MESSAGE-----
Josef Wolf wrote:
> I wondered why /dev/random is not used.
A few reasons, any one of which would be sufficient.
1. /dev/random isn't available on all platforms. GnuPG's random number
2. /dev/random is exhaustible. This is a Bad And Wrong for crypto
3. /dev/random is, as I understand it, an ad-hoc design. Many people
who need crypto software need vetted, certified designs (even if the
software itself isn't certified). E.g., some people may require ANSI
X9.17 RNG. With a software RNG, it's fairly easy to just drop in
whatever RNG you need.
> It seems that "gpg -e --no-random-seed-file --lock-never -r foobar"
> does what I want. With this, only a warning about trustdb not beeing
> writable is issued. Can I safely ignore this warning?
I'm not sure what can cause the trustdb to be updated, I'm sorry. For
instance, if GnuPG sees that the system clock has advanced to the point
where a key has expired, does GnuPG cause the trustdb to be updated?
Etcetera. For this question, you're going to have to ask the GnuPG
developers, since it depends on GnuPG internals.
That said, my intuition--and beware of taking anyone's intuition too
seriously--is that as long as you avoid modifying operations, the
warning will be insignificant.
> Does --no-random-seed-file force /dev/random to be used?
Platform-dependent. Obviously, --no-random-seed-file won't force
/dev/random to be used if you're on a system that has no /dev/random
(e.g., Win32). You need to tell us the precise system environment
before we can really answer these kinds of questions.
> sendbackup runs gnutar as root and gpg as backupclient. To make sure
> that backupserver at server is not able to request unencrypted data, I
> need to make sure that backupclient is not able to modify the
I'm having a cognitive disconnect here. How does the _client's_
inability to modify the keyring affect the _server's_ ability to request
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Gnupg-users