Batch Mode and decrypt
grove.jane at gmail.com
Thu Apr 19 17:33:49 CEST 2007
Thank you guys. Both the "cat pipe" way and the "<" way work well.
David, yes you made a very good point of not hard-coding the
passphrase or its file name. In my current script, I have a variable
to hold the passphrase file name. The actual file name is passed in
as a parameter when I call the script from another command outside the
script. If an attacker opens the current script, s/he won't see the
actual passphrase or its file name, s/he will only see the variable
name. The passphrase is stored in a separate place.
I am thinking of better ways to secure the passphrase and automate the
jobs at the same time. I appreciate everyone's input.
On 4/14/07, David Shaw <dshaw at jabberwocky.com> wrote:
> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
> > Hello,
> > I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a script).
> > When I use the option "--batch", I don't have a way to enter the user
> > id or passphrase.
> Look at the --passphrase-fd, --passphrase-file, or --passphrase
> options. They are all in the manual, and can be used to provide a
> passphrase during batch operation.
> However, if you are including the passphrase in a script, it is worth
> asking yourself if there is any security benefit in having a
> passphrase-protected key at all. After all, an attacker who gets
> access to the script needs merely to read it to know the passphrase.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
More information about the Gnupg-users