Batch Mode and decrypt

jane grove grove.jane at gmail.com
Thu Apr 19 17:33:49 CEST 2007


Thank you guys.  Both the "cat pipe" way and the "<" way work well.
David, yes you made a very good point of not hard-coding the
passphrase or its file name.  In my current script, I have a variable
to hold the passphrase file name.  The actual file name is passed in
as a parameter when I call the script from another command outside the
script.  If an attacker opens the current script, s/he won't see the
actual passphrase or its file name, s/he will only see the variable
name.  The passphrase is stored in a separate place.

I am thinking of better ways to secure the passphrase and automate the
jobs at the same time.  I appreciate everyone's input.

Jane

On 4/14/07, David Shaw <dshaw at jabberwocky.com> wrote:
> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
> > Hello,
> > I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a script).
> > When I use the option "--batch", I don't have a way to enter the user
> > id or passphrase.
>
> Look at the --passphrase-fd, --passphrase-file, or --passphrase
> options.  They are all in the manual, and can be used to provide a
> passphrase during batch operation.
>
> However, if you are including the passphrase in a script, it is worth
> asking yourself if there is any security benefit in having a
> passphrase-protected key at all.  After all, an attacker who gets
> access to the script needs merely to read it to know the passphrase.
>
> David
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
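
Added example, not part of the original messages: a wrapper of the kind discussed in this thread, where the passphrase file name arrives as a parameter, which refuses a passphrase file that other users can read and hands the passphrase to gpg on a file descriptor with --passphrase-fd. The function names check_passfile and decrypt_batch are hypothetical, and --pinentry-mode loopback assumes GnuPG 2.1 or later (older versions do not have that option; drop it there).

```shell
#!/bin/sh
# Added example; check_passfile and decrypt_batch are hypothetical names.

# Accept the passphrase file only if it is a regular file (not a symlink),
# owned by the invoking user, with no group/other permission bits set.
check_passfile() {
    pf=$1
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "passphrase file must be a regular file, not a symlink: $pf" >&2
        return 1
    fi
    # ls -n prints numeric ids: field 1 is the mode string, field 3 the owner uid
    meta=$(ls -ldn -- "$pf") || return 1
    mode=${meta%% *}
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    if [ "$owner" != "$(id -u)" ]; then
        echo "passphrase file is owned by uid $owner, not by this user" >&2
        return 1
    fi
    case $mode in
        -r??------*) return 0 ;;   # e.g. -r-------- (0400) or -rw------- (0600)
        *) echo "passphrase file mode $mode is too open (want 0400 or 0600)" >&2
           return 1 ;;
    esac
}

# decrypt_batch PASSFILE ENCRYPTED OUTPUT
decrypt_batch() {
    passfile=$1 src=$2 dst=$3
    check_passfile "$passfile" || return 1
    # The passphrase travels on fd 3, so it never appears in the script,
    # in the process arguments or in the environment.
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
        --output "$dst" --decrypt "$src" 3<"$passfile"
}

# Run only when called with the three expected parameters.
if [ "$#" -eq 3 ]; then
    decrypt_batch "$@"
fi
```

The permission check narrows who can read the passphrase but does not change David's point: anyone who can run the job as this user can still read the file.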


