Batch Mode and decrypt

Joseph Oreste Bruni jbruni at mac.com
Thu Apr 19 17:57:04 CEST 2007


If the passphrase is passed in as a parameter to the script, the passphrase will be clearly visible in the process list (on Unix/Linux) via the "ps" command.

To be honest, there is really no way to properly secure a passphrase for an automated system if the passphrase exists anywhere on that system. All users with root access will be able to get to the private key through some means.

If you are not worried about users with root access, then you don't need to encrypt the private key, since non-root users won't be able to read the secret key in the process's home directory.

It's a chicken-or-egg situation. If you can trust the root users, you are better off keeping it simple and just not using an encrypted private key. If you cannot trust the root users, you should not trust the system at all.


On Apr 19, 2007, at 8:33 AM, jane grove wrote:

> Thank you guys.  Both the "cat pipe" way and the "<" way work well.
> David, yes you made a very good point of not hard-coding the
> passphrase or its file name.  In my current script, I have a variable
> to hold the passphrase file name.  The actual file name is passed in
> as a parameter when I call the script from another command outside the
> script.  If an attacker opens the current script, s/he won't see the
> actual passphrase or its file name, s/he will only see the variable
> name.  The passphrase is stored in a separate place.
>
> I am thinking of better ways to secure the passphrase and automate the
> jobs at the same time.  I appreciate everyone's input.
>
> Jane
>
> On 4/14/07, David Shaw <dshaw at jabberwocky.com> wrote:
>> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
>>> Hello,
>>> I am trying to use the GnuPG command "decrypt" in batch mode (i.e. in a script).
>>> When I use the option "--batch", I don't have a way to enter the user id or passphrase.
>>
>> Look at the --passphrase-fd, --passphrase-file, or --passphrase
>> options.  They are all in the manual, and can be used to provide a
>> passphrase during batch operation.
>>
>> However, if you are including the passphrase in a script, it is worth
>> asking yourself if there is any security benefit in having a
>> passphrase-protected key at all.  After all, an attacker who gets
>> access to the script needs merely to read it to know the passphrase.
>>
>> David
>>
>> _______________________________________________
>> Gnupg-users mailing list
>> Gnupg-users at gnupg.org
>> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>>
>
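The two points raised in the thread, Joseph's warning that a passphrase given as a command-line argument shows up in "ps", and David's pointer to --passphrase-fd / --passphrase-file as the batch-mode alternatives, can be checked directly. The script below is an added example and is not code from the thread or from GnuPG; a small "sh -c" child stands in for gpg so the check runs without GnuPG installed, the passphrase value is a constructed sample, and the "gpg_decrypt_with_fd" function at the end is only a hypothetical wrapper showing the real invocation.

```shell
#!/bin/sh
# Added example, not code from the thread or from GnuPG: shows that a
# passphrase handed over as a command-line argument (the --passphrase
# pattern) is readable from the process table, and that feeding it on an
# inherited file descriptor (the --passphrase-fd pattern) is not.
# A small `sh -c` child stands in for gpg so this runs without GnuPG.

SECRET='constructed-demo-passphrase-x9Q2'   # constructed sample, not a real secret

# Command line of process $1 as any local user can see it (via /proc or ps).
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        ps -o args= -p "$1"
    fi
}

# Start a child with the secret in argv, the way `gpg --passphrase "$PW"`
# would. Returns 0 if the secret was visible in the process list.
secret_leaks_via_argv() {
    sh -c 'sleep 2; :' stand-in-for-gpg --passphrase "$SECRET" &
    pid=$!
    sleep 1
    seen=$(cmdline_of "$pid")
    wait "$pid"
    case "$seen" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Same check with the secret delivered on fd 3 from a mode-0600 file, the
# way `gpg --passphrase-fd 3 ... 3< pwfile` delivers it. Returns 0 if the
# secret was visible in the process list (it should not be).
secret_leaks_via_fd() {
    pwfile=$(mktemp) || return 2
    chmod 600 "$pwfile"
    printf '%s\n' "$SECRET" > "$pwfile"
    sh -c 'IFS= read -r pw <&3; sleep 2; :' stand-in-for-gpg --passphrase-fd 3 3< "$pwfile" &
    pid=$!
    sleep 1
    seen=$(cmdline_of "$pid")
    wait "$pid"
    rm -f "$pwfile"
    case "$seen" in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

# Hypothetical wrapper for the real invocation; not executed by this demo.
# $1 = ciphertext file, $2 = passphrase file (mode 0600). The GnuPG manual
# notes that since 2.0 --passphrase-fd is only used together with --batch,
# and since 2.1 it also needs --pinentry-mode loopback; on GnuPG 1.4 drop
# the --pinentry-mode option. Jane's "cat pwfile | gpg --passphrase-fd 0"
# and "gpg --passphrase-fd 0 ... < pwfile" forms are the same idea on fd 0,
# which then cannot also carry the ciphertext, so the ciphertext must be a
# file argument.
gpg_decrypt_with_fd() {
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$1" 3< "$2"
}

# Stand-alone run: report both checks.
if secret_leaks_via_argv; then echo "argv: secret visible in ps (leak)"; else echo "argv: not visible"; fi
if secret_leaks_via_fd;   then echo "fd 3: secret visible in ps (leak)"; else echo "fd 3: not visible"; fi
```

The fd-based form removes the passphrase from the process list, but it does not remove it from the machine: the passphrase file is still readable by root and by anyone who can read the script's environment, which is exactly the point Joseph makes above about root users.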
