Possible to pass the private key?

Roscoe eocsor at gmail.com
Wed Sep 12 14:07:29 CEST 2007


If all you're doing is encrypting files you don't need the private key
on the server at all.

One only needs the private key to decrypt. The private keys are kept
in their own keyring, indeed they are encrypted. Any user who has
access to gpg on a host will not have access to all other users'
private keys on that host, unless file permissions are set up as such.

You didn't make any mention of automated decryption, but your
consultant's quote makes more sense if you replace encrypt with
decrypt.

-- Roscoe


On 8/24/07, Greg Motter <greg_motter at hotmail.com> wrote:
>
> Hello all,
>
> I have a couple of questions about how to handle the private key on a
> server. The company I'm working with is working with a consultant who said
> the following:
>
> "GNUPG has a keyring just like PGP. The private keys on that keyring need to
> be controlled and not just left in the keyring file. If it's an automated
> process to encrypt the flat files then you should compile the program doing
> it with the private key. If it's a manual process, the private key needs to
> be kept with someone off the server."
>
> First off, from what I've read, it sounds like private keys are not kept in
> the keyring, but rather in their own file that is then encrypted
> symmetrically using the passphrase?
>
> Secondly is it possible to do what he is asking? Is it possible to pass in
> the private key through gpg command?
>
> Next, If I could pass in the private key through the program itself, and
> then secure the source code. Would the private key likely be more at risk in
> the object code since it would not truly be encrypted at that point?
>
> Basically what we are trying to do is encrypt flat text files that will be
> on our server at rest. I'll be creating a subroutine to handle all of the
> gpg goodness in the background. But we're still trying to work out the best
> way that these files would be secure.
>
> Obviously if we leave the private key out there, then any user who had
> access to gpg would have access to the key, although not to the passphrase.
>
> Is there some better way?
>
> Thanks,
>
> Greg Motter
>
> --
> View this message in context: http://www.nabble.com/Possible-to-pass-the-private-key--tf4319226.html#a12299545
> Sent from the GnuPG - User mailing list archive at Nabble.com.
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
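The arrangement Roscoe describes, an encrypt-only keyring on the server with the private key kept on another host, as an added example that is not code from the thread or from GnuPG itself. Two throwaway GNUPGHOME directories stand in for the two machines; the key pair, the user ID owner@example.invalid and the sample flat file are all constructed here, and the script needs GnuPG 2.1 or later for --quick-generate-key. The check that matters in practice is the `--list-secret-keys` one: whether the secret material lives in the old secring.gpg (GnuPG 1.x/2.0) or in private-keys-v1.d (2.1 and later), that listing is empty on a host that only ever imported a public key.

```shell
#!/bin/sh
# Added example, not code from the thread: an encrypt-only GnuPG keyring on the
# server, private key on a different host.  Two throwaway GNUPGHOME directories
# stand in for the two machines.  The key pair, the user ID owner@example.invalid
# and the sample file are made up for the demo; needs GnuPG 2.1 or later.
#
# Exit status: 0 = every check passed, 1 = a check failed, 2 = gpg not installed.

_demo_cleanup() {
    # Stop the per-homedir agents gpg auto-started, then remove the scratch dirs.
    for d in "$1/owner" "$1/server"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null
    done
    rm -rf "$1"
}

gpg_encrypt_only_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 2; }
    work=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1
    owner="$work/owner"; server="$work/server"
    # mode 700: gpg warns about a keyring directory that other local users can read
    mkdir -m 700 "$owner" "$server" || { _demo_cleanup "$work"; return 1; }

    # 1. Key pair generated on the owner's host.  The empty passphrase is for the
    #    demo only; a real key is passphrase-protected and never copied to the server.
    GNUPGHOME="$owner" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Backup Owner <owner@example.invalid>' default default never \
        >/dev/null 2>&1 || { _demo_cleanup "$work"; return 1; }

    # 2. Only the public key travels to the server.
    GNUPGHOME="$owner" gpg --batch --armor --export owner@example.invalid > "$work/pub.asc" \
        || { _demo_cleanup "$work"; return 1; }
    GNUPGHOME="$server" gpg --batch --import "$work/pub.asc" >/dev/null 2>&1 \
        || { _demo_cleanup "$work"; return 1; }

    # 3. The automated job on the server encrypts a flat file to that public key.
    #    --trust-model always skips the web-of-trust check for a key we installed ourselves.
    printf 'account,balance\nalice,100\nbob,250\n' > "$work/data.txt"   # constructed sample
    GNUPGHOME="$server" gpg --batch --trust-model always \
        --recipient owner@example.invalid --encrypt \
        --output "$work/data.txt.gpg" "$work/data.txt" 2>/dev/null \
        || { _demo_cleanup "$work"; return 1; }

    # 4. Server-side checks: no secret key present (no "sec:" records in the
    #    machine-readable listing), and the server cannot decrypt its own output.
    nsec=$(GNUPGHOME="$server" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
           | grep -c '^sec:' || true)
    [ "$nsec" -eq 0 ] || { _demo_cleanup "$work"; return 1; }
    if GNUPGHOME="$server" gpg --batch --decrypt "$work/data.txt.gpg" >/dev/null 2>&1; then
        _demo_cleanup "$work"; return 1   # would mean a secret key ended up on the server
    fi

    # 5. Decryption succeeds only where the private key lives.
    GNUPGHOME="$owner" gpg --batch --pinentry-mode loopback --passphrase '' \
        --decrypt --output "$work/out.txt" "$work/data.txt.gpg" 2>/dev/null \
        || { _demo_cleanup "$work"; return 1; }
    cmp -s "$work/data.txt" "$work/out.txt" || { _demo_cleanup "$work"; return 1; }

    _demo_cleanup "$work"
    return 0
}

# Usage:  gpg_encrypt_only_demo && echo "encrypt-only keyring verified"
```

Step 4 is the point of the exercise: a host that only ever imported a public key has nothing to protect beyond the integrity of that key (swap it and the files get encrypted to an attacker instead), and no passphrase, compiled-in secret or file permission trick is needed to keep a private key safe on a machine that does not have one.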
