Automate decryption

Werner Koch wk at gnupg.org
Fri Aug 29 19:51:09 CEST 2008


On Fri, 29 Aug 2008 19:24, duwainer at srlcd.com said:

> It will be a server doing the work. I want it completely automated, so
> there will be no human interaction.

To avoid having your keys or a passphrase stored somewhere on the disk
you have two choices:

 1. Use gpg-agent and gpg-preset-passphrase along with a script to ask
    the operator at boot time to enter the passphrase.  That will keep
    the passphrase only in memory and thus make it a little bit harder
    for attackers to get it.  Note that gpg-preset-passphrase has a bug
    but that will be fixed soon.

 2. Use an HSM, like a smartcard, to store the key and have it decrypt the
    key.  This way an attacker won't be able to get the key.

One attack you can't avoid is an attacker using your system to decrypt
files.  I doubt that this is a real threat because the attacker could
just get the plaintext after gpg decrypted it.


Shalom-Salam,

   Werner


-- 
Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org

   Thoughts are free.  Exceptions are regulated by federal law.
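A script that implements option 1 from the message above, as an added example (not from the original post or from GnuPG itself): it prompts the operator once at boot and hands the passphrase to gpg-preset-passphrase over stdin, so it lives only in gpg-agent's memory. It assumes gpg-agent.conf contains allow-preset-passphrase, that the secret key's keygrip (shown by gpg --with-keygrip -K) is passed as the first argument, and that the KEYINFO status line follows the agent's documented field order; the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: preset a passphrase into
# gpg-agent at boot so it is held only in memory, never on disk.
# Assumes gpg-agent.conf has "allow-preset-passphrase" (and a large enough
# max-cache-ttl); KEYGRIP is the 40-hex keygrip from "gpg --with-keygrip -K".
set -eu

# gpg-agent addresses keys by keygrip (40 hex digits), not by key ID.
valid_keygrip() {
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Parse one "S KEYINFO ..." line from gpg-connect-agent. Field order after
# the keyword is: keygrip type serialno idstr cached protection ..., so the
# cached flag is $6 and reads "1" when a passphrase is in the agent's cache.
keyinfo_cached() {
    set -- $1
    [ "${1:-}" = "S" ] && shift
    [ "${1:-}" = "KEYINFO" ] && [ "${6:-}" = "1" ]
}

# Ask the operator on the console (echo off) and feed the passphrase to
# gpg-preset-passphrase over stdin; nothing is written to the filesystem.
preset_passphrase() {
    keygrip="$1"
    valid_keygrip "$keygrip" || { echo "bad keygrip: $keygrip" >&2; return 1; }
    tool="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
    printf 'Passphrase for keygrip %s: ' "$keygrip" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pass < /dev/tty
    stty echo < /dev/tty
    echo > /dev/tty
    printf '%s' "$pass" | "$tool" --preset "$keygrip"
    unset pass
}

# Confirm that the agent now reports the key's passphrase as cached.
check_cached() {
    gpg-connect-agent "KEYINFO $1" /bye | grep '^S KEYINFO' | {
        IFS= read -r line; keyinfo_cached "$line"; }
}

# Entry point for an init/rc script: sh preset-at-boot.sh <KEYGRIP>
if [ -n "${1:-}" ]; then
    gpgconf --launch gpg-agent
    preset_passphrase "$1"
    check_cached "$1" && echo "passphrase cached in gpg-agent for $1"
fi
```

Once preset, the passphrase stays cached only for as long as gpg-agent's cache TTL settings allow, so raise max-cache-ttl to match the server's expected uptime between reboots.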
