Req. advice on automated gpg batch job and storage of private key/keyring offline

vedaal at vedaal at
Mon Sep 15 19:13:00 CEST 2008

John French johnlfrench at wrote on
Sun Sep 14 18:18:19 CEST 2008 :

>I want to keep the public key on the server to
>encrypt the card numbers when entered by account holders
>and prior to db storage

>When its time to run the cards
>against the cc merchant account, 
>I'd like to go to a password protected ssl
>page on my site and enter (paste)  the key as ASCII (armored) 
>and allow the php script to decrypt the cc numbers, process them 
and >exit, all in memory.

> If I remove the private keyring, 
> gnupg complains about the keyring being missing 
> and goes so far as to recreate it

i don't know much about php scripts on ssl sites,
but if you accept that part of your plan as 'secure',
then this may be a way of using gnupg to accomplish what you want:

[1] generate a keypair that you don't use for anything, and keep 
the resulting public and secret keyrings on the server
(this will eliminate any error messages from gnupg, as well as 
providing a secret keyring to be able to import into)

[2] when you are ready to decrypt, import the secret key from your 
php script

[3] when you are done, remove the secret key from the keyring,
with this command:
gpg --delete-secret-key 0x'rest of numeric key id'
(the says that for batch files, the key 'name' is not good 
for this command)

Robert's precautions/advice should be very seriously considered,
as you might face considerable legal responsibility if any part of 
your procedure proves to be 'hackable' and the cc's numbers 
revealed ...


any ads or links below this message are added by hushmail without 
my endorsement or awareness of the nature of the link

Self Storage Options - Click Here.

More information about the Gnupg-users mailing list