How to handle user passphrase input from python script

orionbelt2 at gmail.com
Mon Jan 31 03:41:51 CET 2011


Hi all,

I use a python script to (a) open a file encrypted with a symmetric 
cipher using a passphrase, (b) do some operations on it, and (c) 
re-encrypt it.

So far I've had GnuPG handle the user input of the passphrase, e.g.:

os.system('gpg foo.gpg')
# Do something with file 'foo'
os.system('gpg -c foo')

However, this obliges the user to enter the password three times 
--rather annoying. I am looking for a way to avoid this.

An obvious, but probably unsafe, solution would be to use python's 
passphrase-reading facility along with GnuPG's --passphrase option, 
e.g.:

passwd = getpass.getpass()
os.system('gpg --batch --passphrase ' + passwd + ' foo.gpg')
# Do something with file 'foo'
os.system('gpg -c --batch --passphrase ' + passwd + ' foo')

But then the passwd variable would be lying unprotected in memory during 
script execution (and perhaps beyond)... Is there a nice way to do this 
operation safely? I looked around a little, and I suspect that GPGME 
might offer the way, but from the provided online API documentation I am 
not sure exactly how :) Any hints appreciated!

That said, I am wondering whether there is actually a point in taking 
this extra precaution: Once foo.gpg is decrypted and opened by the 
python script, its decrypted contents will find their way into memory... 
which is about as bad as having the passphrase lying around in memory, 
is it not?...

Should I be thinking about this in a completely different framework? Is 
there any semi-automated way (external libraries?) to guarantee that the 
application memory is protected from things like paging, core dumps, 
ptrace attacks and so on? Or am i just giving you a good laugh? :)

I would probably be quite happy if I could guarantee that the passphrase 
and file contents are no longer accessible once the script terminates.

Thanks!

Chris
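
The following is an added example, not code from the original post or from the GnuPG project. It shows the two concrete problems with the second snippet in the post (the passphrase in gpg's argv, where any local user can read it from ps or /proc/<pid>/cmdline, and the shell-quoting hazard of os.system with string concatenation) and the usual fix: run gpg without a shell and hand it the passphrase over a pipe with --passphrase-fd 0. It assumes a GnuPG 2.1+ binary named "gpg" on PATH (the --pinentry-mode loopback flag is what makes --passphrase-fd take effect in batch mode on 2.1+; some 2.1 agents also need allow-loopback-pinentry in gpg-agent.conf), that "foo.gpg" and "foo" are placeholder file names, and it includes a small Python child process as a stand-in for gpg so the pipe plumbing can be checked without GnuPG installed.

```python
import getpass
import subprocess
import sys
from typing import Callable, Sequence

# Assumptions (not from the original post): a GnuPG 2.1+ binary called "gpg"
# is on PATH, and "foo.gpg" / "foo" are placeholder file names.
GPG = "gpg"


def argv_with_passphrase_on_cmdline(passphrase: str, args: Sequence[str]) -> list:
    """The post's second variant, as an argv list. Still unsafe: the passphrase is
    visible in `ps` / /proc/<pid>/cmdline to every local user while gpg runs."""
    return [GPG, "--batch", "--passphrase", passphrase, *args]


def argv_with_passphrase_on_fd(args: Sequence[str]) -> list:
    """gpg reads the passphrase from fd 0 (our stdin pipe); nothing secret is in argv.
    --pinentry-mode loopback makes GnuPG 2.1+ honour --passphrase-fd in batch mode."""
    return [GPG, "--batch", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0", *args]


def run_with_secret_on_stdin(argv: Sequence[str], secret: bytes) -> subprocess.CompletedProcess:
    """Run argv with the secret written to its stdin pipe as one newline-terminated line.
    A list is passed to subprocess.run, so no shell is involved and a passphrase
    containing spaces, quotes or ';' cannot break or inject into the command."""
    return subprocess.run(list(argv), input=secret + b"\n",
                          capture_output=True, check=True)


def cmdline_exposes(argv: Sequence[str], secret: str) -> bool:
    """True if the secret would be readable from the child's command line."""
    return any(secret in a for a in argv)


def stdin_echo_argv() -> list:
    """Stand-in for gpg, used only to exercise the plumbing offline: a Python child
    that writes its first stdin line back to stdout (constructed for this example)."""
    return [sys.executable, "-c",
            "import sys; sys.stdout.buffer.write(sys.stdin.buffer.readline())"]


def decrypt_edit_reencrypt(encrypted: str, plain: str, passphrase: bytes,
                           edit: Callable[[str], None]) -> None:
    """The post's workflow with a single passphrase prompt: decrypt, edit, re-encrypt.
    --symmetric with a passphrase on the fd does not ask for the repeat entry."""
    run_with_secret_on_stdin(
        argv_with_passphrase_on_fd(["--yes", "--output", plain, "--decrypt", encrypted]),
        passphrase)
    edit(plain)
    run_with_secret_on_stdin(
        argv_with_passphrase_on_fd(["--yes", "--output", encrypted, "--symmetric", plain]),
        passphrase)


if __name__ == "__main__":
    # One prompt instead of three; the passphrase never appears in argv.
    pw = getpass.getpass("Passphrase: ").encode()
    decrypt_edit_reencrypt("foo.gpg", "foo", pw, lambda path: None)
```

This only fixes the exposure the post names (argv and the shell); it does not address the in-memory concern. Python cannot guarantee a secret is wiped: getpass() returns an immutable str, and the pipe buffer and gpg itself hold further copies, so the honest answer to the second question in the post is that a Python script should keep the passphrase's lifetime short and rely on the OS (no core dumps, ptrace restrictions, encrypted swap) rather than on zeroing a variable.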


