Web-based pinentry

Werner Koch wk at gnupg.org
Fri Aug 31 09:34:28 CEST 2012


On Thu, 30 Aug 2012 16:28, mike at silverorange.com said:

> Where can I find documentation that recommends not using a passphrase?
> My understanding is a passphrase is important to protect private keys
> in the event they are acquired:

Right.  However, most people asking for an easy way to convey the
passphrase to gpg already have the passphrase online in some file.  The
usual code is a script like

 echo mypassphrase |  gpg --passphrase-fd 0 .....

or

 cat myfilewiththepassphrase |  gpg --passphrase-fd 0 .....

This does not give you any protection at all because an attacker has
immediate access to the passphrase.  Thus the suggestion is to use an
empty (i.e. no) passphrase.

However, if the system is an attended one and the user is able to enter
a passphrase, a passphrase is useful.  In that case the passphrase is
not stored on the system and a stolen hard disk won't be a problem (as
long as a good passphrase is used).


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
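A defender-side check for the stored-passphrase pattern Werner describes (an added example, not part of the original thread): it scans the given scripts for gpg invocations whose passphrase comes from --passphrase-fd, --passphrase-file or --passphrase, i.e. from a file or the script itself. The regular expression and the sample lines in the comments are constructed here and are not from the post.

```shell
#!/bin/sh
# Constructed pattern: a gpg call whose passphrase is taken from the
# filesystem or the script. Lines it is meant to catch, for example:
#   echo mypassphrase | gpg --passphrase-fd 0 --decrypt in.gpg
#   gpg --batch --passphrase-file /etc/backup/pass --symmetric dump.sql
#   gpg --passphrase 'hunter2' -d secret.gpg
# It deliberately ignores --passphrase-repeat, which carries no secret.
GPG_PASSPHRASE_RE='gpg[^|;]*--passphrase(-fd|-file)?([[:space:]]|=)'

# Print the number of offending lines in FILE (0 for a clean or unreadable file).
gpg_passphrase_hits() {
    if [ -r "$1" ]; then
        # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
        grep -c -E "$GPG_PASSPHRASE_RE" "$1" || true
    else
        echo 0
    fi
}

# Print "file:line:text" for every hit in the given scripts.
# Returns 1 when any script feeds gpg a stored passphrase, 0 when all are clean,
# so it can gate a cron or CI job that deploys such scripts.
audit_gpg_passphrase() {
    total=0
    for f in "$@"; do
        n=$(gpg_passphrase_hits "$f")
        [ "$n" -gt 0 ] || continue
        # /dev/null as a second operand makes POSIX grep prefix the file name.
        grep -n -E "$GPG_PASSPHRASE_RE" "$f" /dev/null
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}
```

Run it over the scripts and crontab fragments on a host, e.g. `audit_gpg_passphrase /etc/cron.d/* /usr/local/bin/*.sh`; a non-zero exit means a passphrase is already on disk and, as the post explains, offers no protection over an empty one.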