Setting up shared access to gpg on a UNIX server
bd9439 at att.com
Fri Jan 31 01:29:13 CET 2014
Firstly, as a Windows Outlook user, I've never figured out the correct etiquette on formatting responses to list-server messages, so I'm just going to post a new message without previous references.
Taking previous comments to heart, I've altered my "home directory" permissions to remove write access for everyone other than the owner (755). I believe this plugs the hole that would have allowed others to replace files as Peter demonstrated.
The reason I allowed "write" was to overcome an error message users were getting. Apparently, gpg needs to create some file in that location. Allowing "write" permission was the first thing that came to mind when I first started using gpg and it's stayed that way for several years.
I was not previously familiar with the --keyring and --secret-keyring options and I believe that helps me a lot. So now, to encrypt files:
gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --always-trust --no-secmem-warning \
    --recipient <vendor-id> --encrypt <file-name>
I found I had to add the --always-trust option to prevent a prompt for "batch" processes. The keys are all "trusted" in my "home directory", but I didn't find an option to point to the "trustdb" file.
And to decrypt a file:
gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg \
    --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --no-secmem-warning \
    --decrypt <file-name>
It seems that since my "secring" only contains the private key used by vendors to send files to us, I do not need to actually specify the key by name. My initial testing shows it works well.
How does that look?
From what I can tell, the remaining risk is that anyone can copy and use my private key because I do not have it passphrase protected. I'd be happy to add a passphrase, as long as I can figure out how to make the key easily used by any user.
A couple of folks (Diego and Johannes) mentioned using a smartcard or a token. I think a smartcard refers to a piece of hardware, but I don't know what a "token" means. Our server is in a datacenter and I'm sure I cannot attach any sort of hardware. I might be able to use a software-only solution; I've heard something about "agents", but don't really understand any details. Can such an agent be used, one that I can start and load the key with passphrase at system startup?
Thanks again for the comments; very helpful so far!
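The two permission problems raised in this thread (a group- or world-writable keyring directory, which lets another user replace pubring.gpg or trustdb.gpg, and an unprotected secret keyring that other users can read and copy) can be checked mechanically. The following is an added example written for this page, not code from the poster or from the GnuPG project. It audits a GnuPG home directory by its mode bits and, to run offline, builds throwaway directories containing constructed placeholder files (not real keyrings) with the original 775 layout, the corrected 755 layout, and a 755 layout whose secring.gpg is 0600. The file names assumed are those of GnuPG 1.x/2.0 (pubring.gpg, secring.gpg, trustdb.gpg).

```python
"""Audit a shared GnuPG keyring directory for weak permission bits.

Added example for the thread above; the layouts it builds are constructed
placeholders, not real keyrings.
"""
import os
import shutil
import stat
import tempfile

# Files GnuPG 1.x/2.0 keeps in its home directory.
PUBLIC_FILES = ("pubring.gpg", "trustdb.gpg")
SECRET_FILES = ("secring.gpg",)

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_gnupg_dir(path):
    """Return a list of findings (strings) for the GnuPG directory at `path`.

    Write permission on the directory is the serious one: unlinking or
    renaming a file needs only write access to the directory, so a
    read-only pubring.gpg or trustdb.gpg can still be swapped for an
    attacker's copy.  A secret keyring readable by others can simply be
    copied, which is fatal when the key has no passphrase.
    """
    findings = []
    dir_mode = stat.S_IMODE(os.stat(path).st_mode)
    if dir_mode & GROUP_OR_OTHER_WRITE:
        findings.append("directory is writable by group/others (mode %o): "
                        "pubring.gpg/trustdb.gpg can be replaced" % dir_mode)
    for name in PUBLIC_FILES + SECRET_FILES:
        full = os.path.join(path, name)
        if not os.path.exists(full):
            continue
        fmode = stat.S_IMODE(os.stat(full).st_mode)
        if fmode & GROUP_OR_OTHER_WRITE:
            findings.append("%s is writable by group/others (mode %o)" % (name, fmode))
        if name in SECRET_FILES and fmode & GROUP_OR_OTHER_READ:
            findings.append("%s is readable by group/others (mode %o): "
                            "private key can be copied" % (name, fmode))
    return findings


def build_layout(dir_mode, secring_mode):
    """Create a temporary directory holding constructed placeholder files.

    Public files get 0644; the directory and secring.gpg get the modes
    passed in.  Returns the directory path; the caller removes it.
    """
    root = tempfile.mkdtemp(prefix="gpg-audit-")
    for name in PUBLIC_FILES:
        full = os.path.join(root, name)
        with open(full, "wb") as f:
            f.write(b"constructed placeholder, not a real keyring\n")
        os.chmod(full, 0o644)
    secring = os.path.join(root, "secring.gpg")
    with open(secring, "wb") as f:
        f.write(b"constructed placeholder, not a real secret keyring\n")
    os.chmod(secring, secring_mode)
    os.chmod(root, dir_mode)
    return root


def demo():
    """Audit the original 775 layout, the corrected 755 layout, and a 755
    layout whose secret keyring is 0600.  Returns {label: findings}."""
    results = {}
    layouts = (("original-775", 0o775, 0o644),
               ("corrected-755", 0o755, 0o644),
               ("secring-0600", 0o755, 0o600))
    for label, dir_mode, secring_mode in layouts:
        root = build_layout(dir_mode, secring_mode)
        try:
            results[label] = audit_gnupg_dir(root)
        finally:
            shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["no findings"])
```

The audit looks at mode bits rather than attempting access, so it gives the same answer whether it is run as the keyring owner, another user, or root. To check a live setup, call audit_gnupg_dir() on the real directory instead of demo(); a 755 directory with a world-readable secring.gpg will report exactly the remaining risk described in the message above.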