GnuPG encryption with key file

Peter Lebbing peter at
Thu Mar 27 16:52:46 CET 2014

On 2014-03-27 14:35, David Shaw wrote:
> Limitations of the method

Plus that it has the same problems as

$ echo mysecret|gpg --passphrase-fd 0

That is, it ends up in your history if your shell keeps a history and 
you don't prevent it, and other users on a multi-user system can see the 
passphrase / the specific file used as a passphrase in the process list.

These issues wouldn't exist if GnuPG actually *supported* key files, 
and would prompt for the key file as it does for a passphrase. That's 
why I simply said "no", as in "it is not supported". But you can hack it 

Also, key files easily lead to security-by-obscurity implementations 
where people think "an attacker doesn't know which file I use", whereas 
the attacker thinks "let's try all files, that's computationally 
feasible". But obviously that depends on the way you use it, it's just 
something to be aware of.

> it's not really using the binary file as a key, but rather as a 
> passphrase

I would consider this an advantage: the actual session key has good 
entropy, and the file is just used to encrypt the session key. Even if a 
"key file" would be properly supported by GnuPG, I would still prefer 
this two-step approach.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

More information about the Gnupg-users mailing list