GnuPG encryption with key file
peter at digitalbrains.com
Fri Mar 28 12:48:52 CET 2014
On 27/03/14 16:52, Peter Lebbing wrote:
> Plus that it has the same problems as
> $ echo mysecret|gpg --passphrase-fd 0
> Also, key files easily lead to security-by-obscurity implementations where
> people think "an attacker doesn't know which file I use", whereas the attacker
> thinks "let's try all files, that's computationally feasible".
I suddenly realise that in the "problems" I mention I'm making the exact same
mistake as the one I'm warning for: I'm assuming that it is secret which file
you use, rather than that the contents of the file is secret.
If some other user on a multi-user system can see which file I'm using, but
doesn't have the rights to access the contents of that file, they are none the
So the "key file" method /is/ better than echo passphrase. It's still a risky
thing to use, in my opinion, though. And the hack presented doesn't allow for
the common scenario: a key file *as well as* a password. It might be possible to
hack that in as well.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users