WINDOWS - Adding passphrase to gpg via command line

flapflap flapflap at riseup.net
Tue May 12 07:59:09 CEST 2015


Josh Clearihan:
> Hi,
> 
> Thanks, but our requirement is that the key is secured with a passphrase.
> 
> Any other ideas into what is wrong with my coding?

> echo "mypassphrase"| gpg2.exe  ...

In my opinion it makes little sense to use a passphrase in this way: the
passphrase is supposed to be entered interactively, since if someone
gets access to the script with the hardcoded passphrase, she gets the
passphrase, too.
If you don't want to store the secret key unencrypted on disk, maybe you
could use a disk encryption layer below the file system (like
dm-crypt/LUKS on GNU/Linux). As a result, you have a passphrase for the
disk that is entered only once on reboot; then, when the system is
running, you use the secret OpenPGP key without a passphrase, but the key
material is still not stored unencrypted on disk and is protected in case
an adversary just takes the disks with her.

Of course, this does not protect against cold-boot attacks, but (IMHO)
it should be better than hardcoding the passphrase in a script on an
unencrypted disk, just to meet the requirement that the key should be
encrypted with a passphrase.

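Added example (editor's, not part of the list post above): a signing script built the way the reply recommends. The OpenPGP secret key carries no passphrase, so the script itself contains no secret and nothing is piped on stdin or visible in the process list; the only secret is the LUKS passphrase typed once at boot, and the key directory is expected to live on that unlocked volume. The device name, mount point, key identity and the ALLOW_PLAIN_DISK switch are assumptions for illustration; the cryptsetup steps are shown as comments because they need root and a real block device, while the key generation, signing, verification and tamper check run as-is with any GnuPG 2.x.

```shell
#!/bin/sh
# Added example, not from the gnupg-users post. Design: passphrase-less
# OpenPGP key on top of a dm-crypt/LUKS volume, script holds no secret.
set -eu

# --- One-time host setup (assumed device/mount point; run manually as root) ---
#   cryptsetup luksFormat /dev/sdb1               # LUKS passphrase set here
#   cryptsetup open /dev/sdb1 signing-keys        # asked again on every boot
#   mkfs.ext4 /dev/mapper/signing-keys
#   mount /dev/mapper/signing-keys /srv/signing
#   install -d -m 700 /srv/signing/gnupg          # GNUPGHOME for the service

# refuse_if_unencrypted DIR: fail unless DIR is mounted from a dm-crypt
# device, so a passphrase-less key is never silently used on plain disk.
# ALLOW_PLAIN_DISK=1 (hypothetical switch) bypasses the check, e.g. in tests.
refuse_if_unencrypted() {
  if [ "${ALLOW_PLAIN_DISK:-0}" = 1 ]; then return 0; fi
  src=$(findmnt -n -o SOURCE --target "$1") || return 1
  [ "$(lsblk -n -o TYPE "$src" 2>/dev/null | head -n 1)" = "crypt" ]
}

# create_unprotected_key HOME: batch-generate a signing key with no passphrase
# (%no-protection) inside the given GNUPGHOME. No pinentry, no stdin secret.
create_unprotected_key() {
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME="$1" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Build Signer (example)
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
}

# sign_detached HOME FILE: write FILE.sig. Nothing secret is passed anywhere.
sign_detached() {
  GNUPGHOME="$1" gpg --batch --yes --quiet --detach-sign --output "$2.sig" "$2"
}

# verify_detached HOME FILE: return 0 only if FILE.sig is a good signature.
verify_detached() {
  GNUPGHOME="$1" gpg --batch --quiet --verify "$2.sig" "$2" 2>/dev/null
}

# demo_sign_verify: throwaway keyring in a temp dir; sign a constructed file,
# check the good signature verifies and a tampered file does not. Returns 0
# on success, 1 otherwise; always cleans up the agent and the temp dir.
demo_sign_verify() {
  work=$(mktemp -d)
  home="$work/gnupg"
  rc=1
  ALLOW_PLAIN_DISK=1 refuse_if_unencrypted "$work"   # demo runs on plain disk
  create_unprotected_key "$home"
  printf 'release artifact v1\n' > "$work/artifact.bin"   # constructed input
  sign_detached "$home" "$work/artifact.bin"
  if verify_detached "$home" "$work/artifact.bin"; then
    printf 'tampered\n' >> "$work/artifact.bin"
    if verify_detached "$home" "$work/artifact.bin"; then rc=1; else rc=0; fi
  fi
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  return "$rc"
}

# Production use (assumed paths): key lives on the LUKS volume, script has no
# passphrase at all.
#   refuse_if_unencrypted /srv/signing/gnupg
#   sign_detached /srv/signing/gnupg /srv/releases/artifact.tar.gz
```

The point of refuse_if_unencrypted is that "no passphrase on the key" is only acceptable when the layer below really is encrypted; making the script check for a dm-crypt mount turns that assumption into an enforced precondition rather than a deployment note.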