Using a passphrase FD from variable and piped data for encryption

Tue Apr 19 11:59:44 CEST 2016

On 19/04/16 09:42, Brett Cave wrote:
> Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
> To create an archive, and then encrypt it using a variable in 2 steps:
> tar zxf dir.tgz dir
> echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz
> 
> This way, the passphrase is never written to the fs and does not show up
> in the process list - it is only in-memory.

That doesn't seem to be the case, though. $PASSPHRASE is expanded and
fed as an argument to echo. For instance:

$ ARGS=f
$ ps $ARGS
[...]
26958 pts/1    Ss     0:01 /bin/bash
27915 pts/1    R+     0:00  \_ ps f
[...]

In addition, there's a good chance your environment variable ends up in
your swap space.

> But how can it be done from a variable?

I'm certainly not suggesting you use this method, but out of an
academical interest, I got it to work with:

$ tar zcf - . | gpg -c --passphrase-fd 3 -o dir.tgz.gpg 3< <(echo test)

I'm redirecting twice. First, I redirect "echo test" to an FD or FIFO of
Bash's choosing. Then I connect that to fd 3, so I can name fd 3 as the
passphrase-fd. <(echo test) is expanded to a filename, either of the
form /dev/fd/X or of some named FIFO created by bash, if I understand
the Bash manual correctly. The space between the two less-than's is
necessary.

> [...] this is purely for "because I want to know
> how to do it this way" sort of question).

Which was my motivation exactly :).

Oh, by the way, your plaintext was already on disk. The only reason to
worry about the passphrase being on disk is that you might reuse the
passphrase, right?

Asymmetric crypto would nicely avoid the issue by never needing the
secret part to encrypt data in the first place.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>