Using a passphrase FD from variable and piped data for encryption

Dashamir Hoxha dashohoxha at gmail.com
Tue Apr 19 14:12:19 CEST 2016


I have written a small password utility, where passwords are stored on an
encrypted archive.
I use something like this:
 - https://github.com/dashohoxha/pw/blob/master/src/pw.sh#L26-L27
I think that all three of these ways are the same (security-wise), aren't they?
The second way (described by Peter) is just more complex and more difficult
to understand, but not safer.
Am I right?

Dashamir

On Tue, Apr 19, 2016 at 11:59 AM, Peter Lebbing <peter at digitalbrains.com>
wrote:

> On 19/04/16 09:42, Brett Cave wrote:
> > Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
> > To create an archive, and then encrypt it using a variable in 2 steps:
> > tar zcf dir.tgz dir
> > echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz
> >
> > This way, the passphrase is never written to the fs and does not show up
> > in the process list - it is only in-memory.
>
> That doesn't seem to be the case, though. $PASSPHRASE is expanded and
> fed as an argument to echo. For instance:
>
> $ ARGS=f
> $ ps $ARGS
> [...]
> 26958 pts/1    Ss     0:01 /bin/bash
> 27915 pts/1    R+     0:00  \_ ps f
> [...]
>
> In addition, there's a good chance your environment variable ends up in
> your swap space.
>
> > But how can it be done from a variable?
>
> I'm certainly not suggesting you use this method, but out of an
> academical interest, I got it to work with:
>
> $ tar zcf - . | gpg -c --passphrase-fd 3 -o dir.tgz.gpg 3< <(echo test)
>
> I'm redirecting twice. First, I redirect "echo test" to an FD or FIFO of
> Bash's choosing. Then I connect that to fd 3, so I can name fd 3 as the
> passphrase-fd. <(echo test) is expanded to a filename, either of the
> form /dev/fd/X or of some named FIFO created by bash, if I understand
> the Bash manual correctly. The space between the two less-than's is
> necessary.
>
> > [...] this is purely for "because I want to know
> > how to do it this way" sort of question).
>
> Which was my motivation exactly :).
>
> Oh, by the way, your plaintext was already on disk. The only reason to
> worry about the passphrase being on disk is that you might reuse the
> passphrase, right?
>
> Asymmetric crypto would nicely avoid the issue by never needing the
> secret part to encrypt data in the first place.
>
> HTH,
>
> Peter.
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
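Peter's fd-3 rendezvous above, reworked as a portable POSIX sh example (added here; it is not code from the thread or from the pw project): the passphrase reaches the consumer on fd 3 through a private FIFO, which is what bash's `<(...)` does behind the scenes, so it never appears on any command line or in a regular file. `consume_secret_fd3` is a constructed stand-in for `gpg -c --passphrase-fd 3` so the script runs without GnuPG; the `pw_*` names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or the pw project). Deliver a passphrase
# to a command on fd 3 through a private FIFO, the portable equivalent of
# bash's `cmd 3< <(printf '%s\n' "$secret")`.

# Stand-in for `gpg -c --passphrase-fd 3`: reads one line from fd 3 and
# reports only its length, so the secret itself never reaches stdout.
consume_secret_fd3() {
    IFS= read -r pw_secret <&3 || return 1
    printf '%s\n' "${#pw_secret}"
    pw_secret=
}

# Usage: with_passphrase_fd3 SECRET COMMAND [ARGS...]
# Runs COMMAND with fd 3 connected to a FIFO carrying SECRET plus a newline.
with_passphrase_fd3() {
    pw_pass=$1; shift
    pw_dir=$(mktemp -d) || return 1
    pw_fifo=$pw_dir/pass
    # Mode 600: no other local user can open the FIFO and read the secret.
    mkfifo -m 600 "$pw_fifo" || { rm -rf "$pw_dir"; return 1; }
    # Writer: printf is a shell builtin, so no process argv carries the
    # secret. Opening the FIFO blocks until the reading side is opened,
    # which the shell does while setting up COMMAND's fd 3 redirection.
    ( printf '%s\n' "$pw_pass" > "$pw_fifo" ) &
    pw_writer=$!
    "$@" 3< "$pw_fifo" && pw_rc=0 || pw_rc=$?
    wait "$pw_writer"
    rm -rf "$pw_dir"
    pw_pass=
    return "$pw_rc"
}

# Demo run; with GnuPG installed, replace consume_secret_fd3 by
#   gpg -c --passphrase-fd 3 -o dir.tgz.gpg dir.tgz
if [ "${PW_DEMO:-0}" = 1 ]; then
    with_passphrase_fd3 'correct horse battery' consume_secret_fd3
fi
```

The secret still lives in the calling shell's memory (and so may still reach swap, as Peter notes); the FIFO only removes it from argv and from the filesystem.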

