AW: Extraction of decryption session key without copying complete encrypted file
Fiedler Roman
Roman.Fiedler at ait.ac.at
Fri Aug 4 14:36:12 CEST 2017
> Von: Werner Koch [mailto:wk at gnupg.org]
>
> On Wed, 2 Aug 2017 15:52, Roman.Fiedler at ait.ac.at said:
>
> > How to decrypt large files, e.g. gpg-encrypted backups, without
> copying them to the machine with the GPG private key?
>
> With GnuPG 2.1 this is easy: You use ssh's socket forwarding feature to
> forward gpg-agent's restricted remote socket, for example
>
> /run/user/1000/gnupg/S.gpg-agent.extra
>
> to the host and there you run gpg which will then connect back to the
> agent on your desktop. For details see
>
> https://wiki.gnupg.org/AgentForwarding
Ah, that's great - and actually the first nice gpg-agent feature apart from
gpg-agent being little annoying when running it on RAM-disks in early boot.
The agent forwarding guide from above is fine, should be easy to implement.
Just one more question: how do I restrict the private key lifetime within the
agent or the number of agent requests before password repeat is needed? Best
would be 0 seconds (agent should ask for passphrase every time a key is
requested), but I could also live with something below 60sec.
What's the best way to implement that? I did not find a gpg option by myself.
If none available, I guess it might be possible to find some value for
RLIMIT_CPU, that would kill the agent process when attempting to do another
sign/decrypt operation?
LG R
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4814 bytes
Desc: not available
URL: </pipermail/attachments/20170804/1fab9adc/attachment.bin>
More information about the Gnupg-users
mailing list