Automating and integrating GPG

Andreas Heinlein aheinlein at gmx.com
Tue Sep 19 15:53:46 CEST 2017


Am 18.09.2017 um 23:45 schrieb Daniel Kahn Gillmor:
> I don't know how much smartcard interaction gpgme supports, though.

None, as it seems. I have started developing with python-gpg and gpgme
some weeks ago, but haven't done anything with smartcards yet. But
as far as I can tell from the docs, gpgme completely hides the internals
of key storage; to gpgme it doesn't matter whether the key is located on
disk or stored in a smartcard or token.

Having said that, I must say that your goal is somewhat difficult to
achieve. Handling of the passphrase is about one of the most sensitive
tasks when dealing with encryption. I currently can think of no way you
could handle passphrases on your own in python which I would call
'secure'. Don't pass it on the command line to a gpg subprocess, that
will be readable in the process list for everyone. But even if you pass
it along with e.g. gpgme, it might be possible to read the memory of
that python process and steal the passphrase. That part of the memory
might also be swapped out. Read the relevant part of the FAQ:

https://www.gnupg.org/faq/gnupg-faq.html#insecure_memory

Furthermore, for me one of the best reasons for using smartcards is that
you don't enter the PIN/passphrase on the (potentially compromised)
computer at all, but use a class 2 or 3 smartcard reader for that. Using
a class 1 reader and juggling around the PIN in scripts defeats 50% of
the purpose of a smartcard to me (the other 50% being that you can't
copy the secret key from the card, this stays untouched). I guess you
just have no choice when you say you are "required to", but keep that in
mind.

If you must use python and cannot use gpgme, your best bet might be to
write the passphrase out to a file which only you can read, and pass it
to the gpg command line using '--passphrase-file' or '--passphrase-fd'.
You will need to trust root on that machine in any case.

Andreas
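
The following is an added example, not code from the message above or from
the GnuPG project, showing the two mechanisms Andreas names: handing the
passphrase to a gpg subprocess over a private pipe with '--passphrase-fd'
(so it never appears in argv or on disk), and writing a mode-0600 file for
'--passphrase-file'. It assumes GnuPG 2.1 or later (where unattended
passphrase input needs '--pinentry-mode loopback') and a POSIX system, since
it relies on os.pipe() and subprocess's pass_fds. The function names,
the sample argument list and the example passphrase are my own.

```python
"""Pass a passphrase to gpg without putting it on the command line.

Added example (not from the mailing-list post). Assumes GnuPG >= 2.1 and a
POSIX platform; gpg-agent must allow loopback pinentry (the default unless
'no-allow-loopback-pinentry' is set in gpg-agent.conf).
"""
import os
import stat
import subprocess
import tempfile


def build_gpg_argv(passphrase_fd, gpg_args, gpg="gpg"):
    """Return argv for an unattended gpg call that reads its passphrase from
    file descriptor `passphrase_fd`.  Only the descriptor number is visible
    in the process list; the passphrase itself never enters argv."""
    return [
        gpg,
        "--batch",                      # no interactive prompts
        "--yes",                        # assume yes on overwrite questions
        "--pinentry-mode", "loopback",  # required for --passphrase-fd on 2.1+
        "--passphrase-fd", str(passphrase_fd),
    ] + list(gpg_args)


def run_gpg_with_passphrase(passphrase, gpg_args, gpg="gpg", stdin_data=None):
    """Run gpg with the passphrase supplied over a pipe that only the child
    inherits.  Returns the CompletedProcess (stdout/stderr captured)."""
    read_end, write_end = os.pipe()
    try:
        # gpg reads up to the first newline.  A short passphrase fits in the
        # pipe buffer, so we can write it before the child even starts and
        # then close our write end so gpg sees EOF.
        os.write(write_end, passphrase.encode("utf-8") + b"\n")
    finally:
        os.close(write_end)
    try:
        return subprocess.run(
            build_gpg_argv(read_end, gpg_args, gpg),
            pass_fds=(read_end,),   # hand exactly this fd to the child
            input=stdin_data,
            capture_output=True,
        )
    finally:
        os.close(read_end)      # parent drops its copy in every case


def write_private_passphrase_file(passphrase, directory=None):
    """Create a passphrase file for --passphrase-file that only the current
    user can read.  mkstemp creates the file with mode 0600 and O_EXCL, so
    no other user can pre-create or read it.  Caller must delete it."""
    fd, path = tempfile.mkstemp(prefix="gpgpass-", dir=directory)
    try:
        os.write(fd, passphrase.encode("utf-8") + b"\n")
    finally:
        os.close(fd)
    return path


def passphrase_file_is_private(path):
    """True if `path` is a regular file owned by us with no group/other bits.
    Useful as a pre-flight check before passing it to --passphrase-file."""
    st = os.stat(path)
    return (
        stat.S_ISREG(st.st_mode)
        and st.st_uid == os.getuid()
        and stat.S_IMODE(st.st_mode) & 0o077 == 0
    )


if __name__ == "__main__":
    # Decrypt a file with a passphrase that never touches argv or disk.
    # "message.gpg" and the passphrase are placeholders for this demo.
    result = run_gpg_with_passphrase(
        "correct horse battery staple",
        ["--decrypt", "message.gpg"],
    )
    print(result.returncode, result.stderr.decode(errors="replace"))
```

The pipe variant is preferable to the file variant because there is nothing
to clean up and nothing for another process to read later; root can still
read the pipe contents out of either process, which is the limitation
Andreas points out. Either way the passphrase lives in the Python process's
memory and can be swapped, exactly as the FAQ link describes.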



