GPG : "No secret key found" error
Robert J. Hansen
rjh at sixdemonbag.org
Thu Jun 10 02:46:09 CEST 2021
> But, this command had a risk of exposing *$PASSPHRASE* to the UNIX
> console if any user executes *ps -ef* command while the code is running.
> This was a huge security breach so I chose the *--passphrase-file*
> option to read the decryption password from a file.
>
> Now, all I need is to place the file, which stores the decryption
> password, with strict user permissions.

And this is probably a bad idea.

Clearly, you have a place where you feel it's safe to store a file
containing the passphrase for your certificate. So remove the
passphrase from your certificate and store it there, in that safe place
on your filesystem.

> Having said that, just to add a little bit of more security...

This is a really bad habit: thinking that "I'll just add one more step
to add a little bit more security." It's endemic to the community --
you are far from the only person to have it. But it's a bad habit, and
here's why: security decisions always need to be connected to your
threat model.

Is there something in your threat model you can point to and say,
"because of this particular threat we're concerned about, this step I
want to take is warranted"? If so, go for it. If not, don't.
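The exposure the original poster describes (a passphrase in `gpg --passphrase "$PASSPHRASE"` being readable by anyone who runs `ps -ef`) can be checked directly, because `ps` simply prints `/proc/<pid>/cmdline`. The script below is an added illustration, not code from this thread or from GnuPG: it assumes Linux with `/proc`, uses a plain `sh`/`sleep` process as a stand-in for gpg so it runs without gpg, and uses "hunter2" as a constructed dummy secret. It contrasts argv with the file-descriptor route (`--passphrase-fd`, the same mechanism `--passphrase-file` relies on).

```shell
#!/bin/sh
# Added example (not from the thread). On Linux /proc/<pid>/cmdline is
# world-readable unless procfs is mounted with hidepid, so whatever sits
# in a process's argv is visible to every local user via `ps -ef`.
# A stand-in `sh` running `sleep` plays the role of gpg.

# argv_of PID: print PID's command line on one line (NULs become spaces).
argv_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# report_exposure PID SECRET: "exposed" if SECRET is readable in PID's argv.
report_exposure() {
    case "$(argv_of "$1")" in
        *"$2"*) echo exposed ;;
        *)      echo hidden ;;
    esac
}

# leaks_via_argv SECRET: secret passed as an argument, like
# `gpg --passphrase "$PASSPHRASE"`. The trailing `:` keeps the stand-in
# shell alive (no exec optimisation) so its argv is what we inspect.
leaks_via_argv() {
    sh -c 'sleep 2; :' sh "$1" &
    pid=$!
    sleep 1                       # let the child finish its exec
    report_exposure "$pid" "$1"
    wait "$pid"
}

# leaks_via_fd SECRET: secret delivered on fd 3, like
# `gpg --passphrase-fd 3 3< passfile`; argv never carries it.
leaks_via_fd() {
    sh -c 'IFS= read -r secret <&3; sleep 2; :' sh 3<<EOF &
$1
EOF
    pid=$!
    sleep 1
    report_exposure "$pid" "$1"
    wait "$pid"
}
```

Running `leaks_via_argv hunter2` prints `exposed` while `leaks_via_fd hunter2` prints `hidden`; the passphrase file itself then becomes the thing to protect, which is the point the reply above makes about simply storing an unprotected key in that same place.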