Example of 'PINENTRY_USER_DATA which can fulfill the' (envpassphrase) 'task'?

Jacob Bachmeyer jcb62281 at gmail.com
Tue Apr 30 02:14:40 CEST 2024


Bee via Gnupg-users wrote:
>> It is called "USER DATA" for a reason - you have to decide what to do
>> with it.
>
> But a novel pinentry must be created to receive the data. Again, this
> is circular.
>
>> If you really really want a passphrase, what about passing
>> the filename of a file holding the passphrase.
>
> AGAIN, this requires clear text storage trying to be avoided in the
> first place, or ... decrypting the encrypted file on the fly ... which
> requires a passphrase to be passed ... and we're circular again.

Yes, this is a fundamental limitation of public-key cryptography:  to 
decrypt a message or generate a signature, the private key must be 
available in cleartext.  Some would say that that is the point.

If you are trying to have some semblance of security with an unattended 
application, have you considered using a smartcard or HSM to store the key?


-- Jacob
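As an added illustration of the "novel pinentry" the quoted poster says PINENTRY_USER_DATA needs (example code, not GnuPG's own and not from anyone in this thread): a minimal Assuan-speaking pinentry that answers GETPIN from that variable. It assumes gpg-agent is pointed at it with `pinentry-program` in gpg-agent.conf, and it makes Jacob's point concrete: the passphrase still exists in cleartext, now in the environment of gpg, gpg-agent and this process.

```python
#!/usr/bin/env python3
"""Minimal unattended pinentry: GETPIN is answered from PINENTRY_USER_DATA.

Security note: an environment variable is cleartext storage. Any process
running as the same user can read it (e.g. from the process environment),
so this moves the secret around rather than protecting it.
"""
import os
import sys

GREETING = "OK Pleased to meet you"


def escape_data(value: str) -> str:
    """Percent-escape characters that are special on an Assuan 'D' line."""
    return value.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def handle_command(line: str, passphrase) -> list:
    """Return the reply lines for one Assuan command sent by gpg-agent.

    Only GETPIN carries data. SETDESC, SETPROMPT, OPTION and the rest are
    acknowledged with OK so the agent's setup chatter does not abort the dialog.
    """
    cmd = line.strip().split(" ", 1)[0].upper()
    if cmd == "BYE":
        return ["OK closing connection"]
    if cmd == "GETPIN":
        if passphrase is None:
            # Nothing supplied: cancel (GPG_ERR_CANCELED from source Pinentry)
            # rather than hand back an empty passphrase.
            return ["ERR 83886179 Operation cancelled <Pinentry>"]
        return ["D " + escape_data(passphrase), "OK"]
    return ["OK"]  # CONFIRM/MESSAGE are auto-confirmed: nobody is at a terminal


def main() -> None:
    passphrase = os.environ.get("PINENTRY_USER_DATA")
    print(GREETING, flush=True)
    for line in sys.stdin:
        for reply in handle_command(line, passphrase):
            print(reply, flush=True)
        if line.strip().upper() == "BYE":
            break


if __name__ == "__main__":
    main()
```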
