<div dir="ltr"><div dir="ltr">Hi Robert,<div><br></div><div>Many thanks for your email.</div><div>I will try to give you the background of the problem that led me to this approach.</div><div><br></div><div><b><u>Problem:</u></b></div><div>------------------------------------------------------------------------------------------------------------</div><div>I have a situation where password-protected PGP/GPG encrypted files need to be decrypted, processed through ETL operations and loaded into HIVE. I had a generic Korn Shell script which executes the command below.<br></div><div><br></div><div>cmd 1:</div><div><b>gpg --batch --yes --quiet --always-trust -o $OUTPUT_FILE --passphrase $PASSPHRASE -d $ENCRYPTED_SOURCE_FILE</b></div><div><br></div><div>But this command had a risk of exposing <b>$PASSPHRASE</b> on the UNIX console if any user executes the <b>ps -ef</b> command while the code is running. This was a huge security breach, so I chose the <b>--passphrase-file</b> option to read the decryption password from a file.</div><div><br></div><div>Now, all I need is to place the file which stores the decryption password with strict user permissions.</div><div><br></div><div>Having said that, just to add a little bit more security, I was thinking of encrypting the above-mentioned file (which stores the decryption password) and, within my shell script, decrypting it, reading it and passing the password to the "<b>gpg</b>" command.
</div><div>This encryption needs to be passwordless using the 7za utility; otherwise we will be stuck in a loop of storing the new password securely.</div><div><br></div><div>The 7za command below was used to encrypt without a password.</div><div>cmd 2:</div><div><b>7za a -mx=9 -mhe -t7z $ENCRYPTED_OUTPUT_FILE $SOURCE_FILE</b></div><div><br></div><div>Now "cmd 1" has been updated to the command below, which the UNIX shell script will use to read the above file and pass the passphrase on to the gpg decryption command.</div><div><br></div><div>cmd 3:</div><div><b>echo `7za x -so $FILE_WITH_DECRYPTION_PASSWORD` | gpg
--batch --yes --quiet --always-trust -o $OUTPUT_FILE
-d $ENCRYPTED_SOURCE_FILE
</b></div><div>------------------------------------------------------------------------------------------------------------</div><div><br></div><div>The problem I mentioned in my original post starts from here.</div><div>The above command doesn't run and fails with a "No secret key found" error, but it runs fine if it is executed immediately after the second part of the command, i.e.
<b>gpg
--batch --yes --quiet --always-trust -o $OUTPUT_FILE
-d $ENCRYPTED_SOURCE_FILE</b></div><div><br></div><div>There is a similar command, as mentioned below, which runs fine.</div><div><br></div><div>cmd 4:</div><div><b>echo `7za x -so
$FILE_WITH_DECRYPTION_PASSWORD` | 7za x -o$OUTPUT_FILE $7Z_ENCRYPTED_FILE</b></div><div><br></div><div>Please note that in the above command (cmd 4) the source files are encrypted with the 7z utility (or compressed with a password, as many people say).</div><div><br></div><div>The whole intention of doing all of this is just to avoid any possible PASSWORD security breach.</div><div><br></div><div>I hope I was able to give you a clearer picture of the requirement.</div><div><br></div><div>I am even open to any new design approach, if you experts can suggest one.</div><div>Please let me know in case of any queries.</div><div><br></div><div>-regards,</div><div>Abhisht Sharma</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 8 Jun 2021 at 20:10, Robert J. Hansen <<a href="mailto:rjh@sixdemonbag.org">rjh@sixdemonbag.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Please do not send HTML to this mailing list. Many of our members <br>
refuse to open HTML emails from unknown parties, so when you send HTML <br>
email to this list you're limiting the number of people who can see your <br>
question -- and maybe be able to help you!<br>
<br>
> Step 2. Instead, I have thought of storing the passphrase in a file <br>
> (passphrase.dat.pgp), encrypted that file without password and passing <br>
> the password to do the work using below command.<br>
<br>
How exactly do you "encrypt that file without password"?<br>
<br>
At any rate, this is probably a bad idea. Often the best way to proceed <br>
for scripting GnuPG tasks is to remove the passphrase from the certificate.<br>
<br>
> Step 3. To my wonder, when I execute Step 1 first and then Step 2 <br>
> (within a short span), it works, but if I directly run Step 2 ( which <br>
> actually will be happening as a part of solution), then it doesn't and <br>
> fails for "No secret key" error.<br>
<br>
This tells me that GnuPG is caching your passphrase with gpg-agent. <br>
When you run it the second time GnuPG sees the passphrase is in the <br>
cache and uses that, without ever needing to ask you for the passphrase.<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr">With Regards,<br>Abhisht Sharma<br>+353 899875624<br></div></div></div></div></div>
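<p>The following is an added example for readers of this thread; it is not code from either poster. It addresses the two concerns raised above: keeping the passphrase out of <code>ps -ef</code> (cmd 1's <code>--passphrase $PASSPHRASE</code> puts it in argv), and the fact that cmd 3 pipes the passphrase into gpg's stdin without telling gpg to read it from there. GnuPG 2.1 and later accept the passphrase on a file descriptor when given <code>--pinentry-mode loopback --passphrase-fd N</code>, which is what the script uses. It also enforces the "strict user permissions" the original poster mentions before touching the passphrase file, and runs its self-check in a throwaway GNUPGHOME so a passphrase cached by gpg-agent (the effect Robert describes) cannot mask a broken invocation. It assumes GnuPG 2.1+ and a POSIX sh; all file names and the passphrase value are constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumes GnuPG 2.1 or later
# (for --pinentry-mode loopback) and a POSIX sh; file names are illustrative.

# Return 0 when FILE is a regular file with no group/other permission bits
# (e.g. -rw-------), 1 otherwise.  The mode column of `ls -l` is specified
# by POSIX, so this works on GNU and BSD userlands alike.
passphrase_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -r??------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Decrypt IN_FILE to OUT_FILE, handing gpg the passphrase over file
# descriptor 3.  `ps -ef` shows only "--passphrase-fd 3"; the secret never
# appears in argv.  --pinentry-mode loopback tells GnuPG 2.1+ to read the
# fd itself instead of asking gpg-agent/pinentry.  Returns 2 without
# running gpg if the passphrase file is readable by anyone but its owner.
gpg_decrypt_with_fd() {
    pf=$1; in_file=$2; out_file=$3
    if ! passphrase_file_is_private "$pf"; then
        echo "refusing to use $pf: it must be readable by its owner only" >&2
        return 2
    fi
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3 \
        -o "$out_file" -d "$in_file" 3< "$pf"
}

# Self-contained round trip using symmetric encryption (no keyring needed)
# so the fd path can be exercised anywhere.  The body runs in a subshell
# with a throwaway GNUPGHOME, so the real agent's passphrase cache cannot
# turn a broken command into a false success.  Prints the recovered text.
roundtrip_demo() (
    umask 077
    tmp=$(mktemp -d) || exit 1
    GNUPGHOME=$tmp; export GNUPGHOME
    printf 'constructed-demo-passphrase\n' > "$tmp/pass"   # constructed value
    printf 'hello\n' > "$tmp/plain"
    gpg --batch --quiet --symmetric --pinentry-mode loopback --passphrase-fd 3 \
        -o "$tmp/plain.gpg" "$tmp/plain" 3< "$tmp/pass" || exit 1
    gpg_decrypt_with_fd "$tmp/pass" "$tmp/plain.gpg" "$tmp/out" || exit 1
    cat "$tmp/out"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$tmp"
)

# Usage from a script, with the passphrase file created under umask 077:
#   gpg_decrypt_with_fd /secure/passphrase.dat "$ENCRYPTED_SOURCE_FILE" "$OUTPUT_FILE"
```

<p>Feeding the passphrase on a descriptor removes the need for the 7za wrapping in cmd 2 and cmd 3: a 0600 file read only by the script's own process is the protection that matters, since any user who could read the 7z archive could run the same passwordless extraction. The permission check fails closed, so a deployment mistake (a file left at 0644) stops the job instead of silently proceeding.</p>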