I wasn't thinking of encrypting the passphrase with gpg. I have on
occasion embedded a password in a perl script and then encrypted that
portion of the script via Perl module Filter::CBC. The script upon
execution decrypts on-the-fly w/o the need for a passphrase. A user can
never decrypt it though so you have to keep a nonencrypted backup of
your script (w/o the password of course).
John_inDenver
Benjamin Mord wrote:
(Don't encrypt the passphrase - if you do, then you still need a
passphrase to decrypt the passphrase, etc... etc...)
Asymmetric cryptography can be extremely handy for automated
encryption/decryption scenarios. For example, I sometimes have a
somewhat vulnerable general-purpose machine encrypt data using only a
public key, and write it somewhere shared. Then I'll have a tightly
secured single-purpose machine later read and decrypt that data for some
purpose. This is analogous to a one-way mail drop, where you trust the
mailman more than the general public. I use this technique in scenarios
where although both machines are somewhat trusted, one machine is
more trusted than the other. This way the machine that does the
encryption has no knowledge of how to decrypt, so that if compromised,
only the data that it processes from point of compromise going forward
is in any kind of danger. (At this point you've reduced the security
problem to one of monitoring or periodic cleaning, e.g. periodic reboots
while running off read-only media.) The second machine is entrusted with
knowledge of how to decrypt, but in exchange it is tightly secured and
specialized for a single task.
Ben
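The one-way mail drop Ben describes, as an added example that is not part of the original thread: the less-trusted producer holds only the public key and can encrypt but never decrypt, while the hardened consumer holds the (passphrase-less, host-protected) secret key. It assumes GnuPG 2.x on the PATH; the user ID, directories and file names are placeholders chosen for this demo.

```shell
#!/bin/sh
# Added example: GnuPG one-way drop between a producer and a consumer machine,
# simulated here with two throwaway --homedir keyrings on one host.
set -eu

setup_demo_keys() {
  PRODUCER_HOME=$(mktemp -d); CONSUMER_HOME=$(mktemp -d)
  chmod 700 "$PRODUCER_HOME" "$CONSUMER_HOME"
  # Consumer generates the keypair unattended. No passphrase: a script cannot
  # hold one safely anyway, so the secret key is protected by the host instead.
  gpg --homedir "$CONSUMER_HOME" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --quick-generate-key "drop-demo@example.invalid" \
      default default never
  # Only the public key crosses to the producer side.
  gpg --homedir "$CONSUMER_HOME" --export "drop-demo@example.invalid" \
    | gpg --homedir "$PRODUCER_HOME" --batch --quiet --import
}

# Producer side: encrypt to the consumer's public key. --trust-model always
# skips the web-of-trust prompt that would otherwise abort a batch run.
encrypt_for_drop() {  # $1 = plaintext file, $2 = ciphertext output
  gpg --homedir "$PRODUCER_HOME" --batch --quiet --yes --trust-model always \
      --recipient "drop-demo@example.invalid" --output "$2" --encrypt "$1"
}

# The property that limits a producer compromise: its keyring has no secret key,
# so decryption there must fail.
producer_cannot_decrypt() {  # $1 = ciphertext file
  ! gpg --homedir "$PRODUCER_HOME" --batch --quiet --decrypt "$1" >/dev/null 2>&1
}

# Consumer side: decrypt what was written to the shared drop.
decrypt_from_drop() {  # $1 = ciphertext file, $2 = plaintext output
  gpg --homedir "$CONSUMER_HOME" --batch --quiet --yes --pinentry-mode loopback \
      --passphrase '' --output "$2" --decrypt "$1"
}

cleanup_demo() {  # stop the agents gpg started for the temporary homedirs
  gpgconf --homedir "$CONSUMER_HOME" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$PRODUCER_HOME" --kill gpg-agent 2>/dev/null || true
  rm -rf "$PRODUCER_HOME" "$CONSUMER_HOME"
}

demo() {
  setup_demo_keys
  printf 'batch record 1\n' > "$PRODUCER_HOME/data.txt"   # constructed sample data
  encrypt_for_drop "$PRODUCER_HOME/data.txt" "$PRODUCER_HOME/data.gpg"
  producer_cannot_decrypt "$PRODUCER_HOME/data.gpg" && echo "producer cannot decrypt: ok"
  decrypt_from_drop "$PRODUCER_HOME/data.gpg" "$CONSUMER_HOME/data.txt"
  cat "$CONSUMER_HOME/data.txt"; cleanup_demo
}
case "${1:-}" in run) demo ;; esac
```

Run with `sh drop_demo.sh run`; in a real deployment the two homedirs live on different machines and only `data.gpg` travels between them.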
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John M Church
Sent: Friday, April 07, 2006 10:16 AM
To: [EMAIL PROTECTED]; GnuPG Users List
Subject: Re: Automated processes
I think it's simplistic to just brush-off this request as a user who
wants convenience. There are very valid reasons for automated
decryption. I'm working a similar project (and have my own issue - see
"Automated Decryption via Script Running Setuid" written 4/5/06). Seems
to me if you protect your script and you are behind a firewall you're
not 'trading security for convenience'. You can even encrypt the
passphrase in your script if you're afraid someone with sudo or root
privileges could open your script.
John_inDenver
John W. Moore III wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
jkaye wrote:
I know that for PGP, there's an environment setting that
can be used to prevent this. Is there a similar thing for
GnuPG, or do I have to jump through some hoops?
Hmm.....Let me see if I've understood you. You desire to use GPG for
security 'Point to Point' then swap security for convenience on your
end?
My suggestion would be to either switch to Thunderbird w/Enigmail as
your MUA. You can set Enigmail to 'remember' your passphrase for a
specified length of time or until you Close the program.
JOHN ;)
Timestamp: Thursday 06 Apr 2006, 19:42 -0400 (Eastern Daylight Time)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4-4094cvs: (MingW32)
Comment: Public Key at: http://tinyurl.com/8cpho
Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
Comment: Homepage: http://tinyurl.com/9ubue
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users