(Don't encrypt the passphrase - if you do, then you still need a passphrase to decrypt the passphrase, etc... etc...)
Asymmetric cryptography can be extremely handy for automated encryption/decryption scenarios. For example, I sometimes have a somewhat vulnerable general-purpose machine encrypt data using only a public key, and write it somewhere shared. Then I'll have a tightly secured single-purpose machine later read and decrypt that data for some purpose. This is analogous to a one-way mail drop, where you trust the mailman more than the general public.

I use this technique in scenarios where although both machines are somewhat trusted, one machine is more trusted than the other. This way the machine that does the encryption has no knowledge of how to decrypt, so that if compromised, only the data that it processes from point of compromise going forward is in any kind of danger. (At this point you've reduced the security problem to one of monitoring or periodic cleaning, e.g. periodic reboots while running off read-only media.) The second machine is entrusted with knowledge of how to decrypt, but in exchange it is tightly secured and specialized for a single task.

Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John M Church
Sent: Friday, April 07, 2006 10:16 AM
To: [EMAIL PROTECTED]; GnuPG Users List
Subject: Re: Automated processes

I think it's simplistic to just brush off this request as a user who wants convenience. There are very valid reasons for automated decryption. I'm working on a similar project (and have my own issue - see "Automated Decryption via Script Running Setuid" written 4/5/06). Seems to me if you protect your script and you are behind a firewall you're not 'trading security for convenience'. You can even encrypt the passphrase in your script if you're afraid someone with sudo or root privileges could open your script.

John_inDenver

John W. Moore III wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> jkaye wrote:
>
>> I know that for PGP, there's an environment setting that
>> can be used to prevent this. Is there a similar thing for
>> GnuPG, or do I have to jump through some hoops?
>
> Hmm..... Let me see if I've understood you. You desire to use GPG for
> security 'Point to Point' then swap security for convenience on your end?
>
> My suggestion would be to either switch to Thunderbird w/Enigmail as
> your MUA. You can set Enigmail to 'remember' your passphrase for a
> specified length of time or until you Close the program.
>
> JOHN ;)
> Timestamp: Thursday 06 Apr 2006, 19:42 --400 (Eastern Daylight Time)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.4-4094cvs: (MingW32)
> Comment: Public Key at: http://tinyurl.com/8cpho
> Comment: Gossamer Spider Web of Trust (US26): http://www.gswot.org
> Comment: Homepage: http://tinyurl.com/9ubue
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
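The one-way mail drop Ben describes above, as an added example that is not from the thread: two GnuPG home directories on one host stand in for the exposed "sender" machine and the hardened "reader" machine, so you can see that the sender side never holds anything that could decrypt what it wrote. The key name, directory layout and sample record are constructed for the demo, and it assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--pinentry-mode`).

```shell
#!/bin/sh
# Constructed demo of the one-way "mail drop" from the thread: two GnuPG home
# directories stand in for the two machines. The exposed "sender" only ever
# holds the public key; the hardened "reader" alone can decrypt. Names assumed.
set -eu
READER_UID='drop-reader (demo) <reader@example.invalid>'   # assumed key name
# setup_drop: generate the key pair on the reader, give the sender the public half.
setup_drop() {
    WORK=$(mktemp -d)
    READER="$WORK/reader"; SENDER="$WORK/sender"; SHARED="$WORK/shared"
    mkdir -p "$READER" "$SENDER" "$SHARED" && chmod 700 "$READER" "$SENDER"
    trap 'rm -rf "$WORK"' EXIT
    # No passphrase: the reader runs unattended, so its protection is host
    # hardening, not a stored secret that would itself need protecting.
    gpg --batch --quiet --homedir "$READER" --pinentry-mode loopback \
        --passphrase '' --quick-generate-key "$READER_UID" default default never
    gpg --batch --quiet --homedir "$READER" --armor --export "$READER_UID" \
        > "$WORK/reader.pub"
    gpg --batch --quiet --homedir "$SENDER" --import "$WORK/reader.pub"
}

# sender_encrypt FILE: run on the exposed machine; writes FILE.gpg into the drop.
sender_encrypt() {
    gpg --batch --quiet --homedir "$SENDER" --trust-model always \
        --recipient "$READER_UID" --output "$SHARED/$(basename "$1").gpg" --encrypt "$1"
}

# reader_decrypt NAME: run on the hardened machine; prints the plaintext.
reader_decrypt() {
    gpg --batch --quiet --homedir "$READER" --decrypt "$SHARED/$1.gpg"
}

# sender_secret_keys: number of secret keys on the sender; must stay 0.
sender_secret_keys() {
    gpg --batch --quiet --homedir "$SENDER" --list-secret-keys --with-colons \
        2>/dev/null | grep -c '^sec:' || true
}

# sender_can_decrypt NAME: "yes" if the exposed machine could read its own drop.
sender_can_decrypt() {
    if gpg --batch --quiet --homedir "$SENDER" --decrypt "$SHARED/$1.gpg" \
        >/dev/null 2>&1; then echo yes; else echo no; fi
}

if command -v gpg >/dev/null 2>&1; then
    setup_drop
    printf 'record from exposed host\n' > "$WORK/data.txt"
    sender_encrypt "$WORK/data.txt"
    reader_decrypt data.txt
fi
```

On a real deployment the two homedirs live on two hosts and only `reader.pub` and the `*.gpg` files ever cross between them; the check functions are there to confirm the sender side stays free of secret key material.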