Thanks for your response, Robert!

On Sun, Sep 10, 2006 at 05:36:33PM -0500, Robert J. Hansen wrote:
> Josef Wolf wrote:
> > 1. It locks the keyring. --lock-never will avoid this. Is it safe
> > to use --lock-never as long as it is guaranteed that _only_ "gpg -e"
> > is ever run? No key generation, no imports, no signing. Only
> > "gpg -e". Is this safe?
>
> Locking is a concurrency mechanism. As such, as long as you can
> guarantee that only one process will ever use the keyring, you should be
> fine regardless of what you do.
>
> Concurrent encryptions should be safe as well.
OK.

> > 2. There's the random_seed file. It is modified at every run.
>
> With good reason. Random number generation is important, and if you
> keep the same seed values it's possible for the same values to be
> generated, in which case it's not very random at all.

I wondered why /dev/random is not used.

It seems that "gpg -e --no-random-seed-file --lock-never -r foobar" does
what I want. With this, only a warning about trustdb not being writable
is issued. Can I safely ignore this warning? Does --no-random-seed-file
force /dev/random to be used?

> > Any ideas?
>
> My first idea, and I think the best suggestion, is to look into
> rearchitecting your solution so that this kind of lockdown isn't
> necessary.

I think my architecture should be OK. But I'm open to suggestions.
Here's a (simplified, because it is OT on this list) description of what
I try to do:

The goal is to make backups over the network (similar to amanda). For
this I set up an account named "backupserver" on the server and a
"backupclient" on the client. Backupserver's public key is copied to
[EMAIL PROTECTED]:~/.ssh/authorized_keys. Backupserver initiates a
backup via

  $ ssh [EMAIL PROTECTED] sudo /usr/local/bin/sendbackup >out

sendbackup runs gnutar as root and gpg as backupclient. To make sure
that [EMAIL PROTECTED] is not able to request unencrypted data, I need
to make sure that backupclient is not able to modify the keyring.

Please drop me a note if you see any flaws in such a setup.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
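The following is an added sketch of the "sendbackup" side of the setup described in the message above; it is example code, not the poster's script and not part of GnuPG. The directory name /etc/backup/gnupghome, the account name backupclient and the recipient name backupserver are assumptions. It runs gnutar as root and pipes the archive into gpg running as the unprivileged account, with --lock-never and --no-random-seed-file so the encrypt-only run never needs to write into the keyring directory. Before encrypting it refuses to proceed unless the keyring directory and everything in it are owned by root with no group/other write bits, since a directory owned by backupclient could be chmod'ed (and the keyring replaced) by backupclient itself no matter what the mode bits say. --trust-model always is added here so that --batch does not abort on a recipient key that has no validity in the (read-only) trustdb.

```shell
#!/bin/sh
# Added example for the gnupg-users thread above; not the poster's code.
# Assumed layout: root-owned /etc/backup/gnupghome (0755, files 0644)
# holding only the backupserver public key; an unprivileged account
# "backupclient"; run as root via "sudo /usr/local/bin/sendbackup".
set -eu

GNUPGHOME_RO=/etc/backup/gnupghome   # assumed read-only keyring directory
BACKUP_USER=backupclient             # assumed unprivileged account
RECIPIENT=backupserver               # assumed user ID of the encryption key

# keyring_locked_down DIR UID
# Returns 0 only if DIR and every entry below it are owned by UID and
# carry no group/other write bit. Uses "ls -ldn" so it works with both
# GNU and BSD userland; paths are assumed to contain no whitespace.
keyring_locked_down() {
    dir=$1; want_uid=$2
    for p in $(find "$dir"); do
        set -- $(ls -ldn "$p")       # $1 = mode string, $3 = numeric uid
        mode=$1; uid=$3
        [ "$uid" = "$want_uid" ] || return 1
        # character 6 is the group write bit, character 9 the other write bit
        case "$mode" in
            ?????w*|????????w*) return 1 ;;
        esac
    done
    return 0
}

# gpg_encrypt_args RECIPIENT
# Prints, one per line, the gpg options for the encrypt-only run:
#   --lock-never           no lock files are created in the keyring dir
#   --no-random-seed-file  random_seed is neither read nor written
#   --batch --no-tty       never prompt
#   --trust-model always   do not consult trustdb validity for the recipient
gpg_encrypt_args() {
    printf '%s\n' --homedir "$GNUPGHOME_RO" --batch --no-tty \
        --lock-never --no-random-seed-file --trust-model always \
        -r "$1" -e
}

# send_backup PATH...
# tar runs as root (this script is started via sudo); gpg runs as the
# unprivileged account, which can read but not modify the keyring.
# Ciphertext goes to stdout, i.e. back over the ssh session.
send_backup() {
    if ! keyring_locked_down "$GNUPGHOME_RO" 0; then
        echo "sendbackup: refusing, $GNUPGHOME_RO is not root-owned/read-only" >&2
        return 1
    fi
    tar -C / -cf - "$@" | sudo -u "$BACKUP_USER" gpg $(gpg_encrypt_args "$RECIPIENT")
}

# usage: sudo /usr/local/bin/sendbackup etc home
if [ $# -gt 0 ]; then
    send_backup "$@"
fi
```

The ownership check is what makes the mode-bit check meaningful: with the keyring directory owned by root, backupclient cannot add a second recipient key or swap pubring.gpg, so a request from the server account can only ever yield data encrypted to the key root installed there.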