On Fri, 29 Aug 2008 19:24, [EMAIL PROTECTED] said:

> It will be a server doing the work. I want it completely automated, so
> there will be no human interaction.

To avoid having your keys or a passphrase stored somewhere on the disk you
have two choices:

1. Use gpg-agent and gpg-preset-passphrase along with a script to ask the
   operator at boot time to enter the passphrase. That will keep the
   passphrase only in memory and thus make it a little bit harder for
   attackers to get it. Note that gpg-preset-passphrase has a bug but that
   will be fixed soon.

2. Use an HSM, like a smartcard, to store the key and have it decrypt the
   key. This way an attacker won't be able to get the key.

One attack you can't avoid is an attacker using your system to decrypt
files. I doubt that this is a real threat because the attacker could just
get the plaintext after gpg decrypted it.

Shalom-Salam,

   Werner

-- 
Linux-Kongress 2008 + Hamburg + October 7-10 + www.linux-kongress.org
Thoughts are free. Exceptions are regulated by a federal law.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
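Option 1 above (gpg-agent plus gpg-preset-passphrase, with an operator typing the passphrase once at boot) as a worked boot-time script. This is an added example, not code from Werner's mail or from the GnuPG project. It assumes GnuPG 2.2 or later (for `--with-keygrip` and `gpgconf --list-dirs libexecdir`), a gpg-agent.conf containing `allow-preset-passphrase`, and a placeholder `KEY_ID` that you replace with the server key's fingerprint. The sample key listing embedded in the script is constructed for the self-check only.

```shell
#!/bin/sh
# Added example, not part of Werner's mail or of GnuPG itself: a boot-time
# script that asks the operator for the passphrase once and seeds gpg-agent's
# cache with gpg-preset-passphrase, so the passphrase lives only in the
# agent's memory and never in a file. Assumes GnuPG 2.2 or later and a
# gpg-agent.conf that contains the line "allow-preset-passphrase".
# KEY_ID is a placeholder; set it to the fingerprint of the server's key.

KEY_ID="${KEY_ID:-PLACEHOLDER_KEY_FINGERPRINT}"

# Constructed sample of `gpg --with-keygrip --list-secret-keys` output, used
# only for the self-check at the bottom; the keygrips are made up.
SAMPLE_LISTING='sec   rsa2048 2008-08-29 [SC]
      Keygrip = 1111111111111111111111111111111111111111
uid           [ultimate] automated server (constructed)
ssb   rsa2048 2008-08-29 [E]
      Keygrip = 2222222222222222222222222222222222222222'

# Print the keygrip of the first encryption-capable subkey ("ssb ... [E]")
# found in a listing read from stdin. Decrypting files needs this subkey's
# grip, not the primary key's, because gpg-agent caches per keygrip.
encryption_keygrip() {
    awk '/^ssb.*\[E\]/ { want = 1; next }
         want && /Keygrip = / { sub(/.*Keygrip = /, ""); print; exit }'
}

# Run the parser over the constructed sample (used by the self-check).
demo_keygrip() {
    printf '%s\n' "$SAMPLE_LISTING" | encryption_keygrip
}

# Ask the operator on the console and hand the passphrase to gpg-agent.
# The passphrase travels over a pipe, never through a file or a command-line
# argument (arguments are visible to every user in the process table).
preset_passphrase() {
    keygrip=$1
    # gpg-preset-passphrase is usually not on PATH; ask gpgconf where it lives
    preset="$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase"
    printf 'Passphrase for key %s: ' "$KEY_ID" > /dev/tty
    stty -echo < /dev/tty
    IFS= read -r pass < /dev/tty
    stty echo < /dev/tty
    echo > /dev/tty
    # without --passphrase the tool reads the passphrase from stdin
    printf '%s' "$pass" | "$preset" --preset "$keygrip"
    status=$?
    unset pass
    return $status
}

main() {
    grip="$(gpg --batch --with-keygrip --list-secret-keys "$KEY_ID" | encryption_keygrip)"
    if [ -z "$grip" ]; then
        echo "no encryption subkey found for $KEY_ID" >&2
        exit 1
    fi
    preset_passphrase "$grip"
}

# Run only when invoked as `sh preset-at-boot.sh run`, e.g. from an init
# script; sourcing the file just defines the functions.
if [ "${1-}" = run ]; then
    main
fi
```

Two things to check when deploying this: the preset entry is still subject to gpg-agent's `max-cache-ttl`, so raise that value in gpg-agent.conf or the operator will be prompted again when it expires; and the passphrase is cleared whenever gpg-agent is restarted or reloaded (SIGHUP), so the script must run again after any such restart, not only at boot.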