On Tue, 2012-06-05 at 10:20 +0530, Amol Patil wrote:
> Currently I am having problem with the decryption of the file my code
> is like this
>
> echo shell_exec("echo $passphrase | $gpg --passphrase-fd 0 -o
> $unencrypted_file -d $encrypted_file");
If you do this the passphrase can be shown by any user on the system (for example using the ps(1) command). The window for this is small, yet this adds an attack vector. This attack becomes easier as you may trigger it via your web application (don't know what kind of web application this is so just guessing here).

Also if you store the passphrase in your scripts it is plain on your FS. Anyone with FS access can read it. This also includes exploits in your and other software running on your webserver. Even worse: if your webserver's config is broken at some point it may handle your files as plain text or something, allowing remote users to just read your passphrase with a web browser.

I suggest you drop the passphrase from the key as it does not add any security in this case but makes stuff like this more complex. You can actually improve the security by only storing the needed subkey(s) on your server and having the primary key protected off-site (for example on your work/devel system). If you need only decrypting on-site this will perfectly protect you from attacks doing signatures or certificates (sigs on other keys) or changing the key's crypto material or options. So if there was a successful attack somewhere in the future you can just revoke this subkey and add a new one so your clients can update using normal keyservers/... without needing to pass fingerprints around again.

Hope I was of at least some help :)

PS: another attack which is fully off-topic to this list is injecting something in $unencrypted_file or $encrypted_file. You need to fully trust the content of those vars.

-- 
Philipp. (Rah of PH2)
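As an added example (not code from this thread or from GnuPG), here is the same decryption call written so that the passphrase never travels through a shell command line and the file-name variables cannot inject shell syntax. The wrapper name gpgDecryptFile is hypothetical; it assumes $gpg is the path to a gpg binary and that the decryption key is already in the web user's keyring.

```php
<?php
// Added example, not the original poster's code: decrypt with gpg without
// exposing the passphrase to ps(1) and without shell injection through the
// file names. The function name and its parameters are assumptions.
function gpgDecryptFile(string $gpg, string $passphrase,
                        string $encryptedFile, string $unencryptedFile): bool
{
    // escapeshellarg() quotes every variable that reaches the shell, so a
    // value such as "x; rm -rf /" is treated as a file name, not as commands.
    $cmd = escapeshellarg($gpg)
         . ' --batch --yes --passphrase-fd 0'
         . ' --output ' . escapeshellarg($unencryptedFile)
         . ' --decrypt ' . escapeshellarg($encryptedFile);

    $spec = [
        0 => ['pipe', 'r'],   // stdin: gpg reads the passphrase from fd 0
        1 => ['pipe', 'w'],   // stdout (unused, but must be drained/closed)
        2 => ['pipe', 'w'],   // stderr: collected for error reporting
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    // The passphrase goes over a pipe into gpg's stdin. Unlike
    // "echo $passphrase | gpg ...", it is never part of any process's argv,
    // so other local users cannot read it from the process table.
    fwrite($pipes[0], $passphrase . "\n");
    fclose($pipes[0]);

    stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    $status = proc_close($proc);
    if ($status !== 0) {
        // Keep the passphrase out of logs; only gpg's own diagnostics go here.
        error_log('gpg decryption failed: ' . $stderr);
    }
    return $status === 0;
}
```

If you follow Philipp's advice and keep only a passphrase-less decryption subkey on the server, drop the `--passphrase-fd 0` option and the fwrite() to stdin entirely; with GnuPG 2.1 and later, feeding a passphrase over a fd also needs `--pinentry-mode loopback`.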
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users