On 2014-03-27 14:35, David Shaw wrote:
Limitations of the method
Plus that it has the same problems as
$ echo mysecret|gpg --passphrase-fd 0
That is, it ends up in your history if your shell keeps a history and
you don't prevent it, and other users on a multi-user system can see the
passphrase / the specific file used as a passphrase in the process list.
These issues wouldn't exist if GnuPG actually *supported* key files,
and would prompt for the key file as it does for a passphrase. That's
why I simply said "no", as in "it is not supported". But you can hack it
together.
Also, key files easily lead to security-by-obscurity implementations
where people think "an attacker doesn't know which file I use", whereas
the attacker thinks "let's try all files, that's computationally
feasible". But obviously that depends on the way you use it, it's just
something to be aware of.
it's not really using the binary file as a key, but rather as a
passphrase
I would consider this an advantage: the actual session key has good
entropy, and the file is just used to encrypt the session key. Even if a
"key file" would be properly supported by GnuPG, I would still prefer
this two-step approach.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
<http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
