Josh Clearihan:
> Hi,
>
> Thanks, but our requirement is that the key is secured with a passphrase.
>
> Any other ideas into what is wrong with my coding?
> echo "mypassphrase"| gpg2.exe ...

In my opinion it makes little sense to use a passphrase in this way: the passphrase is supposed to be entered interactively, since if someone gets access to the script with the hardcoded passphrase, she gets the passphrase, too.

If you don't want to store the secret key unencrypted on disk, maybe you could use a disk encryption layer below the file system (like dm-crypt/LUKS on GNU/Linux). As a result, you have a passphrase for the disk that is entered only once on reboot; then, when the system is running, you use the secret OpenPGP key without a passphrase, but the key material is still not stored unencrypted on disk and is protected in case an adversary just takes the disks with her.

Of course, this does not protect from cold-boot attacks, but (IMHO) it should be better than hardcoding the passphrase in a script on an unencrypted disk just to meet the requirement that the key should be encrypted with a passphrase.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
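As an added example, not part of the thread above and not the list member's recommendation: if a passphrase must be fed to an unattended gpg2 run anyway, the wrapper below keeps it out of the script text, out of argv (so it does not show in `ps`), and out of the shell history, and refuses to run unless the passphrase file is owned by the caller and readable by nobody else. It assumes GnuPG 2.1 or later (`--pinentry-mode loopback`, `--passphrase-fd`) and, following the advice above, that the file and keyring live on a dm-crypt/LUKS volume; the function names and the fd number are my own choices.

```shell
#!/bin/sh
# Added example (not code from the gnupg-users thread). Assumptions: GnuPG 2.1+
# with --pinentry-mode loopback and --passphrase-fd; the passphrase lives in a
# file readable only by the account running the job, ideally on an encrypted
# volume as the reply above suggests.

# Return 0 only if FILE is a regular file owned by the caller with mode 0400 or
# 0600; anything group- or world-readable is rejected. Uses GNU stat first and
# falls back to BSD stat so it works on Linux and macOS.
passphrase_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null) || return 1
    case $mode in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Make a detached ASCII-armored signature of INPUT as INPUT.asc.
# The passphrase is passed on fd 3 (redirected from the file), so it never
# appears on the command line, in `ps` output, or in this script's text.
gpg_sign_unattended() {
    pf=$1
    input=$2
    if ! passphrase_file_ok "$pf"; then
        echo "refusing: $pf must be a regular file owned by you with mode 0600 or 0400" >&2
        return 2
    fi
    gpg2 --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
         --armor --detach-sign --output "$input.asc" "$input" 3< "$pf"
}

# Usage: gpg_sign_unattended /path/to/passphrase.txt /path/to/release.tar.gz
```

The permission check does not make storing the passphrase on an unencrypted disk safe; it only stops the obvious mistakes (a 0644 file, a passphrase on argv) while the real protection comes from the disk encryption layer the reply above describes.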