On 18.09.2017 at 23:45, Daniel Kahn Gillmor wrote:
> I don't know how much smartcard interaction gpgme supports, though.
None, as it seems. I started developing with python-gpg and gpgme some weeks ago, but haven't done anything with smartcards yet. But as far as I can tell from the docs, gpgme completely hides the internals of key storage; to gpgme it doesn't matter whether the key is located on disk or stored in a smartcard or token.

Having said that, I must say that your goal is somewhat difficult to achieve. Handling of the passphrase is about one of the most sensitive tasks when dealing with encryption. I currently can think of no way you could handle passphrases on your own in Python which I would call 'secure'. Don't pass it on the command line to a gpg subprocess; that will be readable in the process list for everyone. But even if you pass it along with e.g. gpgme, it might be possible to read the memory of that Python process and steal the passphrase. That part of the memory might also be swapped out. Read the relevant part of the FAQ: https://www.gnupg.org/faq/gnupg-faq.html#insecure_memory

Furthermore, for me one of the best reasons for using smartcards is that you don't enter the PIN/passphrase on the (potentially compromised) computer at all, but use a class 2 or 3 smartcard reader for that. Using a class 1 reader and juggling around the PIN in scripts defeats 50% of the purpose of a smartcard to me (the other 50% being that you can't copy the secret key from the card; this stays untouched). I guess you just have no choice when you say you are "required to", but keep that in mind.

If you must use Python and cannot use gpgme, your best bet might be to write the passphrase out to a file which only you can read, and pass it to the gpg command line using '--passphrase-file' or '--passphrase-fd'. You will need to trust root on that machine in any case.

Andreas
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
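As an added illustration of the last suggestion in Andreas's mail (this is example code, not anything from the thread or from GnuPG itself): the passphrase goes either into a file created with owner-only permissions for `--passphrase-file`, or over a pipe inherited by the gpg child for `--passphrase-fd`, so it never appears in the process list. The helper names are my own; `--pinentry-mode loopback` is the GnuPG 2.1+ option that makes `--passphrase-fd` take effect in batch mode.

```python
# Added example (not from the original mail): hand a passphrase to gpg via a
# 0600-mode file or an inherited pipe instead of the command line.
import os
import shutil
import subprocess
import tempfile


def write_passphrase_file(path, passphrase):
    """Create `path` with mode 0600 before the passphrase is written.

    O_EXCL refuses to reuse an existing file, so a pre-planted file with
    looser permissions cannot be picked up by mistake. Returns the mode bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(passphrase + "\n")
    return os.stat(path).st_mode & 0o777


def gpg_decrypt_command(passphrase_fd, infile, outfile):
    """argv for a batch decrypt reading the passphrase from `passphrase_fd`.

    The passphrase itself is never part of argv, so `ps` shows only the fd.
    """
    return ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
            "--passphrase-fd", str(passphrase_fd),
            "--output", outfile, "--decrypt", infile]


def decrypt_via_fd(infile, outfile, passphrase):
    """Run gpg with the passphrase delivered over a pipe it inherits.

    Returns gpg's exit status, or None when gpg is not installed.
    """
    if shutil.which("gpg") is None:
        return None
    read_end, write_end = os.pipe()
    proc = subprocess.Popen(gpg_decrypt_command(read_end, infile, outfile),
                            pass_fds=(read_end,), stdin=subprocess.DEVNULL)
    os.close(read_end)                      # the child keeps its own copy
    with os.fdopen(write_end, "w") as pipe:
        pipe.write(passphrase + "\n")       # child reads one line, then EOF
    return proc.wait()


def secure_file_demo(passphrase):
    """Constructed demo: write to a fresh temp dir, return (mode, contents)."""
    path = os.path.join(tempfile.mkdtemp(), "pass.txt")
    mode = write_passphrase_file(path, passphrase)
    with open(path) as f:
        return mode, f.read()
```

`decrypt_via_fd` only runs when a `gpg` binary is on PATH; the file and argv helpers work without it.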