gpg from cronjobs
Frank Tobin
ftobin@uiuc.edu
Tue, 21 Dec 1999 22:57:51 -0600 (CST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dave Harvill, at 22:36 on Tue, 21 Dec 1999, wrote:
> I believe there is a batch mode which can read the passphrase from a file.
> I suppose you could also tie some scripts together to accomplish this.
> Perl by itself might be able to, or perhaps you can use expect. Either
> of these, in fact any solution, will involve either putting the passphrase
> in one kind of file or another, or leaving no passphrase on the key.
Personally, I just say go for the key without a passphrase.
Here's thoughts on the issue:
Normally, the security of your secret keys relies on the use of two things:
the security of your system, and the security of the passphrase in your
head. The passphrase you use for your key really isn't necessary to the
use of OpenPGP; it's just a security mechanism for protecting your
secret key. Regardless, abiding by convention and using a passphrase to
encrypt your secret key requires that two different things be compromised
before your OpenPGP communication is compromised, and having layering in
security like this gives people a warm feeling all over.
In your case, you are trying to achieve communication using OpenPGP
without securing your private key with a passphrase. Now, assuming you
were just communicating between two points, this could be just as bad as
using a human-generated secret passphrase; in this example, the secret of
the communication is probably more easily broken by brute-forcing the
shared secret passphrase or breaking into the system. However, in your
case, the security of your OpenPGP communication is reliant solely on the
security of your system, and this could be a very, very, very bad thing,
especially if you have any idea how often various vulnerabilities become
exposed for virtually every operating system.
If this is sensitive information, the only hope of really keeping your
system secure is for no users to be on the system, and no daemons to be run
on the system; get your information from a 'suck' (e.g., wget), and hope
your wget program is secure; preferably, run it in a tight, tight
environment (I smell chroot).
Of course, if this really isn't sensitive enough information, you are
free to use it on your normal machine without all the lockdowns of
disabling your daemons and users; however, your vulnerability points
skyrocket when doing so (especially while having local users). Just keep
in mind that the security of your communications is solely reliant on no
one being able to break into your system.
- --
Frank Tobin http://www.neverending.org/~ftobin/
"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus
OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (FreeBSD)
Comment: pgpenvelope - http://www.uiuc.edu/ph/www/ftobin/resources.html
iEYEARECAAYFAjhgWl0ACgkQVv/RCiYMT6MHawCfaMnBEQrnZtBv4kkLMd+zB/Xe
jfgAn3Ziu+VgvHrF63EKPXAd59fYGfia
=Lueu
-----END PGP SIGNATURE-----
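The setup the thread is arguing about, as an added example that is not part of the original message or of GnuPG's own documentation: a dedicated, owner-only keyring for the cron job, a key generated with no passphrase in batch mode, and an unattended encrypt/decrypt round trip. It assumes GnuPG 2.1 or later (the --quick-generate-key and --pinentry-mode options do not exist in the GnuPG 1.0.1 of 1999); the user id "cron-fetcher <cron@example.invalid>" and the crontab line in the comments are hypothetical. The last function makes Frank's point concrete: with no passphrase, anyone who can read $GNUPGHOME exports the secret key without being asked anything, so the system's own security is the only thing left protecting it.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GnuPG >= 2.1.
set -eu
umask 077                      # every file created below is owner-only

# Hypothetical user id for the cron job's key.
CRON_UID="cron-fetcher <cron@example.invalid>"

# Create a private keyring directory for the job and generate a key with NO
# passphrase. --batch plus loopback pinentry plus an empty --passphrase is
# what makes gpg skip the prompt and leave the secret key unprotected.
# GNUPGHOME must be mode 0700 or gpg complains about unsafe permissions.
setup_keyring() {
    export GNUPGHOME="$1"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$CRON_UID" default default never
}

# Encrypt $1 to the job's own key, writing $2. --trust-model always skips
# the web-of-trust check that would otherwise need an interactive answer.
encrypt_file() {
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$CRON_UID" --output "$2" --encrypt "$1"
}

# Decrypt $1 into $2 unattended. The key has no passphrase, so gpg-agent
# never prompts; loopback mode keeps it from trying even if one existed.
decrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --output "$2" --decrypt "$1"
}

# What "no passphrase" means in practice: the secret key comes out in the
# clear for anyone who can read $GNUPGHOME. Prints the exported size in bytes.
secret_key_bytes() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --export-secret-keys "$CRON_UID" | wc -c | tr -d ' '
}

# Stop the agent spawned for this GNUPGHOME and wipe the keyring.
cleanup_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "${GNUPGHOME:-}"
}

# Hypothetical crontab line for the job once the keyring lives somewhere
# permanent (again, owner-only, on a box with no other users or daemons):
#   0 * * * * GNUPGHOME=/var/lib/cronjob/gnupg /usr/local/bin/fetch-and-decrypt
```

The round trip needs nothing but the keyring directory; if that directory is readable by anyone else, or the host is compromised, secret_key_bytes shows exactly what they get.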