How To: Create a batch mode, signed, encrypted file on AIX?
Ken T Takusagawa
kenta at MIT.EDU
Wed Apr 21 20:19:34 CEST 2004
Unfortunately this is beyond my knowledge. I know 0=stdin,
1=stdout, 2=stderr (so 0 is the only one immediately useful
for passphrase). There may be higher numbers, but I don't
know how to use them.
Have you tried:
gpg --passphrase-fd 0 etc. << EOF
password
EOF
--ken
On Wed, 21 Apr 2004 Jon.Morisey at serono.com wrote:
> Dear Ken,
>
> What does the number represent? I know you pass "0" which means stdin,
> but are there other #'s that you can pass to make it point to a file at a
> specified location? Is there a way to compile the passphrase in some code
> that makes the correct call to gpg?
>
> Regards,
>
>
> Ken T Takusagawa <kenta at MIT.EDU>
> 04/21/2004 10:28 AM
>
>
> To: Alexander Komarov <toor at izardsnest.org>
> cc: gnupg-users at gnupg.org, Jon.Morisey at serono.com
> Subject: Re: How To: Create a batch mode, signed, encrypted file on AIX?
>
>
> Someone running the "ps" command at just the right time will
> see the command "echo password" in the list of processes,
> thereby learning your password.
>
> Maybe if you are the only user of your machine, and you
> aren't too paranoid, then it's an OK thing to do.
>
> The point about --passphrase-fd is that it expects a number,
> not a file name.
>
> --ken
>
> On Tue, 20 Apr 2004, Alexander Komarov wrote:
>
> > I am using this:
> > echo password | gpg .... --passphrase-fd 0
> > Could anybody suggest if it is secure?
> >
> > Quoting Jon.Morisey at serono.com:
> > > Hi all,
> > >
> > > I am new to GNU and have a question regarding their encryption tools. I
> > > have an options file in place. How can I encrypt and sign a file in batch
> > > mode in the most secure way?
> > >
> > > I have considered:
> > > GPG=`/usr/local/bin/gpg --encrypt ${FILE_TO_ENCRYPT}<<EOF
> > > ${GNUGPPASS}
> > > EOF`
> > > that doesn't work
> > >
> > > I also checked:
> > > /usr/local/bin/gpg --encrypt --passphrase-fd ${GNUPASSFILE}
> > > ${FILE_TO_ENCRYPT}
> > > this one is always waiting for input, I have not been able to get it
> > > to read from the file containing the passphrase. Does anyone know how to
> > > make it accept the passphrase from the file descriptor parameter?
> > >
> > > I know that is not so secure anyway so I also found:
> > > http://www.gnupg.org/(en)/documentation/faqs.html
> > > this one fails for me on step 3. The command errors out. Does anyone
> > > know how to make this one work?
> > >
> > >
> > >
> > > 4.14) How can I use GnuPG in an automated environment?
> > > You should use the option --batch and don't use passphrases as there is
> > > usually no way to store it more securely than on the secret keyring
> > > itself. The suggested way to create keys for an automated environment is:
> > > On a secure machine:
> > > 1. If you want to do automatic signing, create a signing subkey for your
> > >    key (use the interactive key editing menu by issuing the command 'gpg
> > >    --edit-key keyID', enter "addkey" and select the DSA key type).
> > > 2. Make sure that you use a passphrase (needed by the current
> > >    implementation).
> > > 3. gpg --export-secret-subkeys --no-comment foo >secring.auto
> > > 4. Copy secring.auto and the public keyring to a test directory.
> > > 5. Change to this directory.
> > > 6. gpg --homedir . --edit foo and use "passwd" to remove the passphrase
> > >    from the subkeys. You may also want to remove all unused subkeys.
> > > 7. Copy secring.auto to a floppy and carry it to the target box.
> > > On the target machine:
> > > 1. Install secring.auto as the secret keyring.
> > > 2. Now you can start your new service. It's also a good idea to install
> > >    an intrusion detection system so that you hopefully get a notice of a
> > >    successful intrusion, so that you in turn can revoke all the subkeys
> > >    installed on that machine and install new subkeys.
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > _______________________________________________
> > Gnupg-users mailing list
> > Gnupg-users at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gnupg-users
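The whole thread turns on Ken's point that --passphrase-fd takes a descriptor number, not a file name, and on Jon's question whether numbers other than 0 can be used. The following is an added example, not code posted by anyone in the thread: it opens a passphrase file read-only on descriptor 3 (leaving stdin free for data, and keeping the secret out of any command line that ps could show), refuses a passphrase file that is group- or world-readable, and wraps the batch sign-and-encrypt call. The helper names are mine; gpg is assumed to be on PATH for the real call only.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates --passphrase-fd with a
# descriptor other than 0: the passphrase file is opened on fd 3 and the
# child inherits it, so the secret is never an argument and stdin stays free.

# Return 0 only when FILE exists and is not readable by group or others
# (find -perm -MODE with octal is POSIX, so this also works on AIX).
passfile_is_private() {
    [ -f "$1" ] || return 1
    insecure=$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)
    [ -z "$insecure" ]
}

# run_with_passphrase_fd FILE CMD [ARGS...]
# Opens FILE read-only on fd 3 and runs CMD with that descriptor inherited.
run_with_passphrase_fd() {
    passfile=$1; shift
    passfile_is_private "$passfile" || {
        printf 'refusing: %s must be mode 0600 or stricter\n' "$passfile" >&2
        return 2
    }
    "$@" 3< "$passfile"
}

# Stand-in for gpg used to show the plumbing without needing gpg installed:
# it reads one line from fd 3, exactly what gpg does with --passphrase-fd 3.
read_passphrase_fd3() {
    IFS= read -r pass <&3 && printf '%s\n' "$pass"
}

# gpg_sign_encrypt_batch PASSFILE RECIPIENT FILE
# The real call: sign and encrypt FILE for RECIPIENT in batch mode, with the
# passphrase read from fd 3. On GnuPG 2.1 or later, add
# --pinentry-mode loopback before --passphrase-fd; GnuPG 1.x (the version in
# this 2004 thread) does not know that option.
gpg_sign_encrypt_batch() {
    passfile=$1 recipient=$2 file=$3
    run_with_passphrase_fd "$passfile" gpg --batch --yes \
        --passphrase-fd 3 --sign --encrypt --recipient "$recipient" "$file"
}
```

The same pattern answers Jon's original attempt: `--passphrase-fd ${GNUPASSFILE}` hangs because gpg is given a path where it expects a number; opening the file on a descriptor and passing that number is the fix.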