automation on UNIX and Windows platforms

Steve Butler sbutler at fchn.com
Mon Feb 9 09:10:48 CET 2004


1.  Realize that any automation where the pass phrase is known to the script
is a huge security leak.  You might as well not have a pass phrase at all!

2.  Not having a pass phrase is one method to allow automation.  No pass
phrase to enter means no prompt for one.

3.  Then there is the --passphrase-fd option that allows a pass phrase to be
piped to gpg.  


#3 is the mechanism I use knowing full well that anybody that has access to
the Linux box will figure out how to read my script.  The answer is obtuse,
but any persistent individual can figure it out and there goes my (the
company's) secret key.  The box is secure enough that the company is willing
to take the risk for the automation.  

Example: 

$(script to obtain pass-phrase and write it to $STDLIST) | gpg --homedir
$homedir --passphrase-fd 0 --no-tty --output $output_filename --decrypt
$input_filename



-----Original Message-----
From: Network Mail [mailto:network at ecweb.com]
Sent: Monday, February 09, 2004 8:49 AM
To: gnupg-users at gnupg.org
Subject: automation on UNIX and Windows platforms


Hi,
	I read the section in the gnupg FAQ about setting up automation
and it didn't seem to make sense - you still have to provide a
password.  Perhaps I am missing something here.  Anyways, my situation is
that I want to setup a way to simply encrypt and decrypt from the
commandline in both UNIX and DOS with simple scripting(i.e. don't have to
use expect or anything else of that matter - can, just being lazy) where
it doesn't prompt me for a password, yet I can still pass the password to
the program via either piping, feeding through a file, or an environment
variable.  We use an older version of PGP on our server right now(2.62),
and it supports passing of the password through the environment variable
PGPPASS.  I don't see why GNUPG would not support something like this -
I'm hoping it does, but can not find any document reference to it.  As a
result, the requirement to enter in the password by hand makes automation
extremely difficult.  Anyways, I'm hoping someone here knows of such a way
I mentioned above, or another equally simple way to achieve this.  If not,
what's the low down and dirty dirt on how to get this sucker to work in an
automated fashion?  Any help would be greatly appreciated.

						- Thanks,
						  Brian



_______________________________________________
Gnupg-users mailing list
Gnupg-users at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.





More information about the Gnupg-users mailing list