Need non-writable --homedir
Josef Wolf
jw at raven.inka.de
Mon Sep 11 00:16:50 CEST 2006

Hello!
I need a setup where the user running "gpg -e -r foobar" is not able to
modify keyring contents.  I tried:
  # chown -R root:user     ~user/.gnupg
  # chmod -R u=rwX,g=rX,o= ~user/.gnupg
Unfortunately, this doesn't work because gpg does some write operations
in its .gnupg directory:
 1. It locks the keyring.  --lock-never will avoid this.  Is it safe
    to use --lock-never as long as it is guaranteed that _only_ "gpg -e"
    is ever run?  No key generation, no imports, no signing. Only
    "gpg -e".  Is this safe?
 2. There's the random_seed file.  It is modified at every run.  How can
    I handle this?  I bet it would be a security problem should someone
    be able to read this file.  Would it be possible to put it into a
    different directory?
 3. gpg writes temporary files into ~/.gnupg while encrypting.
Any ideas?
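As an added example (not part of the original post), the script below applies the permission model the post describes to a GnuPG home directory and then verifies, the way an administrator would before deploying it, that nothing under it is writable by the group or by others. The chown to root is left out because it needs root; only modes are set. The wrapper function shows the one invocation the post wants to allow: `--lock-never` comes from the post, while `--no-random-seed-file` is a GnuPG option not mentioned in the post that makes gpg skip writing random_seed (at the cost of slower random generation, per the GnuPG manual). The demo directory, its file names and the function names are constructed for this example; whether `--lock-never` is safe for an encrypt-only user is the thread's question and is not answered here.

```shell
#!/bin/sh
# Added example, not from the original post. Locks a GnuPG home directory
# down to owner-writable only and checks that the lockdown actually holds.

# Owner: full access; group: read and traverse only; others: nothing.
# In the post's setup the owner is root and the gpg user is in the group.
lockdown_homedir() {
    dir=$1
    chmod -R u=rwX,g=rX,o= "$dir"
}

# Return 0 when no entry under $1 is writable by group or others, 1 otherwise.
# Offending paths are printed so the administrator can see what is wrong.
check_not_group_writable() {
    dir=$1
    bad=$(find "$dir" \( -perm -g=w -o -perm -o=w \) -print)
    if [ -n "$bad" ]; then
        printf 'writable by group/others:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# The only operation the post wants the unprivileged user to run.
# --lock-never is from the post; --no-random-seed-file is a GnuPG option
# (assumed available in the installed version) that avoids the random_seed write.
encrypt_readonly() {
    dir=$1
    recipient=$2
    gpg --homedir "$dir" --lock-never --no-random-seed-file -e -r "$recipient"
}

# Constructed demo: a throwaway directory with empty stand-ins for the files
# gpg keeps in ~/.gnupg, so the script runs offline without a real keyring.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.gnupg"
    for f in pubring.gpg trustdb.gpg random_seed; do
        : > "$tmp/.gnupg/$f"
    done
    chmod -R g+w "$tmp/.gnupg"          # deliberately too open at first
    if check_not_group_writable "$tmp/.gnupg" >/dev/null; then
        echo "unexpected: directory already locked down"
    fi
    lockdown_homedir "$tmp/.gnupg"
    if check_not_group_writable "$tmp/.gnupg"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

demo
```

Run the check again after every gpg invocation during testing: if gpg recreated a file with group-write permission, or wrote a temporary file into the directory, the check reports the path, which is the quickest way to see which of the three write operations in the post is still happening.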