Batch Mode and decrypt

Joseph Oreste Bruni jbruni at mac.com
Tue Apr 17 18:02:31 CEST 2007


The 0 in "--passphrase-fd 0" is the number of the file descriptor
from which gpg will read the passphrase. In this case, 0, is stdin.
Since you didn't attach stdin to a pipe or a file through
redirection, stdin is still attached to your terminal. You aren't
being "prompted" for your passphrase, gpg is just reading from your
terminal (a pipe) which doesn't have any data to read until you type
it in.

You can redirect stdin two ways, either a pipe:

$ cat passphrase_file | gpg --passphrase-fd 0 ...

or from the stdin redirection

$ gpg --passphrase-fd 0 ... < passphrase_file

Reading from stdin doesn't necessarily mean it must come from a file.
Your passphrase can come from a program that writes the passphrase to
stdout:

$ my_agent | gpg --passphrase-fd 0 ...

And however "my_agent" securely stores your passphrase is left as an
exercise to the reader (e.g. database).


On Apr 17, 2007, at 8:27 AM, jane grove wrote:

> Thanks, David.  I still have a question though:
>
> In my script, I used the command
> "gpg --batch --passphrase-fd 0 -d [INPUTFILE]"
> to decrypt my "INPUTFILE".  When I run the script, it pauses and waits
> for the passphrase.  If I enter the passphrase, the script goes
> through well.  If I hit enter without the right passphrase, the script
> complains about not having the right passphrase.
>
> How can I run this script in silent mode, feed the passphrase to it
> automatically?  I am trying not to interact with the script during its
> running.
>
> Thanks - Jane
>
> On 4/14/07, David Shaw <dshaw at jabberwocky.com> wrote:
>> On Sat, Apr 14, 2007 at 10:23:24PM -0500, jane grove wrote:
>>> Hello,
>>> I am trying to use the GnuPG command "decrypt" in batch mode
>>> (i.e. in a script).
>>> When I use the option "--batch", I don't have a way to enter the
>>> user id or passphrase.
>>
>> Look at the --passphrase-fd, --passphrase-file, or --passphrase
>> options.  They are all in the manual, and can be used to provide a
>> passphrase during batch operation.
>>
>> However, if you are including the passphrase in a script, it is worth
>> asking yourself if there is any security benefit in having a
>> passphrase-protected key at all.  After all, an attacker who gets
>> access to the script needs merely to read it to know the passphrase.
>>
>> David
>>
>
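The descriptor mechanics described above, as an added example that is not part of the original thread: a POSIX sh helper that feeds gpg its passphrase on descriptor 3 rather than 0, so stdin stays free for the ciphertext, alongside a stand-in that shows the two descriptors are independent. The wrapper names, the 0600 permission check and the file names are my assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread). --passphrase-fd N tells
# gpg to read the passphrase from descriptor N; N=0 is stdin, which collides
# with piping the ciphertext in. Using fd 3 avoids that collision.
# Assumptions: gpg is in PATH; passphrase_file / secret.gpg are placeholders.

# Read one line from descriptor 3 (the descriptor gpg would read with
# --passphrase-fd 3) and print it without the trailing newline.
read_passphrase_fd3() {
    IFS= read -r line <&3 || return 1
    printf '%s\n' "$line"
}

# Stand-in for gpg: takes the passphrase on fd 3 and the payload on stdin,
# proving that a passphrase on fd 3 leaves stdin untouched for the data.
decrypt_stand_in() {
    pass=$(read_passphrase_fd3)   # fd 3 is inherited from the caller
    data=$(cat)                   # stdin still carries the payload
    printf 'pass=%s data=%s\n' "$pass" "$data"
}

# True only if the passphrase file grants no permission to group or others
# (i.e. mode 0600 or stricter); anyone who can read it can read the key.
passfile_is_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Real invocation: decrypt INFILE into OUTFILE with the passphrase from
# PASSFILE on fd 3. On GnuPG 2.1 or later add --pinentry-mode loopback,
# otherwise the agent ignores --passphrase-fd.
gpg_batch_decrypt() {
    passfile=$1 infile=$2 outfile=$3
    passfile_is_private "$passfile" || {
        echo "refusing: $passfile is readable by group/others" >&2
        return 2
    }
    gpg --batch --quiet --passphrase-fd 3 \
        --output "$outfile" --decrypt "$infile" 3< "$passfile"
}

# usage: gpg_batch_decrypt passphrase_file secret.gpg secret.txt
```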
