GnuPG encryption with key file
Peter Lebbing
peter at digitalbrains.com
Thu Mar 27 16:52:46 CET 2014
On 2014-03-27 14:35, David Shaw wrote:
> Limitations of the method
Plus that it has the same problems as
$ echo mysecret|gpg --passphrase-fd 0
That is, it ends up in your history if your shell keeps a history and
you don't prevent it, and other users on a multi-user system can see the
passphrase / the specific file used as a passphrase in the process list.
These issues wouldn't exist if GnuPG actually *supported* key files,
and would prompt for the key file as it does for a passphrase. That's
why I simply said "no", as in "it is not supported". But you can hack it
together.
Also, key files easily lead to security-by-obscurity implementations
where people think "an attacker doesn't know which file I use", whereas
the attacker thinks "let's try all files, that's computationally
feasible". But obviously that depends on the way you use it, it's just
something to be aware of.
> it's not really using the binary file as a key, but rather as a
> passphrase
I would consider this an advantage: the actual session key has good
entropy, and the file is just used to encrypt the session key. Even if a
"key file" would be properly supported by GnuPG, I would still prefer
this two-step approach.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
<http://digitalbrains.com/2012/openpgp-key-peter>
More information about the Gnupg-users
mailing list