GnuPG encryption with key file
Peter Lebbing
peter at digitalbrains.com
Fri Mar 28 12:48:52 CET 2014
On 27/03/14 16:52, Peter Lebbing wrote:
> Plus that it has the same problems as
>
> $ echo mysecret|gpg --passphrase-fd 0
>
> [...]
> Also, key files easily lead to security-by-obscurity implementations where
> people think "an attacker doesn't know which file I use", whereas the attacker
> thinks "let's try all files, that's computationally feasible".
I suddenly realise that in the "problems" I mention I'm making the exact same
mistake as the one I'm warning against: I'm assuming that it is secret which file
you use, rather than that the contents of the file are secret.
If some other user on a multi-user system can see which file I'm using, but
doesn't have the rights to access the contents of that file, they are none the
wiser.
So the "key file" method /is/ better than echo passphrase. It's still a risky
thing to use, in my opinion, though. And the hack presented doesn't allow for
the common scenario: a key file *as well as* a password. It might be possible to
hack that in as well.
HTH,
Peter.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
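An added example, not from the list thread: a POSIX shell helper that checks the key file is readable only by its owner before handing its contents to gpg over a dedicated file descriptor, so the passphrase never appears in any process's command line. The helper names keyfile_is_private and encrypt_with_keyfile are assumptions.

```shell
# Assumed helper names: keyfile_is_private, encrypt_with_keyfile.
# Verify a passphrase file is readable only by its owner and owned by us:
# the secrecy lives in the file's contents and permissions, not its name.
keyfile_is_private() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c5-10)     # group + other permission bits
    [ "$perms" = "------" ] || { echo "group/other can access $f" >&2; return 1; }
    owner=$(ls -ld "$f" | awk '{print $3}')
    [ "$owner" = "$(id -un)" ] || { echo "$f is not owned by $(id -un)" >&2; return 1; }
    return 0
}

# Encrypt stdin to stdout. The passphrase travels on fd 3, which the shell
# opens from the key file, so it is never an argument to echo or gpg (unlike
# `echo mysecret | gpg --passphrase-fd 0`) and stdin stays free for the data.
# GnuPG 2.1 and later may additionally need --pinentry-mode loopback.
encrypt_with_keyfile() {
    keyfile_is_private "$1" || return 1
    gpg --batch --symmetric --passphrase-fd 3 3< "$1"
}
```

Usage: `encrypt_with_keyfile ~/.secret/keyfile < plain.txt > plain.txt.gpg`, which refuses to run if the key file is group- or world-accessible.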