Hi again,

Firstly, as a Windows Outlook user, I've never figured out the correct 
etiquette on formatting responses to list-server messages, so I'm just going to 
post a new message without previous references.

Taking previous comments to heart, I've altered my "home directory" permissions 
to remove write access from everyone other than the owner (755).  I believe this 
plugs the hole that would have allowed others to replace files as Peter 
demonstrated.

The reason I allowed "write" was to overcome an error message users were 
getting.  Apparently, gpg needs to create some file in that location.  Allowing 
"write" permission was the first thing that came to mind when I first started 
using gpg and it's stayed that way for several years.

I was not previously familiar with the --keyring and --secret-keyring options 
and I believe that helps me a lot.  So now, to encrypt files:

gpg --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --always-trust \
    --no-secmem-warning \
    --recipient <vendor-id> --encrypt <file-name>

I found I had to add the --always-trust option to prevent a prompt for "batch" 
processes.  The keys are all "trusted" in my "home directory", but I didn't find 
an option to point to the "trustdb" file.

And to decrypt a file:

gpg --secret-keyring /opt/app/apps/dbmprod/gpg/secring.gpg \
    --keyring /opt/app/apps/dbmprod/gpg/pubring.gpg --no-secmem-warning \
    --output <file-name> \
    --decrypt <file-name>.gpg

It seems that since my "secring" only contains the private key used by vendors 
to send files to us, I do not need to actually specify the key by name.  My 
initial testing shows it works well.

How does that look?

>From what I can tell, the remaining risk is that anyone can copy and use my 
>private key because I do not have it passphrase protected. I'd be happy to add 
>a passphrase, as long as I can figure out how to make the key easily used by 
>any user.

A couple folks (Diego and Johannes) mentioned using a smartcard or a token.  I 
think a smartcard refers to a piece of hardware, but I don't know what a 
"token" means.  Our server is in a datacenter and I'm sure I cannot attach any 
sort of hardware.  I might be able to use a software only solution; I've heard 
something about "agents", but don't really understand any details.  Can such an 
agent be used, one that I can start and load the key with passphrase at system 
startup?
 
Thanks again for the comments; very helpful so far!

Bob
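An added example (not from Bob's post or the list) that wraps the encrypt and decrypt commands above in a script which first checks that the keyring directory is not group- or other-writable, the weakness Peter demonstrated. It assumes the keyring path from the post; the vendor key id, file names, and the `--no-default-keyring` flag (so only the named keyrings are consulted, not the caller's own) are additions.

```shell
#!/bin/sh
# Batch gpg wrapper: refuse to run if the shared keyring directory could be
# tampered with by other users. Paths are the poster's; key ids are placeholders.
set -e

KEYDIR="${KEYDIR:-/opt/app/apps/dbmprod/gpg}"   # poster's shared keyring dir

# Print the octal mode of a path (GNU stat first, then BSD/macOS stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when an octal mode (e.g. 755 or 0755) has no group or other write bit.
# Digits without the write bit (2) set are 0, 1, 4 and 5.
perm_ok() {
    g=$(printf '%s' "$1" | sed 's/.*\(.\).$/\1/')   # group digit
    o=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')    # other digit
    case "$g$o" in
        [0145][0145]) return 0 ;;
        *) return 1 ;;
    esac
}

# Abort unless the keyring directory is writable only by its owner.
require_safe_keydir() {
    if ! perm_ok "$(dir_mode "$KEYDIR")"; then
        echo "refusing: $KEYDIR is group/other writable" >&2
        return 1
    fi
}

# $1 = vendor key id, $2 = plaintext file; writes $2.gpg (the poster's command
# plus --batch/--no-tty so it never prompts, and --no-default-keyring).
encrypt_for_vendor() {
    require_safe_keydir
    gpg --batch --no-tty --no-default-keyring --keyring "$KEYDIR/pubring.gpg" \
        --always-trust --no-secmem-warning \
        --recipient "$1" --output "$2.gpg" --encrypt "$2"
}

# $1 = file.gpg received from a vendor, $2 = output path.
decrypt_from_vendor() {
    require_safe_keydir
    gpg --batch --no-tty --no-default-keyring \
        --secret-keyring "$KEYDIR/secring.gpg" --keyring "$KEYDIR/pubring.gpg" \
        --no-secmem-warning --output "$2" --decrypt "$1"
}

# Example invocation, only when explicitly requested (needs gpg and the keyrings).
if [ "${RUN_GPG_DEMO:-0}" = 1 ]; then
    encrypt_for_vendor "VENDOR-KEY-ID-PLACEHOLDER" "report.txt"
fi
```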

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
