RE: Use of --passphrase-file
Thanks Brian. I think I tried this but I couldn't figure out how to completely hide the passphrase so no one could get to it. Maybe I was using it incorrectly. Since this is an unattended operation that runs day and night, I wanted to secure the passphrase so gpg could get to it without human intervention, but not let anyone else see or know where it was stored.

Mike

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services | Phone 610.768.3416

From: Brian Minton [mailto:br...@minton.name]
Sent: Thursday, February 18, 2016 3:10 PM
To: Harman, Michael; gnupg-users@gnupg.org
Subject: Re: Use of --passphrase-file

A pretty good option is to use gpg-agent. It can keep your passphrase / secret key in (secure) memory for a few minutes so you can use the key in scripted tasks.

On Thu, Feb 18, 2016, 4:24 PM Harman, Michael <michael.har...@uhsinc.com> wrote:

I am attempting to automate a process that decrypts files. The files are encrypted with my key which has a passphrase. I have determined I can use the "--passphrase-file" option to get the passphrase of my key. In the gpg documentation at https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, under "--passphrase-file file" it says "Don't use this option if you can avoid it", but I can't find any alternative solution in the documentation. I found one blog that says to just remove the passphrase, however I'd like to preserve the passphrase. Do you have any recommendations where I can have a passphrase but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
RE: Use of --passphrase-file
Thanks Steve for your feedback! I spent a lot of time jotting down all the different ways to do this, including encrypting the passphrase file, adding some kind of trust to the key if possible, or putting the passphrase inline in the code and then locking down the code itself. As you point out, any solution does not prevent someone from finding the passphrase if they really know how and where to look. I'll hide the passphrase and then lock it down with security.

Thanks again,
Mike

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc.

From: Steve Butler [mailto:sbut...@fchn.com]
Sent: Thursday, February 18, 2016 2:56 PM
To: Harman, Michael; gnupg-users@gnupg.org
Subject: RE: Use of --passphrase-file

Any "secure" storage for the passphrase will itself need a mechanism to "unlock". This only digs the hole one more level down. Only you can decide when to stop digging. But remember, whatever the automated script can do, a human following the script can also do. [Note to self, use "hacker" instead of "human" next time.]

After wrestling with this for some time several years ago, I came to the conclusion that I could only delay the inevitable and could not prevent it. In my case I chose to "hide" the plaintext passphrase in a fashion that kept the casual looker (non-hacker) at bay (1 level down) but was real easy to implement and didn't require another password/phrase. Any serious programmer could easily read the code and reveal the passphrase. Then I limit who has access to that particular box.

Stephen M. Butler, PMP, PSM
IT Manager - Software Engineering
First Choice Health Network
Email: sbut...@fchn.com
Voice: 206-268-2309
Fax: 206-268-6173

From: Gnupg-users [mailto:gnupg-users-boun...@gnupg.org] On Behalf Of Harman, Michael
Sent: Wednesday, February 17, 2016 8:34 AM
To: gnupg-users@gnupg.org
Subject: Use of --passphrase-file

I am attempting to automate a process that decrypts files. The files are encrypted with my key which has a passphrase. I have determined I can use the "--passphrase-file" option to get the passphrase of my key. In the gpg documentation at https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, under "--passphrase-file file" it says "Don't use this option if you can avoid it", but I can't find any alternative solution in the documentation. I found one blog that says to just remove the passphrase, however I'd like to preserve the passphrase. Do you have any recommendations where I can have a passphrase but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc.
Use of --passphrase-file
I am attempting to automate a process that decrypts files. The files are encrypted with my key which has a passphrase. I have determined I can use the "--passphrase-file" option to get the passphrase of my key. In the gpg documentation at https://www.gnupg.org/documentation/manuals/gnupg/GPG-Esoteric-Options.html, under "--passphrase-file file" it says "Don't use this option if you can avoid it", but I can't find any alternative solution in the documentation. I found one blog that says to just remove the passphrase, however I'd like to preserve the passphrase. Do you have any recommendations where I can have a passphrase but still use it in an unattended fashion that is secure?

Michael W. Harman, MIT | Senior Application Architect, Information Services | UHS of Delaware, Inc. | a subsidiary of Universal Health Services
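As an added example, not code from anyone in the thread: a POSIX sh job that follows Mike's "hide it and lock it down" plan while respecting the documentation's warning about --passphrase-file. It refuses to run unless the passphrase file is a regular file owned by the job's account with mode 0400 or 0600, and hands the passphrase to gpg on a file descriptor (--passphrase-fd) so it never appears in the command line or the environment. The path /etc/decrypt-job/passphrase is a hypothetical placeholder, and GnuPG 2.1 or later is assumed for --pinentry-mode loopback.

```shell
#!/bin/sh
# Added example, not from the thread. Unattended decryption where the
# passphrase lives in a file locked down to the job's own account and is
# handed to gpg on a file descriptor, never on the command line.
# Assumes GnuPG 2.1+ (for --pinentry-mode loopback) and GNU or BSD stat.

# Hypothetical location; the thread never names one.
PASSFILE="${PASSFILE:-/etc/decrypt-job/passphrase}"

# Print the octal mode (e.g. 600) and the numeric owner uid of a file.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# Refuse to run unless the passphrase file is a regular file, owned by the
# account running the job, and unreadable by group and others (0400/0600).
# This is the "lock it down" half of the plan turned into a check that fails
# closed instead of silently using a world-readable secret.
check_passfile() {
    f="$1"
    [ -f "$f" ] || { echo "passphrase file missing: $f" >&2; return 1; }
    [ "$(file_owner "$f")" = "$(id -u)" ] ||
        { echo "passphrase file not owned by $(id -un): $f" >&2; return 1; }
    case "$(file_mode "$f")" in
        400|600) return 0 ;;
        *) echo "passphrase file mode too open: $f" >&2; return 1 ;;
    esac
}

# Decrypt $1 to $2. gpg reads the passphrase from fd 3, so it shows up
# neither in `ps` output nor in the process environment, and gpg itself
# never needs to know where the file lives.
decrypt_file() {
    in="$1"; out="$2"
    check_passfile "$PASSFILE" || return 1
    gpg --batch --yes --no-tty --pinentry-mode loopback \
        --passphrase-fd 3 --output "$out" --decrypt "$in" 3< "$PASSFILE"
}

# Job entry point: only runs when invoked directly with input and output paths.
if [ "$#" -eq 2 ]; then
    decrypt_file "$1" "$2"
fi
```

This is exactly the trade-off Steve describes: the check keeps the casual reader out and narrows access to one account on one box, but anyone who can run the job as that account can still recover the passphrase.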