GPG Config File - PGP


Thread: GPG Config File

  1. GPG Config File

    Can I stick the passphrase in the gnupg.conf file?

    What is the syntax?

    Thanks,
    Scott



  2. Re: GPG Config File

    "Scott Johnson" writes:

    > Can I stick the passphrase in the gnupg.conf file?


    No, that would obviously be completely insecure. If you want to do
    that, why do you use cryptography in the first place? What are you
    trying to achieve?

    If you are sure you understand the implications, you can generate
    a key with an empty passphrase.

    Martin


    --
    ,--. ,= ,-_-. =.
    / ,- ) Martin Dickopp, Dresden, Germany ((_/)o o(\_))
    \ `-' http://www.zero-based.org/ `-'(. .)`-'
    `-. \_/

  3. Re: GPG Config File

    Understood.

    I'm trying to batch process file to be sent offsite. When generating a sig
    (--detach-sig) the process stops and asks for passphrase.

    I'm new to gpg and looking for ways to automate the process.

    "Martin Dickopp" wrote in message
    news:cunr7qdbkcq.fsf@zero-based.org...
    > "Scott Johnson" writes:
    >
    > > Can I stick the passphrase in the gnupg.conf file?

    >
    > No, that would obviously be completely insecure. If you want to do
    > that, why do you use cryptography in the first place? What are you
    > trying to achieve?
    >
    > If you are sure you understand the implications, you can generate
    > a key with an empty passphrase.
    >
    > Martin
    >
    >
    > --
    > ,--. ,= ,-_-. =.
    > / ,- ) Martin Dickopp, Dresden, Germany ((_/)o o(\_))
    > \ `-' http://www.zero-based.org/ `-'(. .)`-'
    > `-. \_/




  4. Re: GPG Config File

    "Scott Johnson" writes:
    > "Martin Dickopp" wrote in message
    > news:cunr7qdbkcq.fsf@zero-based.org...
    >> "Scott Johnson" writes:
    >>
    >> > Can I stick the passphrase in the gnupg.conf file?

    >>
    >> No, that would obviously be completely insecure. If you want to do
    >> that, why do you use cryptography in the first place? What are you
    >> trying to achieve?
    >>
    >> If you are sure you understand the implications, you can generate
    >> a key with an empty passphrase.

    >
    > Understood.
    >
    > I'm trying to batch process file to be sent offsite. When generating
    > a sig (--detach-sig) the process stops and asks for passphrase.
    >
    > I'm new to gpg and looking for ways to automate the process.


    Instead of using an empty passphrase, you could also use the
    --passphrase-fd option. This is for example used by some MUAs
    which read the passphrase from the user once and then cache it.

    Martin


    --
    ,--. ,= ,-_-. =.
    / ,- ) Martin Dickopp, Dresden, Germany ((_/)o o(\_))
    \ `-' http://www.zero-based.org/ `-'(. .)`-'
    `-. \_/

  5. Re: GPG Config File

    "Scott Johnson" wrote in
    news:411a6a00$0$14497$bb8e7a08@news.usenetcompany.com:

    > I'm trying to batch process file to be sent offsite. When
    > generating a sig (--detach-sig) the process stops and asks
    > for passphrase.
    >
    > I'm new to gpg and looking for ways to automate the
    > process.
    >
    >


    Try
    ECHO youpassphrase| gpg (etc.)

    J
    --
    Replies to: Njk04s_130_p(at)Ojuno(dot)Tcom

  6. Re: GPG Config File

    me wrote:
    > "Scott Johnson" wrote in
    > news:411a6a00$0$14497$bb8e7a08@news.usenetcompany.com:


    > > I'm trying to batch process file to be sent offsite. When
    > > generating a sig (--detach-sig) the process stops and asks
    > > for passphrase.


    > Try
    > ECHO youpassphrase| gpg (etc.)


    You have to tell gpg where to look for the passphrase. Use
    --passphrase-fd in addition (like pointed out in another posting). Or
    do it like the GnuPG FAQ tells you under 4.14).

    Follow-up set to alt.security.pgp only.

    --
    Stefan Bellon
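
The --passphrase-fd approach recommended in the replies above, as an added example that is not part of the original thread: the passphrase is read from a file that only the batch account can read and is handed to gpg on descriptor 3, so it never appears in gpg's argument list. It assumes GnuPG 2.1 or later (where --passphrase-fd needs --batch and --pinentry-mode loopback); the function names and paths are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GnuPG 2.1 or later.
# passfile_is_private and sign_detached are hypothetical helper names.

# Succeeds only if the passphrase file is a regular file with no
# group/other permission bits set (for example mode 0600 or 0400).
passfile_is_private() {
    [ -f "$1" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    _bits=$(ls -ld "$1" | cut -c5-10)
    [ "$_bits" = "------" ]
}

# sign_detached PASSFILE FILE
# Writes FILE.sig. gpg reads the passphrase from descriptor 3, so the
# secret is not visible in the process list or in gpg's environment.
sign_detached() {
    _passfile=$1
    _file=$2
    if ! passfile_is_private "$_passfile"; then
        echo "refusing: $_passfile is missing or readable by group/other" >&2
        return 2
    fi
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-fd 3 \
        --output "$_file.sig" --detach-sig "$_file" 3<"$_passfile"
}

# Typical batch use (paths are placeholders):
#   for f in /path/to/outgoing/*.tar; do
#       sign_detached /path/to/passphrase.txt "$f" || exit 1
#   done
```

As the later replies point out, anyone who can read the passphrase file can also use the key, so the file needs the same protection as the secret keyring itself.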

  7. Re: GPG Config File

    On Wed, 11 Aug 2004, Martin Dickopp
    wrote:
    >"Scott Johnson" writes:
    >
    >> Can I stick the passphrase in the gnupg.conf file?

    >
    >No, that would obviously be completely insecure. If you want to do
    >that, why do you use cryptography in the first place? What are you
    >trying to achieve?


    Just a thought, but while in the military I used hardware based encryption
    that required no human intervention at all. We generally secured such
    systems with large caliber handguns. I think you can probably realize
    there's many real life variations on this theme.

    If a PC is physically secure, there's less need for procedural security. Of
    course for the vast majority, having pass phrases entered automatically is
    a bad thing. A potentially severe breach just begging to happen.

    >If you are sure you understand the implications, you can generate
    >a key with an empty passphrase.


    I see two problems with this:

    1. I don't believe it automates the process. I believe you still have to
    enter this "null" pass phrase by hitting the ENTER key. And I assume the
    OP's goal was avoiding this.

    2. I'd also assume that an intelligent attacker would have a "null" pass
    phrase as one of the entries in a "dictionary" file, and/or it would be one
    of the first things they'd try. In this respect, a "null" pass phrase is
    considerably less secure than having a proper pass phrase entered
    automatically.

    Thoughts? Corrections?


  8. Re: GPG Config File

    Max Mustermann wrote:

    > I see two problems with this:


    > 1. I don't believe it automates the process. I believe you still have
    > to enter this "null" pass phrase by hitting the ENTER key. And I
    > assume the OP's goal was avoiding this.


    > 2. I'd also assume that an intelligent attacker would have a "null"
    > pass phrase as one of the entries in a "dictionary" file, and/or it
    > would be one of the first things they'd try. In this respect, a
    > "null" pass phrase is considerably less secure than having a proper
    > pass phrase entered automatically.


    > Thoughts? Corrections?


    Yes, two wrongs:

    1. If you specify an empty passphrase with GnuPG then you don't have to
    enter it, i.e. GnuPG doesn't ask for the passphrase and you can
    automate signing and decryption.

    2. If an attacker can get hold of your secret keyring in order to mount
    a dictionary attack, then he most likely can get hold of your script
    that automates the process. And the password is inside that script.
    So, both methods are critical, but using an empty passphrase is not
    less secure than putting the passphrase in clear text in a script.

    Setting follow-up to alt.security.pgp.

    --
    Stefan Bellon

  9. Re: GPG Config File

    Max Mustermann writes:

    > On Wed, 11 Aug 2004, Martin Dickopp
    > wrote:
    >>"Scott Johnson" writes:
    >>
    >>> Can I stick the passphrase in the gnupg.conf file?

    >>
    >>No, that would obviously be completely insecure. If you want to do
    >>that, why do you use cryptography in the first place? What are you
    >>trying to achieve?

    >
    > Just a thought, but while in the military I used hardware based
    > encryption that required no human intervention at all. We generally
    > secured such systems with large caliber handguns. I think you can
    > probably realize there's many real life variations on this theme.


    Sure, there are valid reasons to do this. I just wanted to make sure
    that the OP understands the security implications first.

    Martin


    --
    ,--. ,= ,-_-. =.
    / ,- ) Martin Dickopp, Dresden, Germany ((_/)o o(\_))
    \ `-' http://www.zero-based.org/ `-'(. .)`-'
    `-. \_/

  10. Re: GPG Config File

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Scott Johnson wrote:
    | Understood.
    |
    | I'm trying to batch process file to be sent offsite. When generating a sig
    | (--detach-sig) the process stops and asks for passphrase.
    |
    | I'm new to gpg and looking for ways to automate the process.

    Scott,

    When sending your files offsite, do you need them to be signed or just
    encrypted? If you need to know that the files actually originated from a
    particular machine, you do need them signed. However, if you are only
    concerned about protecting the files en route maybe you just need to
    encrypt the files to your public key, which does not require a password.

    Just a thought.

    Ylan
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (MingW32)
    Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

    iD8DBQFBG3i3rG0/NdVQ/fsRAlgHAKC1U0rwXd230khKs+ZtEnuocyPRDQCfSGYB
    7NaO3F9027GEKW7EbAqyX88=
    =uQ/T
    -----END PGP SIGNATURE-----
