LinuxQuestions.org
Old 09-30-2013, 04:46 AM   #1
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
gpg decrypt without using passphrase


Hi all,

I'm working on this project, wherein a gpg-encrypted file is being generated and transmitted from one end and is being received and processed on another end. I work on the receiving end, and I already have the decryption part working by entering a passphrase.

Code:
gpg --output targetfilename --decrypt encryptedfile --recipient recipientemail

However, since things should work automatically, I will be creating a script to do the decryption of the file, hence, no way of entering a passphrase.

Can I configure the recipient machine (perhaps gpg setup) to not require passphrase when decrypting files?

Your feedback would be very much appreciated.

Thank you!
 
Old 09-30-2013, 06:53 AM   #2
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109

Rep: Reputation: 10
Hi,

I think you have two choices:

1 - do not set a password to protect your private GPG key (worst?)
2 - use gpg-agent to cache the GPG key password for the automa-user (better)
 
Old 09-30-2013, 08:28 AM   #3
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Original Poster
Rep: Reputation: 61
Thank you very much.

But, what really would be the problem if I don't put passphrase to my private key? It sounds like a security concern to me, but I don't understand why in a technical way.

Cheers.
 
Old 09-30-2013, 08:41 AM   #4
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109

Rep: Reputation: 10
The password protects your (private) key by encrypting it.
This is to prevent extraction|access|use of your protected content.

For example, someone (with access to your box) could get your private key (gpg --export-secret-key [keyId]) and do what you can do with that ... it would not be a great scenario :-(
 
Old 09-30-2013, 08:45 AM   #5
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Original Poster
Rep: Reputation: 61
Quote:
Originally Posted by MCD555
The password protects your (private) key by encrypting it.
This is to prevent extraction|access|use of your protected content.

For example, someone (with access to your box) could get your private key (gpg --export-secret-key [keyId]) and do what you can do with that ... it would not be a great scenario :-(

But, if the key is only in my keyring, the other user would not be able to see and export the private key, right?

I mean, when the other user does [gpg --list-secret-keys] and does not see my privkey001, he would not be able to export the key using [gpg --export-secret-key privkey001], right?

Cheers!
 
Old 09-30-2013, 10:00 AM   #6
MCD555
Member
 
Registered: May 2009
Location: Milan, Italy
Distribution: Ubuntu, Debian, Fedora, Oracle Linux
Posts: 109

Rep: Reputation: 10
Yes, sure, you're right ... she/he would be able in case you set up correctly the directory grants of your .gnupg directory (and contained files) or she/he cannot be root onto your box.... ;-)
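
The directory-permission point discussed above, as an added example that is not part of any post in this thread: a pre-flight audit that a decryption script can run before calling gpg, so that a passphrase-less key is only used when its keyring is private to the job's user. The function names and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for an unattended gpg decryption job.
# Function names and the paths in the usage comment are assumptions.

# List every path under the GnuPG home that is not owned by the current
# user or that grants any permission bit to group or others.
# Returns 0 when the tree is clean, 1 when something is exposed,
# 2 when the directory does not exist.
audit_gnupg_home() {
    agh_dir=$1
    [ -d "$agh_dir" ] || { echo "missing: $agh_dir" >&2; return 2; }
    # Symlinks always show mode 777, so they are skipped.
    agh_bad=$(find "$agh_dir" ! -type l \( ! -user "$(id -u)" \
                -o -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$agh_bad" ]; then
        printf '%s\n' "$agh_bad" | sed 's/^/exposed: /' >&2
        return 1
    fi
    return 0
}

# Decrypt only if the audit passes. --batch tells gpg never to ask
# interactively; --yes lets it overwrite an existing output file.
decrypt_unattended() {
    du_home=$1 du_in=$2 du_out=$3
    audit_gnupg_home "$du_home" || return 1
    # Subshell: the restrictive umask applies to the plaintext output
    # only and does not leak into the calling script.
    ( umask 077
      gpg --homedir "$du_home" --batch --yes \
          --output "$du_out" --decrypt "$du_in" )
}

# Usage from a cron job or service script (paths are placeholders):
#   decrypt_unattended "$HOME/.gnupg" /path/to/encryptedfile /path/to/targetfilename
```

The audit covers other unprivileged accounts on the machine; as noted in the thread, it does nothing against someone who is root on the box.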
 
Old 09-30-2013, 09:18 PM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3177
It really is "up to you." You might, for example, be dealing strictly with an "internal-only" connection between two systems that are well-known to one another and fairly easy for you to control. Passphrases (encryption ...) might truly be superfluous in such a case.

The primary layer of protection is simply that ... "you must possess the key." The key should be unique, and installed on exactly one machine, and it should be impossible to make a connection to that box without possession of that key. If you do all of these things, and judge that you truly are able to control physical possession of the key, then you might well conclude that a passphrase is of no real added-value.
 
Old 09-30-2013, 10:20 PM   #8
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Original Poster
Rep: Reputation: 61
Nice. Thank you very much. Marking this as solved for now. Comments are still welcome though.

Cheers!
 
  

