LinuxQuestions.org

Linux - Security: gpg passphrase automation (https://www.linuxquestions.org/questions/linux-security-4/gpg-passphrase-automation-4175680198/)

vinmansbrew 08-10-2020 11:52 AM

gpg passphrase automation
 
I am looking to try and automate a gpg decryption. The problem I run into is when it asks for a passphrase. I am having trouble finding a variable to allow the passphrase to run with the command.

I am aware of the security concerns of having a clear text password. Ideally, I'd like to have a script file that is limited to only the user that would run it, which would be the same user that is doing the decryption.

I've tried a couple commands:
gpg -d "file-name" --passphrase="phrase" , --passphrase "phrase" , --passphrase-file "file with passphrase in it"
And a couple other variations.

pan64 08-10-2020 01:01 PM

You ought to read the man page of gpg. There is an option: --passphrase-file (for example)
Quote:

Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file
is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given.

vinmansbrew 08-11-2020 03:06 PM

The only option listed that I find is passphrase-fd, which doesn't seem to help.

shruggy 08-11-2020 03:57 PM

Quote:

Originally Posted by vinmansbrew (Post 6154450)
I've tried a couple commands:
gpg -d "file-name" --passphrase="phrase" , --passphrase "phrase" , --passphrase-file "file with passphrase in it"

From the manpage:
Quote:

Note that since Version 2.0 this passphrase is only used if the option --batch has also been given. Since Version 2.1 the --pinentry-mode also needs to be set to loopback.
The same paragraph in version 2.0.x reads
Quote:

Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.

vinmansbrew 08-12-2020 09:47 AM

I'll have to check those out. The manpage I found didn't have any of that.

vinmansbrew 08-25-2020 11:34 AM

Well, I found how to do almost everything. I can get the file to output where I want, and use a passphrase, though it is clear text. I should be able to make a cron that calls the script which I should be able to secure.
gpg -d --output "output directory" --batch --passphrase "passphrase" "file name"

It's a start.

Now, I have been trying to see how I add other users that are allowed to use the gpg key. I made the key as root, and root can use it. But I'd like another user to be able to do it, as well.
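A script form of the approach the thread arrives at (--batch plus --pinentry-mode loopback, with the passphrase read from a file), added here as an example that is not from the thread. Before gpg runs, the passphrase file is checked to be a regular file owned by the calling user with no group or other permission bits, which is the "limited to only the user that would run it" requirement from the first post. All file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Unattended gpg decryption where the
# passphrase file is refused unless it is private to the invoking user.
# Requires gpg 2.1+ (for --pinentry-mode loopback) and GNU stat.

# Return 0 if FILE is a regular file, owned by the current user, and has no
# group/other permission bits (mode 0600 or 0400); otherwise return 1.
check_private_file() {
    file=$1
    [ -f "$file" ] || return 1
    # stat -c is GNU coreutils; on BSD/macOS use: stat -f '%Lp' / stat -f '%u'
    perms=$(stat -c '%a' "$file") || return 1
    owner=$(stat -c '%u' "$file") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    # Pad to at least three digits so a mode of 0 reads as "000", then
    # require the group and other digits (the last two) to both be zero.
    perms=$(printf '%03d' "$perms")
    case "$perms" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# decrypt_unattended PASSFILE INFILE OUTFILE
# Decrypts INFILE to OUTFILE without a pinentry prompt. Create the passphrase
# file once with: umask 077; printf '%s\n' 'the passphrase' > PASSFILE
decrypt_unattended() {
    passfile=$1
    infile=$2
    outfile=$3
    if ! check_private_file "$passfile"; then
        echo "refusing to run: $passfile must be a file owned by you with mode 0600" >&2
        return 1
    fi
    gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --output "$outfile" --decrypt "$infile"
}

# Example invocation (paths are assumptions), e.g. from a cron entry:
#   decrypt_unattended "$HOME/.secrets/gpg-pass" /data/in/report.gpg /data/out/report.csv
```

The same ownership check is worth applying to the script itself and to the output directory, since anything that can edit the script can read the passphrase.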

