I am looking to try and automate a gpg decryption. The problem I run into is when it asks for a passphrase. I am having trouble finding a variable to allow the passphrase to run with the command.
I am aware of the security concerns of having a clear text password. Ideally, I'd like to have a script file that is limited to only the user that would run it, which would be the same user that is doing the decryption.
I've tried a couple commands:
gpg -d "file-name" --passphrase="phrase" , --passphrase "phrase" , --passphrase-file "file with passphrase in it"
And a couple other variations.
You ought to read the man page of gpg. There is an option: --passphrase-file (for example)
Quote:
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given.
I've tried a couple commands:
gpg -d "file-name" --passphrase="phrase" , --passphrase "phrase" , --passphrase-file "file with passphrase in it"
From the manpage:
Quote:
Note that since Version 2.0 this passphrase is only used if the option --batch has also been given. Since Version 2.1 the --pinentry-mode also needs to be set to loopback.
The same paragraph in version 2.0.x reads
Quote:
Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
Well, I found how to do almost everything. I can get the file to output where I want, and use a passphrase, though it is clear text. I should be able to make a cron that calls the script which I should be able to secure.
gpg -d --output "output directory" --batch --passphrase "passphrase" "file name"
It's a start.
Now, I have been trying to see how I add other users that are allowed to use the gpg key. I made the key as root, and root can use it. But I'd like another user to be able to do it, as well.
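The options quoted from the man page in this thread (--passphrase-file, --batch, --pinentry-mode loopback) can be combined into a script that refuses to run unless the passphrase file is readable only by its owner. This is an added example, not part of the original posts; it assumes GnuPG 2.1 or later and a stat(1) that supports -c, and the function names and paths are hypothetical. Unlike --passphrase on the command line, the passphrase never appears in the process list.

```shell
#!/bin/sh
# Added example: unattended gpg decryption with a passphrase file.
# Assumes GnuPG 2.1+ (loopback pinentry) and GNU or busybox stat(1).

# Succeeds only if the passphrase file is a regular file (not a symlink),
# owned by the invoking user, with no group/other permission bits.
passfile_is_private() {
    pf=$1
    if [ -L "$pf" ] || [ ! -f "$pf" ]; then
        echo "refusing $pf: not a regular file" >&2
        return 1
    fi
    if [ "$(stat -c '%u' "$pf")" != "$(id -u)" ]; then
        echo "refusing $pf: not owned by uid $(id -u)" >&2
        return 1
    fi
    case "$(stat -c '%a' "$pf")" in
        600|400) return 0 ;;
        *) echo "refusing $pf: mode must be 600 or 400" >&2
           return 1 ;;
    esac
}

# decrypt_file PASSFILE ENCRYPTED OUTPUT
decrypt_file() {
    passfile_is_private "$1" || return 1
    # Subshell keeps the tightened umask local, so the plaintext
    # output is not created group- or world-readable.
    (
        umask 077
        gpg --batch --pinentry-mode loopback \
            --passphrase-file "$1" \
            --output "$3" --decrypt "$2"
    )
}

# Run only when called with three arguments, e.g. from cron:
#   decrypt.sh /home/backup/.gpg-pass in.gpg out.txt   (hypothetical paths)
if [ "$#" -eq 3 ]; then
    decrypt_file "$1" "$2" "$3"
fi
```

Create the passphrase file with `chmod 600` as the same user that owns the key and runs the cron job.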