Re: Security of piping unencrypted keyfile through named pipe
Phil H wrote:
> In order for the terminal user to enter the passphrase
> to encrypt the keyfile, I want to open an rxvt window
> running gpg from the script (unless there's another
> way). Since the -e option to rxvt only seems to take
> one command argument, I seem to be stuck with this:
>
> mkfifo -m 600 npipe
> head -c 2925 /dev/random | uuencode -m - | head -n 65
> | tail -n 64 >npipe &
> rxvt +sb -geometry 80x1 -fn fixed -cr blue -T
> "Password" -e gpg -c -a -o ${KEYFILE} npipe
> wait
> rm -f npipe
# cat ./encrypt65keys
#!/bin/sh
# Usage: encrypt65keys OUTFILE
# Quote $1 so an empty or space-containing argument cannot break the test
if [ "x$1" = x ] ; then
exit 1
fi
# Generate the key lines and hand them straight to gpg; nothing is written to disk unencrypted
head -c 2925 /dev/random | uuencode -m - | head -n 65 | tail -n 64 | gpg -c -a --yes -o "$1"
# chmod a+rx ./encrypt65keys
# KEYFILE=test1.gpg
# xterm -geometry 30x1 -T "Password" -e ./encrypt65keys ${KEYFILE}
> Is there any particular reason(s) the examples in the
> loop-aes README use "dd" to overwrite the device with
> encrypted zeros (in order to mask how much ciphertext
> is subsequently written there), instead of (say) using
> shred, e.g.
I prefer to use dd to read and write non-file devices because it is easier
to control the size of read and write requests with the bs= option. Use shred if
you like.
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
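The following is an added example, not code from either poster or from the loop-AES project. It shows the same idea as the wrapper-script approach above (one command the terminal emulator can run, no named pipe, key material never on disk unencrypted), written so it can be checked: gen_keylines builds 64 lines that each hold the base64 of 45 random bytes, the 60-character line shape that uuencode -m produces, check_keylines verifies that shape, and encrypt_keys pipes the lines into gpg the way encrypt65keys does. Assumptions: /dev/urandom is used instead of the thread's /dev/random, base64 is the coreutils or BSD tool (neither wraps a 60-character line), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): build loop-AES style key
# lines and hand them to gpg without a named pipe.

# gen_keylines N : print N lines, each the base64 encoding of 45 random
# bytes (60 characters, no padding), matching 'uuencode -m' line shape.
gen_keylines() {
    n="$1"
    i=0
    while [ "$i" -lt "$n" ]; do
        # /dev/urandom here (assumption); the thread's script uses /dev/random.
        # base64 of exactly 45 bytes is one 60-character line on GNU and BSD.
        head -c 45 /dev/urandom | base64
        i=$((i + 1))
    done
}

# check_keylines FILE : succeed only if FILE holds exactly 64 lines and every
# line is 60 base64 characters; anything else is a malformed key file.
check_keylines() {
    f="$1"
    lines=$(wc -l < "$f" | tr -d ' ')
    [ "$lines" -eq 64 ] || return 1
    # any line that is not 60 base64 characters fails the check
    if grep -qvE '^[A-Za-z0-9+/]{60}$' "$f"; then
        return 1
    fi
    return 0
}

# encrypt_keys OUTFILE : like the encrypt65keys wrapper, with the argument
# quoted; gpg asks for the passphrase on the terminal it is started from.
encrypt_keys() {
    out="$1"
    [ -n "$out" ] || return 1
    gen_keylines 64 | gpg -c -a --yes -o "$out"
}

# Typical use from a terminal emulator, as in the thread:
#   xterm -geometry 30x1 -T "Password" -e sh -c '. ./keyfile.sh; encrypt_keys test1.gpg'
```

Because every step runs inside one pipeline in the wrapper, no mkfifo, no background job and no `wait` are needed, and there is no window in which a readable file or pipe holds the plaintext keys.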
-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/