[opensuse-buildservice] Scripting encryption (little bit offtopic)
Hello,

sorry for asking that question here, but I have no better place.

I need an encrypted backup file. I used gpg to make this file. As gpg for idiotic reasons does not allow passwords in commandline (I know, I must be protected against myself) I used expect to do this job. This failed for openSUSE 10.3 due to the pinentry program changes. Now I adapted the code and it works from a normal shell opened in KDE. Still I get no result, when run as cron job.

Can anyone help me. I know I need not ask gpg guys, as they will tell me, what I do is evil.

Is there another way to get a password protect TAR.GZ file? I used mcrypt in the past, but this is no longer developed and has security holes.

The current Perl code is:

    use Expect;

    $ENV{LANG} = "C";
    system("killall gpg-agent 2>/dev/null");
    delete $ENV{KDE_FULL_SESSION};
    delete $ENV{DISPLAY};
    my $cmd = "(tar -cz$EXCLUDE $INCLUDE |gpg --batch -c >$FILE) 2>&1";
    if((my $exp = Expect->spawn($cmd)))
    {
      $exp->log_file(sub { $a .= $_[0]; });
      $exp->log_stdout(undef);
      if($exp->expect(1, "Passphrase "))
      {
        $exp->send("$PW\r");
        if($exp->expect(1, "Passphrase "))
        {
          $exp->send("$PW\r");
        }
      }
      $exp->expect(86400, "This is the end we never reach");
      $exp->soft_close();
    }
    $a =~ s/.*?\r//g; # remove GPG output

Ciao
--
http://www.dstoecker.eu/ (PGP key available)

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Dirk Stoecker wrote:
> Hello,
> sorry for asking that question here, but I have no better place.
> I need an encrypted backup file. I used gpg to make this file. As gpg for idiotic reasons does not allow passwords in commandline (I know, I must be protected against myself) I used expect to do this job. This failed for openSUSE 10.3 due to the pinentry program changes. Now I adapted the code and it works from a normal shell opened in KDE. Still I get no result, when run as cron job.
> Can anyone help me. I know I need not ask gpg guys, as they will tell me, what I do is evil.

Not necessarily, but I'm just maintaining it... :) It's perfectly ok for encrypting data on a *safe* system for unsafe transfer.

> Is there another way to get a password protect TAR.GZ file? I used mcrypt in the past, but this is no longer developed and has security holes.

What about openssl? You can feed it the passphrase in many different ways (stdin, command line, fd, path, envvar).

    openssl enc <-cipher> -pass pass:<password> -in <plain> -out <crypt>
    openssl enc <-cipher> -d -pass pass:<password> -in <crypt> -out <plain>

(man openssl, man enc)

Best regards
Petr
On Mon, Mar 03, 2008 at 05:40:41PM +0100, Dirk Stoecker wrote:
> sorry for asking that question here, but I have no better place.
> I need an encrypted backup file. I used gpg to make this file. As gpg for idiotic reasons does not allow passwords in commandline (I know, I must be protected against myself) I used expect to do this job.

Doesn't "--batch --passphrase-fd=0" work anymore? We used this to feed the password via stdin.

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
On Mon, 3 Mar 2008, Michael Schroeder wrote:
> On Mon, Mar 03, 2008 at 05:40:41PM +0100, Dirk Stoecker wrote:
> > sorry for asking that question here, but I have no better place.
> > I need an encrypted backup file. I used gpg to make this file. As gpg for idiotic reasons does not allow passwords in commandline (I know, I must be protected against myself) I used expect to do this job.
>
> Doesn't "--batch --passphrase-fd=0" work anymore? We used this to feed the password via stdin.

After looking for the usage of --passphrase-fd (can't use your above example, as stdin is the input channel) I have seen that there is an option "--passphrase", where I can give the passphrase on commandline. Seems the evil things aren't so evil any more.

Thanks a lot for the hint.

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
On Tue, Mar 04, 2008 at 09:26:08AM +0100, Dirk Stoecker wrote:
> After looking for the usage of --passphrase-fd (can't use your above example, as stdin is the input channel) I have seen that there is an option "--passphrase", where I can give the passphrase on commandline. Seems the evil things aren't so evil any more.

Passphrase on the command line has the disadvantage that anybody who does a 'ps -edaf' can see it. Feeding it via some file descriptor is much safer.

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Hello,
> Passphrase on the command line has the disadvantage that anybody who does a 'ps -edaf' can see it. Feeding it via some file descriptor is much safer.

If there is someone, who can do a "ps" on my system, this password is one of the least significant problems. :-)

Ciao
--
http://www.dstoecker.eu/ (PGP key available)
* Dirk Stoecker
> Hello,
> > Passphrase on the command line has the disadvantage that anybody who does a 'ps -edaf' can see it. Feeding it via some file descriptor is much safer.
>
> If there is someone, who can do a "ps" on my system, this password is one of the least significant problems. :-)

Well, usually if you have some script in place you also use it at work or university where you usually have multiple users that can do this ... So it's not _that_ stupid to implement a minimum on security also if you just use the script initially on your single user workstation.

But, we're getting off topic here, I know. :)

Bernhard
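Added example, not part of any message in this thread: the file-descriptor approach Michael describes still works when stdin carries the tar stream, because the passphrase can arrive on a separate descriptor. The script below does this with the openssl "fd" passphrase source Petr mentions (gpg's --passphrase-fd takes a descriptor number in the same way). The function names, the owner-only passphrase file and the AES-256-CBC/PBKDF2 choice are assumptions of this example.

```shell
#!/bin/sh
# Added example: the archive flows through stdin/stdout while the passphrase
# arrives on its own descriptor (fd 3), so it never shows up in argv.
# Function names and the passphrase-file layout are assumptions.

# check_passfile FILE: refuse a passphrase file that group/others can read.
check_passfile() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -???------*) return 0 ;;    # regular file, owner-only permissions
        *) echo "refusing $1: missing or accessible to group/others" >&2
           return 1 ;;
    esac
}

# encrypt_backup SRC_DIR OUT_FILE PASS_FILE
# openssl takes the first line read from fd 3 as the passphrase.
encrypt_backup() (
    check_passfile "$3" || exit 1
    # Without pipefail a tar failure is hidden by openssl's exit status.
    ( set -o pipefail ) 2>/dev/null && set -o pipefail
    umask 077                       # ciphertext readable by the owner only
    tar -czf - -C "$1" . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass fd:3 -out "$2" 3<"$3"
)

# decrypt_backup IN_FILE DEST_DIR PASS_FILE
# A wrong passphrase yields garbage that tar/gzip rejects, so this fails.
decrypt_backup() (
    check_passfile "$3" || exit 1
    ( set -o pipefail ) 2>/dev/null && set -o pipefail
    mkdir -p "$2" || exit 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass fd:3 -in "$1" 3<"$3" 2>/dev/null |
        tar -xzf - -C "$2" 2>/dev/null
)
```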
On Mon, Mar 03, 2008 at 05:40:41PM +0100, Dirk Stoecker wrote:
> sorry for asking that question here, but I have no better place.
> I need an encrypted backup file. I used gpg to make this file. As gpg for

I'd recommend to use public key encryption :-)

> idiotic reasons does not allow passwords in commandline (I know, I must be protected against myself) I used expect to do this job. This failed for openSUSE 10.3 due to the pinentry program changes. Now I adapted the code and it works from a normal shell opened in KDE. Still I get no result, when run as cron job.
> Can anyone help me. I know I need not ask gpg guys, as they will tell me, what I do is evil.

Peter
--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
participants (5)
- Bernhard Walle
- Dirk Stoecker
- Dr. Peter Poeml
- Michael Schroeder
- Petr Cerny