| author | Daniel Kahn Gillmor <[email protected]> | 2018-09-23 18:10:17 +0000 |
|---|---|---|
| committer | Daniel Kahn Gillmor <[email protected]> | 2018-09-23 18:25:01 +0000 |
| commit | 07c19981da0607dc442fadc4079b1d71fbef8f83 | |
| tree | 27f9623a71189b8aac8dd7896f5ca75794dea23e /doc/gpg.texi | |
| parent | g10: Fix memory leak for --card-status. | |
gpg: add --passphrase-env VARNAME to read passphrase from environment (branch dkg/passphrase-env)
* g10/keydb.h: declare set_passphrase_from_environment_variable()
* g10/passphrase.c: set_passphrase_from_environment_variable() new
function
* g10/gpg.c: add new --passphrase-env argument, handle it.
--
There are problems or difficulties (to varying degrees) with all of
the techniques available for sending a passphrase directly to the
GnuPG process when --pinentry-mode=loopback:
* Passphrases on the command line often leak into the process table.
* Passphrases in a file often leak into the disk.
* Using an extra file descriptor to send a passphrase works well on
platforms that make it easy to allocate and use extra file
descriptors, but is pretty awkward on platforms that don't
facilitate this.
So this patch adds a new form of passphrase-passing, using an
environment variable. In POSIX shell, this looks like (for example):
  mypass="IUuKctdEhH8" gpg --batch --pinentry-mode=loopback \
    --passphrase-env=mypass --decrypt < message.txt
Hopefully, this is easier to use than --passphrase-fd on platforms or
language toolkits that don't facilitate file descriptor manipulation.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
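The commit message argues that --passphrase-fd is the safe choice where descriptors are easy to handle and awkward elsewhere. The helper below, added here as an example and not part of the patch or of GnuPG, shows the descriptor route from Python: the passphrase is written into a pipe and only the descriptor number appears in the argument vector, so nothing lands in the process table or on disk. The gpg argument vector follows the documented --passphrase-fd option; the stand-in child process is constructed so the helper can be exercised offline without gpg installed. os.pipe plus subprocess's pass_fds is POSIX-only (pass_fds is not supported on Windows), which is the platform gap the message refers to.

```python
import os
import subprocess
import sys


def run_with_passphrase_fd(passphrase: str, argv: list, data: bytes = b"") -> subprocess.CompletedProcess:
    """Run `argv` with the passphrase readable on an inherited descriptor.

    Every argv element equal to the placeholder "{fd}" is replaced by the
    descriptor number, so the secret never appears in the argument vector
    (visible in the process table) and never touches the filesystem.
    """
    read_end, write_end = os.pipe()
    try:
        # gpg reads the first line from the descriptor; writing it before the
        # child starts is safe because a passphrase fits in the pipe buffer.
        os.write(write_end, passphrase.encode() + b"\n")
    finally:
        # Close the write end in the parent so the child sees EOF after the line.
        os.close(write_end)
    cmd = [str(read_end) if arg == "{fd}" else arg for arg in argv]
    try:
        # pass_fds keeps read_end open across exec even though close_fds=True.
        return subprocess.run(cmd, input=data, capture_output=True,
                              pass_fds=(read_end,), check=False)
    finally:
        os.close(read_end)


def gpg_decrypt_argv() -> list:
    """Argument vector for a real loopback decryption; the ciphertext goes
    in on stdin, as in the commit message's example."""
    return ["gpg", "--batch", "--pinentry-mode=loopback",
            "--passphrase-fd", "{fd}", "--decrypt"]


def stand_in_child_argv() -> list:
    """Constructed stand-in for gpg so the helper can be exercised offline:
    it takes the descriptor number as its only argument and echoes the line
    it reads there."""
    return [sys.executable, "-c",
            "import os, sys; fd = int(sys.argv[1]); "
            "sys.stdout.write(os.read(fd, 4096).decode())",
            "{fd}"]


def demo(passphrase: str = "IUuKctdEhH8") -> str:
    """Run the stand-in and return the passphrase it received over the pipe.
    The default value is the constructed sample from the commit message."""
    proc = run_with_passphrase_fd(passphrase, stand_in_child_argv())
    return proc.stdout.decode().strip()


if __name__ == "__main__":
    print(demo())
```

For a real decryption call `run_with_passphrase_fd(pw, gpg_decrypt_argv(), data=ciphertext)` and read `.stdout`. The environment route the patch proposes is `subprocess.run(cmd, env={**os.environ, "mypass": pw})`, which also works on Windows, but on Linux the variable is then readable by any process of the same user through /proc/PID/environ and is inherited by everything the child spawns, so it should be set for that one process only and never exported in the calling shell.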
Diffstat (limited to '')
-rw-r--r-- | doc/gpg.texi | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index 7f55cc7e3..55e31d2e7 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -670,7 +670,8 @@ used for no expiration date. If this command is used with @option{--batch}, @option{--pinentry-mode} has been set to @code{loopback}, and one of the passphrase options (@option{--passphrase}, -@option{--passphrase-fd}, or @option{passphrase-file}) is used, the +@option{--passphrase-fd}, @option{--passphrase-env}, or +@option{passphrase-file}) is used, the supplied passphrase is used for the new key and the agent does not ask for it. To create a key without any protection @code{--passphrase ''} may be used. @@ -3172,6 +3173,14 @@ Note that since Version 2.0 this passphrase is only used if the option @option{--batch} has also been given. Since Version 2.1 the @option{--pinentry-mode} also needs to be set to @code{loopback}. +@item --passphrase-env @var{string} +@opindex passphrase-env +Use the value of the environment variable @var{string} as the passphrase. +This can only be used if only one passphrase is supplied. + +This passphrase is only used if the option @option{--batch} has also +been given, and if @option{--pinentry-mode} is set to @code{loopback}. + @item --pinentry-mode @var{mode} @opindex pinentry-mode Set the pinentry mode to @var{mode}. Allowed values for @var{mode} |
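Review bot: the first hunk (the --batch key-generation paragraph around line 670) rewrites the option list but keeps `@option{passphrase-file}` without the leading dashes, so the rendered manual names an option that does not exist. Since the `+@option{passphrase-file}) is used, the` line is already being replaced, make it `@option{--passphrase-file}` to match the neighbouring `@option{--passphrase-fd}` and `@option{--passphrase-env}`.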
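Review bot: the new `@item --passphrase-env @var{string}` entry in the second hunk (after the --passphrase-fd text around line 3173) documents neither the exposure model nor the failure case. The commit message motivates the option by the command-line and file leaks, but the environment leaks too: on Linux the variable is readable by any process of the same user via /proc/PID/environ, and it is inherited by any process gpg itself starts, so the entry should say to set the variable for the gpg invocation only rather than exporting it in the calling shell. It also does not say what happens when @var{string} is unset or empty; state whether that is an error or behaves like `--passphrase ''`, which the same file already documents for key creation.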