How can I automate gpg decryption which uses a passphrase while keeping it secret?
Store the passphrase in a file which is only readable by the cron job’s user, and use the --passphrase-file
option to tell gpg
to read the passphrase there.
This will ensure that the passphrase isn’t visible in process information in memory. The level of security will be determined by the level of access to the file storing the passphrase (as well as the level of access to the file containing the key), including anywhere its contents end up copied to (so take care with backups), and off-line accessibility (pulling the disk out of the server). Whether this level of security is sufficient will depend on your access controls to the server holding the file, physically and in software, and on the scenarios you’re trying to mitigate.
If you want great security standards, you need to use a hardware security module instead of storing your key (and passphrase) locally. This won’t prevent the key from being used in situ, but it will prevent it from being copied and used elsewhere.
Automating decryption means you have to store the passphrase somewhere, or not use a passphrase (unless you use additional options as pointed out in the other answer submitted by Stephen while I was typing mine)! Neither of those match your requirement for good or great security standards.
i.e. your requirement is not compatible with it being secure.
You can rely on things like - you have to be root, I've given the file in which my passphrase is stored a really confusing name, I've encrypted the underlying file systems, etc., etc. but they're all layers which are trivial to circumvent once you are root in the first place.
The option which prevents the passphrase showing up in the process list is --passphrase-file <file-name>
.
However, that's no more secure than just removing the passphrase in the first place.