gnu-misc-discuss

Re: GPG Config File


From: Max Mustermann
Subject: Re: GPG Config File
Date: Wed, 11 Aug 2004 23:52:40 +0200

On Wed, 11 Aug 2004, Martin Dickopp <expires-2004-09-30@zero-based.org>
wrote:
>"Scott Johnson" <s.s@s.com> writes:
>
>> Can I stick the passphrase in the gnupg.conf file?
>
>No, that would obviously be completely insecure.  If you want to do
>that, why do you use cryptography in the first place?  What are you
>trying to achieve?

Just a thought, but while in the military I used hardware-based encryption
that required no human intervention at all. We generally secured such
systems with large caliber handguns. ;) I think you can probably realize
there are many real life variations on this theme.

If a PC is physically secure, there's less need for procedural security. Of
course for the vast majority, having pass phrases entered automatically is
a bad thing. A potentially severe breach just begging to happen.

>If you are sure you understand the implications, you can generate
>a key with an empty passphrase.

I see two problems with this:

1. I don't believe it automates the process. I believe you still have to
enter this "null" pass phrase by hitting the ENTER key. And I assume the
OP's goal was avoiding this.

2. I'd also assume that an intelligent attacker would have a "null" pass
phrase as one of the entries in a "dictionary" file, and/or it would be one
of the first things they'd try. In this respect, a "null" pass phrase is
considerably less secure than having a proper pass phrase entered
automatically.

Thoughts? Corrections?

