[nycphp-talk] cookbook: gpg (was Re: empty string as array key)

David Sklar sklar at sklar.com
Mon Aug 11 09:12:56 EDT 2003


> If you're an ordinary user on a shared server, what is the best
> strategy for GPG-encrypting data? I have figured out (stolen) one way
> to do it, but it requires wrapping the script with php-cgiwrap and
> doing something like
>
> $encrypted = shell_exec("echo 'secret stuff' | /usr/bin/gpg --no-secmem-warning --homedir /my/.gnupg -ear recipient@example.com");
>
> It doesn't work when run as nobody, I presume because nobody doesn't
> have permission to get into my .gnupg directory. Perhaps php-cgiwrap
> is the answer... ?

gpg has to run as a user that has access to your secret key ring.

Doing gpg encryption with a passphrase-protected key on a shared server has
many risks: can anyone else on the server (through misadministration or a
hole in pages on your site) alter any of your cgi-wrapped scripts and do
their own encryption/decryption/steal your key? Separately, putting your
passphrase in a file readable by other users is no better than just having a
passphraseless key.

What are you trying to encrypt?

David
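As an added illustration, not code from the thread: one way to call gpg from PHP that addresses the two problems raised above, the keyring being reachable by the wrong user and the plaintext appearing on a shell command line. It assumes gpg lives at /usr/bin/gpg, that the PHP process runs as the keyring's owner (for example behind a cgi wrapper), that the posix extension is loaded, and that the recipient key is already trusted in that keyring; the function names are mine.

```php
<?php
// Added example, not from the mailing-list thread. Assumes /usr/bin/gpg,
// the posix extension, and that this process runs as the keyring owner.

// True only if $path exists, is owned by the current effective user, and
// grants nothing to group or others (a 0700 directory / 0600 files). A
// world-readable .gnupg is the "no better than a passphraseless key" case.
function gpg_home_is_private(string $path): bool
{
    clearstatcache(true, $path);
    $st = @stat($path);
    if ($st === false) {
        return false; // missing or not reachable by this user (the "nobody" case)
    }
    $ownedByUs    = ($st['uid'] === posix_geteuid());
    $noGroupOther = (($st['mode'] & 0077) === 0);
    return $ownedByUs && $noGroupOther;
}

// Encrypt $plaintext for $recipient and return ASCII-armored ciphertext,
// or null on failure. The plaintext is written to gpg's stdin rather than
// echoed on a shell command line, so it never shows up in `ps`; the
// recipient and homedir are passed through escapeshellarg().
function gpg_encrypt_for(string $plaintext, string $recipient, string $homedir): ?string
{
    if (!gpg_home_is_private($homedir)) {
        return null; // refuse to use a keyring other users could read
    }
    $cmd = '/usr/bin/gpg --batch --no-tty --no-secmem-warning --homedir '
         . escapeshellarg($homedir) . ' -ear ' . escapeshellarg($recipient);
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    fwrite($pipes[0], $plaintext);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]); // keep for logging if needed
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return ($status === 0 && $out !== '') ? $out : null;
}

// Usage (homedir and recipient are placeholders):
// $ct = gpg_encrypt_for('secret stuff', 'recipient@example.com', '/my/.gnupg');
```

The check does not remove the risk David describes of another user on the host altering the script itself; it only makes the common misconfigurations fail closed instead of silently encrypting with an exposed key.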
