[nycphp-talk] cookbook: gpg

Analysis & Solutions danielc at
Mon Aug 11 13:19:56 EDT 2003

On Mon, Aug 11, 2003 at 10:13:52AM -0400, David Mintz wrote:
> $encrypted = shell_exec( "echo 'secret stuff'|/usr/bin/gpg
> --no-secmem-warning --homedir /my/.gnupg -ear recipient at");
> from the command line or as a wrapped script, it does not require a
> passphrase in order to encrypt. Since gpg needs the user's secret key in
> order to encrypt and sign, a copy of that secret key has to live on the
> server -- is there any way around that?

I think you're on the right track.  Encrypting data for a designated user 
doesn't require a password.  Here's something I in a PHP shell script on 
my office computer to encrypt backups:

   exec('c:/progra~1/gnupg/gpg.exe -e -r usr at file.');

Such procedures use the public key ring, right?  As long as you set the
file permissions so only you can write to it... and you know how to
compose secure web applications -- meaning in this case scripts that don't
allow user input to pick the name of the files they're going to write to,
then everything is fine.

In regards to your last question, I don't believe the secret keyring has
to exist on the server.  So, if you want to tighten things up further, you
can make a separate public key file just for this purpose, chmod it to 444
and then use a flag in your gpg call (--keyring, I believe) to use that
special keyring.



     FREE scripts that make web and database programming easier
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409

More information about the talk mailing list