diff options
author | forbytten <108727302+forbytten@users.noreply.github.com> | 2024-10-26 02:51:35 +0000 |
---|---|---|
committer | forbytten <108727302+forbytten@users.noreply.github.com> | 2024-10-26 02:51:35 +0000 |
commit | 32e58e122ffc399bafa20c66b6de609d686215ec (patch) | |
tree | 19daab823cf9afc57084749ad7ef5a80814dd5f3 | |
parent | Merge pull request #458 from drduh/18aug24 (diff) | |
download | YubiKey-Guide-32e58e122ffc399bafa20c66b6de609d686215ec.tar.gz |
Passphrase now passed to gpg from stdin via the --passphrase-fd 0 option instead of via the --passphrase option. The latter exposes the passphrase to observation by other processes on the system and the gpg man page includes a disclaimer for it: Don't use this option if you can avoid it. Although the README recommends a single user, ephemeral Debian Live environment, users may choose to ignore that recommendation so it seems best to protect them from themselves where possible.
Diffstat (limited to '')
-rw-r--r-- | README.md | 16 |
1 files changed, 8 insertions, 8 deletions
@@ -393,7 +393,7 @@ Do not set an expiration date on the Certify key. Generate the Certify key: ```console -gpg --batch --passphrase "$CERTIFY_PASS" \ +echo "$CERTIFY_PASS" | gpg --batch --passphrase-fd 0 \ --quick-generate-key "$IDENTITY" "$KEY_TYPE" cert never ``` @@ -413,7 +413,7 @@ Use the following command to generate Signature, Encryption and Authentication S ```console for SUBKEY in sign encrypt auth ; do \ - gpg --batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \ + echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback --passphrase-fd 0 \ --quick-add-key "$KEYFP" "$KEY_TYPE" "$SUBKEY" "$EXPIRATION" done ``` @@ -442,12 +442,12 @@ ssb rsa4096/0xAD9E24E1B8CB9600 2024-01-01 [A] [expires: 2026-05-01] Save a copy of the Certify key, Subkeys and public key: ```console -gpg --output $GNUPGHOME/$KEYID-Certify.key \ - --batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \ +echo "$CERTIFY_PASS" | gpg --output $GNUPGHOME/$KEYID-Certify.key \ + --batch --pinentry-mode=loopback --passphrase-fd 0 \ --armor --export-secret-keys $KEYID -gpg --output $GNUPGHOME/$KEYID-Subkeys.key \ - --batch --pinentry-mode=loopback --passphrase "$CERTIFY_PASS" \ +echo "$CERTIFY_PASS" | gpg --output $GNUPGHOME/$KEYID-Subkeys.key \ + --batch --pinentry-mode=loopback --passphrase-fd 0 \ --armor --export-secret-subkeys $KEYID gpg --output $GNUPGHOME/$KEYID-$(date +%F).asc \ @@ -1825,8 +1825,8 @@ export EXPIRATION=2y Renew the Subkeys: ```console -gpg --batch --pinentry-mode=loopback \ - --passphrase "$CERTIFY_PASS" --quick-set-expire "$KEYFP" "$EXPIRATION" \ +echo "$CERTIFY_PASS" | gpg --batch --pinentry-mode=loopback \ + --passphrase-fd 0 --quick-set-expire "$KEYFP" "$EXPIRATION" \ $(gpg -K --with-colons | awk -F: '/^fpr:/ { print $10 }' | tail -n "+2" | tr "\n" " ") ``` |