Passphrase FAQ: PGP and passphrases
The popular encryption program PGP uses a passphrase to secure the secret keys. There are various ways to automate inputting of the passphrase. This section explains how secure (or rather: how insecure) these methods are.
Old versions of PGP had the command-line option -zPassphrase that would tell PGP to use the passphrase "Passphrase" automatically.
Another option is to set the environment variable PGPPASS equal to the passphrase to be used.
Yet another option is to set the environment variable PGPPASSFD that tells PGP from which file descriptor the passphrase should be read. By setting this variable to 0, the passphrase is read from standard input.
It is recommended that you don't use these methods. The reason is that they become a huge security hole unless you are extremely careful. Misusing them or making common mistakes will leave you vulnerable to single-word dictionary searches or hand your passphrase to an attacker. Double check, using PGP in manual mode and a test case, that your batch process is working correctly before using it on sensitive data.
The primary system for this section is an MSDOS PC. UNIX, Mac, and others will be different. The primary purpose here is to show you the possible risks. It is highly recommended that you read the PGP manual and the operating system manual for your system before using these methods. Even that isn't enough sometimes. Some manuals are pretty obscure or just don't have the information.
Many people have developed some good and some bad methods to try to limit the security risk involved with using PGPPASS. My method for running serious batch programs is setting a dummy passphrase in the autoexec.bat to allocate more environment space than you need. If you don't allocate enough space, then you may get an "out of environment space" error later. Then the batch program, usually QBASIC, changes the environment setting from the program through user prompts. The program process runs and then resets PGPPASS to filler space. The security in this is that everything gets overwritten in memory. Your passphrase is never written to disk.
The command-line switch is a convenience for some users and for batch processing. Under MSDOS, you are limited to a 128-character command line. A good passphrase can be over 80 characters in length, which limits the usefulness of this. Additionally, if you have spaces in your passphrase, you will only get the first word, i.e. everything up to the first space, if you don't enclose it in quotes. Many have found that their perfect passphrase was completely useless because PGP was only getting the first word.
The best recommendation is don't do it. If the batch file is found, then they have your passphrase. It gets kind of complex keeping this method secure. Set a dummy passphrase in your autoexec.bat. Now in a batch file, prompt for user input of the passphrase, set the real passphrase, execute the PGP commands, overwrite the passphrase, and then exit the batch file. Always make sure the real passphrase gets overwritten before you exit the batch file. Be careful about using quotes around passphrases with spaces in them and test everything.
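As an added illustration of the three delivery methods above (the -z switch, PGPPASS and PGPPASSFD) and of the first-word problem with unquoted passphrases, the following Python script was written for this page; it is not from the FAQ and it does not run PGP. A small stand-in script plays the role of the PGP binary and reports which passphrase it ended up with; the stand-in, the lookup order it follows (-z first, then PGPPASS, then PGPPASSFD) and the sample passphrase "my secret phrase" are assumptions. It shows that the command interpreter cuts an unquoted -z phrase at the first space, that PGPPASS is inherited by any unrelated program started with that environment, and that PGPPASSFD hands the phrase over a pipe that appears neither on a command line nor in a variable.

```python
"""Demonstration of PGP passphrase delivery methods (added example, not from
the FAQ). A stand-in script replaces pgp; no real PGP binary is invoked."""
import os
import shlex
import subprocess
import sys

# Stand-in for the PGP binary. The lookup order (-z, then PGPPASS, then
# PGPPASSFD) is an assumption modelled on the FAQ's description. It prints the
# passphrase it would use, or <prompt> if it would have to ask interactively.
FAKE_PGP = r'''
import os, sys
phrase = None
for arg in sys.argv[1:]:
    if arg.startswith("-z"):
        phrase = arg[2:]          # everything after -z, exactly as received
        break
if phrase is None and "PGPPASS" in os.environ:
    phrase = os.environ["PGPPASS"]
if phrase is None and "PGPPASSFD" in os.environ:
    with os.fdopen(int(os.environ["PGPPASSFD"]), "r") as f:
        phrase = f.readline().rstrip("\n")
print("<prompt>" if phrase is None else phrase)
'''


def run_fake_pgp(args, extra_env=None, pass_fds=()):
    """Run the stand-in with a clean environment (no leftover PGPPASS*)."""
    env = {k: v for k, v in os.environ.items() if not k.startswith("PGPPASS")}
    env.update(extra_env or {})
    out = subprocess.run([sys.executable, "-c", FAKE_PGP, *args], env=env,
                         capture_output=True, text=True, pass_fds=pass_fds,
                         check=True)
    return out.stdout.rstrip("\n")


def via_command_line(command_line):
    """-zPassphrase: the shell splits the line before pgp ever sees it, so an
    unquoted phrase is cut at the first space. The whole line is also visible
    to anyone who can list running processes."""
    argv = shlex.split(command_line)       # same word splitting a shell does
    return run_fake_pgp(argv[1:])          # argv[0] is the program name


def via_environment(phrase, args):
    """PGPPASS: no quoting or length trouble, but every process started while
    the variable is set inherits it. Returns (phrase pgp used, phrase an
    unrelated child program can read from its own environment)."""
    used = run_fake_pgp(args, extra_env={"PGPPASS": phrase})
    env = dict(os.environ, PGPPASS=phrase)
    bystander = subprocess.run(["sh", "-c", 'printf "%s" "$PGPPASS"'],
                               env=env, capture_output=True, text=True,
                               check=True).stdout
    return used, bystander


def via_fd(phrase, args):
    """PGPPASSFD: write the phrase into a pipe and tell pgp the descriptor
    number. Only the number is in the environment; the phrase itself is
    on neither the command line nor in any variable."""
    r, w = os.pipe()
    os.write(w, (phrase + "\n").encode())
    os.close(w)
    try:
        return run_fake_pgp(args, extra_env={"PGPPASSFD": str(r)},
                            pass_fds=(r,))
    finally:
        os.close(r)                        # nothing else should hold it


if __name__ == "__main__":
    # "my secret phrase" is a constructed sample, not a real passphrase.
    print("unquoted -z :", via_command_line("pgp -zmy secret phrase f.txt"))
    print("quoted -z   :", via_command_line('pgp "-zmy secret phrase" f.txt'))
    print("PGPPASS     :", via_environment("my secret phrase", ["f.txt"]))
    print("PGPPASSFD   :", via_fd("my secret phrase", ["f.txt"]))
    print("no method   :", run_fake_pgp(["f.txt"]))
```

The fd method is the least exposed of the three, which is why the FAQ's batch advice (prompt for the phrase, use it, overwrite it before the batch file exits) maps naturally onto a pipe that is closed as soon as the command returns; a PGPPASS value, by contrast, stays in the environment of the shell and of every program it launches until you explicitly overwrite or unset it.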