S S

CITY LINUX ®

Linux support on-site, on-line and in the cloud.

0793 572 8612

Systems Administration Notes.

Symetric encryption on a remote host without exposing thepassphrase.


Symetric encryption on a remote host without exposing thepassphrase.

I am rather surprised that this isn’t such a common requirement that solutions are all over the net, but they arn’t, or if they are, I can’t find them.

What I needed to do was create a zipped archive on a remote server and then encrypt the archive before transferring it to a 1and1 repository.

Everything I found on the net recommend using the --passphrase-fd option or --passphrase like this

echo <passphrase>|gpg -c --batch --passphrase-fd 0 <filename>
or
gpg -c --batch --passphrase <passphrase> <filename>

The problem is of course that the passphrase then shows up in ps and as this is a pretty large file I’m handling is visible for an hour or more. NB the --batch option is necessary or gpg gets twitchy about the lack of a terminal.

The solution I’ve adopted is to create a file containing the passphrase on the remote box, use the file to carry out the encryption and then delete it.

cat <passphrase_file>|ssh <host> "sudo dd of=<filename>;\
gpg -c -batch --passphrase-fn "

Clifford W Fulford
6 May 2014.



The layout and associated style sheets for this page are taken from the World Wide Web Consortium and used here under the W3C software licence.