
I have a cron job running a script in the crontab of "USER A" that encrypts many files in a loop using the gpg command below:

gpg --batch --cipher-algo AES256 --passphrase "PASSWORDISHERE" -c FILENAME

"USER A" has elevated permissions, cannot be SSH'ed to, and is only logged in to by normal users when needed. So, when I SSH in as myself (Bob), I can decrypt the encrypted files. However, when I "su -" over to USER A and try to decrypt, I get the error below:

gpg: AES256 encrypted data
can't connect to `/home/USERA/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[27859]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: encrypted with 1 passphrase
gpg: decryption failed: No secret key

I have done a bunch of research and found many things relating to tty and pinentry. The only solution I found was to use chmod o+rw $(tty), but this is not a good long-term solution for me, not to mention I don't want to use this method anyway. Does anybody have any better ideas?

Dude

Note that unless you have a very recent kernel and the right setting (whose name I forget), the passphrase will be visible to all users while the `gpg` command is running, simply by running `ps`. To avoid this, use some other method of passing the passphrase, such as `--passphrase-file` (which will otherwise be just as secure, since the passphrase is stored in the crontab file anyway — and in fact more secure since the passphrase won't be exposed to shoulder surfing while you edit the crontab). – Gilles 'SO- stop being evil' Apr 29 '15 at 23:05
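The following script is an added example, not the asker's cron script or anything from GnuPG itself. It shows the approach the comment above suggests: the passphrase is read with `--passphrase-file` from a file created mode 0600, so it never appears in `ps` output, and because `--batch` with a file-based passphrase does not invoke pinentry, the same decrypt command works with no tty (from cron or after `su -`, the situation in the question). It assumes `gpg` is on PATH and that a temporary directory is writable. GnuPG 2.1 and later only honour `--passphrase-file` together with `--pinentry-mode loopback`, so the script probes for that flag and adds it when the installed gpg accepts it; the file names, passphrase and sample plaintext are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original question: keep the symmetric
# passphrase out of `ps` output by passing it with --passphrase-file from a
# file only the owner can read, which also needs no tty (cron, `su -`).
# Assumes GnuPG is on PATH as `gpg`. GnuPG 2.1+ only honours
# --passphrase-file together with --batch and --pinentry-mode loopback, so
# that flag is added when the installed gpg accepts it.
set -u

# Write a passphrase to a file created 0600 (umask applied in a subshell so
# the caller's umask is untouched). Args: path passphrase
write_passphrase_file() {
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Permission bits of a file in octal, e.g. 600 (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Extra option needed by GnuPG >= 2.1 for file-based passphrases; empty on 1.x.
loopback_opt() {
    if gpg --batch --pinentry-mode loopback --version >/dev/null 2>&1; then
        echo '--pinentry-mode loopback'
    fi
}

# Encrypt $1 to $1.gpg with AES256 using the passphrase stored in file $2.
encrypt_file() {
    # shellcheck disable=SC2046  # loopback_opt yields 0 or 2 words on purpose
    gpg --batch --yes --quiet $(loopback_opt) --cipher-algo AES256 \
        --passphrase-file "$2" -o "$1.gpg" -c "$1"
}

# Decrypt $1 (a .gpg file) to stdout using the passphrase in file $2; no
# pinentry or tty is involved, so this also works from cron or after `su -`.
decrypt_file() {
    gpg --batch --quiet $(loopback_opt) --passphrase-file "$2" -d "$1"
}

# Round trip on constructed data; echoes the recovered plaintext.
roundtrip() {
    dir=$(mktemp -d) || return 1
    export GNUPGHOME="$dir/gnupg"          # isolated keyring/agent state
    mkdir -m 700 "$GNUPGHOME"
    printf 'constructed sample plaintext\n' > "$dir/report.txt"
    write_passphrase_file "$dir/pass" 'constructed-example-passphrase'
    encrypt_file "$dir/report.txt" "$dir/pass" &&
        decrypt_file "$dir/report.txt.gpg" "$dir/pass"
    rc=$?
    gpgconf --kill gpg-agent 2>/dev/null   # stop the agent bound to this home
    rm -rf "$dir"
    return $rc
}

if command -v gpg >/dev/null 2>&1; then
    roundtrip
else
    echo 'gpg not installed; nothing to demonstrate' >&2
fi
```

In a crontab the same pattern reduces to `gpg --batch --cipher-algo AES256 --passphrase-file /home/USERA/.gpgpass -c FILENAME` (plus `--pinentry-mode loopback` on GnuPG 2.1+), with `/home/USERA/.gpgpass` owned by USER A and mode 0600; the passphrase file is then exactly as exposed as the crontab that used to contain the literal passphrase, and no more.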

0 Answers