I'm on a Windows 2003 server and I need to write a batch file to automate decryption using GnuPG. The decryption command requires a passphrase to use the private key.
Here are some workable options that don't entirely satisfy me:
echo thisIsMyPassphrase|gpg.exe --passphrase-fd 0 --output %1 --decrypt %2
Such a hardcoded passphrase doesn't look like a secure approach! Also, it is not convenient to change (as it is directly embedded within the .cmd file).
Store the passphrase in a distinct file and make sure only the Windows user running the decryption process can access it (using NTFS security settings).
gpg.exe --passphrase-file X:\passphrase.txt --output %1 --decrypt %2
What I don't like much here is that we'd have a naked file somewhere just containing this highly sensitive information. Odd to maintain? Easy to find?
I don't feel like storing the passphrase in an environment variable sounds good (looks quite exposed).
echo %MY_PASSPHRASE%|gpg.exe --passphrase-fd 0 --output %1 --decrypt %2
Well, what's your opinion about the best (or "least bad") solution to achieve this?
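An added example (not code from the poster) of a fourth option that keeps the passphrase out of the .cmd file, out of a plain-text file and out of the environment: the passphrase is stored DPAPI-encrypted under the service account using PowerShell's ConvertFrom-SecureString, the file's NTFS ACL is checked before use, and the plaintext is handed to gpg only on stdin via --passphrase-fd 0. It assumes PowerShell 2.0 or later, that gpg.exe is on PATH, that the file path is a placeholder, and that the setup and the decryption run under the same Windows account (DPAPI binds the blob to that account).

```powershell
# Added example, not from the original post. Keeps the GnuPG passphrase in a
# DPAPI-protected file instead of a plain-text file or an environment variable.
# Assumptions: gpg.exe is on PATH, $PassphraseFile is a placeholder path, and
# Protect-GpgPassphrase and Invoke-GpgDecrypt run under the SAME Windows
# account, because ConvertFrom-SecureString (without -Key) uses that user's
# DPAPI key.

$PassphraseFile = 'X:\gpg-passphrase.dpapi'   # placeholder path

# One-time setup, run interactively as the service account: prompts without
# echo, encrypts with the user's DPAPI key, writes the blob, then restricts the
# file's ACL to the current user and SYSTEM (defence in depth on top of DPAPI).
function Protect-GpgPassphrase {
    param([string]$Path = $PassphraseFile)
    $secure = Read-Host -Prompt 'GnuPG passphrase' -AsSecureString
    $secure | ConvertFrom-SecureString | Set-Content -Path $Path

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited rules
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($id in @($me, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Sanity check before every use: fail if anyone other than the current user or
# SYSTEM holds an Allow entry on the file (catches a loosened ACL after a copy
# or restore).
function Test-GpgPassphraseAcl {
    param([string]$Path = $PassphraseFile)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $allowed = @($me.ToLower(), 'nt authority\system')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $allowed -notcontains $ace.IdentityReference.Value.ToLower()) {
            return $false
        }
    }
    return $true
}

# Decrypt: read the DPAPI blob, hold the plaintext only for the duration of the
# gpg call, and pass it on stdin (--passphrase-fd 0), never on the command
# line, where it would show up in process listings and audit logs.
function Invoke-GpgDecrypt {
    param(
        [Parameter(Mandatory = $true)][string]$InputFile,
        [Parameter(Mandatory = $true)][string]$OutputFile,
        [string]$Path = $PassphraseFile
    )
    if (-not (Test-GpgPassphraseAcl -Path $Path)) {
        throw "Refusing to use ${Path}: ACL grants access beyond the current user and SYSTEM"
    }
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # PowerShell writes the piped string plus a newline to gpg's stdin.
        $plain | & gpg.exe --batch --passphrase-fd 0 --output $OutputFile --decrypt $InputFile
        if ($LASTEXITCODE -ne 0) { throw "gpg exited with code $LASTEXITCODE" }
    }
    finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }
}

# Usage (from a scheduled task or a one-line .cmd wrapper calling powershell.exe):
#   . .\gpg-decrypt.ps1              # dot-source this file (name is a placeholder)
#   Protect-GpgPassphrase            # once, interactively, as the service account
#   Invoke-GpgDecrypt -InputFile 'X:\in\report.gpg' -OutputFile 'X:\out\report.txt'
```

This does not make the passphrase unreadable to the account itself: anyone who can run code as that Windows user (or who obtains its credentials) can still decrypt the blob, so the account should be a dedicated, least-privilege service account. What it does remove is the plaintext-at-rest problem of option 2 and the "grep the share for the passphrase" problem of option 1, and rotating the passphrase becomes a matter of re-running Protect-GpgPassphrase rather than editing the .cmd file.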