
I want to use gpg from another user (user2), so that the primary user (user1) does not have access to the encrypted file, but only to the part the script will output.

I added a sudo rule for user1 to run `/bin/gpg` as user2. When I try to execute `user1@host: sudo -u user2 gpg /home/user2/pass.gpg`, the error `gpg: decryption failed: No secret key` appears (symmetric encryption).

If I add the `--pinentry-mode loopback` parameter, the password is requested directly in the console (without any "Enter password" prompt or input field, just on a new line) and decryption takes place.

From what I've read, using the `--pinentry-mode loopback` option reduces security because the password is passed directly to gpg rather than through gpg-agent. Did I get that right, or is this parameter safe to use? Or is there another way to achieve my goal?

NewLinux
    Instead of playing with *fake* user, you could play with `GNUPGHOME=$HOME/.alternate-gnupg gpg ...` to store *other pseudo user* profile under **your** private permissions. – F. Hauri - Give Up GitHub Jan 23 '22 at 08:04
  • @F.Hauri I'm sorry, but I don't quite get it. There is a `file.gpg` that should not be readable from *user1*. If I specify `.alternate-gnupg` from under *user2*, there is an `error with agent gpg` when I try to decrypt it. And if I decrypt from *user1* I have no permissions for `file.gpg`. – NewLinux Jan 23 '22 at 14:52

0 Answers
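Added example (editor's code, not from the question, its comments, or GnuPG itself): one way to get what the question asks for, as a runnable `sh` script. user2 owns the encrypted file and a small wrapper script; the sudo rule lets user1 run only that wrapper as user2, not `/bin/gpg`, because with a rule on gpg itself `sudo -u user2 gpg -d /home/user2/pass.gpg` hands user1 the whole plaintext. The wrapper decrypts with `--pinentry-mode loopback`, takes the passphrase on a file descriptor rather than as a `--passphrase` argument (argv is visible to every user on the host through `ps`), and prints only the requested `key=value` field. The wrapper name `reveal-field`, the sudoers line, the `key=value` layout of the secret file, the sample secrets and the `setup_demo`/`cleanup_demo` helpers that build a throwaway encrypted file under a temporary `GNUPGHOME` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the question. Wrapper meant to be installed as
# /usr/local/bin/reveal-field (hypothetical name), owned by root, mode 0755,
# with this assumed sudoers rule (hypothetical):
#   user1 ALL=(user2) NOPASSWD: /usr/local/bin/reveal-field
# The rule names the wrapper, not /bin/gpg: a rule on gpg itself lets user1 run
# "sudo -u user2 gpg -d /home/user2/pass.gpg" and read everything.

# Print the value of one KEY=VALUE line from a symmetrically encrypted file.
#   $1 = encrypted file (owned by user2, mode 0600)
#   $2 = field name; anything outside [A-Za-z0-9_] is rejected, so argv coming
#        from user1 can never turn into a gpg option or an awk program
# The passphrase is one line on stdin (the terminal when run interactively) and
# is handed to gpg with --passphrase-fd 0, so it never appears in argv.
reveal_field() {
    file=$1 field=$2
    case "$field" in
        ""|*[!A-Za-z0-9_]*) echo "reveal_field: bad field name" >&2; return 2 ;;
    esac
    # --pinentry-mode loopback: gpg takes the passphrase itself instead of
    # asking gpg-agent/pinentry, which has no usable terminal under "sudo -u".
    # --batch: never fall back to an interactive prompt; fail instead.
    # The plaintext only ever exists in the pipe; nothing is written to disk,
    # and awk lets exactly one field through.
    gpg --quiet --batch --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$file" |
      awk -v k="$field" -F= '$1 == k { print substr($0, length(k) + 2); found = 1 }
                             END { exit !found }'
}

# --- demo helpers, so the wrapper can be exercised without sudo or two users ---

# Build a constructed secrets file and encrypt it symmetrically with the same
# loopback/passphrase-fd technique, under a throwaway GNUPGHOME in /tmp.
#   $1 = passphrase; sets DEMO_DIR and DEMO_FILE
setup_demo() {
    DEMO_DIR=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1
    GNUPGHOME=$DEMO_DIR/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    # constructed sample content; in the question this is /home/user2/pass.gpg
    printf 'db_password=s3cr3t\napi_token=abc123\n' > "$DEMO_DIR/secrets.txt"
    printf '%s\n' "$1" |
      gpg --quiet --batch --pinentry-mode loopback --passphrase-fd 0 \
          --symmetric --output "$DEMO_DIR/secrets.gpg" "$DEMO_DIR/secrets.txt" || return 1
    rm -f "$DEMO_DIR/secrets.txt"
    DEMO_FILE=$DEMO_DIR/secrets.gpg
}

cleanup_demo() { rm -rf "$DEMO_DIR"; }

# When installed under the wrapper name, act as the wrapper: user1 runs
#   sudo -u user2 reveal-field db_password
# types the passphrase, and gets exactly one value back.
case "${0##*/}" in
    reveal-field)
        [ $# -eq 1 ] || { echo "usage: reveal-field FIELD" >&2; exit 2; }
        [ -t 0 ] && printf 'Passphrase: ' >&2
        reveal_field /home/user2/pass.gpg "$1"
        ;;
esac
```

Two caveats for this setup. user1 still knows the passphrase, so the restriction only holds as long as user1 cannot reach the ciphertext: keep `pass.gpg` mode 0600 under user2, keep the wrapper unwritable by user1, and keep `/bin/gpg` out of the sudoers rule. And because gpg-agent is bypassed there is no passphrase caching; every call asks again.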