What are the best practice to use passphrase in a batch?

Question

I'm on a Windows 2003 server and I need to write a batch file to automate decryption using GnuPG. The decryption command requires a passphrase to use the private key.

Here are some workable options that don't entirely satisfy me :

1. echo thisIsMyPassphrase|gpg.exe --passphrase-fd 0 --output %1 --decrypt %2 Such an hardcoded passphrase doesn't look like a secure approach ! Also, it is not convenient to change (as directly embeded within the .cmd file).

2. Store the passphrase in a distinct file and make sure only the windows user running the decryption process can access it (using NTFS security settings).
   gpg.exe --passphrase-file X:\passphrase.txt --output %1 --decrypt %2
   What I don't like much here.. is that we'd have a naked file somewhere just containing this highly sensitive information. odd to maintain ? easy to find ? ..
   

3. I don't feel like storing the passphrase in an environment variable sounds good (looks quite exposed)..
   echo %MY_PASSPHRASE%|gpg.exe --passphrase-fd 0 --output %1 --decrypt %2

Well, what's you opinion about the best (or "least bad") solution to achieve this ?

Answer 1

I think your second (password file) option seems to be a fairly reasonable approach for the majority of use cases. And using the Windows 2003 Encrypted filesystem may mitigate some level of concern about physical server theft. You can certainly jump through hoops to further obfuscate the password, but it would be just that - obfuscation. Your true security lies within the NTFS filesystem security.

It almost laughable to mention, but with the "proper" security implementation being a balancing act between solution cost and data value, if the data is sensitive enough and you're willing to throw some cash at the problem there are hardware security modules (nCipher comes to mind) that might be able to assist with this type of problem.

Here's a link to a similiar SO discussion if you're interested: Storing passwords for batch jobs