Thanks for the response. I have had a bit of a play with the --passphrase-fd command, specifically with the standard input (--passphrase-fd 0).
Basically I have used the Runtime.exec operation available in Java to provide the passphrase to the pgp command as standard input. By setting the output of the PGP command to be to standard out "--output -" I can then also capture the decrypted data line by line using a BufferedReader on the output stream.
Some example code below:
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;

public class PgpDecrypt {
    public static void main(String[] args) throws IOException, InterruptedException {
        // Execute the decryption command.
        // The passphrase is supplied on the child's standard input (fd 0) and the
        // decrypted data is written to standard output ("--output -") rather than a file.
        Process p = Runtime.getRuntime().exec(new String[] {
                "pgp", "--decrypt", "TestFile.txt.pgp", "--output", "-", "--passphrase-fd", "0"});

        // Write the passphrase to the child's standard input and close it so pgp sees EOF.
        try (BufferedWriter out = new BufferedWriter(new OutputStreamWriter(p.getOutputStream()))) {
            out.write("TestPassphrase");
        } catch (IOException io) {
            System.out.println("Exception at write! " + io.getMessage());
        }

        // Read the decrypted result from the child's standard output.
        // (pgp's standard error is not read here; if it writes many diagnostics the
        // child can block on a full pipe, so drain p.getErrorStream() on another thread
        // or use ProcessBuilder.redirectErrorStream(true) in production code.)
        try (BufferedReader in = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            while ((line = in.readLine()) != null) {
                System.out.println(line);
            }
        }

        // Wait for the process to finish and report its exit status.
        p.waitFor();
        System.out.println("Exit Code from command: " + p.exitValue());

        // Ensure that the child process is terminated properly.
        p.destroy();
    }
}
This seems to work fine anyway. I'm just trying to see if there is anything that would appear on the process stack or tracing on the server that can see the content of these streams, but so far it looks like the Runtime.exec process may be secure enough to do this.
Because the Java process created isn't actually a shell or console command, none of this appears in the ps output or in the shell history, which is good. It's just a question of whether an administrator of (or intruder on) the server could trace the JVM and see the data or not.
At the moment this means that I can then store the passphrase wherever I need for the application to access it AND read the decrypted data straight into my app.
I just need to worry about what I do to manage the periodic change of keys (decrypt a file encrypted with an older key after the private key has been replaced) or whether I need to rename the file somehow to show which key was used to generate it.
What does happen to encrypted data in PGP when you regenerate/replace/change your key (which is a requirement every 6 months)?
Back to the PGP manual for that I guess.
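On the key-rotation question above: an OpenPGP message encrypted to a public key begins with one Public-Key Encrypted Session Key packet (tag 1) per recipient, and its version-3 body records the 64-bit ID of the key that was used (RFC 4880, sections 4.2 and 5.1), so the encrypting key can be read from the file itself rather than encoded in the file name. The following parser is an added example, not code from the original post; the packet bytes in SAMPLE are constructed for illustration and do not form a real encrypted message.

```python
def _packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet in data (RFC 4880, 4.2).
    Partial-body and indeterminate lengths are not supported."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet tag byte at offset {i}")
        if ctb & 0x40:  # new-format header: 6-bit tag, variable-length length
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: 4-bit tag, 2-bit length-type (1/2/4 bytes)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length


def encrypting_key_ids(data: bytes) -> list:
    """Return the key IDs (uppercase hex) from every v3 PKESK packet (tag 1).
    A message encrypted only with a passphrase (SKESK, tag 3) yields []."""
    ids = []
    for tag, body in _packets(data):
        if tag == 1 and len(body) >= 10 and body[0] == 3:
            ids.append(body[1:9].hex().upper())   # bytes 1..8 are the key ID
    return ids


# Constructed sample: one PKESK with an old-format header (v3, key ID
# 0123456789ABCDEF, algorithm 1 = RSA, a 16-bit dummy MPI) followed by a
# new-format tag-18 packet whose body is dummy filler, not real ciphertext.
SAMPLE = (bytes.fromhex("840e03" "0123456789abcdef" "01" "0010beef")
          + bytes.fromhex("d205" "01" "00000000"))

if __name__ == "__main__":
    print(encrypting_key_ids(SAMPLE))  # ['0123456789ABCDEF']
```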