
logrotate, cron and gpg
Hi,

We are trying to encrypt log files via logrotate & cron, and I hope
someone here can help out a bit.

Our logrotate configuration file contains:

> olddir gpg/
> compress
> compresscmd /usr/bin/gpg
> compressoptions -vv --verbose --encrypt --default-key A4DB7xxxD98
> compressext .gpg

Now, when logrotate runs the above from cron, we're getting:

> gpg: cannot open '/dev/tty': No such device or address
> error: failed to compress log /logrotate/gpg//test.log.1

We know --no-tty exists, but it doesn't help in this case, because when
using that:

> gpg: Sorry, no terminal at all requested - can't get input

I do see various howtos that use gpg to encrypt their logfiles this
way, for example: https://www.ctrl.blog/entry/gdpr-web-server-logs.html

So, we're asking the experts here: What could be our issue, and how to
make this work?

This is on Debian 10.9

Thanks for any pointers!

MJ

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: logrotate, cron and gpg
Hi mj.

Thus spoke mj:
> We are trying to encrypt log files via logrotate & cron, and I hope
> someone here can help out a bit.
>
> Our logrotate configuration file contains:
>
>> olddir gpg/
>> compress
>> compresscmd /usr/bin/gpg
>> compressoptions -vv --verbose --encrypt --default-key A4DB7xxxD98
>> compressext .gpg
>
> Now, when logrotates runs the above from cron, we're getting:
>
>> gpg: cannot open '/dev/tty': No such device or address
>> error: failed to compress log /logrotate/gpg//test.log.1

When I run the command

gpg -vv --verbose --encrypt --default-key 0x... < /dev/null

GnuPG prompts me for a recipient. Without a TTY, such a prompt would
fail, of course. So presumably, instead of --default-key, you actually
want -r instead...?

Also: why are you using both -vv and --verbose at the same time?

> We know --no-tty exists, but it doesn't help in this case, because
> when using that:
>
>> gpg: Sorry, no terminal at all requested - can't get input

See above. You probably also want --batch as well.

Cheers,
Marco
Re: logrotate, cron and gpg
On Thu, 8 Apr 2021 13:51, Marco Ricci said:

> See above. You probably also want --batch as well.

Definitely. It might also be a good idea to use a dedicated homedir (or
user) for GnuPG or lacking this to add --no-options and give all args on
the command line.


Shalom-Salam,

Werner

--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
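To show the combined advice from Marco (-r instead of --default-key, plus --batch) and Werner (--no-tty, --no-options, a dedicated homedir) in one place, here is an added script that is not part of the thread and not GnuPG's or logrotate's own code. It reproduces how logrotate drives compresscmd (the rotated log on stdin, the output file on stdout, options from compressoptions on the command line, no controlling terminal), first confirming that the thread's options still fail once --batch is added and then round-tripping a constructed log line through the corrected options. It assumes GnuPG 2.1 or later is installed as gpg; the throwaway key, the user ID, the /var/lib/logcrypt path in the comment and the log line are all constructed for the test.

```shell
#!/bin/sh
# Added example, not code from the thread. Emulates logrotate's compresscmd
# invocation and checks that the corrected gpg options work without a tty.
# Assumes GnuPG 2.1+ is on PATH as "gpg"; key, user ID and log line are constructed.
set -eu

# The logrotate stanza this script emulates (the fixed form of the one in the
# thread; the homedir path and key id are assumptions):
#
#   olddir gpg/
#   compress
#   compresscmd /usr/bin/gpg
#   compressoptions --batch --no-tty --no-options --homedir /var/lib/logcrypt --encrypt -r A4DB7xxxD98
#   compressext .gpg

# Create a throwaway GnuPG home with one passphrase-less key and print its path.
make_test_home() {
    home=$(mktemp -d)
    chmod 700 "$home"
    gpg --homedir "$home" --batch --no-tty --quiet --pinentry-mode loopback \
        --passphrase '' --quick-gen-key 'logrotate test <logrotate@example.invalid>' \
        default default never 2>/dev/null
    echo "$home"
}

# Fingerprint of the primary key in the test home (field 10 of the first "fpr" record).
test_key_fpr() {
    gpg --homedir "$1" --batch --no-tty --with-colons --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run gpg the way logrotate runs compresscmd: options on the command line,
# the log on stdin, the output file on stdout. Returns gpg's exit status.
encrypt_like_logrotate() {
    in=$1; out=$2; shift 2
    gpg "$@" < "$in" > "$out" 2>/dev/null
}

# Prints "ok" on success, "skip" when gpg is unavailable, anything else on failure.
demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    home=$(make_test_home)
    fpr=$(test_key_fpr "$home")
    log="$home/test.log.1"
    # Constructed sample log line.
    printf 'Apr  8 03:15:01 host sshd[123]: Accepted publickey for mj from 192.0.2.10\n' > "$log"

    # 1. The thread's options plus --batch: --default-key selects a signing key,
    #    not a recipient, so gpg has nobody to encrypt to and exits non-zero
    #    ("no valid addressees") instead of prompting on /dev/tty.
    if encrypt_like_logrotate "$log" "$log.bad.gpg" --homedir "$home" --batch --no-tty \
            --encrypt --default-key "$fpr"; then
        echo "unexpected: original options succeeded"; return 1
    fi

    # 2. Corrected options: -r names the recipient, --batch/--no-tty forbid any
    #    prompt, --no-options ignores gpg.conf, --homedir pins the keyring.
    encrypt_like_logrotate "$log" "$log.gpg" --homedir "$home" --batch --no-tty \
        --no-options --encrypt -r "$fpr"

    # 3. Decrypt and compare with the original. The secret key is in the same
    #    home only for this test; a log server should hold the public key only.
    gpg --homedir "$home" --batch --no-tty --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt < "$log.gpg" > "$log.dec" 2>/dev/null
    if cmp -s "$log" "$log.dec"; then result=ok; else result=mismatch; fi

    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    echo "$result"
}

# Usage: sh logrotate-gpg-check.sh run
case "${1:-}" in
    run) demo ;;
esac
```

One caveat the round trip above does not exercise: on a real server that holds only the recipient's public key, batch-mode gpg refuses a key whose validity is unknown ("There is no assurance this key belongs to the named user ... Unusable public key"), because it cannot ask "Use this key anyway?". Either set the key's ownertrust or sign it in that dedicated homedir, or add --trust-model always to compressoptions.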
Re: logrotate, cron and gpg
Hi Werner and Marco,

Thank you very much for both your kind responses. Have adjusted my
config, and in my brief testing it seems to work.

Curious to check out my server tomorrow morning, after cron did its
nightly thing.

Thank you!

On 4/8/21 3:06 PM, Werner Koch via Gnupg-users wrote:
> On Thu, 8 Apr 2021 13:51, Marco Ricci said:
>
>> See above. You probably also want --batch as well.
>
> Definitely. It might also be a good idea to use a dedicated homedir (or
> user) for GnuPG or lacking this to add --no-options and give all args on
> the command line.
>
>
> Shalom-Salam,
>
> Werner
