Signing message problem with GPG loopback pin-entry option - gnupg

I am trying to encrypt and sign a file with gpg and the loopback pinentry option, with the below command:
gpg --pinentry-mode=loopback --passphrase="mypws" \
--ignore-time-conflict --ignore-valid-from \
--cipher-algo AES256 --symmetric --ignore-time-conflict \
--passphrase-file ~/.gnupg/PG/p-enckey --trust-model always -q --batch --yes --local-user "UserID" \
--sign --force-mdc \
--output /var/psigner/2 \
/var/psigner/1
However, I got the below error message:
gpg: signing failed: Too much data for IPC layer
gpg: /var/psigner/1: sign+symmetric failed: Too much data for IPC layer
But with the below command, where a dialog pops up to ask for the key passphrase, everything works fine.
gpg \
--ignore-time-conflict --ignore-valid-from \
--cipher-algo AES256 --symmetric --ignore-time-conflict \
--passphrase-file ~/.gnupg/PG/patch-enckey --trust-model always -q --batch --yes --local-user "UserID" \
--sign --force-mdc \
--output /var/psigner/2 \
/var/psigner/1
Can anyone give me advice to solve the problem?

Related

tls: failed to find any PEM data in certificate input - Vault API

I am following this documentation (https://www.vaultproject.io/api-docs/secret/consul) for creating a Consul secrets engine, creating a role and getting a token. But I am getting a somewhat misleading error when trying to get the token. Any ideas or similar issues?
here are the steps that I execute:
list roles
curl \
--header "X-Vault-Token: s.xxx" \
--request LIST \
https://vault.service.brain.consul:8200/v1/consul/roles \
--key /opt/vault/tls/vault.key \
--cert /opt/vault/tls/vault.pem \
--cacert /opt/vault/tls/cachain.pem
output
{"request_id":"a9a892e9-dba0-f6ca-b181-b16718db281d","lease_id":"","renewable":false,"lease_duration":0,"data":{"keys":["consul-worker"]},"wrap_info":null,"warnings":null,"auth":null}
show role
curl \
--header "X-Vault-Token: s.xxx" \
https://vault.service.brain.consul:8200/v1/consul/roles/consul-worker \
--key /opt/vault/tls/vault.key \
--cert /opt/vault/tls/vault.pem \
--cacert /opt/vault/tls/cachain.pem
output
{"request_id":"6b3b6dd8-ff30-eb91-20c6-3c0bd105be30","lease_id":"","renewable":false,"lease_duration":0,"data":{"lease":0,"local":false,"max_ttl":0,"policies":["agent"],"token_type":"client","ttl":0},"wrap_info":null,"warnings":null,"auth":null}
get role token
curl \
--header "X-Vault-Token: s.xxx" \
https://vault.service.brain.consul:8200/v1/consul/creds/consul-worker \
--key /opt/vault/tls/vault.key \
--cert /opt/vault/tls/vault.pem \
--cacert /opt/vault/tls/cachain.pem
output
{"errors":["1 error occurred:\n\t* tls: failed to find any PEM data in certificate input\n\n"]}

How to fix "no valid OpenPGP data found" after piping gpg with "--status-fd 1" to a file

I have a script that uses gpg to encrypt a file and upload it to Google Drive:
cat backup.tar.gz \
| gpg --symmetric --batch --status-fd 1 --with-colons --cipher-algo AES256 --passphrase ${5} \
| gdrive upload - backup.tar.gz.gpg
When trying to decrypt backup.tar.gz.gpg:
gpg backup.tar.gz.gpg
I get this error:
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
I think the problem is in using --status-fd 1.
Can anybody advise how to decrypt this existing file?

How to send the password automatically in gpg's symmetric encryption?

I want to make a symmetric encryption for the file /tmp/public.txt.
gpg --symmetric /tmp/public.txt
The command will invoke the enter-passphrase window; I want to send the password automatically.
My try here:
echo "mylongpasswordhere" | gpg --passphrase-fd 0 --symmetric /tmp/public.txt
The enter-passphrase window still pops up. How do I send the password automatically in gpg's symmetric encryption?
Since I stumbled on this question having the same problem, I'll post the answer that actually helped me (from another SE question). The key options here are --batch --yes:
$ gpg --passphrase hunter2 --batch --yes --symmetric file_to_enc
(Taken from this question)
That way you can actually encrypt a file symmetrically supplying the key as commandline argument, although this might mean that other users of the system might see the passphrase used.
Depending on your GnuPG version (>= 2.1.0), you need to add "--pinentry-mode loopback" to the command.
For GnuPG version >= 2.1.0 but < 2.1.12 you also need to add: "allow-loopback-pinentry" to the ~/.gnupg/gpg-agent.conf
Your command would then be:
echo "mylongpasswordhere" | gpg --pinentry-mode loopback --passphrase-fd 0 --symmetric /tmp/public.txt
Alternatively, you don't have to use --passphrase-fd and the echo, but can provide the passphrase directly:
gpg --pinentry-mode loopback --passphrase "somepass" --symmetric /tmp/public.txt
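The answer above boils down to three things: --batch (no interactive prompts), --pinentry-mode loopback (gpg reads the passphrase itself instead of calling pinentry), and a passphrase source that is not the command line. The following is an added example, not code from the original question or answers. It round-trips a file with the passphrase on fd 0 so it never appears in ps output, rejects a wrong passphrase, and also reproduces the pitfall from the "no valid OpenPGP data found" question earlier on this page: with ciphertext on stdout, --status-fd 1 mixes "[GNUPG:]" status lines into the same stream. Assumptions: gpg 2.1 or later, mktemp and cmp on PATH; the passphrase, file names and sample plaintext are constructed for the demo, and the allow-loopback-pinentry line is written only because the answer says versions before 2.1.12 need it.

```sh
#!/bin/sh
# Added example (not from the original posts). Unattended symmetric encryption
# with GnuPG 2.1 or later: the passphrase is supplied on a file descriptor rather
# than as a --passphrase argument, so it never shows up in `ps`. The second
# function reproduces the --status-fd 1 pitfall from the "no valid OpenPGP data
# found" question. Assumes gpg, mktemp and cmp on PATH; the passphrase and
# plaintext below are constructed for the demo.

PASS='correct horse battery staple'   # constructed demo passphrase

setup_home() {
    # Private GNUPGHOME so the demo never touches the real keyring or agent.
    tmp=$(mktemp -d) || return 1
    GNUPGHOME="$tmp/home"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    # Needed only for 2.1.0 <= gpg < 2.1.12; later versions allow loopback by default.
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    printf 'constructed sample plaintext\n' > "$tmp/msg.txt"
}

teardown_home() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}

# Passphrase arrives on fd 0 (stdin); the plaintext is a file argument.
sym_encrypt() { # $1 = plaintext file, $2 = ciphertext file
    printf '%s\n' "$PASS" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --cipher-algo AES256 --symmetric --output "$2" "$1"
}

sym_decrypt() { # $1 = ciphertext file, $2 = plaintext file, $3 = passphrase
    printf '%s\n' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --output "$2" --decrypt "$1" 2>/dev/null
}

# Prints "ok" when the round trip matches and a wrong passphrase is rejected.
roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    setup_home || { echo setup-failed; return 0; }
    result=fail
    if sym_encrypt "$tmp/msg.txt" "$tmp/msg.gpg" \
       && sym_decrypt "$tmp/msg.gpg" "$tmp/out.txt" "$PASS" \
       && cmp -s "$tmp/msg.txt" "$tmp/out.txt" \
       && ! sym_decrypt "$tmp/msg.gpg" "$tmp/bad.txt" 'wrong passphrase'; then
        result=ok
    fi
    teardown_home
    echo "$result"
}

# When the ciphertext goes to stdout, --status-fd 1 writes "[GNUPG:] ..." status
# lines into the same stream, so the result is no longer a valid OpenPGP file.
# Sending status to fd 2 (or any other fd) keeps stdout as pure ciphertext.
# Here stdin carries the plaintext, so the passphrase comes from a file instead.
statusfd_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    setup_home || { echo setup-failed; return 0; }
    printf '%s\n' "$PASS" > "$tmp/pass.txt"; chmod 600 "$tmp/pass.txt"
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$tmp/pass.txt" \
        --status-fd 1 --symmetric < "$tmp/msg.txt" > "$tmp/broken.gpg" 2>/dev/null || true
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$tmp/pass.txt" \
        --status-fd 2 --symmetric < "$tmp/msg.txt" > "$tmp/clean.gpg" 2>/dev/null || true
    result=fail
    if grep -q 'GNUPG:' "$tmp/broken.gpg" \
       && ! sym_decrypt "$tmp/broken.gpg" "$tmp/b.txt" "$PASS" \
       && sym_decrypt "$tmp/clean.gpg" "$tmp/c.txt" "$PASS" \
       && cmp -s "$tmp/msg.txt" "$tmp/c.txt"; then
        result=ok
    fi
    teardown_home
    echo "$result"
}

roundtrip_demo
statusfd_demo
```

Both functions print "ok" on success and "skip" when gpg is not installed. The fd-0 form is the one to use in scripts: a --passphrase argument is visible to every local user via ps, while a pipe or --passphrase-file (with mode 600) is not. If a script must log status lines, point --status-fd at stderr or a dedicated descriptor, never at the descriptor carrying the ciphertext.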
key="it is a long password to encrypt and decrypt my file in symmetric encryption"
Encrypt public.txt.
openssl enc -des3 -a -salt -in public.txt -k "${key}" -out public.asc
Decrypt public.asc.
openssl enc -d -des3 -a -salt -k "${key}" -in public.asc -out public.out
Can I draw a conclusion that openssl is a more powerful tool for encryption than gpg?

Why can't I run gpg in non-interactive mode successfully?

I'm writing a script that uses gpg to encrypt a file. During testing/experimentation with gpg from the command-line, I found some odd behavior. This works perfectly fine:
$ cat myFile.txt | gpg --encrypt -r 'jdoe#gmail.com'
gpg: B2D17635: There is no assurance this key belongs to the named user
pub 4096R/B2D17635 2016-01-31 John Doe (I am now a real person.) <jdoe#gmail.com>
Primary key fingerprint: B17F 98BA 1DA9 3FE1 A08F 1443 509D 87ED 32AF 2078
Subkey fingerprint: BB63 42DA 8FAD 194A E1C9 1F6D 39BA 73B9 B2D1 7635
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
�
Nϴ��[�mDZ.#�Bc���J������z�{p���%
<GIBBERISH SNIPPED>
i�)��/&N��t�Z�8�#�I<�Bq�!�K?�vQ�I�H6&+��(
But I don’t like that because I interactively had to type ‘y’. I would like it to assume “yes” and do the encryption without requiring any interactivity. So I ran the following command with the --batch and --yes switches. Why did it fail?
$ cat myFile.txt | gpg --encrypt --batch --yes -r 'jdoe#gmail.com'
gpg: B2D17635: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: unusable public key
The error you're receiving from GnuPG is because the public key isn't trusted/verified within your keyring. Because your OP stated that you're running tests, you may want to check out the code within a helper script written for my own experiments, GnuPG_Gen_Key.sh, specifically the functions copied/modded below.
#!/usr/bin/env bash
# Defaults added so this excerpt runs stand-alone; the full helper script sets
# them elsewhere. The keyserver URL is an assumed placeholder, override it via
# the environment.
Var_script_name="${0##*/}"
Var_gnupg_key_server="${Var_gnupg_key_server:-hkps://keys.openpgp.org}"
Var_gnupg_import_key="${1}"
Var_gnupg_import_key_trust="${2}"

# Set the ownertrust level of an already-imported key non-interactively by
# feeding the edit-key menu answers on fd 0.
Func_import_gnupg_key_edit_trust(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    gpg --no-tty --command-fd 0 --edit-key "${_gnupg_import_key}" <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
}

# Import a key from a file if one exists, otherwise look it up on the keyserver,
# then apply the requested trust level.
Func_import_gnupg_key(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    if [ -f "${_gnupg_import_key}" ]; then
        echo "# ${Var_script_name} reports: importing key file [${_gnupg_import_key}]"
        gpg --no-tty --command-fd 0 --import "${_gnupg_import_key}" <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
    else
        _grep_string='not found on keyserver'
        gpg --dry-run --batch --search-keys "${_gnupg_import_key}" --keyserver "${Var_gnupg_key_server}" | grep -qE "${_grep_string}"
        _exit_status=$?
        if [ "${_exit_status}" != "0" ]; then
            _key_fingerprint="$(gpg --no-tty --batch --dry-run --search-keys "${_gnupg_import_key}" | awk '/key /{print $5}' | tail -n1)"
            _key_fingerprint="${_key_fingerprint//,/}"
            if [ "${#_key_fingerprint}" != "0" ]; then
                echo "# ${Var_script_name} reports: importing key [${_key_fingerprint}] from keyserver [${Var_gnupg_key_server}]"
                gpg --keyserver "${Var_gnupg_key_server}" --recv-keys "${_key_fingerprint}"
                Func_import_gnupg_key_edit_trust "${_gnupg_import_key}"
            else
                echo "# ${Var_script_name} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
            fi
        else
            echo "# ${Var_script_name} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
        fi
    fi
}
One can either trust the public key with the above or use the following command to have GnuPG ignore trust issues.
gpg --armor --always-trust -r 'jdoe#gmail.com' -e myFile.txt -o myFile.txt.gpg
Note I've added the --armor option because the output in the OP looks to have been missing that, based on the snipped output.
You have to add --always-trust to your command:
echo "test" | gpg --batch --yes --always-trust --encrypt --armor -r "mail#example.com"
Probably better than using --always-trust is to sign the keys you are relying on once with your private key.
Then gpg won't ask again.
Also you encrypted standard input, so the ciphertext will be sent to standard output.
In most cases you want to use option --armor to produce ASCII output.
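The two answers above describe the same failure from different angles: --batch cannot answer "Use this key anyway?", so an untrusted recipient key yields "unusable public key", and the fix is either a one-off override (--always-trust, which is the same as --trust-model always) or making the key valid in your keyring. The following is an added example, not code from the original question or answers, that reproduces the failure and both remedies end to end in throwaway keyrings. It assumes gpg 2.1 or later (for --quick-gen-key and loopback pinentry), mktemp, awk and cmp on PATH; the "Bob" user ID, the empty key passphrase and the plaintext are constructed for the demo. The persistent fix shown records ownertrust for the key's fingerprint with --import-ownertrust, which is scriptable; signing the key with your own key, as the second answer suggests, is the other route and needs a key of your own.

```sh
#!/bin/sh
# Added example, not from the original question or answers: reproduces the
# "unusable public key" failure for an untrusted key and shows both remedies
# from the answers above: a one-off --trust-model always (the same as
# --always-trust) and a persistent ownertrust record. Assumes gpg 2.1 or later,
# mktemp, awk and cmp on PATH; the key, user ID and plaintext are constructed here.

# Run gpg against one of the two constructed keyrings ($1 = alice|bob).
g() { h="$1"; shift; GNUPGHOME="$tmp/$h" gpg --batch --quiet "$@"; }

trust_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    tmp=$(mktemp -d) || { echo setup-failed; return 0; }
    mkdir -m 700 "$tmp/alice" "$tmp/bob"
    printf 'constructed sample plaintext\n' > "$tmp/msg.txt"

    # Bob creates a key non-interactively. The empty passphrase is for the demo only.
    g bob --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Bob <bob@example.invalid>' default default never 2>/dev/null || true
    g bob --armor --export bob@example.invalid > "$tmp/bob.asc" || true

    # Alice imports Bob's public key. Nothing in her keyring vouches for it
    # (no ownertrust, no signature path), which is the situation behind
    # "There is no assurance this key belongs to the named user".
    g alice --import "$tmp/bob.asc" 2>/dev/null || true
    fpr=$(g alice --with-colons --fingerprint bob@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 1. Plain --batch encryption: interactive gpg would ask "Use this key anyway?",
    #    --batch cannot ask, so it fails with "unusable public key".
    if g alice --yes --encrypt -r bob@example.invalid --output "$tmp/c1.gpg" "$tmp/msg.txt" 2>/dev/null
    then r1=unexpected-success; else r1=rejected; fi

    # 2. One-off override: skip the validity check for this invocation only.
    if g alice --yes --trust-model always --encrypt -r bob@example.invalid \
         --output "$tmp/c2.gpg" "$tmp/msg.txt" 2>/dev/null
    then r2=encrypted; else r2=failed; fi

    # 3. Persistent fix: record ownertrust for Bob's fingerprint (6 = ultimate).
    #    The trust db now treats the key as valid, so no override is needed.
    printf '%s:6:\n' "$fpr" | g alice --import-ownertrust 2>/dev/null || true
    if g alice --yes --encrypt -r bob@example.invalid --output "$tmp/c3.gpg" "$tmp/msg.txt" 2>/dev/null
    then r3=encrypted; else r3=failed; fi

    # Bob decrypts the last ciphertext to prove the output is usable.
    if g bob --decrypt "$tmp/c3.gpg" 2>/dev/null | cmp -s - "$tmp/msg.txt"
    then r4=decrypted; else r4=failed; fi

    for h in alice bob; do GNUPGHOME="$tmp/$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$tmp"
    echo "$r1 $r2 $r3 $r4"
}

trust_demo
```

Expected output is "rejected encrypted encrypted decrypted" (or "skip" without gpg). Prefer step 3 (or signing the key) over step 2 in anything long-lived: --trust-model always disables the check that stops you from encrypting to a key someone slipped into your keyring under the recipient's name, whereas recording ownertrust or a signature is a decision you make once, for a fingerprint you verified.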

Running keytool, getting an error with the -file param?

I'm reading this article about how to allow a self-signed cert to be used by an android client:
http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html#comment-form
On step 2, I have to run a few commands, but I'm not too familiar with the shell and am getting a syntax error when trying to run the following:
export CLASSPATH="/Users/me/Desktop/lib/java/bouncycastle/bcprov-jdk16-145.jar"
CERTSTORE=res/raw/mystore.bks
if [ -a $CERTSTORE ]; then
rm $CERTSTORE || exit 1
fi
keytool \
-import \
-v \
-trustcacerts \
-alias 0 \
-file <(openssl x509 -in mycert.pem) \
-keystore $CERTSTORE \
-storetype BKS \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerpath /usr/share/java/bcprov.jar \
-storepass mypassword
The error I get when I run:
./test.sh: line 11: syntax error near unexpected token `('
./test.sh: line 11: ` -file <(openssl x509 -in mycert.pem) \'
So the -file syntax is problematic, but I'm not sure what to change this to, because I don't know what syntax the -file param can handle.
Anyone have any idea? I'm on Mac OS X 10.6.
Thanks
--------- Update ---------------
If I replace the "<" character with "$", I get the following exception when executed:
java.lang.RuntimeException: Usage error, CERTIFICATE----- is not a legal command
at sun.security.tools.KeyTool.parseArgs(KeyTool.java:375)
at sun.security.tools.KeyTool.run(KeyTool.java:171)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
Hmm, I'm not understanding which arg the exception is telling me is bad, though. The updated script looks like:
export CLASSPATH="/Users/me/Desktop/lib/java/bouncycastle/bcprov-jdk16-145.jar"
CERTSTORE=res/raw/mystore.bks
if [ -a $CERTSTORE ]; then
rm $CERTSTORE || exit 1
fi
keytool \
-import \
-v \
-trustcacerts \
-alias 0 \
-file $(openssl x509 -in mycert.pem) \
-keystore $CERTSTORE \
-storetype BKS \
-provider org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerpath /usr/share/java/bcprov.jar \
-storepass mypassword
Thanks!
You may not be running Bash. The <() is called process substitution. Some other shells support it, but the Bourne shell does not.
It creates an anonymous named pipe, so the -file sees a filename, but the file contents are really the output of openssl x509 command.
You can probably solve the problem by making sure that the first line in the script is:
#!/bin/bash
