I use gpg for encrypting a file storing my passwords in Windows. This file is an MS Excel file, which I use for convenience. Every time I want to check or update my passwords (> once per day on average), I execute the following batch script, which decodes the encrypted file and encodes the updated xlsx file again when I close the application.
call gpg --output pass.xlsx --decrypt pass.xlsx.gpg
call "%ProgramFiles%\Microsoft Office\Office14\excel.exe" pass.xlsx
call gpg --batch --yes --recipient myName --encrypt pass.xlsx
del pass.xlsx
Obviously, this is a suboptimal solution as it creates a decrypted file, which in case of an interruption (e.g. accidentally closing the command line window or a system crash), the file remains unencrypted. Anyone with something better, e.g. using in-memory pipes or the like (in Windows)?
Related
I had a requirement to compress a folder/directory and also encrypt it. And when needed i've to decrypt it. I did browse a lot to find a working answer on a MacOs. And i just manage to use the below steps to make it working.
Zip or tar zip the file/directory using zip or tar czf linux command
use "gpg --encrypt sample-file-or-folder.zip" Prompts you to enter the passphrase
Outcome of step 2, should result in sample-file-or-folder.zip.gpg
For decrypting .zip.gpg file use "gpg --output sample-file-or-folder.zip --decrypt sample-file-or-folder.zip.gpg" --> This prompts you to enter the passphrase. Please note that if you don't mention "--output" it will not get the desired output.
Is there any other better way to get the desired result ?
I want to decrypt and move a file safely.
What would be the safest way to do this?
My current approach:
echo "what's the passphrase?"
read -s -r key
gpg --decrypt --batch --passphrase "$key" "file.gpg" > file
mv -f "./file" "/location/file"
Are there any security issues that might occur this way?
I think your approach is ok, but it depends on what you want to achieve. Although:
"As long as you don't move the file across file-system borders, the operation should be safe" - ref.
If your priority is safety, and you don't own the system you are working on, I would consider not saving content in the file, rather copying the content directly to the clipboard (using xclip ref or clipboard-cli, if you can install it). Then you could safely store your data in a desired secure destination. In the end, emptying the buffer's cache would be a final step.
For larger files (measured in GB or more), I think saving the file on the system would be required. Then after a successful copying of it across file-system borders, you would need to clean it up - shred or wipe (ref) would be your friends here.
I have the following files Cert.pem, Key.pem, CACert.pem
I have been told that I need to decrypt the key.pem.
1) What is the windows OpenSSL command to do this?
I need to combine the decrypted key.pem file with the cert.pem file to produce a new cert.pem file.
2) What is the windows OpenSSL command to do this?
Thanks
Unix installations of OpenSSL should include man pages, but Windows versions often do not because Windows doesn't usually have any way of finding and displaying them. man pages for the currently supported releases, plus 'master' which is the development head, are available on the OpenSSL website at https://www.openssl.org/docs/manpages.html . All OpenSSL 'commands' are actually run by the (single) program openssl, thus you execute pkey some args by running
openssl pkey some args
rem if openssl.exe is on your PATH or in the current directory, otherwise
x:\path\to\openssl pkey some args
You don't mention having the password for the encrypted key file; I hope you do because you can't decrypt (or do anything else) without it.
For 1.0.0 up, pkey is the preferred way to convert private keys, including encrypting and decrypting; see its man page. In brief you simply tell pkey to read from the input file and write to the output file, and omit any specification of a cipher; that omission will cause it to write an unencrypted key. Note pkey will write the output in PKCS8 format, which is preferred for most purposes, but if you actually need a 'legacy' or 'traditional' format for some reason -- ask whoever 'told' you what software this file will be used with -- 1.1.0 pkey can do this but earlier cannot.
If you are stuck with a 0.9.x release, usually only on obsolete systems, use pkcs8 -topk8 -nocrypt for PCKS8 output; see that.
If you need legacy/traditional format (on a release below 1.1.0) you must use the 'legacy' per-algorithm commands, so you need to know what algorithm your key(file) is. Look at the first line where it says -----BEGIN something PRIVATE KEY----- . If something is RSA, use rsa; for DSA dsa; for EC ec; see the respective pages. If something is ENCRYPTED you must decrypt it to PkCS8 as above first, then look at it with asn1parse to determine which algorithm it is, but I expect it's not very likely someone who want a legacy unencrypted key will start with an PKCS8 encrypted one.
OpenSSL does not provide any special operation to combine PEM files, since concatenating files of many types is a common operation. On Unix this is canonically done with the cat program; on Windows it can be done by using the (builtin) copy command with plus-sign(s) in the source; on both Unix and Windows it can be done by creating a file and then appending to it like:
copy decryptedkey.pem combined.pem
type certificate.pem >> combined.pem
rem >> means redirect the output from that command ('type')
rem normally on the console to _the end of_ the named file.
In this case you want to modify cert.pem by adding the contents of decryptedkey.pem, so just do
type decryptedkey.pem >> cert.pem
Alternatively you can use a plaintext editor like notepad. Open both files; select all the text in the second file and copy (or cut) and paste it at the end of the first file; save the modified first file.
I have seen a situation many a times where i have to work on VDI desktop/RDP through my laptop where only copy to clipboard option is available.
So if i want to copy a zip file,i cant.
I think one of the option could be convert file to binary and copy to clipboard but how to paste the same on my laptops clipboard and retrieve the the file?
If you use Windows you can use following procedure:
to get your file prepared for the transfer run:
certutil.exe -encode file.zip filezip.txt
next, open the filezip.txt with Notepad and mark all and copy it to the clipboard
Open Notepad on the server with the same file name
notepad.exe filezip.txt
and paste the content from the clipboard. Save the file.
Last step is to convert the file back to binary using certutil again:
certutil.exe -decode filezip.txt file.zip
Now you can extract your files from the file.zip on the server.
As far as I know, if you are using microsoft's remote desktop, you can copy and paste file between local and remote machine.
It's very difficult to implement the copy and paste between two machine. If you can use the web browser in the remote machine, you can try convert the binary to base64 content, then convert it back to binary using some online base64 converter.
I have a sequence of scripts which downloads PGP files from a FTP server. I then unzip these files with a private key using PGPKeys. The unzipped files are then picked up by a SQL Server job which appends the data onto our database. I'd like to automate the entire process. Is there anyway to unzip a PGP locked file using shell scripting (either Linux or Windows)?
That's a perfect task to automize, I can help you in Linux.
First you can use wget to download a file
wget ftp://website.com/yourpgparchive.zip
If your ftp website requires authenticated access use
wget --ftp-user=USER --ftp-password=PASSWORD ftp://ftp.site/archive.zip.pgp
Then you need gpg (the open source PGP implementation) to decrypt the file
gpg -o file.zip -d file.zip.gpg
(If you need some suggestion on how to import keys and get started with gpg check here)
Then you can just unzip the file with
unzip file.zip
You may need to install gnupg and unzip from your package manager.
Yes, GPG. In your case, it's just gpg -d filename (or just gpg -d to read from stdin).
And, what you probably wanted to say is decrypt instead of unzip and encrypted instead of locked.