GPG Ignores --passphrase parameter - gnupg

How do you pass a passphrase via the GPG command-line? Even when the "--passphrase" parameter is used, the GNOME agent still pops up.
People have suggested a "--no-agent", but this isn't a valid option. You might be able to set this via the config-file, but this isn't a valid approach for me. I can't use a pipe, because I'll have data on STDIN.

It's "--no-use-agent":
$ echo "cleartext" | gpg --passphrase "some-passphrase" -c --no-use-agent > text.encrypted
$ cat text.encrypted | gpg --passphrase "passphrase" --no-use-agent 2>/dev/null
$ cat text.encrypted | gpg --passphrase "some-passphrase" --no-use-agent 2>/dev/null
cleartext

Related

How can I provide a password to openssl enc in a bash script?

I have a bash script that dumps MySQL, makes a tar and protects it with openssl:
tar -cf ${DB}_${DATE}.tar *.sql | openssl enc -aes-256-cbc -pbkdf2 -e > ${DB}_${DATE}.tar.gz.enc > /dev/null 2>&1
but my bash script stops because it asks for a password.
How can I fill in the passwords in the bash script?
As the manual tells you, -pass source specifies a location from which openssl will read the password to use.
Assuming this is a bash script instead of a sh script, you can use process substitution:
# tar must write the archive to stdout (-f -) for openssl to receive it on the pipe
tar -czf - *.sql |
    openssl enc -aes-256-cbc -pbkdf2 -e -pass file:<(echo "password") \
    >"${DB}_${DATE}.tar.gz.enc" 2>/dev/null
Note that redirecting stderr to /dev/null is a bad idea -- I'm doing it because it's what your original code did, but it makes it impossible to troubleshoot failures.

Bash - How do I redirect stderr to the stdout of the next command in a pipe line?

Context: I have a backup script that tars a specified directory then pipes it to gpg to symmetrically encrypt and compress the archive. I then redirect stderr to stdout and pipe both to tee to log it to a file and save the output to a shell variable.
RESULT=$(tar -c "$BACKUPPATH" |
    gpg --batch --passphrase 1234 --yes \
        -o "$FILELOC" -c --bzip2-compress-level 9 \
        2>&1 |
    tee -a "$LOG")
However, tar has been failing, so I want to capture tar's stderr in the same manner (so it shows up in $RESULT and also in the log file).
What's the best way to do this?
I tried this:
RESULT=$(tar -c "$BACKUPPATH" 3<&2 |
    gpg --cipher-algo AES256 --batch --passphrase 1234 --yes \
        -o "$FILELOC" -c --bzip2-compress-level 9 \
        2>&1 3>&1 |
    tee -a "$LOG");
But it doesn't seem to work when I pass a bogus path to tar. It doesn't show up in the log or variable. Maybe I need a fifo?
RESULT=$(
    {
        tar -c "$BACKUPPATH" |
        gpg --batch --passphrase 1234 --yes \
            -o "$FILELOC" -c --bzip2-compress-level 9; \
    } 2>&1 | tee -a "$LOG"
)
Redirect the stderr of both commands by putting them inside curly braces and having the 2>&1 redirection apply to the whole compound command.
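As an added example, not part of the question or answer above, here is the same compound-command redirection applied to constructed stand-in commands in place of tar and gpg. It also carries the producer's exit status into the captured output, because a pipeline otherwise reports only its last command's status, which is why a failing tar goes unnoticed when only gpg's status is checked. The producer, consumer, run_pipeline and producer_status functions are invented for this demonstration.

```shell
#!/bin/sh
# Added example: capture stderr from every stage of a pipeline and surface the
# producer's exit status, which a plain pipeline discards. The tar and gpg stages
# are replaced by constructed stand-ins so this runs anywhere.

# producer: stands in for `tar -c "$BACKUPPATH"`. Writes data to stdout, a warning
# to stderr, and exits with the status given as $1 (constructed stand-in).
producer() {
    echo "archive-bytes"
    echo "producer: warning on stderr" >&2
    return "$1"
}

# consumer: stands in for gpg. Consumes stdin, reports on stderr, writes nothing to stdout.
consumer() {
    cat >/dev/null
    echo "consumer: processed input" >&2
}

# run_pipeline STATUS: run producer | consumer inside a compound command so that a
# single 2>&1 applies to both stages. The producer's exit status is written to stderr
# as a trailer line, so it survives the pipe and lands in the captured text.
run_pipeline() {
    {
        {
            producer "$1"
            echo "producer-exit=$?" >&2
        } | consumer
    } 2>&1
}

# producer_status CAPTURED: pull the producer's exit status back out of the captured text.
producer_status() {
    printf '%s\n' "$1" | sed -n 's/^producer-exit=//p'
}

# Demonstration: one healthy run, one where the producer fails with status 2.
RESULT_OK=$(run_pipeline 0)
RESULT_FAIL=$(run_pipeline 2)
printf '%s\n' "$RESULT_FAIL"
echo "producer exit status in failing run: $(producer_status "$RESULT_FAIL")"
```

Only the stderr lines and the trailer end up in the variable; the producer's stdout is consumed by the next stage as before. In bash, `set -o pipefail` or `${PIPESTATUS[0]}` gives the same information, but the trailer works in any POSIX shell.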

Why can't I run gpg in non-interactive mode successfully?

I'm writing a script that uses gpg to encrypt a file. During testing/experimentation with gpg from the command-line, I found some odd behavior. This works perfectly fine:
$ cat myFile.txt | gpg --encrypt -r 'jdoe@gmail.com'
gpg: B2D17635: There is no assurance this key belongs to the named user
pub 4096R/B2D17635 2016-01-31 John Doe (I am now a real person.) <jdoe@gmail.com>
Primary key fingerprint: B17F 98BA 1DA9 3FE1 A08F 1443 509D 87ED 32AF 2078
Subkey fingerprint: BB63 42DA 8FAD 194A E1C9 1F6D 39BA 73B9 B2D1 7635
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
�
Nϴ��[�mDZ.#�Bc���J������z�{p���%
<GIBBERISH SNIPPED>
i�)��/&N��t�Z�8�#�I<�Bq�!�K?�vQ�I�H6&+��(
But I don’t like that because I interactively had to type ‘y’. I would like it to assume “yes” and do the encryption without requiring any interactivity. So I ran the following command with the --batch and --yes switches. Why did it fail?
$ cat myFile.txt | gpg --encrypt --batch --yes -r 'jdoe@gmail.com'
gpg: B2D17635: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: unusable public key
The error you're receiving from GnuPG is because the public key isn't trusted/verified within your keyring. Because your OP stated that you're running tests, you may want to check out the code within a helper script written for my own experiments, GnuPG_Gen_Key.sh, specifically the functions copied/modified below.
#!/usr/bin/env bash
Var_gnupg_import_key="${1}"
Var_gnupg_import_key_trust="${2}"
Func_import_gnupg_key_edit_trust(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    gpg --no-tty --command-fd 0 --edit-key ${_gnupg_import_key} <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
}
Func_import_gnupg_key(){
    _gnupg_import_key="${1:-${Var_gnupg_import_key}}"
    if [ -f "${_gnupg_import_key}" ]; then
        echo "# ${Var_script_name} reports: importing key file [${_gnupg_import_key}]"
        gpg --no-tty --command-fd 0 --import ${_gnupg_import_key} <<EOF
trust
${Var_gnupg_import_key_trust}
quit
EOF
    else
        _grep_string='not found on keyserver'
        gpg --dry-run --batch --search-keys ${_gnupg_import_key} --keyserver ${Var_gnupg_key_server} | grep -qE "${_grep_string}"
        _exit_status=$?
        if [ "${_exit_status}" != "0" ]; then
            _key_fingerprint="$(gpg --no-tty --batch --dry-run --search-keys ${_gnupg_import_key} | awk '/key /{print $5}' | tail -n1)"
            _key_fingerprint="${_key_fingerprint//,/}"
            if [ "${#_key_fingerprint}" != "0" ]; then
                echo "# ${Var_script_name} reports: importing key [${_key_fingerprint}] from keyserver [${Var_gnupg_key_server}]"
                gpg --keyserver ${Var_gnupg_key_server} --recv-keys ${_key_fingerprint}
                Func_import_gnupg_key_edit_trust "${_gnupg_import_key}"
            else
                echo "# ${Var_script_name} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
            fi
        else
            echo "# ${Var_script_name} reports: error no public key [${_gnupg_import_key}] as file or on key server [${Var_gnupg_key_server}]"
        fi
    fi
}
One can either trust the public key with above or use the following command to have GnuPG ignore trust issues.
gpg --armor --always-trust -r 'jdoe@gmail.com' -e myFile.txt -o myFile.txt.gpg
Note I've added the --armor option because the output in the OP looks to have missed that based off the snipped output.
You have to add --always-trust to your command:
echo "test" | gpg --batch --yes --always-trust --encrypt --armor -r "mail@example.com"
Probably better than using --always-trust is to sign the keys you are relying on once with your private key.
Then gpg won't ask again.
Also you encrypted standard input, so the ciphertext will be sent to standard output.
In most cases you want to use option --armor to produce ASCII output.
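An added example, not from any of the answers above: the "unusable public key" failure and a fix that does not need --always-trust, run end to end inside two throwaway keyrings. The recipient identity, the key material and the helper functions (gpg_in, encrypt_to, trust_key, decrypt_in) are constructed for this demonstration, and it assumes GnuPG 2.1 or later. Instead of --always-trust it assigns ownertrust to the one recipient key with --import-ownertrust, the scriptable equivalent of the trust command fed to --edit-key in the helper script above, so only that fingerprint is accepted and any other untrusted key still fails in batch mode.

```shell
#!/bin/sh
# Added example: why batch public-key encryption fails with "unusable public key" and
# how to fix it per key rather than with --always-trust. Assumes GnuPG 2.1+. Runs
# inside two throwaway GNUPGHOME directories (recipient and sender); no real keyring is touched.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
RECIPIENT_HOME="$WORK/recipient"; SENDER_HOME="$WORK/sender"
mkdir -m 700 "$RECIPIENT_HOME" "$SENDER_HOME"
RECIPIENT='recipient@example.invalid'   # constructed test identity

cleanup() {
    for h in "$RECIPIENT_HOME" "$SENDER_HOME"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg_in HOME ARGS...: run gpg non-interactively against one specific keyring.
gpg_in() {
    h="$1"; shift
    GNUPGHOME="$h" gpg --batch --yes --quiet --no-tty --pinentry-mode loopback "$@"
}

# The recipient generates a key (no passphrase, test only) and exports the public half;
# the sender imports it. The sender's keyring now holds the key but has no reason to
# believe it belongs to $RECIPIENT, which is the state described in the question.
gpg_in "$RECIPIENT_HOME" --passphrase '' --quick-gen-key "Recipient <$RECIPIENT>" future-default default never
gpg_in "$RECIPIENT_HOME" --export "$RECIPIENT" > "$WORK/recipient.pub"
gpg_in "$SENDER_HOME" --import "$WORK/recipient.pub"

# encrypt_to HOME RECIPIENT OUTFILE: encrypt stdin for RECIPIENT; returns gpg's exit status.
encrypt_to() {
    gpg_in "$1" --encrypt --armor --recipient "$2" --output "$3"
}

# trust_key HOME RECIPIENT: mark the key ultimately trusted by fingerprint via
# --import-ownertrust (6 = ultimate), the non-interactive form of `trust` / `5` in --edit-key.
trust_key() {
    fpr=$(gpg_in "$1" --with-colons --with-fingerprint --list-keys "$2" \
          | awk -F: '/^fpr:/ { print $10; exit }')
    printf '%s:6:\n' "$fpr" | gpg_in "$1" --import-ownertrust
    gpg_in "$1" --check-trustdb
}

# decrypt_in HOME FILE: decrypt with the recipient's secret key and print the plaintext.
decrypt_in() {
    gpg_in "$1" --decrypt "$2"
}

# 1. Untrusted key: --batch cannot answer "Use this key anyway?", so gpg fails instead.
UNTRUSTED_RC=0
echo "secret report" | encrypt_to "$SENDER_HOME" "$RECIPIENT" "$WORK/fail.asc" || UNTRUSTED_RC=$?

# 2. After assigning trust to that fingerprint, the same command succeeds.
trust_key "$SENDER_HOME" "$RECIPIENT"
echo "secret report" | encrypt_to "$SENDER_HOME" "$RECIPIENT" "$WORK/msg.asc"
PLAINTEXT=$(decrypt_in "$RECIPIENT_HOME" "$WORK/msg.asc")
echo "untrusted attempt exit status: $UNTRUSTED_RC; decrypted: $PLAINTEXT"
```

Locally signing the key once (--quick-lsign-key with the fingerprint, as the last answer recommends) is the other durable option. Both bind the decision to one fingerprint, whereas --always-trust accepts whatever key happens to match the recipient string, including one that was quietly imported later.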

decrypt multiple OpenPGP files in a directory

I have several hundred gpg encrypted files in a directory, of the format filename.xyz.gpg where "xyz" is some arbitrary extension. I need to decrypt all of the files to generate filename.xyz decrypted in such a way that I don't have to manually enter the password for each file.
I have tried the following for directory "Testing":
for file in 'ls Testing'; do (echo <password>|gpg --passphrase-fd 0 -d $file --output $file.decrypted);
I just wind up with a command prompt >, and nothing happens.
What is the matter with my syntax? Is there some more efficient way to do this without a bash shell loop?
gpg can decrypt multiple files so you shouldn't need to write a loop.
Try the following. You will need to enter your password once.
gpg --passphrase-fd 0 --decrypt-files *.gpg
As it is said in the manual you need to add --batch option:
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
--passphrase string
Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.
You can have either of these two forms:
echo "passphrase" | gpg --passphrase-fd 0 --batch -d --output "decrypted.file" "file.gpg"
Or simpler:
gpg --passphrase "passphrase" --batch -d --output "decrypted.file" "file.gpg"
You can try a script like this to extract your files:
#!/bin/bash
read -rsp "Enter passphrase: " PASSPHRASE
for FILE in *.*.gpg; do
    echo "Extracting $FILE to ${FILE%.gpg}."
    echo "$PASSPHRASE" | gpg --passphrase-fd 0 --batch -d --output "${FILE%.gpg}" "$FILE"
done
I had success with
gpg --decrypt-files *.gpg
cf. https://serverfault.com/a/388068/103585
I had success with gpg --decrypt-files *
but not *.gpg
It worked with below commands for me:
For single file:
gpg --decrypt --input C:\PGPFiles\[encryptedfilename.pgp] --passphrase [yourpassphrase]
For multiple files:
gpg --decrypt --input C:\PGPFiles\* --passphrase [yourpassphrase]

GnuPG Shell Script - Refuses to read password

The script below used to work on Mac OS X, but, since moving it to Ubuntu, it doesn't seem to read from the password file at all. Even when I run it from the command line, no matter what I do, I get a popup prompt asking me for the password. As this will run via cron, I don't want this to happen... I want it to read the password from the file with no prompt. To note, I did try using passphrase-fd and passphrase-file, neither of which worked...
#!/bin/sh
p=$(<pass.txt)
set -- $p
pass_phrase=$1
destination="/var/www/decrypted"
cd /var/sl_bin/
for FILE in *.pgp;
do
    FILENAME=${FILE%.pgp}
    gpg --passphrase "$pass_phrase" --output "$destination/$FILENAME" --decrypt "$FILE"
    rm -f $FILE
done
This works:
gpg --no-use-agent --batch --passphrase-file pass.txt --output kkkk.tar.bz2 --decrypt kkk-data.tar.bz2.gpg
The --passphrase-file option seems to be broken / not honored. I had to use --passphrase-fd 0 instead, like so:
cat .password | gpg --passphrase-fd 0 --output foo --decrypt foo.gpg
Use option --no-use-agent. It won't prompt you using option --passphrase.
If you don't want to supply the file via standard input (eg, because you're plugging this into another command like git, which wants to supply the content to sign via standard input), then you can use another file descriptor:
gpg --passphrase-fd 3 <your command here> 3< pass.txt
Your problem is probably that $passphrase is null. On Ubuntu sh is symlinked to dash which doesn't understand $(<file_name) in the same way that Bash does (but doesn't issue an error either).
You can change your shebang to:
#!/bin/bash
or use $(cat pass.txt)
Also, why not combine the second, third and fourth lines?: pass_phrase=$(<pass.txt) (or pass_phrase=($(<pass.txt)) if you're trying to strip off all but the first "word" in the file).
Your previous question
use
#!/bin/bash
or
#!/usr/bin/env bash
as your first line instead of #!/bin/sh
As for your pass phrase problem, you should probably try to use some automatic mechanism. check the gpg documentation for information. I don't use gpg, but you can check out gpg-agent.
Two solutions (the first one solved my problem ;-))
http://www.roguedaemon.net/rephrase/
gpg uses --passphrase-fd not --passphrase
echo yourpw|gpg --passphrase-fd 0 --output out.txt -d file.txt
You're getting password prompt because you have DISPLAY variable set (if you click cancel the script will continue decrypting files). DISPLAY shouldn't be set in the cron environment, so you can probably ignore it, but to be sure or be able to test the script from command prompt add
unset DISPLAY
to the beginning of the script or run it before executing.
Also to be able to use $(<file) syntax you need to change
#!/bin/sh
to
#!/bin/bash
You should avoid using --passphrase option which could lead to revealing your password on multi-user system. You can use --passphrase-file instead. Here's how I would change your script:
#!/bin/sh
PASSFILE=$(pwd)/pass.txt
destination="/var/www/decrypted"
cd /var/sl_bin/
for FILE in *.pgp;
do
    FILENAME=${FILE%.pgp}
    gpg --passphrase-file $PASSFILE --output "$destination/$FILENAME" --decrypt "$FILE"
    rm -f $FILE
done
To save location of the password file before changing current directory, I saved it in PASSFILE variable.
add --archive to read password from --passphrase-file
You must to use:
gpg --batch --passphrase-fd 1 --passphrase-file your_password_file -c your_file_to_encript.txt
Use below script
#! /bin/sh
gpg --pinentry-mode loopback --passphrase='PASSWORD' --output /output/outputFileName /input/inputFileName
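An added example, not from any answer on this page, that serves both the "decrypt multiple OpenPGP files in a directory" question and the "Refuses to read password" question above: a POSIX sh script that encrypts and then bulk-decrypts files non-interactively, reading the passphrase from a file descriptor opened on a mode-600 file instead of putting it on the command line, where --passphrase exposes it to `ps` and shell history. It assumes GnuPG 2.1 or later, where --no-use-agent is accepted but ignored and it is --batch together with --pinentry-mode loopback that suppresses the pinentry pop-up. Paths, file contents, passphrases and the helper functions (gpg_batch, encrypt_file, decrypt_dir) are constructed for the demonstration, and everything runs in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example: unattended symmetric encryption and bulk decryption with GnuPG, with the
# passphrase delivered on fd 3 rather than via --passphrase. Assumes GnuPG 2.1+ and runs
# inside a throwaway GNUPGHOME so no real keyring or agent is touched.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"; }
trap cleanup EXIT

# Constructed passphrase files (a real one belongs outside the repo, mode 600, owned by the cron user).
GOOD_PASS="$WORK/pass.txt";  printf '%s\n' 'constructed-example-passphrase' > "$GOOD_PASS"
OTHER_PASS="$WORK/other.txt"; printf '%s\n' 'some-other-passphrase' > "$OTHER_PASS"
chmod 600 "$GOOD_PASS" "$OTHER_PASS"

# gpg_batch: options every unattended call needs. --batch disables prompts and is required
# for --passphrase-fd to be honoured; --pinentry-mode loopback keeps gpg 2.1+ from sending
# the passphrase request to a pinentry dialog (the pop-up from the question).
gpg_batch() {
    gpg --batch --yes --quiet --no-tty --pinentry-mode loopback "$@"
}

# encrypt_file SRC PASSFILE: write SRC.gpg, passphrase taken from fd 3.
encrypt_file() {
    gpg_batch --passphrase-fd 3 --symmetric --cipher-algo AES256 \
        --output "$1.gpg" "$1" 3< "$2"
}

# decrypt_dir DIR PASSFILE: decrypt every DIR/*.gpg to DIR/<name without .gpg>.
# A file that fails (wrong passphrase, corrupt data) is reported and skipped rather than
# aborting the loop; the count of decrypted files is printed for the caller to check.
decrypt_dir() {
    count=0
    for f in "$1"/*.gpg; do
        [ -e "$f" ] || continue               # no matches: the glob stayed literal
        if gpg_batch --passphrase-fd 3 --output "${f%.gpg}" --decrypt "$f" 3< "$2"; then
            count=$((count + 1))
        else
            echo "decrypt failed: $f" >&2
            rm -f "${f%.gpg}"                 # never leave a truncated output file behind
        fi
    done
    echo "$count"
}

# Demonstration on constructed sample files: two encrypted with the right passphrase and
# one with a different passphrase to exercise the failure path.
DATA="$WORK/data"; mkdir "$DATA"
printf 'report one\n' > "$DATA/report.txt"
printf 'a,b,c\n'      > "$DATA/notes.csv"
printf 'stale\n'      > "$DATA/old.bin"
encrypt_file "$DATA/report.txt" "$GOOD_PASS"
encrypt_file "$DATA/notes.csv"  "$GOOD_PASS"
encrypt_file "$DATA/old.bin"    "$OTHER_PASS"
rm "$DATA/report.txt" "$DATA/notes.csv" "$DATA/old.bin"

DECRYPTED=$(decrypt_dir "$DATA" "$GOOD_PASS")
echo "decrypted $DECRYPTED of 3 files"
```

For a cron job, point the `3<` redirection at the real passphrase file and keep `unset DISPLAY` out of the picture entirely: with --batch and loopback pinentry there is no dialog to suppress. Checking the returned count against the number of `*.gpg` files is what turns a silent partial failure into something the job can alert on.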
