I am using the below code to encrypt the text file. I need to read the encrypted text back and need to send in email. But for this its needs to be encoded without any special characters.
But When I encrypt using the below code, it is encrypting with special chracters.
gpg --output test.txt.gpg --encrypt --recipient test#test.com test.txt
Any Ideas?
You need to add the "-a" (ASCII armor) argument to gpg:
gpg -a --output test.txt.gpg --encrypt --recipient test#test.com test.txt
This tells gpg to format it's output in base 64 encoding.
Sample:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
hIwDpFCQLAnT5k0BBACOZhkGWUAAtVcY8KwyjbslRapH/82fltm6KrR4ZnA7DU34
6iLc92Zsv0+2NU7R3QANd0n+iNyiuKEpcmtD8Z+i3t1t3mBo8ZkwOKK2HbluVS/y
g3zeaJlK3J+PjY34F3Tgtjy30Tpw2mETMW9T9alzV+6K4LR5YLVGf1Y4E3bMLYUC
DgMN7kGkEsZTmBAH/0ijsp+dZ3A5UkmNva/mF9Xbl+9M40Sn9Z/vFH+h6dLOqYb5
z2Ixe6bxggEXmBpi/dmEIeOdqkOzj7PWeBLyLyFpIg926HheqTSH6Z4P4OPbXyCK
PlkoAwVzIv1xzc7Go3jnVylXzFAjsgDlDl6BLdN0U9x3yHa6vMHpigjUOSSLTtVH
urcabsjVTushn7VHzqgAIt/GldbyV8/NJlstI+0eB6x2nQ4If6nPcNLYl1s+oCDG
eO+beFYhT68wzAfRGbhCPBmB7ILojEMUM6rj7+efR6JxgAS8rRH/lH3zZhWPtz12
+vzlhT3ZJMS71yiluT/gnOTIlFid21l9R+JtcHAIALYrIsyKrPyzMw7sranvnATy
dHbDe1L2DC4SyAyA5SCDAzGhbwDWs7Td9/64bRDDtB3DUp3KG+ZaE/13K9CRIcUp
XRKvagklAfkTqQzPshC//xnHZeOw5kMBscNk5bvP/CZlcuPTgFOz/BNbFW0ooTPM
5RoEcl7V/h5OfUl38+aJGXP7rU/njBENQJDGM4s4ouFt6x3UC0KEL1BAGAu1fLyF
XMSVF40rezxavXuAYYw+pEtaotx7OAlp0tCkEX1AoobULhjtDNJ7FrWiN9e29noD
P5Dzk9RedKpr9ZKC22KeSpHZkpEiM82751HRHXpD3g0VYpAbxBWANO+QWqXnxqXJ
IqvU5Gjq5NGACOdMjQWnGiBvqwkCq4fI6lXNNNVNrTgMOpM=
=etE5
-----END PGP MESSAGE-----
Related
I could not find any good example of signing and verifying a file using PGP, I hope the following example could be useful.
I will use Bob and Alice to explain it.
1.Bob install Alice’s PGP Public key in his machine:
$ gpg --import <Key_Alice>-pub-sub.asc
2.Alice signs and encrypts a document (TestMessage.txt) using her PGP Private key :
$ gpg --output TestMessageSignedByAlice.txt -a --sign ./TestMessage.txt
--output : write output to FILE (TestMessageSignedByAlice.txt)
-a, --armor :output file should be in ascii format
--sign : document to sign and encrypt (TestMessage.txt)
The result is a document signed and encrypted (TestMessageSignedByAlice.txt) by Alice using her PGP private key.
3.Finally Bob verifies Alice’s signed document and decrypts document using Alice’s PGP Public Key. The original document content will be found in document TestMessageDecrypt.txt .
$ gpg --output TestMessageDecrypt.txt --decrypt ./TestMessageSignedByAlice.txt
--decrypt: file to verify signature and to decrypt (TestMessageSignedByAlice.txt)
--output : write output to FILE (TestMessageDecrypt.txt)
I used documentation from :
https://www.gnupg.org/gph/en/manual/x135.html
It works in a bit different way:
Alice uses her secret (private) key to sign a document, and Bob's public key to encrypt a document.
Bob uses his secret (private) key to decrypt document, and then Alice's public key to verify signature.
I'm trying to decrypt a file but I get the following:
gpg <file name>
gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user <email>"
gpg: decryption failed: secret key not available
When I list my keys using:
gpg --list-keys
Here is the result:
pub 2048R/0BBBBDB3 2018-02-19
uid user <email>
sub 2048R/4A83B612 2018-02-19
I understand that the sub key doesn't seem to be recognized.
To decrypt you need the private key. Have a look at https://www.gnupg.org/gph/en/manual/x110.html:
If you want to encrypt a message to Alice, you encrypt it using Alice's public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your key.
As the documentation states, only the recipient you specify by --recipient when encrypting can decrypt the message.
So in summary:
Encrypting uses the public key of the recicipient
Decrypting uses the private key of the recipient
I managed to have an output of gpg --list-secret-keys
I still can't decrypt the file though. Here is the output of gpg --output doc --decrypt doc.gpg:
gpg: encrypted with 2048-bit RSA key, ID 4A83B612, created 2018-02-19
"user " gpg: decryption failed: secret key not available
I'm trying to get the fingerprints from the public OpenPGP keys of ActiveMQ. They are published at http://www.apache.org/dist/activemq/KEYS.
Unfortunately, not all the keys have fingerprints listed next to them. Do you have any idea how to proceed?
I used this command (tested with gpg 2.2.12):
gpg --show-keys file.pub
For old versions, see the answer from Jens Erat. With newer versions gpg --with-fingerprint does not work and returns:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
The fingerprint is derived from the public key and creation timestamp -- both are contained in the public keys listed on the site.There are several ways of inspecting keys without importing them, which also makes sure you print the information of the very specific key you are considering right now. --with-fingerprint makes GnuPG always output the fingerprint when listing keys. One way to get the fingerprint would be:
$ gpg --with-fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)
mQGiBEPspSsRBADdguKAxMQbA32vTQrCyONR6Zs/YGdvau2Zrr3SSSSR0Ge4FMjZ
4tzwpf6+32m4Bsf7YIwdLl0H5hI1CgT5gDl9kXvfaFUehFnwR+FDyiBRiyHjUpGF
4dgkQfWy9diYeWGtsvszsvWHXtED4SXb322StX4MfJj+YesA1iEdTiXK6wCg1QDa
RucfjC+kx4zPsJwkJOgYpyMEAMTiXtNwQcke6nIFb/lb5374NjwwVAuuMTrRWLyq
5HodugEIHaw3EitQWtnFfXNkXTJZzS6t2HAGv29UTfhiBzKdkydgCkOk2MLWISOV
fqcg0tNIp5ZJCmUHg3s+OFNSH4oUi65u+FyDseUid3OKtPI+ZhIk8N+DjOIg2Kvo
/UALA/9q+WfBd7re+W3iUtU7TutUcwbKsjP+jpaJeUHg2ChOBxVfQKt4YlPHVdrR
iCrfNi90Z8qbsZ0iAXuqexrfMq20pAPmpHRpe54mmP1CMT5m+Gq71eKIfkUrb3LC
/zv08dLG2vm9oghd242wbcifaX+t7AhNAIpe/WTvQsB0gpdO4LQmSGlyYW0gQ2hp
cmlubyA8aGlyYW1AaGlyYW1jaGlyaW5vLmNvbT6IWwQTEQIAGwUCQ+ylKwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRCf8lmA9bp+T/G/AKDM1QDs7il/CJhTycgDvE3c
EOgUBwCfelsVK4sgBCooZptoaCCDgVtt71G5AQ0EQ+ylLhAEAJD25AWgwcNgBFKY
svExQaGIojIGJyn4Cf/5U30cui/K7fIU7JtyNhKcfZdCrh2hKx+x3H/dTF6e0SrR
hzKV7Dx0j76yhHHB1Ak25kjRxoU4Jk+CG0m+bRNTF9xz9k1ALSm3Y+A5RqNU10K6
e/5KsPuXMGSGoQgJ1H6g/i80Wf8PAAMFA/9mIxu7lMaqE1OE7EeAsHgLslNbi0h9
pjDUVNv8bc1Os2gBPaJD8B89EeheTHw6NMNIe75HVOpKk4UA0gvOBrxJqCr18yFJ
BM5sIlaEmuJwZOW4dDGOR1oS5qgE9NzpmyKhE+fu/S1wmy0coL667+1xZcnrPbUF
D4i7/aD1r8qJhohGBBgRAgAGBQJD7KUuAAoJEJ/yWYD1un5Pth0An0QEUs5cxpl8
zL5kZCj7c8MN8YZDAKDR9LTb6woveul50+uGtUl2fIH1uA==
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub dsa1024/0x9FF25980F5BA7E4F 2006-02-10 [SCA]
Key fingerprint = E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024/0x10314D676733C080 2006-02-10 [E]
You can also provide the full page, then GnuPG will print all fingerprints, readily grepable.
Note, that this works only on old GnuPG, version 2.0.x. For newer versions, see the other answers describing the --show-keys option, which is not available in this version.
gpg --show-keys --fingerprint <<EOT
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (Darwin)
mQGiBEPspSsRBADdguKAxMQbA32vTQrCyONR6Zs/YGdvau2Zrr3SSSSR0Ge4FMjZ
4tzwpf6+32m4Bsf7YIwdLl0H5hI1CgT5gDl9kXvfaFUehFnwR+FDyiBRiyHjUpGF
4dgkQfWy9diYeWGtsvszsvWHXtED4SXb322StX4MfJj+YesA1iEdTiXK6wCg1QDa
RucfjC+kx4zPsJwkJOgYpyMEAMTiXtNwQcke6nIFb/lb5374NjwwVAuuMTrRWLyq
5HodugEIHaw3EitQWtnFfXNkXTJZzS6t2HAGv29UTfhiBzKdkydgCkOk2MLWISOV
fqcg0tNIp5ZJCmUHg3s+OFNSH4oUi65u+FyDseUid3OKtPI+ZhIk8N+DjOIg2Kvo
/UALA/9q+WfBd7re+W3iUtU7TutUcwbKsjP+jpaJeUHg2ChOBxVfQKt4YlPHVdrR
iCrfNi90Z8qbsZ0iAXuqexrfMq20pAPmpHRpe54mmP1CMT5m+Gq71eKIfkUrb3LC
/zv08dLG2vm9oghd242wbcifaX+t7AhNAIpe/WTvQsB0gpdO4LQmSGlyYW0gQ2hp
cmlubyA8aGlyYW1AaGlyYW1jaGlyaW5vLmNvbT6IWwQTEQIAGwUCQ+ylKwYLCQgH
AwIDFQIDAxYCAQIeAQIXgAAKCRCf8lmA9bp+T/G/AKDM1QDs7il/CJhTycgDvE3c
EOgUBwCfelsVK4sgBCooZptoaCCDgVtt71G5AQ0EQ+ylLhAEAJD25AWgwcNgBFKY
svExQaGIojIGJyn4Cf/5U30cui/K7fIU7JtyNhKcfZdCrh2hKx+x3H/dTF6e0SrR
hzKV7Dx0j76yhHHB1Ak25kjRxoU4Jk+CG0m+bRNTF9xz9k1ALSm3Y+A5RqNU10K6
e/5KsPuXMGSGoQgJ1H6g/i80Wf8PAAMFA/9mIxu7lMaqE1OE7EeAsHgLslNbi0h9
pjDUVNv8bc1Os2gBPaJD8B89EeheTHw6NMNIe75HVOpKk4UA0gvOBrxJqCr18yFJ
BM5sIlaEmuJwZOW4dDGOR1oS5qgE9NzpmyKhE+fu/S1wmy0coL667+1xZcnrPbUF
D4i7/aD1r8qJhohGBBgRAgAGBQJD7KUuAAoJEJ/yWYD1un5Pth0An0QEUs5cxpl8
zL5kZCj7c8MN8YZDAKDR9LTb6woveul50+uGtUl2fIH1uA==
=RBPl
-----END PGP PUBLIC KEY BLOCK-----
EOT
pub dsa1024 2006-02-10 [SCA]
E5B8 247A F8A6 19A2 8F90 FDFC 9FF2 5980 F5BA 7E4F
uid Hiram Chirino <hiram#hiramchirino.com>
sub elg1024 2006-02-10 [E]
From GPG manual -
--show-keys
This commands takes OpenPGP keys as input and prints information about them
in the same way the command --list-keys does for locally stored key. In ad‐
dition the list options show-unusable-uids, show-unusable-subkeys, show-nota‐
tions and show-policy-urls are also enabled. As usual for automated process‐
ing, this command should be combined with the option --with-colons.
--fingerprint
List all keys (or the specified ones) along with their fingerprints. This is
the same output as --list-keys but with the additional output of a line with
the fingerprint. May also be combined with --check-signatures. If this com‐
mand is given twice, the fingerprints of all secondary keys are listed too.
This command also forces pretty printing of fingerprints if the keyid format
has been set to "none".
--with-fingerprint
Same as the command --fingerprint but changes only the format of the output
and may be used together with another command.
My GnuPG version is 2.2.20
References -
https://unix.stackexchange.com/a/694646/356166
I am using Mac OS X. I have the following files
key.rtf
cert.rtf
These files are PEM encoded and contain the key and the certificate in text form (-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----).
How can I:
decrypt the private key with the passphrase I used to encrypt it and get it back in text form?
get both files in PEM format as text (!) back?
The PEM encoding makes problems - if the files are stored as .key, .cert or anything like this, it works properly. But I need the text.
Thanks!
It is possible with this command: openssl rsa -in cert.pem -out server.key (I converted the files to a cert.pem file before).
I'm trying to convert a P12 file to a PEM file. When I execute the command, the terminal asks me for three things:
P12 passphrase (I type it in, hit enter)
PEM passphrase (type it in, hit enter)
PEM passphrase confirm (type it in, hit enter)
I know I can execute a sudo command all in one shot by using the following:
echo sudopassword | sudo rm -rf /file.p12;
How can I add all three values in one shot? Thanks
Can you explain what these P12 files are? I found this link which deals with the conversion of pkcs12 Cert/key files to .PEM format using openssl. (http://gridsite.org)
Key to the answer is:
Use -passin file:... and -passout file:... for unattended processing
It's my guess that you will have to specify the -passin file:P12passphrase and -passout file PEMpassphrase options for this case.
This little test confirms how an input passphrase can be specified through a file:<...> parameter. This helps to hide such phrases from any over the shoulder attacks. Don't forget to restrict access to such files. Even though it's a common feature of most openssl commands, it's not explicitly mentioned and it is key to the original question. The full list of options is below.
$ openssl pkcs12 -passin file:P12phrase
Can't open file P12phrase
Error getting passwords
(I leave it to the OP to construct the full command.)
Below are all supported options for the pkcs12 subcommand:
$ openssl pkcs12 help
Usage: pkcs12 [options]
where options are
-export output PKCS12 file
-chain add certificate chain
-inkey file private key if not infile
-certfile f add all certs in f
-CApath arg - PEM format directory of CA's
-CAfile arg - PEM format file of CA's
-name "name" use name as friendly name
-caname "nm" use nm as CA friendly name (can be used more than once).
-in infile input filename
-out outfile output filename
-noout don't output anything, just verify.
-nomacver don't verify MAC.
-nocerts don't output certificates.
-clcerts only output client certificates.
-cacerts only output CA certificates.
-nokeys don't output private keys.
-info give info about PKCS#12 structure.
-des encrypt private keys with DES
-des3 encrypt private keys with triple DES (default)
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-nodes don't encrypt private keys
-noiter don't use encryption iteration
-maciter use MAC iteration
-twopass separate MAC, encryption passwords
-descert encrypt PKCS#12 certificates with triple DES (default RC2-40)
-certpbe alg specify certificate PBE algorithm (default RC2-40)
-keypbe alg specify private key PBE algorithm (default 3DES)
-keyex set MS key exchange type
-keysig set MS key signature type
-password p set import/export password source
-passin p input file pass phrase source
-passout p output file pass phrase source
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
-CSP name Microsoft CSP name
-LMK Add local machine keyset attribute to private key
It's unlikely that these commands are reading from stdin. It's more likely that they're reading directly from the terminal. This allows them to set a mode that doesn't echo the password to the screen. Try echoing your input to /dev/tty.
Beyond that, you'll need to use something like expect / pexect to control these. Those projects were build specifically for this purpose.
Openssl has a -stdin optoin to read its input from stdin. This works:
tmp=`mktemp`
cat > $tmp <<EOF
$1
EOF
cat $tmp | openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
I've used cat and a here-document to avoid putting the password on the commandline.
I used openssl pkcs12 -in Certificates.p12 -out sampleCore.pem -nodes and it was working for me.
Have you tried just echoing three lines? It would probably work
echo $'P12 passphrase\nPEM passphrase\nPEM passphrase confirm' | cmd
Although I feel I must point out that echoing passwords like this is highly insecure. Not only does the password end up in your bash history file, but it's also visible to anyone else on the system who runs ps.