Develop Reference

gpg No such file or directory

I'm trying to run gpg from a Bash script designed to backup a website. The command that fails is
gpg --homedir /home/backupuser/.gnupg --verbose --no-tty --recipient {group-name} --trust-model always --output /home/backupuser/backup/{tar-file}.gpg --encrypt /mnt/ramdir/site-backup-backupuser/{tar-file}
It fails with return code 127. The gpg home directory exists, as does the {tar-file}. The output directory exists but the output file does not.
If I repeat the gpg command in the script it fails in exactly the same way. But if I execute it in shell immediately after it has failed in the script it works as expected. The output is:
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address1}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address2}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: reading from '/mnt/ramdir/site-backup-backupuser/{tar-file}'
gpg: writing to '/home/backupuser/backup/{tar-file}.gpg'
gpg: '/mnt/ramdir/site-backup-backupuser/{tar-file}' already compressed
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address1}>"
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address2}>"
This is Debian "bullseye" 11.6, gpg 2.2.27 and libgcrypt 1.8.8.
I have tried numerous combinations of parameters, always with the above result. With or without --homedir, with or without sudo (I was getting desperate), from a file on disk rather than in RAM, with or without --verbose and several others.

GPG --gen -key with password in a separate file

I want to encrypt a file using a passphrase, which I did using gpg --gen-key to create a key (I used the default options) in the command line, and I also go this to work in an "automated" way without user interaction.
But, I'd like to specify the passphrase stored in a separate file. This is what I'm running now:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
And what's in the file called "FileContainingKeySettings.txt" is this:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: PBJ
Name-Comment: test
Name-Email: PBJ#pbj.com
Expire-Date: 0
Passphrase:blah
%commit
%echo done
So that works and generates the key.
Then I call this:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv
And this works too.
So now I have 1 problem and 1 question. The problem is that I need to specify the passphrase to reference a file that looks like this (but much longer):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47
[encoding]
-----END PGP PUBLIC KEY BLOCK-----
instead of using the password where I wrote "blah"^, and I haven't found a way to do this online or from any other team members around me. How can I do that?
Question: I also notice now that the file I was sent containing the encryption key reads at the top
" -----BEGIN PGP PUBLIC KEY BLOCK-----"
...which says it uses PGP (but I am using gpg). I know that gpg and pgp are different and read about them, but can I even do what I'm trying to do using gpg to encrypt a file with a key that was apparently generated with pgp?
(in Windows)

UPDATE: Now I may have gotten this working, although I still have to validate by having the other person decrypt the message (it works fine when I decrypt it). Silly I didn't think of this code change earlier when I've actually tried this before...I simply changed my cmd call from this part:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
to this instead, specifying the passphrase file location here instead:
gpg --batch --passphrase "D:\Staging\FileWithActualKey.txt --gen-key
"D:\Staging\FileContainingKeySettings.txt"
and I took the password line out of the file "FileContainingKeySettings" altogether. I haven't tested this by having the other person decrypt it yet on their end...I hope it worked. At least I didn't get error. But now when I run this line again to actually do encryption, it works:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv

Message Authentication Code for gpg

The gpg software supports symmetric encryption out of the box. That means, it works with a password. But apart from protecting the content it is also important to ensure the Authentication of a message. The idea is to create a hashsum of the file itself together with the password used for encryption. According to [1] a popular “Message Authentication Code” is HMAC. After entering:
gpg --hmac --armor --symmetric --passphrase pwd1 file.txt
gpg: Invalid option "--hmac"
an error message occurs that the switch is not known by the software. How can i use the MAC authentication the right way?

You can't. The reason for the error message is that type of signature is not available with GPG. You'd be better off simply signing and encrypting the file with the standard GPG method. Even if you wanted to use symmetric encryption only, then the recipient would still need to use GPG to decrypt the file. The correct command would be:
gpg -o filename.txt.asc -sear $recipient_key filename.txt
This assumes you also always encrypt to your own key, otherwise the command would be:
gpg -o filename.txt.asc -sear $recipient_key -r $your_key filename.txt
If they don't have a key, you could still sign and encrypt to your own key only and then extract the session key so you could provide that for them to decrypt the file with it:
gpg -o filename.txt --show-session-key -d filename.txt.asc
Then the recipient would be able to decrypt with:
gpg -o filename.txt --override-session-key $session_key -d filename.txt.asc
If you really must use symmetric encryption only, however, you can do it in two setps.
First sign the file:
gpg -o filename.txt.asc -sa filename.txt
Then symmetrically encrypt that file:
gpg -o newfilename.asc -a -c filename.txt.asc
The recipient would then need to run the decryption command twice; first on the symmetrically encrypted file and then a second time on the file it decrypts.
The normal --verify option is only used for checking clearsigned files or files with detached signatures.

How to use Gnupg's passphrase-fd argument?

I would like to use GnuPG´s decrypt command without any user interation. The script's --passphrase-fd argument seems exactly what I need. But I don't know how it works - haven't found examples.
Could anyone give me an example of such a command, on both Windows and UNIX environments?
(FYI, I'm using GnuPG 2).
Thanks already :)

In order to use the gpg option --passphrase-fd in GnuPG v2, you must specify the --batch parameter. I will first explain how --passphrase-fd works, and then get to the examples.
--passphrase-fd tells GnuPG which file descriptor (-fd) to expect the passphrase to come from. The standard file descriptors are STDIN (0), STDOUT (1) and STDERR (2). For the context of this question, you would normally only be concerned about STDIN (0).
You didn't specify where you want the passphrase to come from, so I will demonstrate the usage of STDIN (standard in) in a variety of ways.
--passphrase-fd 0 tells GnuPG to retrieve the passphrase from input into the current shell; so for example if you want GnuPG to get the passphrase data in the very next line of console input, the command and output would be like so:
gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
<next line of input is passphrase followed by hitting enter>
gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
"testkey4321 (4321) <test#4321.com>"
this is a test... this is only a test...
In the above example, the passphrase was provided via file descriptor 0 (STDIN) - which we provided by entering it on the shells current standard input.
In the next example, we will tell GnuPG to retrieve the passphrase from input into the current shell that is actually the output of another command (echo, in this case, which merely "echos" what you tell it to):
echo "mypassphrase" | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
"testkey4321 (4321) <test#4321.com>"
this is a test... this is only a test...
Another example that dumps the contents of a file that contains the passphrase to STDIN -
cat /path/to/file_with_passphrase | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
gpg: encrypted with 1024-bit RSA key, ID EC18C175, created 2013-10-26
"testkey4321 (4321) <test#4321.com>"
this is a test... this is only a test...
In summary, --passphrase-fd just tells GnuPG that you want to feed it the requisite passphrase via a standard file descriptor; the difference between GnuPG v2 and GnuPG is merely the --batch parameter.
The above examples should work the same in Windows and *nix environments, with the only difference being that in Windows - depending on your configuration and version - you will have to replace cat with type in order to dump the contents of a file to STDIN.

kylehuff's answer still wouldn't work for me, with gpupg still popping up a password prompt.
According to https://wiki.archlinux.org/index.php/GnuPG#Unattended_passphrase with gnupg version 2.1.0 and higher, you need to do additional steps to support --passphrase-fd
First, edit the gpg-agent configuration to allow loopback pinentry mode:
~/.gnupg/gpg-agent.conf
allow-loopback-pinentry
Restart the gpg-agent process if it is running to let the change take effect.
Second, either the application needs to be updated to include a commandline parameter to use loopback mode like so:
$ gpg --pinentry-mode loopback ...

Using GPG4win/gpg 2.2.3: to use the passphrase-fd 0 and bypass the prompt, I can confirm that the following works:
--pinentry-mode loopback

As I've had to recently figure this out myself I thought it might be worth chiming in.
The answer by kylehuff is very good if you're decryping files, however, if you've need of input/output redirection, such as piping, here's an example of using a non-0 file descriptor to pass the passphrase.
#!/usr/bin/env bash
# Set some variables for easy modding
Var_fd='9'
Var_pass_location="/path/to/passphrase.file"
Var_gpg_decrypt_opts="--passphrase-fd ${Var_fd} --decrypt"
Var_output_location="out.txt"
Arr_string=( "$#" )
# Open file descriptor and shove the passphrase file into it
exec ${Var_fd}<${Var_pass_location}
# Pipe input array though gpg and append to output file
cat <<<"${Arr_string[*]}" | $(which gpg) ${Var_gpg_decrypt_opts} >> ${Var_output_location}
# Do not forget to close the file descriptor
exec ${Var_fd}>&-
Do be warned, outside of special use cases, that saving your private keys passphrase is generally seen as a bad idea or bad security practice. -Also please don't forget to close the descriptor when finished so that your passphrase isn't accessible via that method anymore.- Often I've seen advised in these use cases to use specifically non-passphrase protected keys but that's totally your choose. If you like the above code then you may want to also checkout the script I debugged for key generation either unattended or attended because it covers even less commonly used gpg file descriptor options.
Edits/updates
So I've been debugging the bulk decryption operations and have evidence to show that file descriptors seem to close automatically or perhaps it's auto closed by GnuPG. Check build 152 all the way at the bottom of the raw logs, just before diff checks, you'll find that the first block of encrypted data ate the passphrase leaving the next two blocks of data without a valid passphrase. The related scripts in this operation are ; first the script_decrypt.sh build script sets the test key's passphrase to file descriptor 9 as shown in above examples, then the Helper script is called such that it'll make use of that file descriptor... it's a funky use case but the moral of the story seems to be that what ever bulk decryption operations you plan to implement with GnuPG file descriptors will likely need to follow the steps outlined above as a whole function to properly have the file descriptors reopened. I'll be rewriting the helper script over the next few pushes so check the Travis-CI build logs greater than 152 to find if I've a solution to where file descriptors get closed...
... so that only took two tries to get things working, see the difference in build 154 both the encrypted file and raw input log match. As hypothesised the file descriptors get dumped after first usage by either GnuPG or a sub shell, thus the passphrase needs to be assigned before every decrypt command for bulk decryption to happen.
Hope this was valuable to y'all.

GNUPG - stdin encrypted file and passphrase on windows

How can I pipe the passphrase and encrypted file in gpg.exe?
I have tried a few different combinations but I can't get it to work.
Here is my attempt,
C:\>gpg.exe --output [OUTPUT_FILE] --batch --passphrase-fd 0 --decrypt < [INPUT_FILE] < [PASSPHRASE_FILE]
from this I get error
gpg: decrypt_message failed: eof
Swapping the input and passphrase around I get the error
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof
If I don't try and send the encrypted file via stdin then the decryption works fine.
Ultimately what I want to do is decrypt a file based on a file mask with the date timestamp in the file name. Outlined below,
C:\>gpg.exe --output yyyyMMdd.csv --batch --passphrase-fd 0 --decrypt < *_yyyyMMdd_*.txt < [PASSPHRASE_FILE]
I'm not sure if this will work because I can't get the basic scenario working, I would also appreciate if someone could advise me of the best way to achieve this.

Don't use redirection for the file you want to decrypt, only for the file containing your passphrase:
C:\>gpg.exe --output [OUTPUT_FILE] --batch --passphrase-fd 0 --decrypt [INPUT_FILE] < [PASSPHRASE_FILE]
But honestly, it might be easier for you to remove the passphrase from your key. After all, storing your passphrase in a file is not very secure. Just change your passphrase to a blank and protect your gpg home directory to deny access to any process other than your own.