Can't decrypt file: expected public key - bash

I am trying to decrypt a file using the following command:
gpg --batch --no-tty --yes --always-trust --primary-keyring /root/.gnupg/secring.gpg -o file.csv --passphrase -d file.csv.asc
It works fine, but when I run it in cron I get the following error message:
gpg: expected public key but found secret key - must stop
What can I do to get it running in cron?

Don't point to a keyring, but to a complete GnuPG home directory using --homedir /root/.gnupg. --homedir sets the directory in which GnuPG looks for all of its other files.
--primary-keyring file can only be used for public keyrings, which will not help you with decryption. From man gpg:
--primary-keyring file
Designate file as the primary public keyring. This means that newly
imported keys (via --import or keyserver --recv-from) will go to this
keyring.
Alternatively, you can use --secret-keyring file:
--secret-keyring file
Same as --keyring but for the secret keyrings.
I'm not sure whether you need this parameter anyway: if you're running this cron job as the root user, $HOME should already be set to /root and GnuPG will find its home folder without further configuration. If you're not running the cron job as root, put the keys in another location (i.e., the user's home directory); giving other users read and possibly write access to /root is a potential security issue.
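As an added example (not part of the answer above, and not the asker's script), here is a cron-safe wrapper that applies the points made: it sets the GnuPG home explicitly through GNUPGHOME, reads the passphrase from a mode-0600 file with --passphrase-file instead of placing it on the command line where `ps` shows it, checks the permissions that cron-run jobs usually trip over, and resolves the gpg binary explicitly because cron's PATH is minimal. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback); the paths, the GPG_BIN variable and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not the answer's code): a cron-safe GnuPG decrypt wrapper.
# Assumes GnuPG >= 2.1 (needed for --pinentry-mode loopback). Every path and
# the GPG_BIN variable below are made up for illustration.
set -u

# file_mode PATH: octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_private_dir DIR: the GnuPG home must exist and be mode 0700.
check_private_dir() {
  [ -d "$1" ] || { echo "missing GnuPG home: $1" >&2; return 1; }
  m=$(file_mode "$1")
  [ "$m" = 700 ] || { echo "$1 is mode $m, want 700" >&2; return 1; }
}

# check_secret_file FILE: the passphrase file must exist and be mode 0600.
check_secret_file() {
  [ -f "$1" ] || { echo "missing passphrase file: $1" >&2; return 1; }
  m=$(file_mode "$1")
  [ "$m" = 600 ] || { echo "$1 is mode $m, want 600" >&2; return 1; }
}

# find_gpg: cron runs with a minimal PATH, so locate the binary explicitly and
# report its absence here rather than as an unexplained exit status 127.
find_gpg() {
  for p in "${GPG_BIN:-}" /usr/bin/gpg2 /usr/bin/gpg /usr/local/bin/gpg; do
    if [ -n "$p" ] && [ -x "$p" ]; then echo "$p"; return 0; fi
  done
  echo "no gpg binary found; set GPG_BIN" >&2
  return 1
}

# decrypt_in_cron HOME PASSFILE IN OUT: decrypt IN to OUT with the secret key
# kept in HOME, never putting the passphrase on the command line.
decrypt_in_cron() {
  home=$1; pass=$2; in=$3; out=$4
  check_private_dir "$home" || return 1
  check_secret_file "$pass" || return 1
  gpg=$(find_gpg) || return 1
  GNUPGHOME=$home "$gpg" --batch --no-tty --yes \
    --pinentry-mode loopback --passphrase-file "$pass" \
    --output "$out" --decrypt "$in"
}

# Example crontab entry (made-up paths), assuming this file is installed as
# /usr/local/sbin/gpg-decrypt-cron and ends with the line: decrypt_in_cron "$@"
#   0 2 * * *  /usr/local/sbin/gpg-decrypt-cron /var/lib/ingest/gnupg /etc/ingest/passphrase /srv/in/file.csv.asc /srv/out/file.csv
```

The permission checks fail closed: a world-readable passphrase file or a 0755 key directory stops the job before gpg runs, which is the condition you want a scheduled decryption to refuse rather than silently accept.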

Related

gpg No such file or directory

I'm trying to run gpg from a Bash script designed to backup a website. The command that fails is
gpg --homedir /home/backupuser/.gnupg --verbose --no-tty --recipient {group-name} --trust-model always --output /home/backupuser/backup/{tar-file}.gpg --encrypt /mnt/ramdir/site-backup-backupuser/{tar-file}
It fails with return code 127. The gpg home directory exists, as does the {tar-file}. The output directory exists but the output file does not.
If I repeat the gpg command in the script it fails in exactly the same way. But if I execute it in a shell immediately after it has failed in the script, it works as expected. The output is:
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address1}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: using subkey {hhhhhhhhhhhhhhhh} instead of primary key {hhhhhhhhhhhhhhhh}
gpg: automatically retrieved '{email address2}' via Local
gpg: No trust check due to '--trust-model always' option
gpg: reading from '/mnt/ramdir/site-backup-backupuser/{tar-file}'
gpg: writing to '/home/backupuser/backup/{tar-file}.gpg'
gpg: '/mnt/ramdir/site-backup-backupuser/{tar-file}' already compressed
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address1}>"
gpg: RSA/AES256 encrypted for: "{hhhhhhhhhhhhhhhh} {Comment} <{email address2}>"
This is Debian "bullseye" 11.6, gpg 2.2.27 and libgcrypt 1.8.8.
I have tried numerous combinations of parameters, always with the above result. With or without --homedir, with or without sudo (I was getting desperate), from a file on disk rather than in RAM, with or without --verbose and several others.

GPG --gen-key with password in a separate file

I want to encrypt a file using a passphrase, which I did using gpg --gen-key to create a key (I used the default options) on the command line, and I also got this to work in an "automated" way without user interaction.
But, I'd like to specify the passphrase stored in a separate file. This is what I'm running now:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
And what's in the file called "FileContainingKeySettings.txt" is this:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: PBJ
Name-Comment: test
Name-Email: PBJ#pbj.com
Expire-Date: 0
Passphrase: blah
%commit
%echo done
So that works and generates the key.
Then I call this:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt D:\Staging\textfiletobeencrypted.csv
And this works too.
So now I have 1 problem and 1 question. The problem is that I need to specify the passphrase to reference a file that looks like this (but much longer):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47
[encoding]
-----END PGP PUBLIC KEY BLOCK-----
instead of using the password where I wrote "blah", and I haven't found a way to do this online or from any other team members around me. How can I do that?
Question: I also notice now that the file I was sent containing the encryption key reads at the top
" -----BEGIN PGP PUBLIC KEY BLOCK-----"
...which says it uses PGP (but I am using gpg). I know that gpg and pgp are different and read about them, but can I even do what I'm trying to do using gpg to encrypt a file with a key that was apparently generated with pgp?
(in Windows)
UPDATE: Now I may have gotten this working, although I still have to validate it by having the other person decrypt the message (it works fine when I decrypt it). Silly that I didn't think of this code change earlier, when I've actually tried this before... I simply changed my cmd call from this part:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
to this instead, specifying the passphrase file location here instead:
gpg --batch --passphrase "D:\Staging\FileWithActualKey.txt" --gen-key "D:\Staging\FileContainingKeySettings.txt"
and I took the password line out of the file "FileContainingKeySettings" altogether. I haven't tested this by having the other person decrypt it on their end yet... I hope it worked. At least I didn't get an error. And when I run this line again to actually do the encryption, it works:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt D:\Staging\textfiletobeencrypted.csv
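Added example, not the poster's code: the same unattended steps written as POSIX shell functions for GnuPG 2.1 or later, plus the check the second half of the question turns on. A file that starts with -----BEGIN PGP PUBLIC KEY BLOCK----- is an ASCII-armored OpenPGP public key (the "Version: BCPG" line only names the library that produced it, and GnuPG reads the same format); gpg takes it in with --import and can then encrypt to it with --recipient. A passphrase, by contrast, only protects your own secret key, so the batch file below uses %no-protection instead of storing one. All names, addresses and paths are made up, and the round-trip function needs a working gpg and gpg-agent.

```shell
#!/bin/sh
# Added example (not the poster's code). Unattended OpenPGP workflow with
# GnuPG >= 2.1: batch key generation, armored public-key export/import, and
# encryption to a received public key. Names and paths are made up.
set -u

# armor_kind FILE: print the type named in the first armor header line, e.g.
# "PUBLIC KEY BLOCK", "PRIVATE KEY BLOCK" or "MESSAGE"; nothing if unarmored.
armor_kind() {
  head -n 1 "$1" | sed -n 's/^-----BEGIN PGP \(.*\)-----$/\1/p'
}

# write_keygen_params FILE NAME EMAIL: parameter file for `gpg --batch --gen-key`.
# %no-protection creates a key without a passphrase, so none has to be stored.
write_keygen_params() {
  cat > "$1" <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# gen_key HOME NAME EMAIL: unattended key generation into the GnuPG home HOME.
gen_key() {
  write_keygen_params "$1/params.txt" "$2" "$3"
  GNUPGHOME=$1 gpg --batch --quiet --gen-key "$1/params.txt"
}

# export_pub HOME EMAIL OUT: write the ASCII-armored public key for EMAIL to OUT.
export_pub() {
  GNUPGHOME=$1 gpg --batch --quiet --armor --export "$2" > "$3"
}

# encrypt_to_pubkey HOME PUBKEY EMAIL IN OUT: import a received public key block
# into HOME and encrypt IN to it. --trust-model always skips the web-of-trust
# check, so verify the key's fingerprint out of band before relying on this.
encrypt_to_pubkey() {
  home=$1; pub=$2; email=$3; in=$4; out=$5
  [ "$(armor_kind "$pub")" = "PUBLIC KEY BLOCK" ] || {
    echo "$pub: not an OpenPGP public key block" >&2; return 1; }
  GNUPGHOME=$home gpg --batch --quiet --import "$pub" || return 1
  GNUPGHOME=$home gpg --batch --yes --trust-model always \
    --recipient "$email" --output "$out" --encrypt "$in"
}

# decrypt_with HOME IN OUT: decrypt IN with the secret key in HOME (no passphrase
# prompt, because the key was generated with %no-protection).
decrypt_with() {
  GNUPGHOME=$1 gpg --batch --quiet --yes --output "$3" --decrypt "$2"
}

# round_trip: two parties, each with its own GNUPGHOME; prints "ok" on success.
round_trip() {
  work=$(mktemp -d) || return 1
  mkdir -m 700 "$work/alice" "$work/bob"
  gen_key "$work/bob" "Bob Example" "bob@example.test" || return 1
  export_pub "$work/bob" "bob@example.test" "$work/bob.pub.asc" || return 1
  printf 'id,amount\n1,42\n' > "$work/data.csv"
  encrypt_to_pubkey "$work/alice" "$work/bob.pub.asc" "bob@example.test" \
    "$work/data.csv" "$work/data.csv.gpg" || return 1
  decrypt_with "$work/bob" "$work/data.csv.gpg" "$work/out.csv" || return 1
  cmp -s "$work/data.csv" "$work/out.csv" && echo ok
  status=$?
  rm -rf "$work"
  return $status
}
```

Running `round_trip` exercises the whole path: Bob generates a key, exports his public key, Alice imports it and encrypts to it, and Bob decrypts. If you do keep a passphrase on the generated key, GnuPG 2.1+ wants it supplied at use time with `--pinentry-mode loopback --passphrase-file`, not baked into the key-generation command line.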

How to provide password once for all operations in Bash script? [duplicate]

I have Debian, Fisheye and Git on my server.
My git repos are managed by Fisheye. There is no authentication at the Fisheye part. All authentication procedures are managed by git.
I would like to use SSH authentication, so that I do not need to provide username and password as I push my changes to the server. I know how to create an rsa key, but where do I copy my public key at the server?
The key part of the article "Git on the Server - Setting Up the Server" is:
you need to add some developer SSH public keys to the ~/.ssh/authorized_keys file for that user.
Let’s assume you’ve received a few keys by e-mail and saved them to temporary files. Again, the public keys look something like this:
$ cat /tmp/id_rsa.john.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCB007n/ww+ouN4gSLKssMxXnBOvf9LGt4L
ojG6rs6hPB09j9R/T17/x4lhJA0F3FR1rP6kYBRsWj2aThGw6HXLm9/5zytK6Ztg3RPKK+4k
Yjh6541NYsnEAZuXz0jTTyAUfrtU3Z5E003C4oxOj6H0rfIF1kKI9MAQLMdpGW1GYEIgS9Ez
Sdfd8AcCIicTDWbqLAcU4UpkaX8KyGlLwsNuuGztobF8m72ALC/nLF6JLtPofwFBlgc+myiv
O7TCUSBdLQlgMVOFq1I2uPWQOkOWQAHukEOmfjy2jctxSDBQ220ymjaNsHT4kgtZg2AYYgPq
dAv8JggJICUvax2T9va5 gsg-keypair
(Note: make sure the key is displayed on one single line)
You just append them to your authorized_keys file:
$ cat /tmp/id_rsa.john.pub >> ~/.ssh/authorized_keys
If you don't have an authorized_keys file on your server, create it, but make sure to protect it correctly.
server$ mkdir ~/.ssh
server$ chmod 700 ~/.ssh
server$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
server$ chmod 600 ~/.ssh/authorized_keys
server$ rm ~/id_rsa.pub
See "Creating SSH keys for Gerrit and Hudson" for a concrete example.
Make sure git is in the PATH used by your ssh daemon.
Make sure all parent directories of your ~/.ssh are not writable for the group (chmod 755 only).
You need to paste your public key inside ~/.ssh/authorized_keys. Create the file if it doesn't exist.
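Added example, not part of the answers above: the authorized_keys steps as one idempotent function, with the checks sshd's StrictModes enforces anyway (a group- or world-writable home directory makes sshd ignore the file). It refuses a key that arrived wrapped over several lines, which is the failure the "one single line" note warns about, and it will not append the same key twice. It assumes a POSIX shell with GNU or BSD stat; the key line used in the test is a made-up placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not the answers' code): install an OpenSSH public key into
# ~/.ssh/authorized_keys idempotently, with the permission checks sshd's
# StrictModes enforces. Assumes GNU or BSD stat; the paths are made up.
set -u

# file_mode PATH: octal permission bits (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# valid_pubkey_line FILE: exactly one line of "<type> <base64> [comment]" with a
# key type OpenSSH accepts. A key that arrived wrapped over several lines fails.
valid_pubkey_line() {
  [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
  read -r ktype kdata _ < "$1"
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  case "$kdata" in
    ''|*[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  return 0
}

# not_group_or_world_writable PATH: what sshd's StrictModes requires of the
# home directory, ~/.ssh and authorized_keys (checked from the mode bits).
not_group_or_world_writable() {
  m=$(file_mode "$1") || return 1
  [ $(( (m / 10 % 10) & 2 )) -eq 0 ] && [ $(( (m % 10) & 2 )) -eq 0 ]
}

# install_authorized_key HOME KEYFILE: create ~/.ssh (0700) and authorized_keys
# (0600) and append the key once, matching on type and key material so that a
# re-sent key with a different comment is not added a second time.
install_authorized_key() {
  home=$1; keyfile=$2
  valid_pubkey_line "$keyfile" || {
    echo "$keyfile: not a single-line OpenSSH public key" >&2; return 1; }
  not_group_or_world_writable "$home" || {
    echo "$home is group/world writable; sshd will ignore authorized_keys" >&2
    return 1; }
  ak=$home/.ssh/authorized_keys
  mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
  [ -f "$ak" ] || : > "$ak"
  chmod 600 "$ak" || return 1
  read -r ktype kdata _ < "$keyfile"
  if grep -qF "$ktype $kdata" "$ak"; then
    echo "already present: $ktype $(printf '%s' "$kdata" | cut -c1-12)..."
    return 0
  fi
  # $(cat) drops any trailing newline; printf adds exactly one back.
  printf '%s\n' "$(cat "$keyfile")" >> "$ak"
}
```

For a deploy or git-only account you would normally prefix the appended line with authorized_keys options such as `restrict,command="..."`; that is a separate concern from the file-permission mechanics shown here.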

gpg list keys error trustdb is not writable

When I try to list my gpg keys I'm getting an error:
gpg --list-keys
gpg: NOTE: trustdb not writable
gpg: checking the trustdb
gpg: trustdb rec 56: write failed (n=-1): Bad file descriptor
gpg: trustdb: sync failed: Bad file descriptor
I tried doing a recursive chown on my user directory. But that didn't seem to solve the problem.
The volume is not read only:
[web1:~] bluethundr% touch test
[web1:~] bluethundr% echo hi > test
[web1:~] bluethundr% cat test
hi
So I'm wondering why the trustdb is not writable.
How can I solve this?
That seems to have been reported in bug 771976
I found this when running the command apt-key list on a machine where
the root filesystem is normally mounted read-only.
This results in running gpg with "--trustdb-name", "/etc/apt//trustdb.gpg", "--list-keys".
gpg in turn attempts to create "/etc/apt//trustdb.gpg.lock" in order to lock the trustdb, which fails.
Seeing how --list-keys is an operation which shouldn't require writing
to anything, having it fail in this situation is bad.
Even though the volume is not read-only, check (with an strace) where gpg --list-key is attempting to create its trustdb.gpg.lock file.
strace gpg --list-keys 2>&1 | grep trustdb.gpg.lock
The OP bluethundr adds in the comments:
I changed to the .gnupg directory and did a list.
I saw that the files in there were owned by root! So I did a sudo chown -R myuser:myuser *.
Then I ran gpg --list-keys again and it worked!
The problem was that the files in .gnupg were owned by root for some reason.
I granted the user I was logged on as permissions on the trustdb.gpg file in the installation directory on the C drive. It worked thereafter.
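Added example, not from the answers above: a pre-flight check for a GnuPG home directory that reports the conditions this thread diagnosed by hand, namely entries owned by someone else (typically left behind by an earlier sudo run), entries the owner cannot write (which is what breaks the trustdb lock file and sync), and a home directory that is not mode 0700. Write access is judged from the mode bits rather than with `test -w`, so the result is the same whether the check runs as the user or as root. It assumes GNU or BSD stat and find; all paths are made up.

```shell
#!/bin/sh
# Added example (not the answers' code): audit a GnuPG home directory for the
# ownership and permission problems that make gpg report an unwritable trustdb.
# Assumes GNU or BSD stat/find. Paths are made up.
set -u

file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# user_writable PATH: owner write bit set, read from the mode rather than with
# -w, so running the audit via sudo does not mask a problem.
user_writable() {
  m=$(file_mode "$1") || return 1
  [ $(( (m / 100 % 10) & 2 )) -ne 0 ]
}

# gnupg_home_audit DIR: print "reason<TAB>path" for every problem found and
# return 1 if there were any; print nothing and return 0 for a clean home.
gnupg_home_audit() {
  dir=$1; me=$(id -un)
  [ -d "$dir" ] || { printf 'missing\t%s\n' "$dir"; return 1; }
  report=$(
    [ "$(file_mode "$dir")" = 700 ] || printf 'dir-not-0700\t%s\n' "$dir"
    find "$dir" -print | while IFS= read -r p; do
      [ "$(file_owner "$p")" = "$me" ] || printf 'not-owned-by-%s\t%s\n' "$me" "$p"
      user_writable "$p" || printf 'not-writable\t%s\n' "$p"
    done
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# gnupg_home_fix DIR: the repair the thread arrived at, applied explicitly.
# Run as the owning user (or with sudo while naming that user), never blindly.
gnupg_home_fix() {
  dir=$1; me=$(id -un)
  chown -R "$me" "$dir" && chmod 700 "$dir" && chmod -R u+rwX "$dir"
}
```

Run `gnupg_home_audit "${GNUPGHOME:-$HOME/.gnupg}"` before reaching for chown -R; the report names the exact entry that will fail, which matters when the offending file is one you did not expect, such as a root-owned trustdb.gpg created by an earlier `sudo gpg` invocation.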

Simple way to encrypt and decrypt a backup file in bash

I need to encrypt a gzipped backup file.
I performed the following operation:
tar -Pzcvf $dir/*.xml >/dev/null | gpg --yes --batch --passphrase PaSsW0rD -o "$bpath/$bfile".tar.gz
But it is failing with the following error:
gpg: processing message failed: Unknown system error
I just need a simple password-protected backup file. Any other alternative solutions are also welcome.
Thanks in advance
Option 1
Doing it your way:
tar -zcvf your_tar_file_name.tar.gz "$dir"/*.xml && gpg --symmetric --cipher-algo AES256 your_tar_file_name.tar.gz
Note that I do not wish to preserve absolute names, so I have stripped the P option from tar. The default output file in this case is your_tar_file_name.tar.gz.gpg.
To decrypt and get the files back you may do:
gpg -o my_tar_file.tar.gz -d your_tar_file_name.tar.gz.gpg && tar -xzf my_tar_file.tar.gz
This uses a symmetric encryption scheme, i.e., the same password is used to decrypt the file. The above command will ask you to enter the password for encryption and confirm it.
If you wish to do asymmetric encryption using gpg have a look at this tutorial.
Option 2
You may also use aescrypt
Download aescrypt from here
Once installed you may use the straight-forward GUI to encrypt the file.
If you need the command line tool, you could use the aescrypt command like below:
tar zcvf your_tar_file_name.tar.gz "$dir"/*.xml && aescrypt -e -p yourstrongpassword your_tar_file_name.tar.gz
Here e is for encryption and p is for password. The output will usually be stored in your_tar_file_name.tar.gz.aes.
You could decrypt the your_tar_file_name.tar.gz.aes file using
aescrypt -d -p yourstrongpassword your_tar_file_name.tar.gz.aes
Here d is for decryption.
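Added example, not the answer's code: the tar-plus-gpg approach from Option 1, but streamed through a pipe so the unencrypted archive never touches disk, and with the passphrase read from a file rather than given as an argument (a `--passphrase` or `-p` value on the command line is visible to every user on the machine through `ps`). It also includes a restore-and-compare step, because a backup that has not been restored is not yet known to be a backup. It assumes GnuPG 2.1 or later; all paths are made up.

```shell
#!/bin/sh
# Added example (not the answer's code): streamed tar | gpg --symmetric backup
# with the passphrase read from a file, plus a restore check.
# Assumes GnuPG >= 2.1 (for --pinentry-mode loopback). Paths are made up.
set -u

# archive_dir DIR: gzip-compressed tar of DIR's contents on stdout, with paths
# relative to DIR (no -P, so no absolute names end up in the archive).
archive_dir() {
  tar -C "$1" -czf - .
}

# encrypt_stream PASSFILE: stdin -> OpenPGP symmetric AES-256 ciphertext on stdout.
# The passphrase file should be mode 0600 and owned by the backup user.
encrypt_stream() {
  gpg --batch --quiet --symmetric --cipher-algo AES256 \
      --pinentry-mode loopback --passphrase-file "$1"
}

# decrypt_stream PASSFILE: inverse of encrypt_stream (stdin -> stdout).
decrypt_stream() {
  gpg --batch --quiet --decrypt --pinentry-mode loopback --passphrase-file "$1"
}

# backup DIR PASSFILE OUT: encrypted backup of DIR written to OUT. Note that a
# plain pipeline reports only gpg's status; the restore check below is what
# confirms the archive itself is complete.
backup() {
  archive_dir "$1" | encrypt_stream "$2" > "$3"
}

# restore BACKUP PASSFILE DEST: decrypt BACKUP and extract it into DEST.
restore() {
  mkdir -p "$3" && decrypt_stream "$2" < "$1" | tar -xzf - -C "$3"
}

# backup_verify SRC PASSFILE BACKUP: restore into a scratch directory and compare
# with SRC; prints "ok" and returns 0 only if every file matches.
backup_verify() {
  src=$1; pass=$2; out=$3
  dest=$(mktemp -d) || return 1
  restore "$out" "$pass" "$dest" || { rm -rf "$dest"; return 1; }
  diff -r "$src" "$dest"; status=$?
  rm -rf "$dest"
  [ "$status" -eq 0 ] && echo ok
}
```

Usage, with made-up paths: `backup /var/lib/app/xml /etc/backup/passphrase /srv/backups/app.tar.gz.gpg && backup_verify /var/lib/app/xml /etc/backup/passphrase /srv/backups/app.tar.gz.gpg`. The same passphrase file, and nothing else, is needed to restore, so keep a copy of it somewhere the backup media is not.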