How can I pipe the passphrase and encrypted file in gpg.exe?
I have tried a few different combinations but I can't get it to work.
Here is my attempt,
C:\>gpg.exe --output [OUTPUT_FILE] --batch --passphrase-fd 0 --decrypt < [INPUT_FILE] < [PASSPHRASE_FILE]
from this I get error
gpg: decrypt_message failed: eof
Swapping the input and passphrase around I get the error
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof
If I don't try and send the encrypted file via stdin then the decryption works fine.
Ultimately what I want to do is decrypt a file based on a file mask with the date timestamp in the file name. Outlined below,
C:\>gpg.exe --output yyyyMMdd.csv --batch --passphrase-fd 0 --decrypt < *_yyyyMMdd_*.txt < [PASSPHRASE_FILE]
I'm not sure if this will work because I can't get the basic scenario working, I would also appreciate if someone could advise me of the best way to achieve this.
Don't use redirection for the file you want to decrypt, only for the file containing your passphrase:
C:\>gpg.exe --output [OUTPUT_FILE] --batch --passphrase-fd 0 --decrypt [INPUT_FILE] < [PASSPHRASE_FILE]
But honestly, it might be easier for you to remove the passphrase from your key. After all, storing your passphrase in a file is not very secure. Just change your passphrase to a blank and protect your gpg home directory to deny access to any process other than your own.
Related
I have the file secret.txt.gpg which I would like to decrypt, such that the content is stored within a variable like that:
TXT=$(gpg --decrypt secret.txt.gpg)
But this way a lot of extra gpg: … lines are added, containing information about the key etc. like that:
gpg: encrypted with 4096-bit RSA key, ID xxxx, created xxxx
"xx xx (xx) <xx#xx.xx>"
gpg: Signature made xxx
gpg: using RSA key xxx
…
Secret Message
By the way:
gpg -d secret.txt.gpg > out.txt
is just writing the content into the file.
How can I capture the content only, without writing it to a file?
update
Even though #Roger Answer is better and explains the why, I could make it using this:
TXT=$(gpg --decrypt secret.txt.gpg > /dev/stdout)
The GPG messages are written to STDERR, which is why piping STDOUT to a file omits those messages.
If the encrypted file is not signed you usually suppress the messages about encryption by providing the --quiet switch. If the file is signed you will still get messages about the signature. Even if you provide the --skip-verify you will still get a message gently informing you that signature verification was suppressed.
In order to suppress all those message I suggest you pipe STDERR to /dev/null, e.g.:
TXT=$(gpg --decrypt secret.txt.gpg 2>/dev/null)
I want to encrypt a file using a passphrase, which I did using gpg --gen-key to create a key (I used the default options) in the command line, and I also go this to work in an "automated" way without user interaction.
But, I'd like to specify the passphrase stored in a separate file. This is what I'm running now:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
And what's in the file called "FileContainingKeySettings.txt" is this:
%echo Generating a default key
Key-Type: default
Subkey-Type: default
Name-Real: PBJ
Name-Comment: test
Name-Email: PBJ#pbj.com
Expire-Date: 0
Passphrase:blah
%commit
%echo done
So that works and generates the key.
Then I call this:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv
And this works too.
So now I have 1 problem and 1 question. The problem is that I need to specify the passphrase to reference a file that looks like this (but much longer):
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.47
[encoding]
-----END PGP PUBLIC KEY BLOCK-----
instead of using the password where I wrote "blah"^, and I haven't found a way to do this online or from any other team members around me. How can I do that?
Question: I also notice now that the file I was sent containing the encryption key reads at the top
" -----BEGIN PGP PUBLIC KEY BLOCK-----"
...which says it uses PGP (but I am using gpg). I know that gpg and pgp are different and read about them, but can I even do what I'm trying to do using gpg to encrypt a file with a key that was apparently generated with pgp?
(in Windows)
UPDATE: Now I may have gotten this working, although I still have to validate by having the other person decrypt the message (it works fine when I decrypt it). Silly I didn't think of this code change earlier when I've actually tried this before...I simply changed my cmd call from this part:
gpg --batch --gen-key "D:\Staging\FileContainingKeySettings.txt"
to this instead, specifying the passphrase file location here instead:
gpg --batch --passphrase "D:\Staging\FileWithActualKey.txt --gen-key
"D:\Staging\FileContainingKeySettings.txt"
and I took the password line out of the file "FileContainingKeySettings" altogether. I haven't tested this by having the other person decrypt it yet on their end...I hope it worked. At least I didn't get error. But now when I run this line again to actually do encryption, it works:
gpg --batch --yes -r PBJ --output D:\Staging\newEncryptedFile.txt --encrypt
D:\Staging\textfiletobeencrypted.csv
The gpg software supports symmetric encryption out of the box. That means, it works with a password. But apart from protecting the content it is also important to ensure the Authentication of a message. The idea is to create a hashsum of the file itself together with the password used for encryption. According to [1] a popular “Message Authentication Code” is HMAC. After entering:
gpg --hmac --armor --symmetric --passphrase pwd1 file.txt
gpg: Invalid option "--hmac"
an error message occurs that the switch is not known by the software. How can i use the MAC authentication the right way?
You can't. The reason for the error message is that type of signature is not available with GPG. You'd be better off simply signing and encrypting the file with the standard GPG method. Even if you wanted to use symmetric encryption only, then the recipient would still need to use GPG to decrypt the file. The correct command would be:
gpg -o filename.txt.asc -sear $recipient_key filename.txt
This assumes you also always encrypt to your own key, otherwise the command would be:
gpg -o filename.txt.asc -sear $recipient_key -r $your_key filename.txt
If they don't have a key, you could still sign and encrypt to your own key only and then extract the session key so you could provide that for them to decrypt the file with it:
gpg -o filename.txt --show-session-key -d filename.txt.asc
Then the recipient would be able to decrypt with:
gpg -o filename.txt --override-session-key $session_key -d filename.txt.asc
If you really must use symmetric encryption only, however, you can do it in two setps.
First sign the file:
gpg -o filename.txt.asc -sa filename.txt
Then symmetrically encrypt that file:
gpg -o newfilename.asc -a -c filename.txt.asc
The recipient would then need to run the decryption command twice; first on the symmetrically encrypted file and then a second time on the file it decrypts.
The normal --verify option is only used for checking clearsigned files or files with detached signatures.
I'm trying to decrypt a file using gpg and getting this error:
$ gpg --no-tty --batch --verbose --decrypt --passphrase foo file.enc
Version: GnuPG v1.4.11 (GNU/Linux)
gpg: armor header:
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: decryption failed: Bad session key
I tried to reload the gpg agent, no luck:
$ gpgconf --reload gpg-agent
How to solve that?
For the record, if somebody will encounter this problem, too:
The problem was, that the encryption was done using gpg version 1.4.11 and the decryption was using gpg version 2.0.22.
After upgrading the encryption to gpg2 (2.0.17), everything worked fine.
I found this, which seems to be the magic that I could not find anywhere else:
Try adding --pinentry-mode loopback to your command. Maybe there is a
problem with your installation / pinentry program so that it does not start or
you are accidentally using a dummy / test pinentry which provides the wrong
passphrase.
I encrypted my file with a passphrase file in batch mode. When I tried to decrypt my file I got the dreaded "bad session key" message.
I created a passphrase file with Vim for Windows, and Vim left \r\n at the end of the text line even though I did not hit carriage return. gpg ignored the \n but retained the \r as part of the passphrase!
Vim for Windows can be induced to not leave \r\n, but it is easier to just use Notepad without a carriage return at the end of line. Best to check your passphrase file with a hexdump to be sure. There are other ways to get hurt by \r\n issues when supplying the passphrase using the command line, so be alert to it.
Just wondering, how can I encrypt files with GPG with password under dot?
I have a file called test.txt and I want to encrypt this file into GPG with password, so this is the script I wrote to encrypt the file:
gpg - c test.txt
then it is asking for the Passphrase and I entered abc123. File test.txt.gpg was generated as a result.
Then I tried to decrypt the gpg file by using the following script under dot:
gpg -o testing.txt -d test.txt.gpg
It decrypted the file for me without asking for the password (abc123).
Does anyone know where is going wrong with my encrypt?