in GPG while we are doing encryption
gpg --cipher-algo AES256 --symmetric ./.abcd.csv
It open a prompt
Enter Passphrase
Can we change that too
Enter Passphrase for xyz:
The gpg PIN entry is handled by an external program or device, so there is no universal mean to control the prompt of a PIN, unless you force gpg into batch mode, and force PIN entry to loop back to the caller script, so you have full control of it.
Note that this is of questionable security, because while taking control of the pin entry, you are also responsible for all the security, and a shell script is the least secure environment to handle secret data like a PIN.
Here it is how you would control the PIN prompt.
(Know the security concerns before using this):
read -r -s -p 'Enter Passphrase for xyz: ' secret
gpg \
--cipher-algo AES256 \
--pinentry-mode loopback \
--batch \
--passphrase "$secret" \
--symmetric \
./.abcd.csv
printf '\n'
Related
I would like to automate a GPG private key export so it runs without user interaction.
gpg --export-secret-keys my#email.com
I tried providing --batch --passphrase-fd 0 arguments both with passphrase being passsed as:
an argument --passphrase 'my-passhrase'
from stdin echo 'my-passphrase' | gpg ...
It didn't work. Is it even possible to export private keys without user interaction?
You should add --pinentry-mode=loopback parameter, as well as --batch.
Full example from the RNP CLI tests suite:
gpg --batch --homedir .gpg ----pinentry-mode=loopback --yes --passphrase "password" --output keyfile.asc --export-secret-key userid
I'm using linux and I basically want to encrypt a file using a password.
I've tried using gpg -c myfile for encryption, and that works fine, it asks me for a password and encrypts it. But it only asks for a password when encrypting.
I want a way to encrypt a file and if you want to decrypt it you have to give the same password that it was encrypted with.
If there's a python library that would work too since I can put that on a script.
There are several alternatives to create passowrd protected files under Linux.
GnuPG
GnuPG can be used to encrypt data and create digital signatures.
To encrypt and decrypt a data.txt file, use gpg command as follows:
$ gpg -c data.txt
$ gpg data.txt.gpg
mcrypt
mcrypt allows you to create password protected files similarly to GnuPG
To encrypt and decrypt a data.txt file, use mcrypt command as follows:
$ mcrypt data.txt
$ mcrypt -d data.txt.nc
OpenSSL
The OpenSSl Cryptography Toolkit can also be used to encrypt and decrypt files and messages.
To encrypt and decrypt a data.txt file, use the openssl command as follows:
$ openssl enc -aes-256-cbc -salt -in data.txt -out data.txt.enc
$ openssl enc -aes-256-cbc -d -in data.txt.enc -out data.txt
That's because of gpg-agent, a daemon that manages private keys and which is used as a backend for gpg. It caches your passphrases for some time by default. You can configure that with the following options (from man gpg-agent):
--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset. To set an entry's maximum
lifetime, use max-cache-ttl. Note that a cached passphrase may not evicted immediately from memory if no client requests a cache operation. This is due to an internal
housekeeping function which is only run every few seconds.
--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-
preset-passphrase. The default is 2 hours (7200 seconds).
One way to clear the cache is to reload the gpg-agent : gpgconf --reload gpg-agent
You can use gpg -c myfile && gpgconf --reload gpg-agent to encrypt your file, after which the password will be asked if you try to decrypt it with gpg myfile.gpg
I want to modify this bash script to not ask for password for each file but look for password in the following file /home/user/Documents/pass.txt
I got this nice script on GIT hub and it works but it prompts me for passphrase for each file I want to encrypt, I would like to modify the script to seek password from a text file in /home/user/Documents/pass.txt and read the password in the pass.txt file and encrypt all files in the directory using siad password
Please Help I have been doing this manually for the past 2 weeks
#!/bin/bash
# This uses gpg to encrypt every file in a directory as separate
# encrypted files
# Usage
# ./encrypt-all.sh ./dir-of-files-to-encrypt "PASSPHRASE"
FILES="$1"
PASSPHRASE="$2"
pushd $FILES
for file_name in ./*; do
enc_name="$file_name.gpg"
echo "Encrypting $file_name"
gpg \
--passphrase "$PASSPHRASE" \
--batch \
--output "$file_name.gpg" \
--symmetric \
--cipher-algo AES256 \
"$file_name"
echo "Done! Output: $gpg_name"
done
popd
Use --passphrase-file instead of --passphrase, to indicate the name of the file whose first line is the passphrase to use.
I am very annoyed with the GPG encryption process in the Linux terminal, I encrypt files with GPG from the terminal with the following command:
gpg --output file_out --symmetric --cipher-algo AES256 file_in
This command has been recommended here since GPG is a reliable encryption package.
The problem is that after enter the password and encrypt the file, the password doesn't get deleted. So anyone who has access to the PC can decrypt this file, and it doesn't get deleted only after I restart the computer.
So if I enter the decryption command right after:
gpg --output file_in --decrypt file_out
It will give this message
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
And it will decrypt this automatically. So the password is stored somewhere and it doesn't get deleted until I restart the computer.
Is there any way to clear/wipe the password right after the encryption is finished?
Simply reloading gpg-agent (instead of killing it) clears its passphrase cache. It exists different methods to reload gpg-agent:
echo RELOADAGENT | gpg-connect-agent
gpgconf --reload gpg-agent
pkill -SIGHUP gpg-agent
Passphrase is saved by gpg-agent. GPG tools like gpg start it automatically.
Use gpgconf --kill gpg-agent to stop agent.
Alternatively, you can add --no-symkey-cache option, which disable the passphrase cache used for symmetrical encryption and decryption.
gpg --no-symkey-cache --output file_out --symmetric --cipher-algo AES256 file_in
something like that.
When decrypting I get following error:
$ eyaml decrypt -s 'ENC and the key goes on here'
.gnupg --quiet --no-secmem-warning --no-permission-warning --no-tty --yes --decrypt)
failed with: gpg: Sorry, no terminal at all requested - can't get input
I have checked my keys, everything is in order. At this point I am out of options.
If you configured Automatic Git commit signing with GPG on macOS and you see this error comment out no-tty in ~/.gnupg/gpg.conf as suggested by Fahl-Design.
This will also allow you to generate new GPG keys following the GitHub instructions for new keys.
You need to remove the option --no-tty
--no-tty
Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes
prints warnings to the TTY even if --batch is used.
For those who are encountering this error from scripts that are running with no TTY available, adding --batch to the GPG command line, or batch to a line in ~/.gnupg/gpg.conf can make the problem go away.
I had to update my git email so that it matched the email on my gpg key and the primary email on my Github.
$ git config --global user.email "myemailaddress#gmail.com"