in gpg, with the below command we can simply encrypt and create an attached signature for an input file:
gpg --batch --no-tty --default-key SIGNKEY_NAME --cipher-algo AES256 --symmetric --passphrase-file ENCRYPTIONKEY_FILE --sign --force-mdc --output out.bin
is there any way in the OpenSSL to encrypt and create an attached signature for a file like gpg?
Related
I want to sign RPM Packages with my GNU-GPG Key. I have done the following steps:
Generate key:
gpg --no-default-keyring --full-gen-key
create ~/.rpmmacros
%_topdir %(echo $HOME)/rpmbuild
%__arch_install_post \
[ "%{buildarch}" = "noarch" ] || QA_CHECK_RPATHS=1 ; \
case "${QA_CHECK_RPATHS:-}" in [1yY]*) /usr/lib/rpm/check-rpaths ;; esac \
/usr/lib/rpm/check-buildroot
%_signature gpg
%_gpg_path /root/.gnupg
%_gpg_name testuser
%_gpgbin /usr/bin/gpg2
%__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor --passphrase-fd 0 --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}'
export public key
gpg --export -a testuser > ~/public.asc
import key to rpm
rpm --import /root/public.asc
sign a package
rpm --addsign packetbeat-8.5.3-x86_64.rpm
packetbeat-8.5.3-x86_64.rpm:
gpg: WARNING: unsafe permissions on homedir '/root/.gnupg'
gpg: writing to 'packetbeat-8.5.3-x86_64.rpm.sig'
gpg: pinentry launched (1861 curses 1.2.1 /dev/pts/0 xterm - 20620/1000/5 0/0 0)
gpg: RSA/SHA256 signature from: "3AEA484FD5C227E4 Testuser (mycomment) <testuser#testuser.de>"
verify the package
[root#fedora opt]# rpm -Kv packetbeat-8.5.3-x86_64.rpm
packetbeat-8.5.3-x86_64.rpm:
Header V4 RSA/SHA256 Signature, key ID d5c227e4: BAD
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
check the imported key
The signature is not valid. Why? My RPM Version is 4.18.0
I would like to automate a GPG private key export so it runs without user interaction.
gpg --export-secret-keys my#email.com
I tried providing --batch --passphrase-fd 0 arguments both with passphrase being passsed as:
an argument --passphrase 'my-passhrase'
from stdin echo 'my-passphrase' | gpg ...
It didn't work. Is it even possible to export private keys without user interaction?
You should add --pinentry-mode=loopback parameter, as well as --batch.
Full example from the RNP CLI tests suite:
gpg --batch --homedir .gpg ----pinentry-mode=loopback --yes --passphrase "password" --output keyfile.asc --export-secret-key userid
There are answers I've found on Stack Overflow, Ask Ubuntu and Stack Exchange but none works for me.
I need to set up crontab in a Linux box with these:
$ lsb_release -a
Ubuntu 14.04.5 LTS
$ gpg --version
gpg (GnuPG) 1.4.16
$ gpg2 --version
gpg (GnuPG) 2.0.22
$ gpg-agent --version
gpg-agent (GnuPG) 2.0.22
I'm execute the bash command from Node.js
exec(`gpg --passphrase-file <path>passphrase.txt -d ${encryptedFile} > ${decryptedFile}`)
I need to set up the gpg/gpg2 command so it won't prompt for passphrase. I've tried these inside my exec():
gpg2 --batch --yes --no-tty
gpg --batch --yes
gpg2 --passphrase <passphrase>
with and without -d
const passphrase = fs.readFileSync(<passphrase-file>, (err, data)=>{})
`gpg --passphrase ${passphrase}...`
None of them works, even though:
$ gpg --import pubkey.txt
gpg: key ######: "Name <name#email>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ gpg --import privkey.txt
gpg: key ######: already in secret keyring
gpg: Total number processed: 1
gpg: secret keys read: 1
gpg: secret keys unchanged: 1
I've also added keys for gpg2.
I am very annoyed with the GPG encryption process in the Linux terminal, I encrypt files with GPG from the terminal with the following command:
gpg --output file_out --symmetric --cipher-algo AES256 file_in
This command has been recommended here since GPG is a reliable encryption package.
The problem is that after enter the password and encrypt the file, the password doesn't get deleted. So anyone who has access to the PC can decrypt this file, and it doesn't get deleted only after I restart the computer.
So if I enter the decryption command right after:
gpg --output file_in --decrypt file_out
It will give this message
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
And it will decrypt this automatically. So the password is stored somewhere and it doesn't get deleted until I restart the computer.
Is there any way to clear/wipe the password right after the encryption is finished?
Simply reloading gpg-agent (instead of killing it) clears its passphrase cache. It exists different methods to reload gpg-agent:
echo RELOADAGENT | gpg-connect-agent
gpgconf --reload gpg-agent
pkill -SIGHUP gpg-agent
Passphrase is saved by gpg-agent. GPG tools like gpg start it automatically.
Use gpgconf --kill gpg-agent to stop agent.
Alternatively, you can add --no-symkey-cache option, which disable the passphrase cache used for symmetrical encryption and decryption.
gpg --no-symkey-cache --output file_out --symmetric --cipher-algo AES256 file_in
something like that.
When using openssl to encrypt/decrypt data and the AES cipher, my command will look something like this:
openssl enc -aes-256-cbc -in message_file -K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A -S 2C6A1B8EAACA302D -e -out message_file.enc
This places the key, iv, and salt in my process title that is visible in top/ps. Is there a way to AES encrypt a file with openssl (or even another alternative if not) without revealing this information? I did not see an option to grab these strings from files.
RSA encryption:
http://bsdsupport.org/q-how-do-i-use-openssl-to-encrypt-files/
openssl rsautl -encrypt -pubin -inkey public.key -in plaintext.txt -out encrypted.txt
AES encryption:
Based on the results of openssl enc -h
openssl enc -aes-128-cbc -in foo -out foo.enc -kfile passwordfile
And here's the result of openssl enc -h. Note the description of -kfile
root#bt:/tmp# openssl enc -h
unknown option '-h'
options are
-in <file> input file
-out <file> output file
-pass <arg> pass phrase source
-e encrypt
-d decrypt
-a/-base64 base64 encode/decode, depending on encryption flag
-k passphrase is the next argument
-kfile passphrase is the first line of the file argument
-md the next argument is the md to use to create a key
from a passphrase. One of md2, md5, sha or sha1
-K/-iv key/iv in hex is the next argument
-[pP] print the iv/key (then exit if -P)
-bufsize <n> buffer size
-engine e use engine e, possibly a hardware device.
Cipher Types
-aes-128-cbc -aes-128-cfb -aes-128-cfb1
-aes-128-cfb8 -aes-128-ecb -aes-128-ofb
-aes-192-cbc -aes-192-cfb -aes-192-cfb1
-aes-192-cfb8 -aes-192-ecb -aes-192-ofb
-aes-256-cbc -aes-256-cfb -aes-256-cfb1
-aes-256-cfb8 -aes-256-ecb -aes-256-ofb
-aes128 -aes192 -aes256
-bf -bf-cbc -bf-cfb
-bf-ecb -bf-ofb -blowfish
-cast -cast-cbc -cast5-cbc
-cast5-cfb -cast5-ecb -cast5-ofb
-des -des-cbc -des-cfb
-des-cfb1 -des-cfb8 -des-ecb
-des-ede -des-ede-cbc -des-ede-cfb
-des-ede-ofb -des-ede3 -des-ede3-cbc
-des-ede3-cfb -des-ede3-ofb -des-ofb
-des3 -desx -desx-cbc
-rc2 -rc2-40-cbc -rc2-64-cbc
-rc2-cbc -rc2-cfb -rc2-ecb
-rc2-ofb -rc4 -rc4-40
openssl can take commands from stdin
For example if onetime_keyfile specifies the key and IV with the following contents
-K 42AB7FCE7BFEEE03E16719044916CBD475F6D000F230D213FF0F4775EF8D46F5 -iv D5C21AC249B26A1FBA376E8CFCDC4E1A
Then the following commands will encrypt a file using that information
umask 077
echo -n "enc -aes-256-cbc -in message_file -out message_file.enc " > encrypt_command_file
cat onetime_keyfile >> encrypt_command_file
openssl < encrypt_command_file
Note that in your question you specify both key, initialization vector and salt. The salt argument is ignored in that case; salt is only used to derive key and iv from a pass phrase. If you specify key and iv explicitly, then you should use your own salt algorithm to generate a unique key and iv for each file that you encrypt. So in practical use, the file onetime_keyfile in the example above should be generated as output from another program.
Refer to https://www.openssl.org/docs/crypto/EVP_BytesToKey.html for details of the standard algorithm for generating key and IV from pass phrase and salt.
If you are not doing your own salting, you are probably better to use the -kfile or -pass option to read a pass phrase from a file.