I am very annoyed with the GPG encryption process in the Linux terminal. I encrypt files with GPG from the terminal with the following command:
gpg --output file_out --symmetric --cipher-algo AES256 file_in
This command has been recommended here since GPG is a reliable encryption package.
The problem is that after entering the password and encrypting the file, the password doesn't get deleted. So anyone who has access to the PC can decrypt this file, and it only gets deleted after I restart the computer.
So if I enter the decryption command right after:
gpg --output file_in --decrypt file_out
It will give this message
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
And it will decrypt this automatically. So the password is stored somewhere and it doesn't get deleted until I restart the computer.
Is there any way to clear/wipe the password right after the encryption is finished?
Simply reloading gpg-agent (instead of killing it) clears its passphrase cache. There are different methods to reload gpg-agent:
echo RELOADAGENT | gpg-connect-agent
gpgconf --reload gpg-agent
pkill -SIGHUP gpg-agent
The passphrase is saved by gpg-agent. GPG tools like gpg start it automatically.
Use gpgconf --kill gpg-agent to stop the agent.
Alternatively, you can add the --no-symkey-cache option, which disables the passphrase cache used for symmetric encryption and decryption.
gpg --no-symkey-cache --output file_out --symmetric --cipher-algo AES256 file_in
something like that.
I guess that what I want is a GPG equivalent to the ssh-copy-id function from SSH. Here is what I have tried, along with the output that I have received:
foo@bar:~$ ssh pi@192.168.0.42 gpg --export-secret-key A32D835B51CAF93AD264826E2C7AE63B68CDAB22 | gpg --import
gpg: directory '/home/foo/.gnupg' created
gpg: keybox '/home/foo/.gnupg/pubring.kbx' created
gpg: key F0A27839C3F40D2B42172A28124E5F88293B3719: error receiving key from agent: Inappropriate ioctl for device - skipped
gpg: key 61322A2DACD3C52D35086D123704A5559C3E0456: error receiving key from agent: Inappropriate ioctl for device - skipped
gpg: WARNING: nothing exported
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
For the record, here is the link to a relevant old SO question:
How to transfer pgp private key to another computer?
UPDATE: I attempted to leverage the --passphrase/--pinentry switches as suggested in the answer given by user ahi324. Here's how it looks:
foo@bar:~$ stty -echo && ssh pi@192.168.0.42 "gpg --batch --passphrase-fd 0 --pinentry loopback --export-secret-key A32D835B51CAF93AD264826E2C7AE63B68CDAB22" | gpg import; stty echo
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: can't open 'import'
gpg: key F0A27839C3F40D2B42172A28124E5F88293B3719: error receiving key from agent: No passphrase given - skipped
gpg: key 61322A2DACD3C52D35086D123704A5559C3E0456: error receiving key from agent: No passphrase given - skipped
gpg: WARNING: nothing exported
Indeed, the execution appears to get "stuck in limbo" after the appearance of output gpg: WARNING: no command supplied. Trying to guess what you mean .... Only after I hit Enter on the keyboard does the execution run to completion.
The errors you're receiving (error receiving key from agent: Inappropriate ioctl for device - skipped) indicate that your secret key is passphrase protected and that your GPG passphrase agent isn't compatible through SSH, which most aren't.
Three options come to mind:
Initiate the export from the source host (to facilitate interactive passphrase entry);
Leverage --passphrase/--pinentry switches (as suggested in the post you reference); e.g., stty -echo && ssh "$host" "gpg --batch --passphrase-fd 0 --pinentry loopback -a --export-secret-key '$key'" | gpg --import; stty echo; or,
Remove passphrase protection from the key (not necessarily desirable).
in GPG while we are doing encryption
gpg --cipher-algo AES256 --symmetric ./.abcd.csv
It opens a prompt
Enter Passphrase
Can we change that to
Enter Passphrase for xyz:
The gpg PIN entry is handled by an external program or device, so there is no universal means to control the prompt of a PIN, unless you force gpg into batch mode and force PIN entry to loop back to the caller script, so you have full control of it.
Note that this is of questionable security, because while taking control of the pin entry, you are also responsible for all the security, and a shell script is the least secure environment to handle secret data like a PIN.
Here is how you would control the PIN prompt.
(Know the security concerns before using this):
read -r -s -p 'Enter Passphrase for xyz: ' secret
gpg \
--cipher-algo AES256 \
--pinentry-mode loopback \
--batch \
--passphrase "$secret" \
--symmetric \
./.abcd.csv
printf '\n'
I would like to automate a GPG private key export so it runs without user interaction.
gpg --export-secret-keys my@email.com
I tried providing --batch --passphrase-fd 0 arguments, with the passphrase being passed both:
as an argument: --passphrase 'my-passphrase'
from stdin: echo 'my-passphrase' | gpg ...
It didn't work. Is it even possible to export private keys without user interaction?
You should add --pinentry-mode=loopback parameter, as well as --batch.
Full example from the RNP CLI test suite:
gpg --batch --homedir .gpg --pinentry-mode=loopback --yes --passphrase "password" --output keyfile.asc --export-secret-key userid
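An added example, not from either answer: the non-interactive export recommended above (the second of the three options, and the --pinentry-mode=loopback answer just above), carried through locally between two throwaway keyrings, with the import on the receiving side done the same way. ssh is left out so the script runs offline; on a real transfer the export_secret_key step is the command you would wrap in ssh "$host" '...'. The user ID, passphrase, fingerprint handling and directories are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: export a passphrase-protected secret key with no terminal
# attached and import it into a second keyring, using --batch together with
# --pinentry-mode loopback so the passphrase comes from a file descriptor
# instead of a pinentry dialog. Key, passphrase and directories are made up.
set -eu

# Create a throwaway keyring holding one passphrase-protected key and print
# the primary key's fingerprint (field 10 of the "fpr" record in colon output).
make_test_key() {
    local home="$1" pass="$2"
    printf '%s\n' "$pass" | GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --quick-generate-key 'Demo Export <demo@example.invalid>' default default never
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export FPR from HOME as ASCII armour on stdout, passphrase on stdin.
# Without --pinentry-mode loopback the agent would try to open a pinentry,
# which is what yields "Inappropriate ioctl for device" over a plain ssh pipe.
export_secret_key() {
    local home="$1" fpr="$2" pass="$3"
    printf '%s\n' "$pass" | GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 \
        --armor --export-secret-keys "$fpr"
}

# Import KEYFILE into HOME. The agent needs the passphrase here as well, to
# unprotect the OpenPGP key and re-protect it in its own private-keys-v1.d store.
import_secret_key() {
    local home="$1" keyfile="$2" pass="$3"
    printf '%s\n' "$pass" | GNUPGHOME="$home" gpg --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --import "$keyfile"
}

# True (exit 0) if HOME holds a secret key with fingerprint FPR.
has_secret_key() {
    local home="$1" fpr="$2"
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
        | grep -q "^fpr:.*:$fpr:"
}

# Whole procedure; returns 0 when the key ends up in the destination keyring.
demo_export_import() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    local src dst pass fpr status=0
    src=$(mktemp -d)
    dst=$(mktemp -d)
    pass='demo passphrase, not for real use'
    fpr=$(make_test_key "$src" "$pass")

    # On a real transfer this export is the part you run remotely, e.g.
    #   ssh "$host" "gpg --batch --pinentry-mode loopback --passphrase-fd 0 -a --export-secret-keys $fpr"
    export_secret_key "$src" "$fpr" "$pass" > "$src/exported.asc"
    import_secret_key "$dst" "$src/exported.asc" "$pass"
    has_secret_key "$dst" "$fpr" || status=1

    GNUPGHOME="$src" gpgconf --kill gpg-agent
    GNUPGHOME="$dst" gpgconf --kill gpg-agent
    rm -rf "$src" "$dst"
    return "$status"
}

demo_export_import && echo "ok: secret key exported and imported without a pinentry"
```

Feeding the passphrase on a file descriptor rather than with --passphrase keeps it out of the remote command line, where ssh would otherwise expose it to ps on the source host; the receiving import needs the same loopback treatment, because the agent has to decrypt the key once more to store it in its own format.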
I'm using linux and I basically want to encrypt a file using a password.
I've tried using gpg -c myfile for encryption, and that works fine; it asks me for a password and encrypts it. But it only asks for a password when encrypting.
I want a way to encrypt a file and if you want to decrypt it you have to give the same password that it was encrypted with.
If there's a python library that would work too since I can put that on a script.
There are several alternatives to create password protected files under Linux.
GnuPG
GnuPG can be used to encrypt data and create digital signatures.
To encrypt and decrypt a data.txt file, use gpg command as follows:
$ gpg -c data.txt
$ gpg data.txt.gpg
mcrypt
mcrypt allows you to create password protected files similarly to GnuPG
To encrypt and decrypt a data.txt file, use mcrypt command as follows:
$ mcrypt data.txt
$ mcrypt -d data.txt.nc
OpenSSL
The OpenSSL Cryptography Toolkit can also be used to encrypt and decrypt files and messages.
To encrypt and decrypt a data.txt file, use the openssl command as follows:
$ openssl enc -aes-256-cbc -salt -in data.txt -out data.txt.enc
$ openssl enc -aes-256-cbc -d -in data.txt.enc -out data.txt
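An added example, not from the answer above: the openssl variant with an explicit PBKDF2 key derivation. Without -pbkdf2, openssl enc derives the key with its legacy single-pass scheme (recent OpenSSL versions print a "deprecated key derivation" warning for it), and because the "Salted__" file header stores only the salt, the decrypting side has to repeat the same -pbkdf2 -iter options. The password, iteration count and file contents are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: a password-protected file with openssl enc, using PBKDF2 for
# key derivation instead of the legacy derivation that a bare
# "openssl enc -aes-256-cbc" falls back to. Password, iteration count and
# file contents are made up for the demonstration.
set -eu

# PBKDF2 work factor. The encrypted file does not record it, so both sides
# must agree on the value out of band.
ITERATIONS=200000

# Encrypt SRC to DEST; the password is the first line of stdin, never an argument.
enc_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITERATIONS" \
        -pass stdin -in "$1" -out "$2"
}

# Decrypt SRC to DEST with the password on stdin; same KDF settings as enc_file.
dec_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITERATIONS" \
        -pass stdin -in "$1" -out "$2"
}

# Returns 0 when the right password round-trips the file and a wrong password
# does not reproduce the plaintext.
demo_openssl_roundtrip() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; nothing to demonstrate" >&2
        return 0
    fi
    local dir status=0
    dir=$(mktemp -d)
    printf 'constructed secret payload\n' > "$dir/data.txt"

    printf 'demo password\n' | enc_file "$dir/data.txt" "$dir/data.txt.enc"
    printf 'demo password\n' | dec_file "$dir/data.txt.enc" "$dir/roundtrip.txt"
    cmp -s "$dir/data.txt" "$dir/roundtrip.txt" || status=1

    # A wrong password normally ends in "bad decrypt" because the CBC padding
    # check fails; in any case the output must not equal the original.
    if printf 'wrong password\n' | dec_file "$dir/data.txt.enc" "$dir/wrong.txt" 2>/dev/null \
        && cmp -s "$dir/data.txt" "$dir/wrong.txt"; then
        status=1
    fi

    rm -rf "$dir"
    return "$status"
}

demo_openssl_roundtrip && echo "ok: PBKDF2-protected file round-trips; wrong password rejected"
```

Note that openssl enc provides confidentiality only: there is no integrity tag, so a tampered ciphertext is detected, if at all, only by the padding check. gpg -c adds an integrity check (MDC) by default, which is one reason to prefer it for files that cross trust boundaries.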
That's because of gpg-agent, a daemon that manages private keys and which is used as a backend for gpg. It caches your passphrases for some time by default. You can configure that with the following options (from man gpg-agent):
--default-cache-ttl n
Set the time a cache entry is valid to n seconds. The default is 600 seconds. Each time a cache entry is accessed, the entry's timer is reset. To set an entry's maximum lifetime, use max-cache-ttl. Note that a cached passphrase may not be evicted immediately from memory if no client requests a cache operation. This is due to an internal housekeeping function which is only run every few seconds.
--max-cache-ttl n
Set the maximum time a cache entry is valid to n seconds. After this time a cache entry will be expired even if it has been accessed recently or has been set using gpg-preset-passphrase. The default is 2 hours (7200 seconds).
One way to clear the cache is to reload the gpg-agent: gpgconf --reload gpg-agent
You can use gpg -c myfile && gpgconf --reload gpg-agent to encrypt your file, after which the password will be asked if you try to decrypt it with gpg myfile.gpg
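An added example, not part of either answer: the steps from this answer and from the reload answer at the top of the page, in one script against a throwaway GNUPGHOME. It shortens the two TTLs quoted from the man page, encrypts a constructed file, flushes the cache with gpgconf --reload gpg-agent, and then checks that nothing is cached by attempting a decrypt under --pinentry-mode error, which gpg can only complete if the agent answers the passphrase request from its cache. The passphrase, file contents and TTL values are made up for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: encrypt a file symmetrically, flush gpg-agent's passphrase
# cache, and check that a later decrypt can no longer be served from the cache.
# Runs in a throwaway GNUPGHOME so the real agent is left alone. Passphrase,
# file contents and TTL values are made up for the demonstration.
set -eu

# True (exit 0) only if gpg-agent still holds the passphrase for FILE.
# --pinentry-mode error forbids every prompt, so gpg's request to the agent
# succeeds only when the agent can answer from its cache.
symkey_cached() {
    gpg --batch --quiet --pinentry-mode error \
        --output /dev/null --decrypt "$1" >/dev/null 2>&1
}

# Encrypt SRC to DEST with the passphrase read from stdin, then reload the
# agent; the reload flushes the cache, the same as "echo RELOADAGENT | gpg-connect-agent".
encrypt_and_forget() {
    local src="$1" dest="$2"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --symmetric --cipher-algo AES256 --output "$dest" "$src"
    gpgconf --reload gpg-agent
}

# Decrypt FILE to DEST with the passphrase read from stdin.
decrypt_with_passphrase() {
    local file="$1" dest="$2"
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --output "$dest" --decrypt "$file"
}

# Whole procedure; returns 0 when the cache is empty after the reload and the
# ciphertext still decrypts with the real passphrase.
demo_symkey_cache() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    local home status=0
    home=$(mktemp -d)
    export GNUPGHOME="$home"
    # Tighter lifetimes than the 600 s / 7200 s defaults quoted above; the
    # agent reads this file at start and again on every reload.
    printf 'default-cache-ttl 60\nmax-cache-ttl 300\n' > "$home/gpg-agent.conf"
    gpgconf --launch gpg-agent

    printf 'constructed sample plaintext\n' > "$home/file_in"
    printf 'demo passphrase, not for real use\n' \
        | encrypt_and_forget "$home/file_in" "$home/file_out"

    if symkey_cached "$home/file_out"; then
        echo "FAIL: passphrase still cached after the reload" >&2
        status=1
    fi
    printf 'demo passphrase, not for real use\n' \
        | decrypt_with_passphrase "$home/file_out" "$home/file_back"
    if ! cmp -s "$home/file_in" "$home/file_back"; then
        echo "FAIL: decrypted content differs from the original" >&2
        status=1
    fi

    gpgconf --kill gpg-agent
    unset GNUPGHOME
    rm -rf "$home"
    return "$status"
}

demo_symkey_cache && echo "ok: cache flushed, file still decrypts with the passphrase"
```

The symkey_cached check is the part worth keeping: run it against your own file after an interactive gpg -c, both before and after the reload (or after encrypting with --no-symkey-cache), and you can see for yourself whether the agent would hand the passphrase to the next person at the keyboard.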
When decrypting I get following error:
$ eyaml decrypt -s 'ENC and the key goes on here'
.gnupg --quiet --no-secmem-warning --no-permission-warning --no-tty --yes --decrypt)
failed with: gpg: Sorry, no terminal at all requested - can't get input
I have checked my keys; everything is in order. At this point I am out of options.
If you configured Automatic Git commit signing with GPG on macOS and you see this error comment out no-tty in ~/.gnupg/gpg.conf as suggested by Fahl-Design.
This will also allow you to generate new GPG keys following the GitHub instructions for new keys.
You need to remove the option --no-tty
--no-tty
Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes prints warnings to the TTY even if --batch is used.
For those who are encountering this error from scripts that are running with no TTY available, adding --batch to the GPG command line, or batch to a line in ~/.gnupg/gpg.conf can make the problem go away.
I had to update my git email so that it matched the email on my gpg key and the primary email on my Github.
$ git config --global user.email "myemailaddress@gmail.com"