How to encrypt a string with GnuPG? - php

How can I encrypt a given string using gpg from command line?
I have the public key stored in a file called pubkey.pub
I thought I could simply do it with something like this:
gpg --import "path/to/pubkey.pub" --encrypt "my string to encrypt"
But this won't work.
Background: I have to use the PHP exec command to encrypt given text, because I don't have the PHP module itself installed on the server.

gpg reads from stdin while encrypting, thus run
echo "my string to encrypt" | gpg --encrypt
gpg --import imports key material to GnuPG's keystore, where it remains; thus you only have to call it once (and it is a rather slow operation, as it might trigger updating your trust database).

Related

gnupg decrypt command with php with passphrase

I'm using GnuPG to decrypt a file:
gpg --decrypt -o file.xml file.gpg
You need a passphrase to unlock the secret key for
user: "TEST-COMPANY (DAM Key) <test@test.de>"
4096-bit RSA key, ID 257C2D21, created 2018-04-23
Enter passphrase:
Then I type in this passphrase and it works.
And now I want to make it automatic using this command on PHP:
$command = 'gpg --decrypt -o file.xml file.gpg'
exec($command);
The problem comes when the system asks for the passphrase.
I tried this:
$command = 'gpg --decrypt -o file.xml file.gpg | [Passphrase]'
but it doesn't work.
Any idea about this?
Thank you
Just adding the answer that the OP and @CD001 figured out in the comments, because it helped me immensely (thanks!), and it seems like a common issue (the secret key was generated with a passphrase, and generating new keys isn't an option). I was pulling my hair out trying to decrypt with the GnuPG functions, before learning that as of GnuPG 2.1 it can't decrypt a file with a passphrase-generated key (as noted in a comment here). Configuring gpg-agent with a preset passphrase may work fine, but I much prefer what the OP here did.
$encrypted_file = "file.csv.pgp";
$path_to_file = $_SERVER["DOCUMENT_ROOT"]."/dir1/dir2";
$passphrase = "passphrase";
// gpg reads the passphrase from stdin (fd 0); note that the echo supplying it is
// part of the shell command line, so the passphrase is visible to other users via ps.
$command = "echo {$passphrase} | gpg --passphrase-fd 0 --batch --yes {$path_to_file}/{$encrypted_file}";
exec($command);
If successful, the decrypted file will be in the same directory, without the .pgp extension. So make sure it was successful...
$decrypted_file = str_replace(".pgp", "", $encrypted_file);
if (file_exists("{$path_to_file}/{$decrypted_file}")) {
    echo "Successfully decrypted $encrypted_file to $decrypted_file";
}

encrypt with keyfile, decrypt with password

I'm fairly sure this should be simple, but somehow I've come up short from Googling.
I am writing a php script on linux to encrypt files. I want anyone to be able to encrypt files using this script, but to require a password when decrypting the files.
I looked at GnuPG and openssl but they seem to require keyfiles when decrypting too, or password both when encrypting and decrypting - unless I missed something.
Basically I am working on a repository and the project's configuration files contain sensitive information that I don't want on the repo unencrypted, but I want to have a script all developers can use to easily encrypt sensitive files before they commit them to the repo.
This should be possible using both GnuPG and openssl.
You need to have an encrypted (i.e. password-protected) private key file and an unencrypted public key file. Anyone can encrypt using the public key, but decrypting requires providing the private key, which is password protected.
The only technicality is that you will need to distribute the key files to everyone.
After martinstoeckli asked the obvious question of "why can't you use a key to decrypt the files?", I thought I had thought of a hack, but apparently it's actually very widely used after googling around - my solution here involved using both a keypair and password.
Note: I generate the keypair in a temporary folder, otherwise the keypair would end up in the keychain of the PC where it is generated, which I do not want; therefore I add --homedir /tmp/gnupg
I generate a password-less keypair with GPG - here's what I typed:
mkdir /tmp/gnupg
gpg --homedir /tmp/gnupg --full-gen-key
(1) RSA and RSA (default)
4096
0
y
mark
marklahn@domain.com
this key is used for protecting config files
o
Then export the public key, private key and ownertrust
gpg --homedir /tmp/gnupg --armor --export marklahn@domain.com > gpg_keyfile.pub
gpg --homedir /tmp/gnupg --armor --export-secret-keys marklahn@domain.com > gpg_keyfile.priv
gpg --homedir /tmp/gnupg --export-ownertrust > gpg_ownertrust.txt
rm -rf /tmp/gnupg
This is enough to encrypt and decrypt files without a password once the keys are imported to GPG's keychain.
Next up is password protecting the private key, so nobody can use it without having the password.
gpg -c --batch --passphrase password1234 gpg_keyfile.priv
BEWARE: GPG does NOT delete the original files, so when encrypting, remember to delete the original file if necessary
Then I can add all 3 files to the repository (gpg_keyfile.pub gpg_keyfile.priv.gpg gpg_ownertrust.txt - NOT gpg_keyfile.priv! ).
To encrypt a file on another machine:
1: import the public file and ownertrust
gpg --import gpg_keyfile.pub
gpg --import-ownertrust gpg_ownertrust.txt
2: encrypt the file with the public key
gpg -e -r marklahn@domain.com configfile.ini
configfile.ini.gpg should now exist, which can be committed to the repo
Now when wanting to decrypt a file again, there's a couple of extra hoops to jump through to make sure the system doesn't save the private key.
1: First, the private key is password protected, so decrypt the private key:
gpg --batch --passphrase password1234 gpg_keyfile.priv.gpg
2: Then create a temporary gpg directory
mkdir /tmp/gnupg
3: import the private key to the temporary keychain
gpg --homedir /tmp/gnupg --import gpg_keyfile.priv
4: use the temporary keychain that now holds the private key to decrypt the file
gpg --homedir /tmp/gnupg configfile.ini.gpg
5: make sure to immediately remove the temporary keychain and private key
rm -rf /tmp/gnupg gpg_keyfile.priv
That works for me, now I can git clone a branch onto a new system, easily set up my application and decrypt my config files having just a password.
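The first answer's "echo ... | gpg --encrypt" and the temporary-keychain decrypt procedure (steps 1-5) of the last answer, as one PHP example added here; it is not code from any of the answers. It assumes gpg on the PATH, PHP 7.4 or later for proc_open's argument-array form, and the recipient, file names and passphrase in the calls are placeholders taken from the answers above.

```php
<?php
// Added example, not code from the answers above; recipient, file names and
// passphrase are placeholders. proc_open with an argument array (PHP >= 7.4)
// runs gpg without a shell: secrets travel through pipes instead of a command
// line that `ps` or shell history would expose, and paths cannot inject shell syntax.
function runGpg(array $args, string $stdin = ''): string
{
    $spec = [['pipe', 'r'], ['pipe', 'w'], ['pipe', 'w']];  // stdin, stdout, stderr
    $proc = proc_open(array_merge(['gpg', '--batch', '--yes'], $args), $spec, $pipes);
    if (!is_resource($proc)) throw new RuntimeException('could not start gpg');
    fwrite($pipes[0], $stdin);      // plaintext, passphrase or key material
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]); fclose($pipes[2]);
    if (($status = proc_close($proc)) !== 0) {
        throw new RuntimeException("gpg exited with $status: $err");
    }
    return $out;
}

// First answer: encrypt a string to a key already imported with --import. In
// --batch mode gpg rejects a recipient key without ownertrust, so import the
// ownertrust file (as the last answer does) rather than disabling trust checks.
function gpgEncryptString(string $plaintext, string $recipient): string
{
    return runGpg(['--armor', '--recipient', $recipient, '--encrypt'], $plaintext);
}

// Steps 1-5 of the last answer, except that the decrypted private key is piped
// from gpg's stdout straight into the throw-away homedir's --import and never
// touches disk. --pinentry-mode loopback lets GnuPG 2.1+ take the passphrase from fd 0.
function gpgDecryptWithKeyFile(string $encKey, string $passphrase, string $cipherFile, string $outFile): void
{
    $home = sys_get_temp_dir() . '/gnupg-' . bin2hex(random_bytes(8));
    mkdir($home, 0700);
    try {
        $key = runGpg(['--pinentry-mode', 'loopback', '--passphrase-fd', '0', '--decrypt', $encKey], "$passphrase\n");
        runGpg(['--homedir', $home, '--import'], $key);
        runGpg(['--homedir', $home, '--output', $outFile, '--decrypt', $cipherFile]);
    } finally {  // remove the temporary keychain, including private-keys-v1.d/
        $walk = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($home, FilesystemIterator::SKIP_DOTS),
                                              RecursiveIteratorIterator::CHILD_FIRST);
        foreach ($walk as $f) { $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname()); }
        rmdir($home);
    }
}

echo gpgEncryptString("my string to encrypt", 'marklahn@domain.com');
gpgDecryptWithKeyFile('gpg_keyfile.priv.gpg', 'password1234', 'configfile.ini.gpg', 'configfile.ini');
```

gpg launches a gpg-agent for the temporary homedir; running gpgconf --homedir <dir> --kill gpg-agent before the directory is removed stops it and drops any cached key material.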

PHP Open SSL Decrypt Failing Inconsistently

I'm having some weird behaviour with the openssl_decrypt method in PHP. It's failing, giving me an error: Unknown cipher algorithm, but only sometimes (about 6:10 times) i.e. If I run the command enough times, it will eventually work... My code is:
$result = openssl_decrypt(base64_decode($hash), 'AES-128-CBC', $timestamp);
running openssl list-cipher-commands lists AES-128-CBC as one of the available cipher methods. The specs don't really list anything on the subject - only specifying that unknown cipher algorithm is a possible exception from running the command.
edit:
Using the command line, i.e. running echo "something" | openssl enc -aes-128-cbc on a random machine and then decrypting on the machine that fails with the above using echo "..." | openssl enc -aes-128-cbc -d, works consistently.

Mcrypt Win32 vs. PHP Mcrypt extension

I want to encrypt a file using the Win32 command-line mcrypt.exe, then decrypt it using an Apache/Unix-based PHP script.
So I do in win's command-line:
mcrypt -a "blowfish" -k 1234 -m cbc test.txt
(test.txt is a simple text file that contains "working fine")
This generates a 47-byte file named test.txt.nc
So I upload the file to my apache webserver and run this script:
$s = mcrypt_cbc("blowfish","1234",file_get_contents("test.txt.nc"),MCRYPT_DECRYPT);
file_put_contents("newtext.txt",$s);
I get this warning:
Warning: mcrypt_cbc() [function.mcrypt-cbc]: Attempt to use an empty IV, which is NOT recommend
And a 48-byte newtext.txt file, which contains binary data instead of the decrypted text.
I need some guidance! Thank you very much.

How to use PHP to call Linux GPG to encrypt a file with a passphrase

I have a task which needs to use gpg to encrypt an uploaded file in PHP.
My code is:
("echo '1234' | gpg --passphrase-fd 0 -c /path/aaa.jpg ");
It works when I paste the command into the Linux shell,
but not from PHP. Any solution?
You need to use gnupg_decrypt() to decrypt the text.
