Decrypt and encrypt a file using gpg without re-typing the passphrase


There are several options, but they all could leave you with a decrypted file on disk, waiting to be undeleted later. Shred might even have problems securely deleting a file (if there's a log/journal, redundant writes / RAID, temporary caches, compressed filesystems) and an SSD could swap sectors silently too. Even using a tmpfs filesystem is subject to being written out to swap. And the editing program you use could leave even more temporary/cache files. If your entire filesystem and swap are encrypted that helps a lot, but then do you really need more encryption?

If you're just saving basic text (like passwords) I'd suggest using a purpose-built program like KeePass(X/XC), LastPass, etc. Or a different encryption method, one that encrypts files like eCryptfs, EncFS, or that encrypts devices like LUKS, or a TrueCrypt successor.

But with just GPG, you could use one of these options:

  • --passphrase-fd n
    Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.

    Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.

  • --passphrase-file file
    Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.

  • --passphrase string
    Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from GnuPG version 1.x.

For the above options, you'll probably need either --pinentry-mode loopback (allows entering new info, for example a new filename if there's a conflict) or --batch; otherwise gpg will just ignore the passphrase options and still ask the agent for a passphrase (a bug IMO). This might be useful too:

  • --passphrase-repeat n
    Specify how many times gpg will request a new passphrase be repeated. This is useful for helping memorize a passphrase. Defaults to 1 repetition.

You could type the passphrase only once and read/store it in a shell/bash variable (say $password), recalling it later with --passphrase="$password". Something like:

until gpg --pinentry-mode loopback --passphrase="$password" --output "$file_to_edit" --decrypt "$ecrypted_file"; do
    # No (or a wrong) passphrase so far: read it without echoing it to the terminal
    read -rs password
done

# Got out of the loop with a correct password, now edit the plaintext
echo "Some edit" >> "$file_to_edit"

# Re-encrypt with the same passphrase, overwriting the old encrypted file
gpg --pinentry-mode loopback --passphrase="$password" --output "$ecrypted_file" --yes --symmetric "$file_to_edit"

(--yes to overwrite)

Author by francescop21

Updated on September 18, 2022
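The one-passphrase edit cycle from the answer above, as an added example that is not part of the original post or of GnuPG itself: it hands the passphrase to gpg over stdin with --passphrase-fd 0 rather than --passphrase on the command line (so it does not show up in ps output or shell history), disables gpg-agent's symmetric-key cache so a remembered passphrase cannot mask a wrong one, and only swaps the new ciphertext in once re-encryption has succeeded. It assumes GnuPG 2.2.7 or newer (for --no-symkey-cache), a POSIX shell and mktemp; gpg_pass and gpg_edit_symmetric are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GnuPG 2.2.7+ (for
# --no-symkey-cache) and mktemp. gpg_pass / gpg_edit_symmetric are hypothetical names.

# Run gpg with the passphrase fed over stdin (--passphrase-fd 0) instead of
# --passphrase on the command line, so it never appears in `ps` output or history.
# --no-symkey-cache keeps gpg-agent from silently reusing a cached passphrase.
gpg_pass() {
    pass=$1; shift
    printf '%s\n' "$pass" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --no-symkey-cache "$@"
}

# gpg_edit_symmetric PASSPHRASE ENCRYPTED_FILE EDIT_CMD [ARGS...]
# Decrypts into a fresh mode-0700 temp dir, runs EDIT_CMD with the plaintext path
# appended, re-encrypts with the same passphrase and removes the temp dir. The
# plaintext still touches disk (see the caveats above), so point TMPDIR at a tmpfs
# or an encrypted volume where you can.
# Returns 0 on success, 1 wrong passphrase (ciphertext untouched), 2 edit command
# failed, 3 re-encryption failed (old ciphertext kept in every failure case).
gpg_edit_symmetric() {
    pass=$1; enc=$2; shift 2
    tmpdir=$(mktemp -d) || return 3
    plain="$tmpdir/plain"
    if ! gpg_pass "$pass" --output "$plain" --decrypt "$enc"; then
        rm -rf "$tmpdir"; return 1
    fi
    if ! "$@" "$plain"; then
        rm -rf "$tmpdir"; return 2
    fi
    # Encrypt to a sibling file and rename over the original only on success,
    # so a failure here never leaves a truncated or missing encrypted file.
    if ! gpg_pass "$pass" --yes --output "$enc.tmp" --symmetric "$plain"; then
        rm -rf "$tmpdir" "$enc.tmp"; return 3
    fi
    rm -rf "$tmpdir"
    mv -f "$enc.tmp" "$enc"
}

# Interactive use: ask for the passphrase once, without echo, then edit in $EDITOR.
# stty -echo; printf 'Passphrase: '; read -r pass; stty echo; echo
# gpg_edit_symmetric "$pass" secrets.gpg "${EDITOR:-vi}"
```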

Comments

  • francescop21
    francescop21 over 1 year

    [Notice: my problem is similar to this. And related to this]

    Basically I want to edit a symmetrically encrypted file and then encrypt it again using the same passphrase, without the need to retype it.

    It goes like this:

    gpg --output "$file_to_edit" --decrypt "$ecrypted_file"
    echo "Some edit" >> "$file_to_edit"
    gpg --output "$ecrypted_file" --symmetric "$file_to_edit"

    Now, gpg asks 3 times for the passphrase (1 for decryption and 2 for encryption). What I'd like is to type the passphrase only once (for decryption) and, if it's correct, use it again for encryption. Is there a secure way to do this?

  • francescop21
    francescop21 over 5 years
    Note: --pinentry-mode is available only for gpg 2.x (not for gpg 1.x). Also, there's no need for --batch option with gpg 1.x.
  • Xen2050
    Xen2050 over 5 years
    That's true, with gpg 1 --passphrase [& --passphrase-file & --passphrase-fd] actually worked without needing extra tricks ;-) Another surprise is that gpg will remember the passphrase for a while (minutes?) and decrypt the same file again without asking for the passphrase