gpgwrap(1) | General Commands Manual | gpgwrap(1) |
gpgwrap - a small wrapper for gpg
gpgwrap -V
gpgwrap -P [-v] [-i] [-a] [-p <file>]
gpgwrap -F [-v] [-i] [-a] [-c] [-p <file>] [-o <name>] [--] <file> [<file> ... ]
gpgwrap [-v] [-i] [-a] [-p <file>] [-o <name>] [--] gpg [gpg options]
The GNU Privacy Guard (gpg) supplies the option --passphrase-fd. This instructs gpg to read the passphrase from the given file descriptor. Usually this file descriptor is opened before gpg is executed via execvp(3). Exactly that is what gpgwrap is doing. The passphrase may be passed to gpgwrap in 4 ways:
With no precautions the first point undermines the secure infrastructure gpg provides. But in pure batch oriented environments this may be what you want. Otherwise if you are willing to enter passphrases once and don't want them to be stored as plain text in a file gpg-agent is what you are looking for. Another security objection could be the use of the environment variable GPGWRAP_PASSPHRASE which contains the passphrase and may be read by other processes of the same user.
The given passphrase is subject to several limitations depending on the way it was passed to gpgwrap:
gpgwrap -p /path/to/a/secret/file \ gpg -c -z 0 --batch --no-tty \ --cipher-algo blowfish < infile > outfileRead passphrase from /path/to/a/secret/file and execute gpg to do symmetric encryption of infile and write it to outfile.
gpgwrap -i -a \ gpg -c -z 0 --batch --no-tty \ --cipher-algo blowfish < infile > outfileSame as above except that gpgwrap prompts twice for the passphrase.
gpgwrap -F -i - <<EOL gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1" gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2" gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3" gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4" EOLgpgwrap prompts for the passphrase and executes four instances of gpg to decrypt the given files.
GPGWRAP_PASSPHRASE="mysecretpassphrase" export GPGWRAP_PASSPHRASE gpgwrap -F -c -v /tmp/cmdfile1 - /tmp/cmdfile2 <<EOL gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1" gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2" gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3" gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4" EOLSame as above except that gpgwrap gets the passphrase via the environment variable, reads commands additionally from other files and checks the exit code of every gpg instance. This means if one gpg command has a non zero exit code, no further commands are executed. Furthermore gpgwrap produces verbose output.
GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)" export GPGWRAP_PASSPHRASE find . -maxdepth 1 -type f | while read FILE; do FILE2="$FILE.bz2.gpg" bzip2 -c "$FILE" | gpgwrap gpg -c -z 0 --batch --no-tty \ --cipher-algo blowfish > "$FILE2" && touch -r "$FILE" "$FILE2" && rm -f "$FILE" doneRead in passphrase, compress all files in the current directory, encrypt them and keep date from original file.
find . -maxdepth 1 -type f -name '*.bz2.gpg' | awk '{ printf("gpg --decrypt --batch --no-tty --quiet "); printf("--no-secmem-warning < %s\n", $0); }' | gpgwrap -F -i -c - | bzip2 -d -c - | grep -i 'data'Decrypt all *.bz2.gpg files in the current directory, decompress them and print out all occurrences of data. If you pipe the result to less you get into trouble because gpgwrap and less try to read from the TTY at the same time. In such a case it is better to use the environment variable to give the passphrase (the example above shows how to do this).
GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)" export GPGWRAP_PASSPHRASE gpgwrap -P | ssh -C -x -P -l user host " GPGWRAP_PASSPHRASE=\"\$(cat)\" ... "Prompt for a passphrase twice and write it to the GPGWRAP_PASSPHRASE environment variable.
echo -n "Passphrase: " stty -echo read GPGWRAP_PASSPHRASE echo stty echo export GPGWRAP_PASSPHRASEAnother way to prompt manually for the passphrase. It was needed in combination with older versions of gpgwrap, because they did not upport -P. Be aware that with this method no automatic conversion to backslash escaped octal numbers takes place.
echo "mysecretpassphrase" | gpg --batch --no-tty --passphrase-fd 0 \ --output outfile --decrypt infileCheap method to give passphrase to gpg without gpgwrap. Note that you can't use stdin to pass a file to gpg, because stdin is already used for the passphrase.
gpg --batch --no-tty \ --passphrase-fd 3 3< /path/to/a/secret/file \ < infile > outfileThis is a more advanced method to give the passphrase, it is equivalent to Option -p of gpgwrap. This example should at least work with the bash.
gpg --batch --no-tty --passphrase-fd 3 \ 3< <(echo "mysecretpassphrase") \ < infile > outfileLike above, but the passphrase is given directly. This example should at least work with the bash.
In version 0.02 of gpgwrap the exit code of gpg was only returned if gpgwrap read the passphrase from a file. Since version 0.03, only -F omits exit code checking by default, but it can be enabled with -c.
gpg, gpg-agent
Karsten Scheibler
gpgwrap 0.04 |