I am using an Encryption method as mentioned below:
--homedir "C:\GnuPG" --batch --yes --encrypt --recipient a#a.com --default-key a#a.com --passphrase-fd 0 --no-verbose
It generates a.gpg file.
But when i decrypt this file on the stdin as mentioned below command:
gpg --output my.csv --decrypt a.gpg
Error:
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: eof
Whats wrong with the Encryption command?
Related
Background:
I have a GPG encrypted secret that must not be written to file unencrypted.
Let say that it lives at ~/.secrets/.mysecret.gpg.
Running gpg ~/.secrets/.mysecret.gpg unencrypts the .mysecret.gpg and saves it to file at .mysecret (unacceptable). Running gpg -d ~/.secrets/.mysecret.gpg prints the decrypted secret only (thank you JustinC).
To avoid the stderr and to encode it in base64 for my use purpose, I wrote this shell function as a convenience method:
keyreader() {
local gpg_file=$1
echo -n "$(gpg -d "$gpg_file" 2> /dev/null)" | base64
}
Running keyreader ~/.secrets/.mysecret.gpg, after entering the password for the encrypted secret, it prints out the base64 encoded, decrypted secret, no output file.
Questions:
When gpg -d ~/.secrets/.mysecret.gpg is run, does gpg write a tmp file that would include the unencrypted .mysecret?
Why does gpg not output a file, .mysecret, when I use the above syntax? (ANSWER: the -d flag was used, again thank you JustinC).
Assuming I use the appropriate $HISTIGNORE identifier before running the command, how can I encrypt a string from the command line to a .gpg AES256 encrypted file without having first written it unencrypted to file?
For Q3, something like:
$ echo "secret info" | gpg --cipher-algo AES265 -c -o secrets_file.txt.gpg
instead of:
$gpg --cipher-algo AES265 -c secrets_file.txt
Again, #JustinC, thank you for your answer.
For completeness, here is my solution for encrypting/decrypting a string in memory only:
encryption:
# notice the space before echo here
# it is the default $HISTIGNORE flag which can be set in the ~/.bashrc
# it keeps this line from being written to the ~/.bash_history file
echo -n 'your secrets here' | gpg -c > ~/.secrets/.mysecret.gpg
# Enter passphrase:
decryption:
# 2> /dev/null: skip printing strerr
gpg -d ~/.secrets/.mysecrets.gpg 2> /dev/null
NB: If you get the error "inappropriate ioctl for device", you may be running on WSL and this may help you:
# https://d.sb/2016/11/gpg-inappropriate-ioctl-for-device-errors
echo -e "use-agent\npinentry-mode loopback" >> ~/.gnupg/gpg.conf
echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
echo RELOADAGENT | gpg-connect-agent
Are you sure gpg -d ~/.secrets/.mysecret.gpg writes decrypted file to disk? It does not for me.
You can use strace to check if any temporal file is created.
I sometimes prevent leaving password in bash history by typing:
PP=`cat`
secret-info ENTER Ctrl+D
echo $PP # will print "secret-info"
The secret-info string is sent to cat program, not to shell, so bash will not save it to history file.
I've decrypted a file successfully using:
gpg --encrypt --recipient user#company.com myfile.txt
If I run the command below, I'm prompted for a passphrase, and decryption works:
gpg --output decrypted_myfile.txt -decrypt myfile.txt.gpg
I can't seem to get any form of non-interactive decryption working. The closest I've come is:
gpg --decrypt --batch --passphrase MYPASSPHRASE myfile.txt.gpg
This gives me:
gpg: encrypted with 2048-bit RSA key, ID F6CF3C25, created 2016-03-17
"Company_20210316 (Incoming Files) <user#company.com>"
gpg: public key decryption failed: Bad passphrase
gpg: decryption failed: No secret key
Is there a different way to do it?
Having error like:
gpg: decryption failed: No secret key
simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if:
gpg --list-secret-keys if it has a private key there and if not,
Import it and then trust it.
To trust, use:
gpg --key-edit <yourKey> then "trust" then "5" then "quit"
To get your keyID run:
gpg --edit-key <yourKey> then
On the first line you'll see: "Private key available"
Then two sub-keys on the left of the fist, you'll see similar to:
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your
E7E43C5C844E2917
So to explicitly export from where it was generated, the key to a file, you need to use that like this:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
This will create a secret key in a file ONLY, unlike if you use keyname in the export call. Then it will contain more than that.
Then to import use:
gpg --import yourSecretKey.asc
Then check your key in the list updated. Add a trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt and
-o the same as --output
And the value of the passphrase is the actual value I used in my test to decrypt the above and not the variable. The same created during the time key generated, and actual recommendation is to use a longer set of characters but actually any number is accepted.
Having error like: gpg: decryption failed: No secret key simply means that you don't have a private or secret key in your gpg keyring. You may want to check first if gpg -k (same as gpg --list-keys) has a private key there and import it and then trust it,
To add trust, use "1 to 5":
gpg --key-edit <yourKey>
then trust then 5 then `quit
To get your keyID run:
gpg --edit-key <yourKey>
then first line you'll see: Private key available
then two sub-keys on the left of the fist you'll see
sec rsa2048/E7E43C5C844E2917
and the part on a right after slash - will be your <keyID> E7E43C5C844E2917
so, to explicitly export from where it was generated, the key to a file you need to use that like:
gpg --export-secret-keys --armor E7E43C5C844E2917>yourSecretKey.asc
this will create secret key in a file ONLY, unlike if you use keyname in the export call then it will contain more than that.
Then to import use:
gpg --import E7E43C5C844E2917
then check your key in the list updated. Add trust if needed.
Then line to decrypt copied from terminal of my MAC and tested works, w/ no prompt:
gpg --batch --passphrase MyPassphrase -o test.tt7 -d CE.txt.gpg
NOTE that: -d is the same as --decrypt just like -o is the same as --output
You can try this command:
gpg --output File.txt --batch--passphrase-fd YourPassword --decrypt file.pgp
The following command is run from the Windows command line and it works sometimes, but it does not in other occasions.
GPG --recipient "my.puclic.key#recipient.com" --output "MyEncryptedFileName.txt.PGP" --encrypt "MyTestDocument.txt Working Directory: \\myServer\myfolderName\
The directory and file name exist, but it seems like GPG can't find them. I have also tried the command as..
GPG --recipient "my.puclic.key#recipient.com" --output "MyEncryptedFileName.txt.PGP" --encrypt "MyTestDocument.txt Working Directory: \\myServer\myfolderName\"
and
GPG --recipient "my.puclic.key#recipient.com" --output "MyEncryptedFileName.txt.PGP" --encrypt "MyTestDocument.txt Working Directory: \\myServer\myfolderName"
but keep getting an error:
"can't open 'MyTestDocument.txt Working Directory:\\myServer\myfolderName\': No such file or directory
gpg MyTestDocument.txt Working Directory: \\myServer\myfolderName\: encryption failed: No such file or directory
In prior occasions this same command worked fine.
If I run gpg to sign and encrypt a file from the command line, it works. I have an application that tries the same and I get the following error. The application has worked signing and encrypting before, so I do not think that it is a permission issue. Any ideas?
Running on windows. GnuPG 1.4.2.2
gpg: keyblock resource C:/Program Files/GNU/GnuPG" --output D:/WEA/ACH/milw472b.gpg --yes --batch --armor --recipient JPMC_ECS_PROD_2015 --default-key wea#weatrust.com --passphrase-fd 0 --no-verbose --sign --encrypt D:/WEA/ACH/ACH \secring.gpg': file open error
gpg: keyblock resourceC:/Program Files/GNU/GnuPG" --output D:/WEA/ACH/milw472b.gpg --yes --batch --armor --recipient JPMC_ECS_PROD_2015 --default-key wea#weatrust.com --passphrase-fd 0 --no-verbose --sign --encrypt D:/WEA/ACH/ACH \pubring.gpg': file open error
gpg: no valid OpenPGP data found.
gpg: processing message failed: eof
Why is your program including the paths to the public and secret keyrings? GPG should find them in the home directory, if you're using a different location for those files then you either need to specify the new home directory (with the --homedir flag) or prepend the two keyring files with the relevant flags (--keyring and --secret-keyring).
As it is, that command appears to be trying to encrypt your public and secret keyrings to the "JPMC_ECS_PROD_2015" recipient. If "JPMC_ECS_PROD_2015" is not a group name (specified in the gpg.conf file) or specified elsewhere in the code for your program, then that will generate errors relating to an invalid recipient (or recipient format).
i am struggling with a gpg problem for a few days and cant figure out a solution by my own. i would be glad if you could help me out with the following issue:
i need to decrypt a gpg file in php. for that, i am using the following command:
cat passphrase.txt | /usr/local/bin/gpg --decrypt --passphrase-fd 0 stammdaten.txt.gpg>stammdaten.txt
the passphrase.txt contains the password for decryption
stammdaten.txt.gpg is the encrypted file
the decrypted data will be written in stammdaten.txt
when i run this command in php:
shell_exec=("cat passphrase.txt | /usr/local/bin/gpg --decrypt --passphrase-fd 0 stammdaten.txt.gpg>stammdaten.txt")
i get a zero-byte output file (stammdaten.txt) with owner=ftpadmin and group=psacln
but when i execute the same command via ssh terminal (as root), the data will be decrypted and written correctly with file owner=root and group=root.
i think, that this is a permission problem. how can i use that command in php correctly? i also tried to chown and chgrp with the ftprightson the decrypted file, but nothing seems to help.
every answer is highly appreciated. thanks!
finally i got it to work:
first of all, i changed the gpg command for decryption with echoing the passphrase into stdin:
$passphrase = utf8_decode('mypassphrase');
$encrypted = 'fullsystempathtogpgfile.gpg';
"echo '$passphrase' | /usr/local/bin/gpg -v -v --batch --passphrase-fd 0 --no-default-keyring $encrypted";
before executing with shell_exec i needed to change the homedir of gpg:
before it was set with:
putenv("GNUPGHOME=/var/www/.gnupg");
but obviously the php user (in my case "ftpadmin", found out with "whoami") has no permission to access that directory, so i copied the .gpg folder into my new created php user folder: /home/ftpadmin (with 777 perms) and changed the GNUPGHOME:
putenv("GNUPGHOME=/home/ftpadmin/.gnupg");
now i am able to decrypt the gpg files with php. maybe you could find some help for your similar issue. thanks again for every answer.
You can try to use
cat passphrase.txt | /usr/local/bin/gpg --output stammdaten.txt --decrypt --passphrase-fd 0 stammdaten.txt.gpg
instead.
Another thing you can try is to run this command in the shell as ftpadmin in the directory where your stammdaten.txt file is to make sure it is not a file permission problem.
su ftpadmin
cat passphrase.txt | /usr/local/bin/gpg --output stammdaten.txt --decrypt --passphrase-fd 0 stammdaten.txt.gpg