I'm using gpg to decrypt files sent to me by a vendor. Everything works fine accept for when the content of the encrypted file is empty (the vendor has told me that there is no content in the files in question).
If I try and decrypt one of these files I get:
gpg: can't handle this ambiguous
signature data
Is there any way to check that the file has no content accept for the header, so that I can set it up to fail more elegantly?
According to this mailing-list post, the official PGP tool has a bug that sometimes causes it to produce malformed messages. You can verify whether this is the case for your particular file by running gpg --list-packets path/to/encrypted/file.pgp and looking at the output. If you see a :onepass_sig packet: followed immediately by a :signature packet: then that's probably what's going on.
In my (limited) experience, this occurs if the sender has tried to encrypt an empty file. Unfortunately, since encryption is designed to make it difficult to see what's inside, it's hard to tell if that's actually the case before you try to decrypt it. gpg's --list-packets output will give you some information, but I've noticed that the :literal data packet: output will usually say "raw data: 0 bytes" even if the message contains a non-empty file.
You can make gpg ignore all signature data in the encrypted file with the --skip-verify option, but then of course you can't tell whether the file you're decrypting comes from a trusted source.
Assuming you are using a unix shell script, you could first do a '[ -s /the/file ]' before attempting the GPG decrypt.
Related
So I created encrypted key using ansible-vault create my.key.
Then I use it as var:
my_key: "{{ lookup('file','{{ inventory_dir }}/group_vars/my.key') }}"
And then when running my playbook, like this:
- name: Create My Private Key
ansible.builtin.copy:
content: "{{ secrets.my_key }}"
dest: "{{ secrets_key }}"
no_log: true
It does properly create key on remote host and it is then unencrypted. But I'm thinking if this is the right way to do it? Does it unencrypt at the right time and I am not exposing sensitive data where it should not be?
I thought encrypted variables must also have !vault keyword specified. But if I do this for my my_key, I get this error:
fatal: [v14-test]: FAILED! => {"msg": "input is not vault encrypted data. "}
So this got me worried, that file is unencrypted at the wrong time or maybe message is misleading or something.
Is this the right way to do it? Or I should do it differently?
Firstly, a definitive answer as to whether this approach is appropriate, is directly linked to what you want to achieve from encryption. Therefore all the answers here can do is talk about how Vault works and then you can decide if it is right for your requirements.
Fundamentally what you are doing is a 'correct' usage of Ansible Vault, although I have not previously seen it used in quite this workflow (typically I have seen create used for encrypting YAML files of vars).
Using your method, your secret is turned into ciphertext and stored in my.key (which can be confirmed by using basic text tools such as cat, less or more). You will see the first line of the file, contains a bunch of metadata that allows Ansible to understand the file contents and decrypt on demand.
At runtime, Ansible will then use the password/key for the encrypted file (accessed through a number of methods) to decrypt the file contents into plain text and then store it in the variable my_key for use during the play.
A non-exhaustive list of things to consider when determining if Ansible Vault is the right approach for you:
Ansible Vault encryption is purely designed to protect secrets at rest (i.e. when they are stored on your hard disk)
At run time, the secrets are converted into plain text and treated like any other variable/string data, however the file on disk still contains ciphertext so the plaintext is only accessible within the running Ansible process (i.e. on a multi-user system, at no point can anybody view the plaintext simply by looking inside the my.key file. However, depending on their level of access, skills and what your Ansible tasks are doing, they may be able to access the plaintext from the running process.)
Given inside the process the data is just plain text, it is vulnerable to leakage (for example by writing the contents out into a log file - checkout the Ansible no_log option)
At run time, Ansible needs some way to access the key necessary to decrypt the ciphertext. It provides a variety of methods, including prompting the user, accessing it from a file stored on disk, accessing it from an Env var, using scripts/integrations to pull it from another secrets mgmt tool. Careful thought needs to be given about which option is chosen, relative to what you are looking to achieve from the encryption (e.g. if your goal is to protect your data in the event that your laptop gets stolen, then storing the key in a file on the same system, renders the whole operation pointless). Quite often, with more sophisticated methods, you can still end up in a 'chicken and egg' situation, once more relative to what your goal from using encryption is
I might be talking complete cobblers or be a nefarious individual trying to sow disinformation, so read the docs thoroughly if the value of the secrets if significant to you :)
Unfortunately there is no getting away from generally good security is harder to achieve than the illusion of good security :|
I am setting up a platform whereby data is stored on IPFS and then give access to some (or in some cases all) through a front-end UI.
Storing on IPFS is straight forward as is encrypting.
First I encrypt the file:
gpg --encrypt --recipient "myUserName" "myVideo.mp4"
Then I save the encrypted file:
ipfs add "myVideo.mp4.gpg"
So far so good. Recovering it is easy as is decrypting:
ipfs cat _hashcode > “myVideo.mp4.gpg”
gpg “myVideo.mp4.gpg”
My question though is, that only works if I want to encrypt the file such that only I can decrypt it, how can I allow a certain group of users to access any given file, possibly even ALL users on the platform, but not for people outside of the platform.
I know it is possible to set up Groups in the gpg.config file, but I won't know ahead of time who all of the users are that should have access and it may change over time as well.
Can anyone help me with this please?
Thanks!
I would like to do full file encryption of an org mode file. I would like just to have a password to open it - I believe its called symmetric encryption - no keyrings, public keys, etc because I know nothing about that.
So far I have learned that all I have to do is save an org mode file ending in .gpg or .org.gpg, and when I save, I get:
Select recipients for encryption.
If no one is selected, symmetric encryption will be performed.
- ‘m’ to mark a key on the line
- ‘u’ to unmark a key on the line
[Cancel][OK]
I just click OK and I am prompted for the password. Wonderful.
When I close Emacs and view the file in another text editor, I can see the file is encrypted. Wonderful.
The problem comes in when I open the encrypted file - Emacs does not prompt me for the password. Emacs does report it decrypted the file and then it opens it.
I would like to be prompted for the password.
I have tried many different commands in both .emacs and in the file itself and nothing works. Eg:
(setq epa-file-cache-passphrase-for-symmetric-encryption nil)
I find that most articles seem to be old or for different versions of gpg or different types of encryption and so the commands suggested are not suitable.
What is the minimum amount of commands and what are those commands that I need to use to make sure encryption/decryption functions properly and securely and i will be prompted for the password each time I open the file?
I am using:
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
See this question on the Emacs SE site. It's a matter of configuring the default-cache-ttl setting in ~/.gnupg/gpg-agent.conf. The default is 300 seconds (5 mins), so the password is cached in gpg-agent for that long. Setting it to 0 makes sure that it is not cached.
I would like to ask a question about ioncube encryption. I have successfully encrypted a *.conf file.
When I run it, it doesn't seems to be running properly.
How can I encrypt a non-php file? Can you give a step by step process?
All steps taken from the latest ionCube Encoder User Guide for Version 9 and the GUI documentation.
Encrypt files
In the command line encoder, you can create encrypted files with the command
--encrypt "fileselector"
You can chain these together to select multiple files, and use Wilcards as selectors. For example:
ioncube_encoder --encrypt "*.conf" --encrypt "*.xml"
In the GUI you can enter these selectors in the 'Source Tab' in your Project settings, under the 'Non-PHP encryption extensions' label:
Loading encrypted files
Once the files are encrypted, you can read their content by calling the function:
mixed ioncube_read_file(string path [,bool &was_encrypted [,string passphrase] ] ] )
For example, if you encrypted the file foo.conf without passphrase, you can get the content back by calling:
$file_content = ioncube_read_file("foo.conf");
Note: This only works from already encoded files, otherwise the encryption would be useless. Furthermore, encrypted files can only be decrypted by files encoded with the same ionCube Encoder, i.e. if you encrypt your files on Machine 1 and try to decrypt them with files encoded on Machine 2, you won't be able to decrypt the file.
I need to encrypt data while we take mysqldump from database through command prompt. My OS is windows7. Please help me.
Can't you just pipe the dump output directly though your encryption tool?
ie:
mysqldump mydb | some-encryption-tool.sh
btw, the only reason I suggested piping directly through an encryption tool is to the (unsafe) plain-text version never exists on disk, which is the only interpretation of the question that makes sense. Otherwise, just save the dump to a file and encrypt it - there is nothing to "answer".