Decrypt nextab nx1610132s ps

7/1/2023

In order to use the gpg option `--passphrase-fd` in GnuPG v2, you must specify the `--batch` parameter. I will first explain how `--passphrase-fd` works, and then get to the examples.

`--passphrase-fd` tells GnuPG which file descriptor (`-fd`) to expect the passphrase to come from. The standard file descriptors are STDIN (0), STDOUT (1) and STDERR (2). For the context of this question, you would normally only be concerned about STDIN (0).

You didn't specify where you want the passphrase to come from, so I will demonstrate the usage of STDIN (standard in) in a variety of ways.

`--passphrase-fd 0` tells GnuPG to retrieve the passphrase from input into the current shell; so, for example, if you want GnuPG to get the passphrase data in the very next line of console input, the command and output would be like so:

```
gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
gpg: encrypted with 1024-bit RSA key, ID EC18C175, created
```

In the above example, the passphrase was provided via file descriptor 0 (STDIN), which we provided by entering it on the shell's current standard input.

In the next example, we will tell GnuPG to retrieve the passphrase from input into the current shell that is actually the output of another command (echo, in this case, which merely "echoes" what you tell it to):

```
echo "mypassphrase" | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
```

Another example that dumps the contents of a file that contains the passphrase to STDIN:

```
cat /path/to/file_with_passphrase | gpg2 --batch --passphrase-fd 0 --armor --decrypt /path/to/encrypted_file.pgp
```

In summary, `--passphrase-fd` just tells GnuPG that you want to feed it the requisite passphrase via a standard file descriptor; the difference between GnuPG v2 and GnuPG is merely the `--batch` parameter.

The above examples should work the same in Windows and *nix environments, with the only difference being that in Windows, depending on your configuration and version, you will have to replace `cat` with `type` in order to dump the contents of a file to STDIN.

As I've had to recently figure this out myself I thought it might be worth chiming in. The answer by kylehuff is very good if you're decrypting files; however, if you've need of input/output redirection, such as piping, here's an example of using a non-0 file descriptor to pass the passphrase.

```
# Open file descriptor and shove the passphrase file into it
Var_gpg_decrypt_opts="--passphrase-fd $ --decrypt"
# Do not forget to close the file descriptor
```

Do be warned, outside of special use cases, that saving your private key's passphrase is generally seen as a bad idea or bad security practice. Often I've seen advised in these use cases to use specifically non-passphrase-protected keys, but that's totally your choice. Also please don't forget to close the descriptor when finished so that your passphrase isn't accessible via that method anymore.

If you like the above code then you may want to also check out the script I debugged for key generation, either unattended or attended, because it covers even less commonly used gpg file descriptor options.

So I've been debugging the bulk decryption operations and have evidence to show that file descriptors seem to close automatically, or perhaps it's auto-closed by GnuPG.
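The non-0 descriptor technique from the answer above, as an added example that is not code from the original post: the passphrase file is opened on fd 9, `--passphrase-fd 9` is appended to whatever command is wrapped, and the descriptor is closed afterwards so nothing else in the process can read it. The function names and file paths are assumptions; GnuPG 2.1 and later additionally need `--pinentry-mode loopback` for `--passphrase-fd` to be honoured in batch mode.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: pass the passphrase
# on a non-0 descriptor (fd 9, chosen arbitrarily) so stdin stays free
# for piped data, and close that descriptor afterwards. Function names
# and file paths are made up for this example.

# with_passphrase_fd FILE CMD [ARGS...]
# Opens FILE read-only on fd 9, runs CMD with "--passphrase-fd 9"
# appended, then closes fd 9 whether or not CMD succeeded.
with_passphrase_fd() {
    local pass_file="$1"; shift
    exec 9<"$pass_file" || return 1
    "$@" --passphrase-fd 9
    local rc=$?
    exec 9<&-   # closed: the passphrase is no longer readable via fd 9
    return "$rc"
}

# Stand-in for gpg used by demo(): it parses --passphrase-fd N and
# reads one line from descriptor N, the way GnuPG consumes the
# passphrase. Every other argument is ignored.
fake_reader() {
    local fd="" pass
    while [ $# -gt 0 ]; do
        case "$1" in --passphrase-fd) fd="$2"; shift ;; esac
        shift
    done
    [ -n "$fd" ] || return 2
    read -r pass <&"$fd" || return 3
    printf '%s\n' "$pass"
}

# Real use with GnuPG (not run here). --batch is required since 2.0 and
# --pinentry-mode loopback since 2.1 for --passphrase-fd to be honoured;
# stdin still carries the ciphertext because the passphrase rides on fd 9:
#   with_passphrase_fd /path/to/passphrase_file \
#       gpg --batch --pinentry-mode loopback --decrypt <in.gpg >out.txt

# demo: constructed passphrase file; returns the passphrase the wrapped
# command read, and fails if fd 9 is still open afterwards.
demo() {
    local tmp out got
    tmp=$(mktemp) && out=$(mktemp) || return 1
    printf 'correct horse battery staple\n' > "$tmp"
    with_passphrase_fd "$tmp" fake_reader --batch --decrypt > "$out"
    got=$(cat "$out"); rm -f "$tmp" "$out"
    { true <&9; } 2>/dev/null && return 1   # fd 9 must be closed by now
    printf '%s\n' "$got"
}
```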