GnuPG (gpg command)
# 1  
Old 01-17-2006
GnuPG (gpg command)

I've been blessed with the task of writing functions that will be used to encrypt / decrypt data files using the Gnupg (gpg command) software on our Solaris 9. This was just installed last Friday and I've got no documentation other than what I've found on the web.

I was successful in writing and testing the encrypt_file function. Piece of cake. The problem I have is with the decrypt_file function trying to get the gpg command to allow me to pass the 'passphrase' as a variable. I can run the command (without a script), it prompts me for the passphrase, I type it and it works. I'm confused about the --command-fd and --passphrase-fd options. I've tried with each separately and each alone and still get an error saying 'bad passphrase'. Has anyone else tried this? What have I got wrong?

My current script and its output follows.


#! /bin/ksh
#------------------
function decrypt_file
{
# This function uses the GnuPG (gpg command) to decrypt files
# $1.gpg will be the input file and the output will be called $1.

# The gpg command resides in /usr/local/bin

#Setup
B=/bin
U=/usr/local/bin # this is where the gpg executable is

# Check if the input file exists
if [[ ! -f $1.gpg ]] then
echo "-*- Error - $1.gpg not found"
return 1
fi

# Delete the output file (if one exists)
$B/rm -f $1

# Let's decrypt the file
PP=`echo 'this is my test passphrase'` # this and the next line will be
echo "Pp=$PP" # replaced by an environment variable
echo $PP| $U/gpg --command-fd 0 --passphrase-fd 0 \
--decrypt-files "$1.gpg" << !end \
> /tmp/$$data
!end

stat=$?
if [[ $stat != 0 ]] then
echo "-*- Error - decrypt (gpg) failed"
return 1
fi

$B/grep -i "ERROR" /tmp/$$data > /dev/null
stat=$?
if [[ $stat != 1 ]] then
echo "-*- Decrypt failed"
cat /tmp/$$data
return 1
fi

# Look's like we're good to go
echo "--- File $1.gpg successfully de-encrypted as $1"

# Remove the input-file (the point of the whole process) and /tmp files
$B/rm -f $1.gpg
$B/rm -f /tmp/$$*

return 0
} # end decrypt_file
#------------------


Here's what I get when I run it:

$: decrypt_file test-file.txt
Pp=this is my test passphrase
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "test name (test comment) <testemail@pni.com>"
1024-bit ELG-E key, ID 84D710AC, created 2006-01-13 (main key ID F423056A)

gpg: encrypted with 1024-bit ELG-E key, ID 84D710AC, created 2006-01-13
"test name (test comment) <testemail@pni.com>"
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available
-*- Error - decrypt (gpg) failed
$:


Thanks, in advance, for any help you can give me.
# 2  
Old 01-19-2006
Ahhh, lucky you. I had gone through a similar exercise a while back but was responsible only for the encrypt piece. However, the decrypt operation should be identical and your code looks OK. The only difference I notice is that you redirect the output of the decrypt operation of the file whereas I use the --output parameter... But that shouldn't make a difference. I will make a copy of your script and run it in my environment and see what I find...

Ok, well, I had the same result on my end (even though on HP-UX). You may want to try the following for your gpg command-line:

echo $PP | $U/gpg --command-fd 0 --passphrase-fd 0 --decrypt-files "$1.gpg" > /tmp/$$data 2>&1

This worked for me. You'll get the same result and, for some reason, the here document confuses gpg (also, it's not really performing any function anyway since the input for gpg is read via the --passphrase-fd option). Hope that helps!

Last edited by WolfBoy; 01-19-2006 at 04:01 PM.. Reason: Update
# 3  
Old 01-20-2006
Still no go

I appreciate your help. It still didn't work though. Here's what I'm getting.

$: decrypt_file /home/carlsob/test-file.txt
this is my test passphrase
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "test name (test comment) <testemail@pni.com>"
1024-bit ELG-E key, ID 84D710AC, created 2006-01-13 (main key ID F423056A)

-*- Error - decrypt (gpg) failed
$:

It appears as if the passphrase is being read before it's needed.

Here's the code snippet:

# Let's decrypt the file
PP='this is my test passphrase'
echo $PP
echo $PP| $U/gpg --command-fd 0 --passphrase-fd 0 --decrypt-files "$1.gpg" > /tmp/$$data 2>&1
# 4  
Old 01-20-2006
Hmmmm...

Actually, I'm getting the same output as you (re: the "You need a passphrase ..." message) yet my result is different. Here's some output from my run:

snippy<1046> ./testgpg.shl pgp
Pp=this is my passphrase
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "Test User <user@snippy>"
2048-bit ELG-E key, ID A3417109, created 2006-01-19 (main key ID C5CB77AE)

BEGIN TEMP FILE:
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: encrypted with 2048-bit ELG-E key, ID A3417109, created 2006-01-19
"Test User <user@snippy>"
END TEMP FILE:
--- File pgp.gpg successfully de-encrypted as pgp

The "BEGIN TEMP FILE" and "END TEMP FILE" stuff is just delimiting the contents of the /tmp/$$data file. Here's my script in its entirety:

#! /bin/ksh
#------------------
function decrypt_file
{
# This function uses the GnuPG (gpg command) to decrypt files
# $1.gpg will be the input file and the output will be called $1.

# The gpg command resides in /usr/local/bin

#Setup
B=/bin
U=/usr/local/bin # this is where the gpg executable is

# Check if the input file exists
if [[ ! -f $1.gpg ]] then
echo "-*- Error - $1.gpg not found"
return 1
fi

# Delete the output file (if one exists)
$B/rm -f $1

# Let's decrypt the file
#PP=`echo 'this is my test passphrase'` # this and the next line will be
PP=`echo 'this is my passphrase'` # this and the next line will be
echo "Pp=$PP" # replaced by an environment variable
echo $PP | $U/gpg --command-fd 0 --passphrase-fd 0 --decrypt-files "$1.gpg" > /tmp/$$data 2>&1

stat=$?

###
echo "BEGIN TEMP FILE:"
cat /tmp/$$data
echo " END TEMP FILE:"
###

if [[ $stat != 0 ]] then
echo "-*- Error - decrypt (gpg) failed"
return 1
fi

$B/grep -i "ERROR" /tmp/$$data > /dev/null
stat=$?
if [[ $stat != 1 ]] then
echo "-*- Decrypt failed"
cat /tmp/$$data
return 1
fi

# Look's like we're good to go
echo "--- File $1.gpg successfully de-encrypted as $1"

# Remove the input-file (the point of the whole process) and /tmp files
$B/rm -f $1.gpg
$B/rm -f /tmp/$$*

return 0
} # end decrypt_file
#------------------

decrypt_file $1

You could try using the --debug option and --verbose as well to see if that provides anything useful. Also, what is the value of your $stat variable after the gpg command and what are the contents of /tmp/$$data?
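The scripts in this thread decide whether gpg succeeded by grepping the captured output for "ERROR" (and the question above asks what $stat and /tmp/$$data actually contain). Those human-readable messages are locale-dependent and change between releases; gpg also emits machine-readable status lines on whatever descriptor is given to --status-fd (keywords such as DECRYPTION_OKAY, BAD_PASSPHRASE, NO_SECKEY and DECRYPTION_FAILED, documented in GnuPG's doc/DETAILS). The following is an added example, not code from the thread: a classifier for such a status file. The gpg_status function name and its return codes are choices made for this example, and the key id in the comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): classify a gpg run from the status
# lines written to --status-fd instead of grepping human-readable output.
#
# Typical use with a real gpg: fd 4 collects status, the rest goes to a log.
#   gpg --status-fd 4 --passphrase-fd 0 --decrypt-files "$1.gpg" \
#       4>/tmp/status.$$ >/tmp/log.$$ 2>&1
#   verdict=$(gpg_status /tmp/status.$$); rc=$?
#
# Status lines look like (key id here is a constructed placeholder):
#   [GNUPG:] BAD_PASSPHRASE 0123456789ABCDEF
#   [GNUPG:] DECRYPTION_FAILED

# gpg_status STATUSFILE
# Prints one word and returns 0 = ok, 2 = bad passphrase,
# 3 = secret key not available, 1 = any other failure / no success record.
gpg_status() {
    status_file=$1
    ok=0 failed=0 bad_pp=0 no_key=0
    if [ ! -r "$status_file" ]; then
        echo failed
        return 1
    fi
    while read -r tag keyword rest; do
        # Skip anything that is not a status line (e.g. warnings mixed in).
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            DECRYPTION_OKAY)   ok=1 ;;
            DECRYPTION_FAILED) failed=1 ;;
            BAD_PASSPHRASE)    bad_pp=1 ;;
            NO_SECKEY)         no_key=1 ;;
        esac
    done < "$status_file"
    # Specific causes first, so a caller can retry or alert appropriately.
    if [ "$bad_pp" -eq 1 ]; then echo bad_passphrase; return 2; fi
    if [ "$no_key" -eq 1 ]; then echo no_secret_key;  return 3; fi
    if [ "$ok" -eq 1 ] && [ "$failed" -eq 0 ]; then echo ok; return 0; fi
    echo failed
    return 1
}
```

Because only lines tagged `[GNUPG:]` are considered, the status descriptor can safely be merged with other output if a separate file is inconvenient, and success requires an explicit DECRYPTION_OKAY rather than the absence of an error string.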
# 5  
Old 03-01-2006
I was finally able to figure this out

Well, I was pulled away on another project (or three) and finally got back to it. After trying various combinations of the myriad of options I finally hit on what worked and I'm posting my solution for others that may need it.

(see the man page on this at:
http://www.gnupg.org/(en)/documentation/manpage.en.html)

My 'working' functions follow (I also included the encrypt_file function). If anyone spots something that would make these better let me know.

Now, as a side note - I just heard that we'll be getting Solaris - version 10 and it has (a company approved) encryption method included in it. So, whether this ever gets implemented or not is hard to say (go figure - at least I learned a bit doing all this).


#! /bin/ksh
function decrypt_file
{
# This function uses the GnuPG (gpg command) to decrypt files
# $1.gpg will be the input file and the output will be called $1.

# The gpg command resides in /usr/local/bin

#Setup
B=/bin
U=/usr/local/bin # this is where the gpg executable is

# Check if the input file exists
if [[ ! -f $1.gpg ]] then
echo "-*- Error - $1.gpg not found"
return 1
fi

# Delete the output file (if one exists)
$B/rm -f $1

# Let's decrypt the file
PP=`$B/cat /home/circop/.gnupg/.passphrase`
echo $PP| $U/gpg -r "Circop" --passphrase-fd 0 \
--decrypt-files "$1.gpg" > /tmp/$$data 2>&1

stat=$?
if [[ $stat != 0 ]] then
echo "-*- Error - decrypt (gpg) failed"
return 1
fi

$B/grep -i "decryption failed" /tmp/$$data > /dev/null
stat=$?
if [[ $stat != 1 ]] then
echo "-*- Decrypt failed"
cat /tmp/$$data
return 1
fi

# Look's like we're good to go
echo "--- File $1.gpg successfully decrypted as $1"

# Remove the input-file (the point of the whole process) and /tmp files
$B/rm -f $1.gpg
$B/rm -f /tmp/$$data

return 0
} # end decrypt_file


#! /bin/ksh
function encrypt_file
{
# This function uses the GnuPG (gpg command) to encrypt files
# $1 will be the input file and the output will be called $1.gpg

# The gpg command resides in /usr/local/bin

#Setup
B=/bin
U=/usr/local/bin # this is where the gpg executable is

# Check if the input file exists
if [[ ! -f $1 ]] then
echo "-*- Error - $1 not found"
return 1
fi

# Delete the output file
$B/rm -f $1.gpg

# Let's encrypt the file
$U/gpg --recipient "Circop" --no-secmem-warning --output "$1.gpg" \
--encrypt "$1" > /tmp/$$data
stat=$?
if [[ $stat != 0 ]] then
echo "-*- Error - encrypt (gpg) failed"
return 1
fi

$B/grep -i "ERROR" /tmp/$$data > /dev/null
stat=$?
if [[ $stat != 1 ]] then
echo "-*- Encrypt failed"
cat /tmp/$$data
return 1
fi

# Look's like we're good to go
echo "--- File $1 successfully encrypted as $1.gpg"

# Remove the input-file (the point of the whole process) and /tmp files
$B/rm -f $1
$B/rm -f /tmp/$$data

return 0
} # end encrypt_file


This is a great site. Wish I'd have known of it years ago when I first started learning Unix.
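The working decrypt_file above reads the passphrase from ~/.gnupg/.passphrase and pipes it to gpg on stdin, which is also why the here document in post #1 broke things: both were competing for descriptor 0. The following is an added example, not code from the thread, that keeps the same structure but passes the passphrase on its own descriptor with --passphrase-fd 3 (stdin and stdout stay free for data), refuses a passphrase file that group or other can read, never echoes the secret, and uses mktemp rather than the predictable /tmp/$$data name. The GPG variable and the check_passphrase_file helper are conventions of this example, not gpg features; the stub in the test stands in for the real binary. On GnuPG 2.1 and later, --passphrase-fd additionally requires --pinentry-mode loopback, an option the 1.x releases used in this thread do not accept.

```shell
#!/bin/sh
# Added example (not from the thread): feed the passphrase to gpg on a
# dedicated descriptor, check the passphrase file's permissions first, and
# rely on gpg's exit status. GPG may be overridden (an assumption of this
# example, not a gpg option), e.g. to point at a test stub.
GPG=${GPG:-/usr/local/bin/gpg}

# check_passphrase_file FILE
# Succeeds only for a regular file with no group/other permission bits
# (columns 5-10 of `ls -l`), i.e. mode 0600 or stricter.
check_passphrase_file() {
    pp_file=$1
    if [ ! -f "$pp_file" ]; then
        echo "-*- Error - $pp_file is not a regular file" >&2
        return 1
    fi
    perms=$(ls -ld "$pp_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "-*- Error - $pp_file must be mode 0600 (group/other bits: $perms)" >&2
        return 1
    fi
    return 0
}

# decrypt_file INPUT.gpg OUTPUT PASSPHRASE_FILE
decrypt_file() {
    in=$1 out=$2 pp_file=$3
    if [ ! -f "$in" ]; then
        echo "-*- Error - $in not found" >&2
        return 1
    fi
    check_passphrase_file "$pp_file" || return 1
    log=$(mktemp) || return 1      # unpredictable name, unlike /tmp/$$data

    # --batch/--no-tty: never prompt; --yes: overwrite OUTPUT if it exists.
    # The passphrase file is opened on fd 3 for the gpg process only: it is
    # never stored in a variable, echoed, or put on the command line
    # (where ps would show it).
    "$GPG" --batch --no-tty --yes --passphrase-fd 3 \
        --output "$out" --decrypt "$in" 3< "$pp_file" > "$log" 2>&1
    stat=$?
    if [ "$stat" -ne 0 ]; then
        echo "-*- Error - decrypt (gpg) failed (exit status $stat)" >&2
        cat "$log" >&2
        rm -f "$log" "$out"        # leave no partial plaintext behind
        return 1
    fi
    rm -f "$log"
    echo "--- File $in successfully decrypted as $out"
    return 0
}
```

Removing the encrypted input after a successful run, as the thread's functions do, can be added by the caller once decrypt_file has returned 0; keeping that step outside the function makes the function safe to re-run.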