Is there a good default Python or simple shell script that I can use to encrypt and decrypt files via PGP/GPG? I would be running this script every 5 minutes.
3 Answers
You do not want a symmetric cipher
If you need to auto-run encryption you don't want to use a symmetric cipher with a passphrase (this is what gpg -ac does). Storing the passphrase in a script or in cron is unacceptable and pointless (seriously, this sounds harsh, but you may as well rot13 it.)
If you're using encryption, it isn't enough to simply "change the permissions" of the script. If it was, you could simply change the permissions on the data you want to hide. Encryption at this level is obviously meant to stop someone who has gained access to your account (most likely maliciously) reading the data once they have access.
In this case, what you want is public key cryptography. You generate a private key (which is encrypted again with a symmetric cipher with a password) and a public key. The public key can be distributed anywhere. Anyone can encrypt data that you can read with your private key. No one should have access to your private key. So for the type of encryption you need, it's perfect. You can store your public key on the server and encrypt all of your data using it. If an attacker has your public key and your encrypted data, he can do nothing.
Your private key should be the bit of the puzzle a potential attacker is always missing. You need to hide this. i.e. encrypting data that you can read is easy. Decrypting it should be hard. With a symmetric cipher, the difficulty of both is the same (if you want to think of it in those terms, it's probably not the greatest analogy.)
GPG makes public crypto relatively painless, but first things first, you need to generate a keypair (this is not done on your server, but on your desktop or somewhere secure you're happy having your private key):
$ gpg --gen-key
Run through the questions there.
Then you want to export your GPG public key and copy and paste it to your server:
$ gpg --list-keys
$ gpg --armor --export me@mydomain.com > pub.key
Copy pub.key to your server and then import with:
$ gpg --import pub.key
If you're considering using encryption in the first place, it's obviously because you've got sensitive data. I'd stress again: you need to think seriously about the way you're encrypting this data as it is a whole lot of effort for no gain if you simply use a symmetric cipher where the password can be accessed trivially.
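As an added example, not code from this answer or from GnuPG: a small bash script for the cron job, built on the public-key approach described above. The server holds only the imported public key (in the keyring GNUPGHOME points at), every file in an inbox directory is encrypted to that key, and the plaintext is deleted only after the ciphertext has been written; the directory paths, the script path and the recipient address are assumed names.

```shell
#!/bin/bash
# Cron-driven file encryption using only a public key on the server, as the
# answer above recommends. Files dropped into an inbox directory are encrypted
# to RECIPIENT and written as <name>.gpg into an outbox; the private key never
# touches this host. All paths and the recipient address are example values.
set -u

# Encrypt one file to RECIPIENT. Returns non-zero (and keeps the plaintext)
# if gpg fails or produces an empty output file.
encrypt_file() {
    local src="$1" dst="$2" recipient="$3"
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$recipient" --output "$dst" --encrypt "$src" || return 1
    [ -s "$dst" ] || { rm -f "$dst"; return 1; }
    return 0
}

# Encrypt every regular file in INBOX into OUTBOX/<name>.gpg and delete the
# plaintext only after the ciphertext exists. Prints the number of files
# encrypted and returns non-zero if any file failed.
encrypt_inbox() {
    local inbox="$1" outbox="$2" recipient="$3" failed=0 count=0 f dst
    mkdir -p "$outbox"
    for f in "$inbox"/*; do
        [ -f "$f" ] || continue
        dst="$outbox/$(basename "$f").gpg"
        if encrypt_file "$f" "$dst" "$recipient"; then
            rm -f "$f"
            count=$((count + 1))
        else
            echo "encryption failed for $f; plaintext kept" >&2
            failed=1
        fi
    done
    echo "$count"
    return "$failed"
}

# Intended crontab entry (every 5 minutes), with GNUPGHOME pointing at a
# keyring that holds only the imported public key (example paths):
#   */5 * * * * GNUPGHOME=/srv/keys /usr/local/bin/encrypt-inbox.sh /srv/inbox /srv/outbox backup@example.invalid
if [ "$#" -eq 3 ]; then
    encrypt_inbox "$1" "$2" "$3"
fi
```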
#!/bin/bash
# Symmetric (-c), ASCII-armoured (-a) encryption of the file named in $1, written to stdout.
# The passphrase is passed on the command line, so it is visible to other users in ps output.
gpg --batch -ac --passphrase "secret" < "$1"
Seems a bit unnecessary to make it its own script, though.
- I need to auto run encryption on files every 5 minutes. – Daniel Nov 12 '09 at 02:31
- Then you can just run `gpg -ac passphrase="secret" < file` from cron. As tylerl stated, there's really no need for a script here. – EEAA Nov 12 '09 at 03:27
- There's gotta be a better way to protect the "secret" than just sticking it in the cron or directly on the command line. Otherwise, anyone can read the "secret" straight off of a ps -ef. – David Mackintosh Nov 12 '09 at 03:34
- If you don't want the passphrase in the script you can read it from a different file or configure the gpg-agent. http://www.gnupg.org/documentation/manuals/gnupg/Invoking-GPG_002dAGENT.html If you put it in a file or include it in the script make sure you have appropriately restricted access to both the file and the script that can read the file. – J.Zimmerman Nov 12 '09 at 07:36
The following crontab line will cause secretfile to be encrypted every 5 minutes with the specified passphrase, without revealing the passphrase to ps aux and similar queries. Of course, you will probably also want to do something with the original file and the encrypted result, but that's up to you.
SHELL=/bin/bash
*/5 * * * * gpg --batch -c --passphrase-fd 3 secretfile 3<<<"passphrase"