
Is it possible to force gpg to do in-place encryption? In other words, to overwrite the source (unencrypted) file with encrypted data?

This is how ccrypt(1) operates by default.

Adam Monsen

2 Answers


The answer is basically no, not without custom code.

gpg can operate on pipes, so if there were an easy way to destructively send data to a pipe, this might be doable. But there isn't.

Another idea to keep from using up the disk quickly is to encrypt chunks at a time (in custom software).

with open(path, "r+b") as f:          # open the file for in-place rewriting
    rd = wr = 0                       # read offset; the write offset trails behind it
    while chunk := f.read(CHUNK):     # read() until eof (f sits at rd after the seek below)
        rd += len(chunk)
        out = encrypt(chunk)          # encrypt(): placeholder cipher; output must not exceed the input length
        f.seek(wr)
        f.write(out)                  # write() the ciphertext over plaintext that was already read
        wr += len(out)
        f.seek(rd)                    # seek() forward to the next unread chunk
    f.truncate(wr)                    # if the output was shorter, drop the leftover tail

It appears that ccrypt is able to operate in-place because the encrypted data is the same length as the decrypted data (I know little of crypto, but this might just be a general property of block ciphers). GPG/PGP does stuff like compressing and adding headers, so the output data won't be the same length. If it is shorter, no problem (the above custom code should work). If it is longer, more work would need to be done to place overflow somewhere else.

This custom code adds complexity (and obscurity) to encryption and decryption.

Adam Monsen
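Added example, not code from the question or either answer: a Python version of the chunked read/encrypt/write/seek loop from the answer above, with a trailing write cursor so it also handles output shorter than the input (the leftover tail is truncated) and refuses output that is longer, the overflow case the answer mentions. `rewrite_in_place`, the `compress_frame` stand-in transform (a shrinking transform used only to exercise the loop, not a cipher) and the sample inputs are constructed for this example; a real encryptor would be passed in place of the transform.

```python
import os
import struct
import zlib
# Constructed inputs: repetitive text shrinks under the stand-in transform, noise does not.
SAMPLE_TEXT = b"the quick brown fox jumps over the lazy dog\n" * 4096
SAMPLE_NOISE = os.urandom(8192)

def rewrite_in_place(path, transform, chunk_size=64 * 1024):
    """Overwrite `path` chunk by chunk with transform(chunk) using no second file.
    Works only while each output is no longer than its input (see the answer above)."""
    with open(path, "r+b") as f:
        read_pos = write_pos = 0  # the write cursor trails the read cursor
        while True:
            f.seek(read_pos)
            chunk = f.read(chunk_size)
            if not chunk:
                break
            read_pos += len(chunk)
            out = transform(chunk)
            if write_pos + len(out) > read_pos:  # would clobber plaintext not yet read
                raise ValueError("output longer than input; overflow needs a side file")
            f.seek(write_pos)
            f.write(out)
            write_pos += len(out)
        f.truncate(write_pos)  # drop the tail a shrinking transform leaves behind
    return write_pos

def compress_frame(chunk):
    """Stand-in for an encryptor whose output shrinks: 4-byte length prefix + zlib body."""
    body = zlib.compress(chunk, 9)
    return struct.pack(">I", len(body)) + body

def read_frames(path):
    """Inverse of compress_frame over the whole file, used to verify the rewrite."""
    out = bytearray()
    with open(path, "rb") as f:
        while len(hdr := f.read(4)) == 4:
            out += zlib.decompress(f.read(struct.unpack(">I", hdr)[0]))
    return bytes(out)

def roundtrip_ok(path, data, chunk_size=4096):  # write, rewrite in place, verify, clean up
    with open(path, "wb") as f:
        f.write(data)
    try:
        new_size = rewrite_in_place(path, compress_frame, chunk_size)
        return new_size < len(data) and read_frames(path) == data
    except ValueError:
        return False  # overflow case: a chunk grew, so the in-place rewrite was refused
    finally:
        os.remove(path)
```

If the process dies inside the loop the file is left partly transformed, which is the corruption risk the second answer describes.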

gpg does it by opening a new file using the original filename and appending a .gpg extension, then writing the encrypted data out to the new file. If everything works fine, it deletes the original file.

I don't think you'd want to use actual in-place encryption, where it would read a byte, crypt it, write it back out to the file, etc... what happens if something kills the gpg process half-way through? You've now got a corrupted file, with half of the plaintext dangling in the breeze.

Marc B
Yep, I agree with your analysis about gpg, I confirmed the same with strace. As to why I want in-place encryption... I just do. :) Here's one scenario: I want to encrypt a 400GB file and I have a 500GB hard drive. Other reasons I want this: it is more secure. Yes, I realize it is more dangerous, too. See the ccrypt(1) manpage: "For encryption, this is usually the desired behavior, since one does not want copies of the unencrypted data to remain in hidden places in the file system." – Adam Monsen Feb 27 '11 at 07:09