
decrypting input, not a file...
I finally figured out the proper syntax to decrypt a file from the
command line, passing the passphrase as

echo '$passphrase' | gpg -v --batch --no-secmem-warning
--passphrase-fd 0 --decrypt $file

However, in a particular case... I would like to decrypt a 'string'
but don't want to necessarily write the 'string' to a file.

I know I can encrypt a 'string' passed on the command line... but how
can I get gpg to read a variable instead of passing a file name?

Sorry, fairly new to scripting with bash etc...

Please CC me on replies, I haven't subscribed to the list yet....

Thanks in advance for any help/advice.

- paul
--------------------- Kudosnet Technologies Inc. ---------------------

For a copy of our most recent newsletter send a blank email to:
mailto:latestnews@kudosnet.net

---------------------------- 1-877-885-8367 --------------------------
Re: decrypting input, not a file...
Paul Evad, at 19:24 -0700 on Wed, 17 May 2000, wrote:

> echo '$passphrase' | gpg -v --batch --no-secmem-warning
> --passphrase-fd 0 --decrypt $file
>
> However, in a particular case... I would like to decrypt a 'string'
> but don't want to necessarily write the 'string' to a file.

While I think using shell for anything sensitive is ridiculous...this
might work. I don't recommend passing in passphrases to stdin, however,
in case you run into situations where the passphrase isn't needed, and is
processed as part of the normal message by GnuPG.

echo "$passphrase\n$string" | gpg --passphrase-fd 0 --decrypt


> Please CC me on replies, I haven't subscribed to the list yet....

It is advisable for you to subscribe. Lots of goodies for those who do :)


--
Frank Tobin http://www.uiuc.edu/~ftobin/

"To learn what is good and what is to be valued,
those truths which cannot be shaken or changed." Myst: The Book of Atrus
Re: decrypting input, not a file...
At 2:26 PM -0500 5/18/00, Frank Tobin wrote:
>Paul Evad, at 19:24 -0700 on Wed, 17 May 2000, wrote:
>
>> echo '$passphrase' | gpg -v --batch --no-secmem-warning
>> --passphrase-fd 0 --decrypt $file
>>
>> However, in a particular case... I would like to decrypt a 'string'
>> but don't want to necessarily write the 'string' to a file.
>
>While I think using shell for anything sensitive is ridiculous...this
>might work. I don't recommend passing in passphrases to stdin, however,
>in case you run into situations where the passphrase isn't needed, and is
>processed as part of the normal message by GnuPG.
>
>echo "$passphrase\n$string" | gpg --passphrase-fd 0 --decrypt
>
>
>> Please CC me on replies, I haven't subscribed to the list yet....
>
>It is advisable for you to subscribe. Lots of goodies for those who do :)

Thanks for the feedback,

If anyone is interested... here is the resulting PHP script that will
encrypt/decrypt data using this hack..

<pre>
<?php

// $user must hold the key ID handed to gpg's -u/-r; it is not set in the
// script as posted. Form fields are read from $_POST (the original relied
// on register_globals, which no longer exists).
putenv("HOME=/home/httpd/");
$tocrypt    = isset($_POST['tocrypt'])    ? $_POST['tocrypt']    : "";
$passphrase = isset($_POST['passphrase']) ? $_POST['passphrase'] : "";
$code       = isset($_POST['code'])       ? $_POST['code']       : "";

if ($tocrypt) {
    // encrypt and append the ASCII-armored result to $code.
    // escapeshellarg() keeps a quote in the input from breaking out of the shell command.
    $command = "echo " . escapeshellarg($tocrypt) . " | gpg -a -q --no-tty -e -u $user -r $user";
    exec($command, $encrypted, $errorcode);
    foreach ($encrypted as $val) {
        $code .= "$val\n";
    }
}
if ($passphrase && $code) {
    // decrypt the code... the passphrase is the first line on stdin
    // (--passphrase-fd 0) and the armored message follows it. The command
    // must be a single line: a newline inside the string would end the shell command early.
    $command = "echo '$passphrase\n$code' | gpg -v --batch --no-secmem-warning --passphrase-fd 0 --decrypt";
    exec($command, $encrypted, $errorcode);
    echo "your secret message was: ";
    foreach ($encrypted as $val) {
        echo "$val\n";
    }
}
?>
<form method=post action=gpgtest.php3>
<input type=text name=passphrase>
<textarea name="code" rows=10 cols=80><?php echo htmlspecialchars($code) ?>
</textarea>
<input type=submit value=decrypt>
</form>
</pre>
<hr>
<pre>
<form method=post action=gpgtest.php3>
<input type=text name=tocrypt>
<input type=submit value=encrypt>
</form>
</pre>
Re: decrypting input, not a file...
Paul Evad <pevad@kudosnet.com> writes:

> $command="echo '$passphrase\n$code' | gpg -v --batch
> --no-secmem-warning --passphrase-fd 0 --decrypt";
> exec($command, $encrypted, $errorcode);

On most Unix-like systems, any local user can eavesdrop the passphrase
if you run this (and similar code) because command-line arguments are
readable for all users.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5
Re: decrypting input, not a file...
At 11:49 AM +0200 5/19/00, Florian Weimer wrote:
>> $command="echo '$passphrase\n$code' | gpg -v --batch
>> --no-secmem-warning --passphrase-fd 0 --decrypt";
>> exec($command, $encrypted, $errorcode);
>
>On most Unix-like systems, any local user can eavesdrop the passphrase
>if you run this (and similar code) because command-line arguments are
>readable for all users.

This I know.

but, if you are dealing with cycling through a database of encrypted
bits of information, needing to decrypt on the fly.. short of writing
everything to files (performance issue?) is there a better way?

The code above is not bulletproof, but if you do not allow shell
accounts on your server... well, it's 'mostly' secure ;_)

- paul
Re: decrypting input, not a file...
>>>>> "Paul" == Paul Evad <pevad@kudosnet.com> writes:

Paul> but, if you are dealing with cycling through a database of
Paul> encrypted bits of information, needing to decrypt on the
Paul> fly.. short of writing everything to files (performance issue?)
Paul> is there a better way?

Yes, but it requires an extension to php.

Unlike, e.g., perl or python, php cannot yet run a subcommand with
multiple pipes between parent and child. Were it able to, the
solution is to do what the GUI frontend(s?) to gpg do: a pipe for the
plaintext, one for the ciphertext, one for the passphrase (as
required), one for status and one for stderr.

A proposed syntax would be to extend php's popen() to take either an
array of direction strings, or a multi-char string of directions to
signify more than one pipe. It would then return an array of FDs,
one for each pipe.

-JimC
--
James H. Cloos, Jr. <URL:http://jhcloos.com/public_key> 1024D/ED7DAEA6
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Check out TGC: <URL:http://jhcloos.com/go?tgc>
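Added example, not code from anyone in this thread: PHP later gained proc_open(), which provides exactly the separate pipes JimC describes and so answers Paul's "is there a better way" without the argv exposure Florian points out. It assumes GnuPG 2.1 or later (--pinentry-mode loopback is required there for --passphrase-fd), a --homedir path holding the keyring, and the helper name gpg_decrypt(), all of which are choices made here.

```php
<?php
// Added example (not from the thread). PHP's proc_open() now provides the
// separate pipes JimC describes: ciphertext on stdin, plaintext on stdout,
// diagnostics on stderr, the passphrase on fd 3 and machine-readable
// status on fd 4. Nothing secret appears in argv, so `ps` cannot see it.
// Assumes GnuPG >= 2.1 (needs --pinentry-mode loopback for --passphrase-fd)
// and a keyring under $home whose secret key $passphrase unlocks.
function gpg_decrypt(string $armored, string $passphrase, string $home): array
{
    $spec = [
        0 => ['pipe', 'r'],   // stdin:  ciphertext
        1 => ['pipe', 'w'],   // stdout: plaintext
        2 => ['pipe', 'w'],   // stderr: human-readable diagnostics
        3 => ['pipe', 'r'],   // fd 3:   passphrase only
        4 => ['pipe', 'w'],   // fd 4:   --status-fd lines ("[GNUPG:] ...")
    ];
    $cmd = 'gpg --batch --no-tty --pinentry-mode loopback --passphrase-fd 3 '
         . '--status-fd 4 --homedir ' . escapeshellarg($home) . ' --decrypt';
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return ['ok' => false, 'plaintext' => '', 'stderr' => 'proc_open failed'];
    }
    // Passphrase first, then close fd 3 so gpg reads exactly one line.
    fwrite($pipes[3], $passphrase . "\n");
    fclose($pipes[3]);
    // Feed the ciphertext; a message from a database row fits the pipe
    // buffer, larger inputs would need stream_select() to avoid blocking.
    fwrite($pipes[0], $armored);
    fclose($pipes[0]);
    $plaintext = stream_get_contents($pipes[1]);
    $stderr    = stream_get_contents($pipes[2]);
    $status    = stream_get_contents($pipes[4]);
    foreach ([1, 2, 4] as $fd) {
        fclose($pipes[$fd]);
    }
    $exit = proc_close($proc);
    // Trust the status protocol, not just the exit code: DECRYPTION_OKAY is
    // emitted only when the message actually decrypted; a wrong passphrase
    // or a failed integrity check yields DECRYPTION_FAILED instead.
    $ok = $exit === 0 && strpos($status, '[GNUPG:] DECRYPTION_OKAY') !== false;
    return ['ok' => $ok, 'plaintext' => $plaintext, 'stderr' => $stderr];
}

// Usage when cycling through database rows (constructed call):
// $r = gpg_decrypt($row['armored'], $passphrase, '/home/httpd/.gnupg');
// if ($r['ok']) { echo $r['plaintext']; } else { error_log($r['stderr']); }
```

This closes only the argv leak; the passphrase still lives in PHP memory and in the POST body, so the web server's TLS and access controls remain the boundary.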
Re: decrypting input, not a file...
Paul Evad <pevad@kudosnet.com> writes:

> but, if you are dealing with cycling through a database of encrypted
> bits of information, needing to decrypt on the fly.. short of writing
> everything to files (performance issue?) is there a better way?

I prefer to have no passphrase at all in such cases. Of course, you
must keep the secret key ring at a safe place.

--
Florian Weimer Florian.Weimer@RUS.Uni-Stuttgart.DE
University of Stuttgart http://cert.uni-stuttgart.de/
RUS-CERT +49-711-685-5973/fax +49-711-685-5898
http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0xC06EC3B5