-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Crest wrote:
> Ken Takusagawa wrote:
>
>> I have many files that are all encrypted with the same public key, and
>> the private key is protected with a passphrase. Is there a way that I
>> can decrypt all of them at once, concatenate the results and print it
>> all to standard output but only have to type my passphrase once? I'd
>> like to avoid having the decrypted files be written to disk, i.e., I'd
>> like "-d" behavior but with multiple files.
>
> man gpg # and search for --command-fd

DETAILS PLEASE! I did, and tried to use the --multifile before that.
When I looked for command-fd in the doc/DETAILS as promised by the man
page it wasn't there. A search for how to use it on Google wasn't all
that useful either.

Now the following code will get you part way towards where you want to
go (maybe). It is also available here (with srm code):

http://www.securemecca.com/Crypto.tbz
http://www.securemecca.com/Crypto.tbz.sig
http://www.securemecca.com/Crypto.7z
http://www.securemecca.com/Crypto.7z.sig

For now they are signed with public key 5BA96FAC. Here is the script:

- ------------------------------------------------------------------------
#!/bin/bash
# What this script does is decrypt multiple publicly
# encrypted files and concatenate all the files together
# into one file. Optionally, you can print the file. The
# order in which the files are in the output file is set
# by where you put them in the cryptfiles file list.
#
# WARNING
# There are so many things wrong with this shell script from a
# security standpoint that I will not claim it. That holds for
# whoever I am. Will somebody provide a better shell script
# please?
#
# The /bin/sh designator does not always mean you are using the
# Bourne shell. Most Linux systems do not have the Bourne shell
# because all they have is BASH. Just make sure you don't have
# any history going out of here.

if test "$#" -eq 0
then
    echo
    echo usage: decryptNcat.sh OUTPUT_FILE_NAME
    echo
    exit
fi

OUTPUTFILE=$1

# Switch off shell history while the pass-phrase is being handled.
SAVEHISTSIZE=${HISTSIZE}
HISTSIZE=0
export HISTSIZE

if [ ! -s cryptfiles ]
then
    echo put crypted files in a list in files cryptfiles
    echo with one file per line and make sure they are in
    echo the order you want them in.
    exit 1
fi

rm -f ${OUTPUTFILE}
touch ${OUTPUTFILE}

echo -n "what is the passphrase:  "
read PASSPHRASE
clear
echo

cat cryptfiles | while read FILE
do
    if [ -s ${FILE} ]
    then
        # Only accept files that carry a public-key encrypted packet.
        gpg --list-packets --list-only ${FILE} > testforkey
        if grep -iq pubkey testforkey
        then
            echo adding file ${FILE} to the ${OUTPUTFILE} file
            echo
            gpg -q -d --passphrase ${PASSPHRASE} < ${FILE} \
                >> ${OUTPUTFILE} 2> /dev/null
        else
            echo file ${FILE} may not be a valid OpenPGP file
            echo skipping it
            echo
        fi
    else
        echo file ${FILE} either does not exist or is empty
        echo skipping it
        echo
    fi
    rm -f testforkey
done

# Overwrite the pass-phrase variable before leaving.
PASSPHRASE=BOGUS
export PASSPHRASE
PASSPHRASE=BOGUS

# Uncomment the following and substitute your commands to print
# the file and then securely remove the file
# if lp -q 100 ${OUTPUTFILE}
# then
#     sleep 60
#     srm ${OUTPUTFILE}
# fi

HISTSIZE=${SAVEHISTSIZE}
export HISTSIZE
exit
- ------------------------------------------------------------------------

So what is wrong with it?

1. It is dangerous.
   - your secret pass-phrase is in a SHELL variable!?
   - worries about history
   - where has the Bourne shell gone?
   - pass-phrase is visible; use LCD; if you must use CRT do it so
     nobody can read it with RF sensors; make sure nobody is looking
     over your shoulder.
   - etcetera, etcetera, etcetera - you fill 'em in

2. It is inefficient.
   - cat cryptfiles | while read FILE ...
   - gpg -q -d --passphrase ${PASSPHRASE} < ${FILE} \
         >> output 2> /dev/null
   - etcetera

3. It only gets you part way there. Ken wanted it to go to the printer,
   not a file. Yes, he can print the file and use srm on it to securely
   remove it but what if somebody hacks in or is in from the internet
   and steals the file in the process?
So what is right with it?

1. You only type the pass-phrase once. Repetition of key things kills
   you - look at history. At least we aren't repeating the typing of
   our secret pass-phrase.

2. Modify the script to decrypt multiple files into separate files as
   they come in from remote sites. At least the sending is sort of
   automated by automatic encryption on the sending end.

3. IT WORKS! Well, sorta ...

Now if you can flesh in the details on how to use command-fd or
command-file options we are all ears. This script is NOT what Ken is
looking for. But maybe, just maybe, it will give him some ideas.

HHH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGhL+Zr3QZv1upb6wRCoOMAKCex2sg9LEenWNeRtqVcpYPwvO7cQCgj0oG
LiciRmk9vuWvJvum10DkxG8=
=FeNJ
-----END PGP SIGNATURE-----
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
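As an added example (not HHH's script and not anything from the list), here is one way to do what Ken asked for: decrypt every file in the list, in order, straight to stdout so the plaintext can be piped to lp instead of landing in a file, with the pass-phrase typed once and passed to gpg over a pipe via --passphrase-fd rather than on the command line. It assumes gpg is in PATH; the list-file layout and the function names are this example's own.

```shell
#!/bin/bash
# Added example, not the list post's script: decrypt every file named in
# LISTFILE, in list order, to stdout (pipe it to lp) so plaintext never
# touches disk; the pass-phrase is read once, without echo, and reaches gpg
# via a pipe rather than an argument.  Assumes gpg in PATH; names are ours.
set -u

# Usable entries of the list file (one path per line): blank lines and
# missing or empty files are skipped and reported on stderr.  Pure shell.
collect_files() {
    local list=$1 f
    while IFS= read -r f || [ -n "$f" ]; do
        [ -z "$f" ] && continue
        if [ -s "$f" ]; then
            printf '%s\n' "$f"
        else
            printf 'skipping %s: missing or empty\n' "$f" >&2
        fi
    done < "$list"
}

# GnuPG 2.1+ routes pass-phrases through gpg-agent, so --passphrase-fd is
# only honoured with --pinentry-mode loopback (an option 1.4/2.0 lack).
gpg_loopback_opts() {
    case "$(gpg --version 2>/dev/null | head -n 1)" in
        *' 1.'*|*' 2.0.'*) ;;
        *) printf '%s' '--pinentry-mode loopback' ;;
    esac
}

# Decrypt the files named on stdin to stdout.  gpg's own stdin is the
# pass-phrase pipe, so it cannot swallow the file list; the pass-phrase
# lives only in a function-local variable that is unset on return.
decrypt_all() {
    local pass f opts rc=0
    opts=$(gpg_loopback_opts)
    IFS= read -rs -p 'pass-phrase: ' pass < /dev/tty
    printf '\n' >&2
    while IFS= read -r f; do
        printf '%s\n' "$pass" | gpg --batch --quiet --passphrase-fd 0 $opts \
            --decrypt -- "$f" || { printf 'failed: %s\n' "$f" >&2; rc=1; }
    done
    unset pass
    return "$rc"
}
if [ $# -eq 1 ]; then
    collect_files "$1" | decrypt_all
else
    echo "usage: $0 LISTFILE [| lp]" >&2
fi
```

On GnuPG 2.x with a running gpg-agent the simpler route is to drop --passphrase-fd altogether and let the agent cache the pass-phrase after the first file, which gives the same "type it once" behaviour.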