On Wed 2014-03-26 17:37:05 -0400, ------ ------ wrote:
> is it possible to encrypt a file with a symmetric cipher (e.g., AES256)
> using a key file (e.g., a binary file) instead of a password?

Yes, but you will need to translate the binary file into a long ascii string first (which means the exact same transformation needs to be done on the decrypting side too, or else decryption will fail).

Here is an example, using "base64 -w0" as the translator, while creating the key file from /dev/urandom:

0 dkg@alice:~$ dd if=/dev/urandom of=key bs=256 count=1
1+0 records in
1+0 records out
256 bytes (256 B) copied, 0.000288545 s, 887 kB/s
0 dkg@alice:~$ echo secret info > secret.txt
0 dkg@alice:~$ base64 -w0 <key | gpg --symmetric --passphrase-fd 0 secret.txt
Reading passphrase from file descriptor 0
0 dkg@alice:~$ ls -l
total 12
-rw-r--r-- 1 dkg dkg 256 Mar 27 09:17 key
-rw-r--r-- 1 dkg dkg 12 Mar 27 09:17 secret.txt
-rw-r--r-- 1 dkg dkg 57 Mar 27 09:19 secret.txt.gpg
0 dkg@alice:~$ rm secret.txt
rm: remove regular file ‘secret.txt’? y
0 dkg@alice:~$ base64 -w0 <key | gpg --decrypt --passphrase-fd 0 secret.txt.gpg
Reading passphrase from file descriptor 0
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
secret info
gpg: WARNING: message was not integrity protected
0 dkg@alice:~$

If you don't like the pipes and stdio redirection (or if you're stuck on a platform that can't do them), you could translate the keyfile explicitly into a new file, and then use gpg's --passphrase-file option instead of --passphrase-fd. Just remember that gpg will only use the first line of the translated keyfile as its key, so avoid linebreaks in the translated output.

The gpg manpage is a useful source of more information about these options.

hth,

--dkg
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
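The --passphrase-file variant described in the reply, as an added example that is not part of the original post: it writes the translated keyfile as a single line, refuses to run gpg if that file contains a line break, and selects AES256 as the question asked. The function and file names are assumptions, and --batch with --pinentry-mode loopback is added because GnuPG 2.1 and later need them for unattended passphrase input.

```shell
#!/bin/sh
# Added example: keyfile -> one-line passphrase file -> gpg --passphrase-file.
# Function names and file names are assumptions chosen for this sketch.

# Translate a binary keyfile into a single-line ASCII passphrase file.
# The output is byte-identical to `base64 -w0 <key`; tr is used for portability.
make_passfile() {  # $1 = binary keyfile, $2 = passphrase file to create
    ( umask 077; base64 < "$1" | tr -d '\n' > "$2" )
}

# gpg uses only the first line of a passphrase file, so a line break inside
# it silently shortens the key. Succeed only if the file is non-empty and
# contains no newline at all.
passfile_ok() {    # $1 = passphrase file
    [ -s "$1" ] && [ "$(tr -cd '\n' < "$1" | wc -c)" -eq 0 ]
}

# Number of characters gpg would actually use as the key (first line only).
effective_len() {  # $1 = passphrase file
    head -n 1 "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# Options for unattended use: GnuPG 2.1+ needs loopback pinentry, while
# GnuPG 1.4 and 2.0 do not know --pinentry-mode.
gpg_opts() {
    case "$(gpg --version | head -n 1)" in
        *" 1."*|*" 2.0."*) echo "--batch" ;;
        *) echo "--batch --pinentry-mode loopback" ;;
    esac
}

encrypt_with_keyfile() {  # $1 = passphrase file, $2 = plaintext, $3 = output
    passfile_ok "$1" || { echo "line break or empty file: $1" >&2; return 1; }
    gpg $(gpg_opts) --yes --symmetric --cipher-algo AES256 \
        --passphrase-file "$1" --output "$3" "$2"
}

decrypt_with_keyfile() {  # $1 = passphrase file, $2 = ciphertext, $3 = output
    passfile_ok "$1" || { echo "line break or empty file: $1" >&2; return 1; }
    gpg $(gpg_opts) --yes --decrypt \
        --passphrase-file "$1" --output "$3" "$2"
}
```

Typical use is `make_passfile key key.b64` followed by `encrypt_with_keyfile key.b64 secret.txt secret.txt.gpg`; the decrypting side runs the same `make_passfile` on its own copy of the keyfile before calling `decrypt_with_keyfile`.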