Batch Program Needs to Bypass the Passphrase

Frank Calfo frank.calfo at csgpro.com
Thu Oct 9 14:45:48 CEST 2003


Sorry if this has already been answered but I thought I'd pass along my two 
cents since I just finished a long struggle with this (thanks to help from 
this group!):

I have created a few batch files to automate encryption and decryption, 
even with a keystore that is password protected (GPG version 1.2.1).

To encrypt a file via key-based encryption and sign it with your own secret 
key, the following command within a batch file has been working well on 
Windows:

@rem Script wrapper for GNU PGP utility function: Encrypt a file using key-based encryption
@rem Arguments: 1 - password to keystore
@rem            2 - path to keystore
@rem            3 - id of public key to use to encrypt the file - should be key of client receiving the file
@rem            4 - fully qualified name of file to encrypt
@rem Note: since client is prepared for key-based encryption and since we have the keystore password
@rem this script will also sign the encrypted file to provide extra security
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad passphrase error
@rem The leading @ on the echo line matters as well: without it (or an @echo off at the top of the
@rem script) cmd.exe displays the expanded command line, passphrase included, before running it.

@echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --always-trust --sign --recipient %3 --encrypt %4


To encrypt a file via password-based encryption WITHOUT signing it, the 
following command within a batch file has been working well on Windows:

At this point I hit some trouble if I tried to sign the encrypted file, 
since that requires two passwords as input: the password to use for 
encryption and the password to use to access the keystore so the encrypted 
file can be signed.  I decided to avoid the problem by not signing the 
encrypted file - that left me with just one input (the encryption password), 
which this script can handle.

I figured that not signing the encrypted file is ok in this scenario since 
we're using password-based encryption.  If the client receiving the file 
wants to verify my signature, they need to have my public key - and if they 
have my public key then they're familiar with key-based encryption, so why 
not use key-based encryption instead of password-based encryption?

Thus, I'm treating password-based encryption as a less stringent, easier 
form of encryption where the lack of a signed file is not all that bad.  If 
the receiver wants the extra security of a signed file, then they just need 
to step up to key-based encryption (again, they'll need to start dealing 
with keys to verify the signature anyway, so this should not be a big deal).

@rem Script wrapper for GNU PGP utility function: Encrypt a file using password-based encryption
@rem Arguments: 1 - password to encrypt the file with
@rem            2 - path to keystore
@rem            3 - fully qualified name of unencrypted file to encrypt
@rem Note: since client is assumed to be not prepared for key-based encryption if they are using
@rem this option and since we do not have a good way to provide the keystore password for
@rem this option, this script will not sign the encrypted file
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad passphrase error
@rem The leading @ keeps cmd.exe from displaying the expanded command line (and the password) before running it.

@echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --symmetric %3


To decrypt a file encrypted via passphrase-based encryption, the following 
command within a batch file has been working well on Windows:

@rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with password-based encryption
@rem Arguments: 1 - password that file was encrypted with
@rem            2 - path to keystore
@rem            3 - fully qualified name of decrypted file to create
@rem            4 - fully qualified name of encrypted file to decrypt
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad passphrase error
@rem The leading @ keeps cmd.exe from displaying the expanded command line (and the password) before running it.

@echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4


To decrypt a file encrypted via key-based encryption, the following command 
within a batch file has been working well on Windows.  Note that this is the 
same as the previous example.  The only difference is that the previous one 
passed in the encryption password under argument #1 while this one passes 
the keystore password under argument #1:

@rem Script wrapper for GNU PGP utility function: Decrypt a file encrypted with key-based encryption
@rem Arguments: 1 - password to keystore
@rem            2 - path to keystore
@rem            3 - fully qualified name of decrypted file to create
@rem            4 - fully qualified name of encrypted file to decrypt
@rem Watch it! - on Windows do NOT include space between %1 and the pipe (|) - will get bad passphrase error
@rem The leading @ keeps cmd.exe from displaying the expanded command line (and the password) before running it.

@echo %1| gpg --homedir %2 --batch --yes --passphrase-fd 0 --output %3 --decrypt %4


hth,
Frank


At 03:43 PM 10/7/2003 -0400, Kordet, Kimberly wrote:
>Hi,
>
>I am writing a batch program (.bat) to encrypt and decrypt files.  However,
>I'm having trouble figuring out how to NOT have it prompt me for a
>passphrase.  I've looked up things on --passphrase-fd 0 and environment
>variables, but I can't seem to find the actual steps to follow to get it
>working properly.
>
>Please let me know if you can help!
>
>Thanks,
>Kim
>
>
>_______________________________________________
>Gnupg-users mailing list
>Gnupg-users at gnupg.org
>http://lists.gnupg.org/mailman/listinfo/gnupg-users
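Editor's added example, not code from Frank's post or from GnuPG itself: the four batch wrappers above rewritten as one cross-platform Python module that feeds the passphrase to gpg on fd 0 (the same --passphrase-fd 0 technique) but never places it on the command line and does not depend on cmd.exe's echo behaviour, so the trailing-space "bad passphrase" pitfall cannot occur. Assumptions: gpg is on PATH; GnuPG 2.1 or later, which needs --pinentry-mode loopback for --passphrase-fd to be honoured (pass loopback=False on GnuPG 1.x such as the post's 1.2.1, which rejects that option); the passphrase arrives in an environment variable named GPG_PASSPHRASE, a name chosen here for illustration. The module also shows why --always-trust from the post is worth leaving off.

```python
"""Added example (not from the original post or from GnuPG): non-interactive
gpg wrappers that pass the passphrase on stdin via --passphrase-fd 0.

Assumptions: `gpg` is on PATH; GnuPG >= 2.1 unless loopback=False; the
passphrase is supplied in GPG_PASSPHRASE (illustrative variable name)."""
import os
import subprocess
import sys
from typing import List

GPG = "gpg"  # assumption: gpg resolvable on PATH


def passphrase_line(passphrase: str) -> bytes:
    """Exactly what gpg should read on fd 0: the passphrase and one line feed.

    gpg takes the first line it reads from --passphrase-fd as the passphrase.
    That boundary is what the post's `echo %1 |` warning is about: cmd.exe's
    echo emits everything up to the pipe, trailing space included, so the
    space becomes part of the passphrase and gpg reports a bad passphrase.
    Writing the bytes ourselves removes the ambiguity."""
    if "\r" in passphrase or "\n" in passphrase:
        raise ValueError("passphrase must be a single line")
    return passphrase.encode("utf-8") + b"\n"


def base_argv(homedir: str, loopback: bool = True) -> List[str]:
    argv = [GPG, "--homedir", homedir, "--batch", "--yes", "--passphrase-fd", "0"]
    # GnuPG 2.1+ hands passphrase prompts to gpg-agent/pinentry and honours
    # --passphrase-fd only with loopback pinentry. GnuPG 1.x (the post's
    # 1.2.1) does not know this option, so callers on 1.x pass loopback=False.
    if loopback:
        argv += ["--pinentry-mode", "loopback"]
    return argv


def encrypt_sign_argv(homedir, recipient, infile, always_trust=False, loopback=True):
    """Key-based encryption signed with our own key (the post's first script)."""
    argv = base_argv(homedir, loopback)
    if always_trust:
        # The post passes --always-trust. It disables the validity check on the
        # recipient key, so a rogue key carrying the recipient's user ID that
        # found its way into the keyring would silently receive the plaintext.
        # Prefer leaving it off and addressing recipients by full fingerprint.
        argv.append("--always-trust")
    return argv + ["--sign", "--recipient", recipient, "--encrypt", infile]


def encrypt_symmetric_argv(homedir, infile, loopback=True):
    """Passphrase-based (symmetric) encryption, unsigned (the post's second script)."""
    return base_argv(homedir, loopback) + ["--symmetric", infile]


def decrypt_argv(homedir, outfile, infile, loopback=True):
    """Decrypt either kind of message. gpg sees from the session-key packet
    whether the passphrase unlocks a secret key or derives the symmetric key,
    which is why the post's two decrypt scripts are identical."""
    return base_argv(homedir, loopback) + ["--output", outfile, "--decrypt", infile]


def argv_leaks_secret(argv: List[str], passphrase: str) -> bool:
    """True if the passphrase would be visible in the process command line
    (ps, Task Manager, shell history, batch echo)."""
    return any(passphrase in arg for arg in argv)


def run_gpg(argv: List[str], passphrase: str) -> subprocess.CompletedProcess:
    """Run gpg with the passphrase on stdin only. argv is a list, so no shell
    is involved: no quoting rules, no echo, nothing in shell history."""
    assert not argv_leaks_secret(argv, passphrase)
    return subprocess.run(argv, input=passphrase_line(passphrase),
                          capture_output=True, check=False)


if __name__ == "__main__":
    # Usage (passphrase via the environment rather than argv; note that a
    # running process's environment is still readable by the same user):
    #   GPG_PASSPHRASE=... python gpgwrap.py sym <homedir> <file>
    #   GPG_PASSPHRASE=... python gpgwrap.py key <homedir> <recipient> <file>
    #   GPG_PASSPHRASE=... python gpgwrap.py dec <homedir> <outfile> <infile>
    pw = os.environ.get("GPG_PASSPHRASE")
    if pw is None or len(sys.argv) < 4:
        sys.exit("usage: GPG_PASSPHRASE=... gpgwrap.py sym|key|dec <args>")
    builders = {"sym": encrypt_symmetric_argv, "key": encrypt_sign_argv, "dec": decrypt_argv}
    result = run_gpg(builders[sys.argv[1]](*sys.argv[2:]), pw)
    sys.stderr.write(result.stderr.decode(errors="replace"))
    sys.exit(result.returncode)
```

The argv builders are kept separate from run_gpg so the command line can be inspected (or logged) without the secret, and so a caller on an old GnuPG can drop the loopback option while keeping everything else the same.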



