GPGDIR(1)                General Commands Manual                GPGDIR(1)

NAME
       gpgdir - recursive directory encryption with GnuPG

SYNOPSIS
       gpgdir -e|-d <directory> [options]

DESCRIPTION
       gpgdir is a Perl script that uses the CPAN GnuPG::Interface Perl module
       to recursively encrypt and decrypt directories using gpg. gpgdir
       recursively descends through a directory in order to make sure it
       encrypts or decrypts every file in a directory and all of its
       subdirectories. By default the mtime and atime values of all files will
       be preserved upon encryption and decryption (this can be disabled with
       the --no-preserve-times option). Note that in --encrypt mode, gpgdir
       will delete the original files that it successfully encrypts (unless
       the --no-delete option is given). However, upon startup gpgdir first
       asks for the decryption password to be sure that a dummy file can
       successfully be encrypted and decrypted. The initial test can be
       disabled with the --skip-test option so that a directory can easily be
       encrypted without having to also specify a password (this is consistent
       with gpg behavior). Also, note that gpgdir is careful not to encrypt
       hidden files and directories. After all, you probably don't want your
       ~/.gnupg directory or ~/.bashrc file to be encrypted. The key gpgdir
       uses to encrypt/decrypt a directory is specified in ~/.gpgdirrc.

       Finally, gpgdir can use the wipe program with the --Wipe command line
       option to securely delete the original unencrypted files after they
       have been successfully encrypted. This strengthens the security posture
       of gpgdir since it is more difficult to recover the unencrypted data
       associated with files from the filesystem after they are encrypted
       (unlink() does not erase data blocks even though a file is removed).

OPTIONS
       -e, --encrypt <directory>
              Recursively encrypt all files in the directory specified on the
              command line. All original files will be deleted (a password
              check is performed first to make sure that the correct password
              to unlock the private GnuPG key is known to the user).

       -d, --decrypt <directory>
              Recursively decrypt all files in the directory specified on the
              command line. The encrypted .gpg version of each file will be
              deleted.

       --sign <directory>
              Recursively sign all files in the directory specified on the
              command line. For each file, a detached .asc signature will be
              created.

       --verify <directory>
              Recursively verify all .asc signatures for files in the
              directory specified on the command line.

       -g, --gnupg-dir <directory>
              Specify which .gnupg directory will be used to find GnuPG keys.
              The default is ~/.gnupg if this option is not used. This option
              allows gpgdir to be run as one user but use the keys of another
              user (assuming permissions are set up correctly, etc.).

       -p, --pw-file <pw-file>
              Read decryption password from pw-file instead of typing it on
              the command line.

       -t, --test-mode
              Run an encryption and decryption test against a dummy file and
              exit. This test is always run by default in both --encrypt and
              --decrypt mode.

       -S, --Symmetric
              Instruct gpgdir to encrypt or decrypt files using a symmetric
              cipher supported by GnuPG (CAST5 is commonly used). This
              results in a significant speed up for the encryption/decryption
              process.

       -T, --Trial-run
              Show what encrypt/decrypt actions would take place without
              actually doing them. The filesystem is not changed in any way
              in this mode.

       -I, --Interactive
              Prompt the user before actually encrypting or decrypting each
              file. This is useful to have fine-grained control over gpgdir
              operations as it recurses through a directory structure.

       -F, --Force
              Tell gpgdir to ignore non-fatal error conditions, such as the
              inability to encrypt or decrypt individual files because of
              permissions errors.

       --Exclude <pattern>
              Instruct gpgdir to skip all files that match pattern as a regex
              match against each filename. This is similar to the --exclude
              option in the standard GNU tar command.

       --Exclude-from <file>
              Instruct gpgdir to exclude all files matched by patterns listed
              in file. This is similar to the --exclude-from option of the
              GNU tar command.

       --Include <pattern>
              Instruct gpgdir to only include files that match pattern as a
              regex match against each filename.

       --Include-from <file>
              Instruct gpgdir to only include files matched by patterns listed
              in file.

       -W, --Wipe
              Use the wipe program to securely delete files after they have
              been successfully encrypted.

       -O, --Obfuscate-filename
              Tell gpgdir to obfuscate the file names of files that it
              encrypts (in -e mode). The names of each file are stored within
              the file .gpgdir_map_file for every sub-directory, and this file
              is itself encrypted. In decryption mode (-d), the -O argument
              reverses the process so that the original files are restored.

       --overwrite-encrypted
              Overwrite encrypted files even if a previous <file>.gpg file
              already exists.

       --overwrite-decrypted
              Overwrite decrypted files even if the previous unencrypted file
              already exists.

       -K, --Key-id <id>
              Manually specify a GnuPG key ID from the command line. Because
              GnuPG supports matching keys with a string, id does not strictly
              have to be a key ID; it can be a string that uniquely matches a
              key in the GnuPG key ring.

       -D, --Default-key
              Use the key that GnuPG defines as the default, i.e. the key that
              is specified by the default-key variable in ~/.gnupg/options.
              If the default-key variable is not defined within
              ~/.gnupg/options, then GnuPG tries to use the first suitable key
              on its key ring (the initial encrypt/decrypt test makes sure
              that the user knows the corresponding password for the key).

       -a, --agent
              Instruct gpgdir to acquire the gpg key password from a running
              gpg-agent instance.

       -A, --Agent-info <connection info>
              Specify the value of the GPG_AGENT_INFO environment variable as
              returned by the gpg-agent --daemon command. If the gpgdir
              --agent command line argument is used instead of --Agent-info,
              then gpgdir assumes that the GPG_AGENT_INFO environment variable
              has already been set in the current shell.

       -s, --skip-test
              Skip encryption and decryption test. This will allow gpgdir to
              be used to encrypt a directory without specifying a password
              (which normally gets used in encryption mode to test to make
              sure decryption against a dummy file works properly).

       -q, --quiet
              Print as little as possible to the screen when encrypting or
              decrypting a directory.

       --no-recurse
              Instruct gpgdir to not recurse through any subdirectories of the
              directory that is being encrypted or decrypted.

       --no-password
              Instruct gpgdir to not ask the user for a password. This is
              only useful when a gpg key literally has no associated password
              (this is not common).

       --no-delete
              Instruct gpgdir to not delete original files at encrypt time.

       --no-preservetimes
              Instruct gpgdir to not preserve original file mtime and atime
              values upon encryption or decryption.

       -l, --locale <locale>
              Provide a locale setting other than the default "C" locale.

       --no-locale
              Do not set the locale at all so that the default system locale
              will apply.

       -v, --verbose
              Run in verbose mode.

       -V, --Version
              Print version number and exit.

       -h, --help
              Print usage information and exit.

FILES
       ~/.gpgdirrc
              Contains the key id of the user gpg key that will be used to
              encrypt or decrypt the files within a directory.

EXAMPLES
       The following examples illustrate the command line arguments that could
       be supplied to gpgdir in a few situations:

       To encrypt a directory:

       $ gpgdir -e /some/dir

       To encrypt a directory, and use the wipe command to securely delete the
       original unencrypted files:

       $ gpgdir -W -e /some/dir

       To encrypt a directory with the default GnuPG key defined in
       ~/.gnupg/options:

       $ gpgdir -e /some/dir --Default-key

       To decrypt a directory with a key specified in ~/.gpgdirrc:

       $ gpgdir -d /some/dir

       To encrypt a directory but skip all filenames that contain the string
       "host":

       $ gpgdir -e /some/dir --Exclude host

       To encrypt a directory but only encrypt those files whose names contain
       the string "passwd":

       $ gpgdir -e /some/dir --Include passwd

       To acquire the GnuPG key password from a running gpg-agent daemon in
       order to decrypt a directory (this requires that gpg-agent has the
       password):

       $ gpgdir -A /tmp/gpg-H4DBhc/S.gpg-agent:7046:1 -d /some/dir

       To encrypt a directory but skip the encryption/decryption test (so you
       will not be prompted for a decryption password):

       $ gpgdir -e /some/dir -s

       To encrypt a directory and no subdirectories:

       $ gpgdir -e /some/dir --no-recurse

       To encrypt root's home directory, but use the GnuPG keys associated
       with the user "bob":

       # gpgdir -e /root -g /home/bob/.gnupg

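       Added example, not part of the original gpgdir manual or its source:
       a post-run audit that lists what is still unencrypted after
       gpgdir -e, since hidden files are skipped by design and --no-delete,
       --Exclude or a permissions error can leave originals behind. The
       function names are hypothetical; it assumes encrypted output ends in
       .gpg and that "hidden" means any path component starting with a dot.

```shell
#!/bin/sh
# Added example (not part of gpgdir). Assumptions: gpgdir's encrypted output
# ends in .gpg, and "hidden" means any path component starting with a dot.

# Classify every regular file under DIR as ENCRYPTED, PLAINTEXT or HIDDEN.
gpgdir_audit() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # Subshell + cd: paths become relative, so a dot in DIR itself is ignored.
    ( cd "$1" && find . -type f -exec sh -c '
        for p do
            rel=${p#./}
            case "/$rel" in
                */.*)  printf "HIDDEN %s\n" "$rel" ;;     # skipped by gpgdir
                *.gpg) printf "ENCRYPTED %s\n" "$rel" ;;
                *)     printf "PLAINTEXT %s\n" "$rel" ;;  # original still on disk
            esac
        done' sh {} + )
}

# Print how many files under DIR ($2) are in STATE ($1).
gpgdir_audit_count() {
    gpgdir_audit "$2" | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Exit status 0 only when DIR exists and holds no non-hidden plaintext file.
gpgdir_all_encrypted() {
    [ -d "$1" ] || return 2
    [ "$(gpgdir_audit_count PLAINTEXT "$1")" -eq 0 ]
}

# Constructed sample tree: two encrypted files, two leftover plaintext
# files and two hidden files that gpgdir would not have touched.
gpgdir_audit_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/sub" "$t/.secret"
    : > "$t/a.txt.gpg"; : > "$t/b.txt"; : > "$t/.bashrc"
    : > "$t/.secret/key.pem"; : > "$t/sub/c.gpg"; : > "$t/sub/d.log"
    echo "$t"
}
```

       Run gpgdir_audit /some/dir after an encryption pass; HIDDEN lines show
       data that remains readable and needs separate handling.
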
DEPENDENCIES
       gpgdir requires that gpg, the GNU Privacy Guard (http://www.gnupg.org),
       is installed. gpgdir also requires the GnuPG::Interface Perl module
       from CPAN, but it is bundled with gpgdir and is installed in
       /usr/lib/gpgdir at install-time so it does not pollute the system Perl
       library tree.

SEE ALSO
       gpg(1)

AUTHOR
       Michael Rash <mbr@cipherdyne.org>

CONTRIBUTORS
       Many people who are active in the open source community have
       contributed to gpgdir; see the CREDITS file in the gpgdir sources.

BUGS
       Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are
       always welcome as well.

DISTRIBUTION
       gpgdir is distributed under the GNU General Public License (GPL), and
       the latest version may be downloaded from http://www.cipherdyne.org

Linux                            May, 2007                       GPGDIR(1)