1gpgwrap(1) General Commands Manual gpgwrap(1)
3
7 gpgwrap - a small wrapper for gpg
8
11 gpgwrap -V
12 gpgwrap -P [-v] [-i] [-a] [-p <file>]
14 gpgwrap -F [-v] [-i] [-a] [-c] [-p <file>] [-o <name>] [--] <file>
16 [<file> ... ]
17 gpgwrap [-v] [-i] [-a] [-p <file>] [-o <name>] [--] gpg [gpg options]
19
22 The GNU Privacy Guard (gpg) supplies the option --passphrase-fd. This
23 instructs gpg to read the passphrase from the given file descriptor.
24 Usually this file descriptor is opened before gpg is executed via
25 execvp(3). Exactly that is what gpgwrap is doing. The passphrase may be
26 passed to gpgwrap in 4 ways:
27 * as file path, whereat the passphrase is stored as plain text
29 in the file
30 * it is piped from another program to the stdin of gpgwrap
32 * through the GPGWRAP_PASSPHRASE environment variable
34 * gpgwrap prompts for it
36 With no precautions the first point undermines the secure infrastruc‐
38 ture gpg provides. But in pure batch oriented environments this may be
39 what you want. Otherwise if you are willing to enter passphrases once
40 and don't want them to be stored as plain text in a file gpg-agent is
41 what you are looking for. Another security objection could be the use
42 of the environment variable GPGWRAP_PASSPHRASE which contains the
43 passphrase and may be read by other processes of the same user.
44
47 -V, --version
48 Print out version and exit.
49 -P, --print
51 Get the passphrase and print it mangled to stdout.
52 -F, --file
54 Read gpg commands from the given files. If <file> is - it is
55 read from stdin. Exactly one command per line is expected. The
56 given line is handled in the following way:
57 * In the first place the passphrase is mangled. This means that
59 unusual characters are replaced by their backslash escaped
60 octal numbers.
61 * Secondly the mangled passphrase is stored in the environment
63 variable GPGWRAP_PASSPHRASE.
64 * "exec gpgwrap -- " is prepended to each line, before the
66 result is passed as argument to "sh -c".
67 -h, --help
69 Print out usage information.
70 -v, --verbose
72 Increase verbosity level.
73 -i, --interactive
75 Always prompt for passphrase (ignores -p and the environment
76 variable).
77 -a, --ask-twice
79 Ask twice if prompting for a passphrase.
80 -c, --check-exit-code
82 While reading gpg commands from a file, gpgwrap ignores per
83 default the exit code of its child processes. This option
84 enables the check of the exit code. If a child terminates
85 abnormal or with an exit code not equal 0 gpgwrap stops immedi‐
86 ately and does return with this exit code. See also section
87 BUGS.
88 -p <file>, --passphrase-file <file>
90 Read passphrase from <file>. If <file> is - it is read from
91 stdin. The passphrase is expected to be in plain text. If this
92 option is not given the passphrase will be taken either from
93 the environment variable GPGWRAP_PASSPHRASE or it will be
94 prompted on the controlling tty if the environment variable is
95 not set.
96 -o <name>, --option-name <name>
98 Specify the name of the "--passphrase-fd" option understood by
99 the program to be executed. This is useful if you want to use
100 gpgwrap in combination with other programs than gpg.
101
104 The given passphrase is subject to several limitations depending on the
105 way it was passed to gpgwrap:
106 * There is a size limitation: the passphrase should be not
108 larger than some kilobytes (examine the source code for the
109 exact limit).
110 * gpgwrap allows you to use all characters in a passphrase even
112 \000, but this does not mean that gpg will accept it. gpg may
113 reject your passphrase or may only read a part of it, if it
114 contains characters like \012 (in C also known as \n).
115 * If you set the environment variable GPGWRAP_PASSPHRASE you
117 should take special care with the backslash character, because
118 gpgwrap uses backslash to escape octal numbers, (see option
119 -F). Therefore write backslash itself as octal number: \134.
120
123 1.
124 gpgwrap -p /path/to/a/secret/file \
125 gpg -c -z 0 --batch --no-tty \
126 --cipher-algo blowfish < infile > outfile
127 Read passphrase from /path/to/a/secret/file and execute gpg to
129 do symmetric encryption of infile and write it to outfile.
130 2.
133 gpgwrap -i -a \
134 gpg -c -z 0 --batch --no-tty \
135 --cipher-algo blowfish < infile > outfile
136 Same as above except that gpgwrap prompts twice for the
138 passphrase.
139 3.
142 gpgwrap -F -i - <<EOL
143 gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1"
144 gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2"
145 gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3"
146 gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4"
147 EOL
148 gpgwrap prompts for the passphrase and executes four instances
150 of gpg to decrypt the given files.
151 4.
154 GPGWRAP_PASSPHRASE="mysecretpassphrase"
155 export GPGWRAP_PASSPHRASE
156 gpgwrap -F -c -v /tmp/cmdfile1 - /tmp/cmdfile2 <<EOL
157 gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1"
158 gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2"
159 gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3"
160 gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4"
161 EOL
162 Same as above except that gpgwrap gets the passphrase via the
164 environment variable, reads commands additionally from other
165 files and checks the exit code of every gpg instance. This
166 means if one gpg command has a non zero exit code, no further
167 commands are executed. Furthermore gpgwrap produces verbose
168 output.
169 5.
172 GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)"
173 export GPGWRAP_PASSPHRASE
174 find . -maxdepth 1 -type f |
176 while read FILE; do
177 FILE2="$FILE.bz2.gpg"
178 bzip2 -c "$FILE" |
179 gpgwrap gpg -c -z 0 --batch --no-tty \
180 --cipher-algo blowfish > "$FILE2" &&
181 touch -r "$FILE" "$FILE2" &&
182 rm -f "$FILE"
183 done
184 Read in passphrase, compress all files in the current direc‐
186 tory, encrypt them and keep date from original file.
187 6.
190 find . -maxdepth 1 -type f -name '*.bz2.gpg' |
191 awk '{
192 printf("gpg --decrypt --batch --no-tty --quiet ");
193 printf("--no-secmem-warning < %s\n", $0);
194 }' |
195 gpgwrap -F -i -c - |
196 bzip2 -d -c - |
197 grep -i 'data'
198 Decrypt all *.bz2.gpg files in the current directory, decom‐
200 press them and print out all occurrences of data. If you pipe
201 the result to less you get into trouble because gpgwrap and
202 less try to read from the TTY at the same time. In such a case
203 it is better to use the environment variable to give the
204 passphrase (the example above shows how to do this).
205 7.
208 GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)"
209 export GPGWRAP_PASSPHRASE
210 gpgwrap -P |
212 ssh -C -x -P -l user host "
213 GPGWRAP_PASSPHRASE=\"\$(cat)\"
214 ...
215 "
216 Prompt for a passphrase twice and write it to the GPG‐
218 WRAP_PASSPHRASE environment variable.
219 8.
222 echo -n "Passphrase: "
223 stty -echo
224 read GPGWRAP_PASSPHRASE
225 echo
226 stty echo
227 export GPGWRAP_PASSPHRASE
228 Another way to prompt manually for the passphrase. It was
230 needed in combination with older versions of gpgwrap, because
231 they did not upport -P. Be aware that with this method no auto‐
232 matic conversion to backslash escaped octal numbers takes
233 place.
234 9.
237 echo "mysecretpassphrase" |
238 gpg --batch --no-tty --passphrase-fd 0 \
239 --output outfile --decrypt infile
240 Cheap method to give passphrase to gpg without gpgwrap. Note
242 that you can't use stdin to pass a file to gpg, because stdin
243 is already used for the passphrase.
244 10.
247 gpg --batch --no-tty \
248 --passphrase-fd 3 3< /path/to/a/secret/file \
249 < infile > outfile
250 This is a more advanced method to give the passphrase, it is
252 equivalent to Option -p of gpgwrap. This example should at
253 least work with the bash.
254 11.
257 gpg --batch --no-tty --passphrase-fd 3 \
258 3< <(echo "mysecretpassphrase") \
259 < infile > outfile
260 Like above, but the passphrase is given directly. This example
262 should at least work with the bash.
263
266 In version 0.02 of gpgwrap the exit code of gpg was only returned if
267 gpgwrap read the passphrase from a file. Since version 0.03, only -F
268 omits exit code checking by default, but it can be enabled with -c.
269
272 gpg, gpg-agent
273
276 Karsten Scheibler
277 gpgwrap 0.04 gpgwrap(1)