GPG automatic password decryption

We receive encrypted GPG files from a third party. I am changing a C# program which finds the encrypted files, decrypts them and deletes the encrypted ones. All of this works, with the exception of the decryption part, which asks for the passphrase; I know the passphrase, and it prompts for it on input. I need to pass the passphrase in the command, so the prompt never appears.

string CommandText = string.Format("echo {0}|gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd 0 -o {3} -d {4}", passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath); 

I also tried:

    string CommandText = string.Format("gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase {0} -o {3} -d {4}", passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath);

    string CommandText = string.Format("gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd {0} -o {3} -d {4}", passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath);

As well as a few other options.

This is running under GnuPG for Windows 2.1.0.57899.

In case the problem is located elsewhere, this is the block of code, written mostly by my predecessor:

    public bool decryptInputFile(string encryptedFilePath, string outputFullPath, out string message)
    {
        message = "decryptInputFile: Started";
        try
        {
            ProcessStartInfo psi = new ProcessStartInfo("cmd.exe")
            {
                CreateNoWindow = true,
                // Redirecting the standard streams requires UseShellExecute = false;
                // with it set to true, Process.Start throws an InvalidOperationException.
                UseShellExecute = false,
                RedirectStandardInput = true,
                RedirectStandardOutput = true,
                RedirectStandardError = true,
                WorkingDirectory = decryptPath,
            };
            message = "decryptInputFile: PSI Initialized";
            using (Process process = Process.Start(psi))
            {
                string CommandText = string.Format(
                    "echo {0}|gpg.exe --keyring {1} --secret-keyring {2} --batch --yes --passphrase-fd 0 -o {3} -d {4}",
                    passPhrase, publicKeyRingPath, secretKeyRingPath, outputFullPath, encryptedFilePath);
                process.StandardInput.WriteLine(CommandText);
                process.StandardInput.Flush();
                process.StandardInput.Close();
                process.WaitForExit();
                process.Close();
                process.Dispose();
                message = "decryptInputFile: Success";
                // These processes don't close and it keeps the file from being deleted.
                foreach (Process P in Process.GetProcessesByName("gpg")) { P.Kill(); }
                foreach (Process P in Process.GetProcessesByName("gpg2")) { P.Kill(); }
            }
        }
        catch (Exception x)
        {
            // If there was an error, we're going to eat it and just let the user know we failed.
            message = "decryptInputFile: Error: " + x.Message;
            string errMessage = "ERROR: could not decrypt. " + x.Message + "\r\n";
            File.AppendAllText(System.Configuration.ConfigurationSettings.AppSettings["LogPath"], errMessage);
            return false;
        }
        if (File.Exists(outputFullPath) && File.Exists(encryptedFilePath))
        {
            File.Delete(encryptedFilePath);
        }
        return File.Exists(outputFullPath);
    }
c# windows gnupg passphrase
1 answer

Problem

You are using GnuPG 2, which only supports the --passphrase* options together with --batch.

Using --batch

The --passphrase* options are intended for use in scripts. GnuPG 2 restricts them (possibly to slowly phase them out) to --batch mode, in which GnuPG does not perform any interaction (for example, asking for your passphrase or other "dialogs").

While this is possible, it is probably preferable to use passphrase presetting in gpg-agent, which allows you to remove the passphrase from your application code entirely. Be aware of the consequences of --passphrase (all users of your system can read it while GnuPG is running!) and --passphrase-file (the passphrase is stored on the hard disk; check the permissions).

Preset passphrase

The preferred method with GnuPG 2 is to preset the passphrase in gpg-agent, on which GnuPG relies heavily; in the case of GnuPG 2.1, it even fully handles the private key and passphrase operations.

But, to your rescue, GnuPG 2 offers the new gpg-preset-passphrase tool. On Debian Linux it is hiding in /usr/lib/gnupg2/; I don't know where it is stored on Windows.

From man gpg-preset-passphrase:

gpg-preset-passphrase is a utility to seed the internal cache of a running gpg-agent with passphrases. It is mainly useful for unattended machines, where the usual pinentry tool may not be used and the passphrases for the keys used are given at machine startup.

[...]

gpg-preset-passphrase is invoked as follows:

 gpg-preset-passphrase [options] [command] cacheid 

cacheid is either a 40-character hexadecimal key identifier, identifying the key for which the passphrase should be set or cleared. [...]

You must specify one of the following command parameters:

    --preset
        Preset a passphrase. This is what you usually will use. gpg-preset-passphrase will then read the passphrase from stdin.

To complete the process: when initializing GnuPG for your application (and at intervals matching the configured caching time), run gpg-preset-passphrase --preset [fingerprint], which reads the passphrase from stdin or optionally uses the --passphrase passphrase parameter, to set it directly from your application. Keep in mind that when using echo or --passphrase, other system users can obtain the passphrase by listing processes; it is better to write directly to the process's stdin from C#.
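An added example, not code from the question or the answer, showing the approach recommended above in C#: the passphrase is handed to gpg-preset-passphrase over stdin (never on a command line), and gpg.exe is then started directly with --batch instead of through cmd.exe and echo. The install paths, the cache id value and the `allow-preset-passphrase` line in gpg-agent.conf are assumptions for this example.

```csharp
using System;
using System.Diagnostics;

// Added example, not code from the question or the answer. Paths and the cache id are
// assumptions; gpg-agent must run with "allow-preset-passphrase" in gpg-agent.conf.
static class GpgHelper
{
    const string PresetTool = @"C:\Program Files (x86)\GnuPG\bin\gpg-preset-passphrase.exe"; // assumed path
    const string GpgExe     = @"C:\Program Files (x86)\GnuPG\bin\gpg.exe";                   // assumed path

    static ProcessStartInfo Psi(string exe, string args)
    {
        return new ProcessStartInfo(exe, args)
        {
            UseShellExecute = false,   // required for stream redirection
            CreateNoWindow = true,
            RedirectStandardInput = true,
            RedirectStandardError = true,
        };
    }

    // Seed gpg-agent once at startup (and again before the cache entry expires). The
    // passphrase goes over stdin, so it never appears in a command line or process listing.
    public static int PresetPassphrase(string cacheId, string passphrase)
    {
        using (Process p = Process.Start(Psi(PresetTool, "--preset " + cacheId)))
        {
            p.StandardInput.Write(passphrase);   // no trailing newline: nothing extra to be read as passphrase
            p.StandardInput.Close();
            p.WaitForExit();
            return p.ExitCode;                   // 0 = cached; non-zero = agent refused or not running
        }
    }

    // Decrypt one file by starting gpg directly: no cmd.exe, no echo, and with the agent
    // seeded, --batch never has to prompt. (The --keyring flags from the question can be appended.)
    public static bool Decrypt(string encryptedPath, string outputPath, out string stderr)
    {
        string args = string.Format("--batch --yes --output \"{0}\" --decrypt \"{1}\"", outputPath, encryptedPath);
        using (Process p = Process.Start(Psi(GpgExe, args)))
        {
            p.StandardInput.Close();
            stderr = p.StandardError.ReadToEnd();   // drain before WaitForExit to avoid a pipe deadlock
            p.WaitForExit();
            return p.ExitCode == 0;
        }
    }
}
```

Call `PresetPassphrase` once when the service starts and on a timer shorter than the agent's cache TTL; check the captured stderr and exit code from `Decrypt` before deleting the encrypted input rather than killing stray gpg processes.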
