decrypting a symmetric key from the command line in a script

Ralf Döring rdoering@netsys-it.de
Tue Aug 26 08:56:01 2003


"Adam Cadieux" <acadieux@pcguardian.com> writes:

> This works fine:
> //Decrypt data from a file with a symmetric key in PHP
> $results = exec("echo '$password' | /usr/bin/gpg --passphrase-fd 0 --batch
> --yes -d /tmp/crypt2.gpg");
>
> But I can't seem to get this to work:
>
> //Decrypt data from a variable with a symmetric key in PHP
> <?php
>
> $encrypted_data = "-----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.6
> (GNU/Linux) Comment: For info see http://www.gnupg.org
> jA0EAwMCGP4cuhKM/+dgySINGrMuDol3KYTkeKKz5kvEPYZjoM+I/+fH65t2K7ve folW =3b9z
> -----END PGP MESSAGE-----";
>
> $results = exec("echo '$password' | /usr/bin/gpg --passphrase-fd 0 --batch
> --yes -d '$encrypted_data'");
> echo ($results);
> ?>

gpg expects a filename with data to decrypt on its command line or the
data to be read via stdin. You put your data on the cmdline, which is
something completely different.  So it treats the contents of
$encrypted_data as a filename, which it obviously cannot find.

Your options, as far as I can see, are:
- store your encrypted data in temporary files and let gpg decrypt
  them.
- feed gpg with your encrypted data via stdin, using some sort of
  pipes. This requires providing another fd for --passphrase-fd
  instead of 0 in your example. I gave some hints how you can achieve
  this in a mail to this list some days ago. 
  http://www.php.net/proc_open should have everything you need,
  including the elimination of the unnecessary (and insecure) use of
  'echo' together with your password.

HTH,
Ralf
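
The second option above, written out with proc_open as an added example that is not part of the original post: the ciphertext goes to gpg on stdin and the passphrase on a separate descriptor, with no shell and no `echo`. The function name `gpg_decrypt_symmetric`, the choice of fd 3 and the `GPG_PASSPHRASE` environment variable are assumptions of this example.

```php
<?php
// Added example: decrypt an in-memory symmetric GnuPG message without a shell.
// Function name and the choice of fd 3 are assumptions of this example.
function gpg_decrypt_symmetric(string $encrypted_data, string $password,
                               string $gpg = '/usr/bin/gpg'): string
{
    // Array command (PHP >= 7.4): no shell, so nothing is quoted or expanded
    // and the passphrase never appears in the process list.
    // GnuPG 2.1+ additionally needs '--pinentry-mode', 'loopback' here.
    $cmd = [$gpg, '--batch', '--yes', '--passphrase-fd', '3', '-d'];
    $spec = [
        0 => ['pipe', 'r'],  // ciphertext: gpg reads it from stdin
        1 => ['pipe', 'w'],  // plaintext
        2 => ['pipe', 'w'],  // diagnostics
        3 => ['pipe', 'r'],  // passphrase, kept off the command line
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    // Passphrase first: gpg reads one line from the fd, then we close it.
    fwrite($pipes[3], $password . "\n");
    fclose($pipes[3]);
    // Sequential write-then-read is fine for short messages like the one in
    // the post; large inputs need stream_select() to avoid a pipe deadlock.
    fwrite($pipes[0], $encrypted_data);
    fclose($pipes[0]);
    $plaintext = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        // Wrong passphrase, damaged armor, etc.: never return partial output.
        throw new RuntimeException("gpg exited with $status: " . trim($errors));
    }
    return $plaintext;
}

// CLI usage: php decrypt.php message.asc, passphrase taken from the
// environment (hypothetical variable name). The armored message must keep
// its line breaks: header lines, blank line, base64 body, checksum line.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $password = (string) getenv('GPG_PASSPHRASE');
    echo gpg_decrypt_symmetric(file_get_contents($argv[1]), $password);
}
```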