How to verify the file was successfully encrypted...

Benny Helms benny at egovmt.com
Wed Jul 12 18:57:45 CEST 2006


On Wed, 2006-07-12 at 05:14 -0500, Robert J. Hansen wrote:
> Benny Helms wrote:
> > I'm looking for a way to gpg encrypt a file, test that the encryption
> > was good and that the file can be extracted, and then to delete the
> > original file.
> 
> Forgive a silly question, but what's wrong with decrypting the file as a
> way of verifying the encryption worked?

Sorry.  I guess I should have given more details.  I was just hoping the
bare minimum info would be enough because somebody would say, "Oh,
that's easy!  All you do is..."

I have a server with files that are created on a daily basis.  Many
files.  I've reached a point where I want to have those files encrypted
each night to prevent security breaches.  My intent is to encrypt the
file and delete the original.  However, if I do that, and then go back a
week later to obtain some data from that file, and it says, "Whoa, dude!
This gpg file seems to be hosed.  I can't open it!", I'm absolutely
screwed because our contract requires eternal data retention on some of
this stuff.  Losing data is unacceptable.  But at the same time, having
an encrypted version and an unencrypted version is equally unacceptable.

Basically, I'm looking for a *scripted* way to verify that the newly
created gpg file is in good condition and I'll be able to open it at a
later date if needed, BEFORE I delete the original file.  Frankly, I'm
surprised that's not a standard built-in function in gpg.  Bzip2 will
bzip a file, and only after successfully completing the task, it will
automatically delete the original and leave only the bz2 version in
place.  That's the basic functionality I'm looking for.

And I definitely want it to be able to do the job in a script because I
don't have a life as it is, let alone sitting here manually decrypting
file after file to test their usability in the wee hours of the morning
when I should be home with my family.

Make sense?

> If you've got a Perl script that's doing the encryptions, then have your
> Perl script do the verification step, too.

I'm doing this with a plain old bash script.  Basically...

for file in "list of files"   # the nightly file list goes here
do
  # encrypt, then prove the .gpg decrypts back to the original byte-for-byte
  gpg -r username -z 9 --encrypt "$file" &&
    gpg --decrypt "$file.gpg" | cmp -s - "$file"
  if [ $? -eq 0 ]; then
    # the encryption went well and the file is a good one: delete the original
    rm -f "$file"
  else
    # otherwise email the hosed file name so I can manually encrypt it
    # when I get to work in the morning (address is a placeholder)
    echo "$file" | mail -s "gpg encryption failed" you@example.com
  fi
done

Benny
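A fuller version of the encrypt/verify/delete step described in this post, added here as an example rather than code from the thread: it encrypts through a pipe, decrypts the result to a scratch file beside the original, compares byte-for-byte, and removes the plaintext only when both the decryptor's exit status and the comparison are clean. It assumes the recipient is in GPG_RECIPIENT, that the matching secret key is usable on the host so --decrypt can run, and that ENC_CMD and DEC_CMD are stdin-to-stdout filters (gpg by default; they can be swapped for a reversible stand-in to dry-run the script without keys).

```shell
#!/bin/sh
# Encrypt one file, prove the ciphertext decrypts back to the exact
# original, and only then delete the plaintext (the bzip2-style
# behaviour asked for in the post).  A failure at any step leaves the
# original untouched and returns non-zero.
#
# Assumptions (not taken from the thread): recipient in $GPG_RECIPIENT,
# secret key usable here so --decrypt works, and ENC_CMD / DEC_CMD are
# stdin-to-stdout filters that default to gpg but may be overridden.
GPG_RECIPIENT="${GPG_RECIPIENT:-username}"
ENC_CMD="${ENC_CMD:-gpg --batch -r $GPG_RECIPIENT -z 9 --encrypt}"
DEC_CMD="${DEC_CMD:-gpg --batch --decrypt}"

encrypt_and_verify() {
    file=$1
    out="$file.gpg"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # 1. encrypt; a non-zero exit means the encryptor reported a problem
    if ! $ENC_CMD < "$file" > "$out"; then
        rm -f "$out"; echo "encrypt failed: $file" >&2; return 1
    fi

    # 2. round-trip: decrypt to a scratch file next to the original and
    #    compare byte-for-byte.  The decryptor's exit status is checked
    #    separately so an empty decryption of an empty file cannot pass.
    tmp=$(mktemp "$file.verify.XXXXXX") || { rm -f "$out"; return 1; }
    if ! $DEC_CMD < "$out" > "$tmp" || ! cmp -s "$tmp" "$file"; then
        rm -f "$out" "$tmp"
        echo "verify failed, keeping original: $file" >&2
        return 1
    fi
    rm -f "$tmp"

    # 3. only now is the plaintext safe to remove
    rm -f "$file"
}

# Driver: encrypt everything given on the command line and collect the
# names that need manual attention (pipe this into mail if wanted).
failed=""
for f in "$@"; do
    encrypt_and_verify "$f" || failed="$failed $f"
done
[ -z "$failed" ] || echo "needs manual attention:$failed" >&2
```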
