decrypting many files to stdout

Henry Hertz Hobbit hhhobbit at securemecca.net
Fri Jun 29 10:15:21 CEST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Crest wrote:

> Ken Takusagawa wrote:
> 
>> I have many files that are all encrypted with the same public key, and
>> the private key is protected with a passphrase.  Is there a way that I
>> can decrypt all of them at once, concatenate the results and print it
>> all to standard output but only have to type my passphrase once?  I'd
>> like to avoid having the decrypted files be written to disk, i.e., I'd
>> like "-d" behavior but with multiple files.
> 
> man gpg # and search for --command-fd

DETAILS PLEASE!

I did, and tried to use the --multifile before that.  When I looked for
command-fd in the doc/DETAILS as promised by the man page it wasn't
there.  A search for how to use it on Google wasn't all that useful
either. Now the following code will get you part way towards where
you want to go (maybe).  It is also available here (with srm code):

http://www.securemecca.com/Crypto.tbz
http://www.securemecca.com/Crypto.tbz.sig
http://www.securemecca.com/Crypto.7z
http://www.securemecca.com/Crypto.7z.sig

For now they are signed with public key 5BA96FAC. Here is the script:

- ------------------------------------------------------------------------
#!/bin/bash

# What this script does is decrypt multiple publicly
# encrypted files and concatenate all the files together
# into one file. Optionally, you can print the file. The
# order in which the files are in the output file is set
# by where you put them in the cryptfiles file list.
#
# WARNING
# There are so many things wrong with this shell script from a
# security standpoint that I will not claim it.  That holds for
# who ever I am.  Will somebody provide a better shell script
# please?
#
# The /bin/sh designator does not always mean you are using the
# Bourne shell. Most Linux systems do not have the Bourne shell
# becuase all they have is BASH.  Just make sure you don't have
# any history going out of here.

if test "$#" -eq 0
then
   echo
   echo usage:  decryptNcat.sh OUTPUT_FILE_NAME
   echo
   exit
fi

OUTPUTFILE=$1
SAVEHISTSIZE=${HISTSIZE}
HISTSIZE=0
export HISTSIZE

if [ ! -s cryptfiles ]
then
   echo put crypted files in a list in files cryptfiles
   echo with one file per line and make sure they are in
   echo the order you want them in.
   exit 1
fi

rm -f ${OUTPUTFILE}
touch ${OUTPUTFILE}

echo -n  what is the passphrase:\ \
read PASSPHRASE
clear
echo

cat cryptfiles | while read FILE
do
   if [ -s ${FILE} ]
   then
      gpg --list-packets --list-only ${FILE} > testforkey
      if grep -iq pubkey testforkey
      then
         echo adding file ${FILE} to the ${OUTPUTFILE} file
         echo
         gpg  -q -d --passphrase ${PASSPHRASE} < ${FILE} \
           >> ${OUTPUT_FILE} 2> /dev/null
      else
         echo file ${FILE} may not bea valid OpenPGP file
         echo skipping it
         echo
      fi
   else
      echo file ${FILE} either does not exist or is empty
      echo skipping it
      echo
   fi
   rm -f testforkey
done

PASSPHRASE=BOGUS
export PASSPHRASE
PASSPHRASE=BOGUS

# Uncomment the following and substitute your commands to print
# the file and then securely remove the file

# if lp -q 100 ${OUTPUTFILE}
# then
#    sleep 60
#    srm ${OUTPUTFILE}
# fi

HISTSIZE=${SAVEHISTSIZE}
export HISTSIZE

exit
- ------------------------------------------------------------------------

So what is wrong with it?

1. It is dangerous.
   - your secret pass-phrase is in a SHELL variable!?
   - worries about history - where has the Bourne shell gone?
   - pass-phrase is visible; use LCD; if you must use CRT do it
     so nobody can read it with RF sensors; make sure nobody is
     looking over your shoulder.
   - etcetera, etcetera, etcetera - you fill em in
2. It is inefficient.
   - cat cryptfiles | while read FILE ...
   - gpg  -q -d --passphrase ${PASSPHRASE} < ${FILE} \
     >> output 2> /dev/null
   - etcetera
3. It only gets you part way there.  Ken wanted it to go to the
   printer, not a file.  Yes, he can print the file and use srm
   on it to securely remove it but what if somebody hacks in or
   is in from the internet and steals the file in the process?

So what is right with it?

1. You only type the pass-phrase once.  Repetition of key things
   kills you - look at history.  At least  we aren't repeating
   the typing of our secret pass-phrase.
2. Modify the script to decrypt multiple files into separate
   files as they come in from remote sites.  At least the
   sending is sort of automated by automatic encryption on
   the sending end.
4. IT WORKS!  Well, sorta ...

Now if you can flesh in the details on how to use command-fd
or command-file options we are all ears.  This script is NOT
what Ken is looking for.  But maybe, just maybe, it will give
him some ideas.

HHH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGhL+Zr3QZv1upb6wRCoOMAKCex2sg9LEenWNeRtqVcpYPwvO7cQCgj0oG
LiciRmk9vuWvJvum10DkxG8=
=FeNJ
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list