Looking for simple wrapper for symmetric key file encryption

Mr. Clif clif at eugeneweb.com
Fri Jan 17 22:15:50 CET 2014


I've been happily using pgp and gpg off and on for decades. One thing I 
never quite figured out was what the best way was to use it for encrypting 
sensitive files on disk. After doing that one has to remember to clean up 
after themselves and delete all the leftover plaintext versions of the 
file, or it kind of defeats the whole purpose, and it's pretty easy to 
make a mistake when doing it manually. I always felt that GPG should 
help you a bit more in that regard. Now I know that full disk encryption 
might be a way around this, but it seems like overkill if you just have 
a couple of files to protect.

I have searched high and low and checked out GnuPG Shell, GPA, Seahorse, 
XAP, and some other misc wrappers but nothing seemed to fit my use case. 
So I wrote a simple wrapper in perl. Basically it just lets you toggle a 
file between plaintext and encrypted forms without letting the plaintext 
version touch/remain on the disk, unless that is what you want.

#!/usr/bin/perl
#	This Perl script is a wrapper around GPG to decrypt or encrypt a file.
#	Its goal is to try to prevent plaintext from touching, or remaining
#	on the disk, something GPG fails to do. If there is a new file created
#	it will be in the same directory as the original unless you specify a new
#	path in a second arg.
#	By Clif 12/05/13
use strict;
use warnings;

# External utilities
my $GPG   = "/usr/bin/gpg";	# GnuPG 1.4.15
my $SHRED = "/usr/bin/shred";	# secure file deleter (GNU coreutils) 8.13
				# (shred overwrites in place, so it gives no guarantee
				# on journaled, copy-on-write or flash-backed filesystems)

# Arguments
my ($arg, $dest) = @ARGV;
die "usage: $0 FILE [DEST]\n" unless defined $arg;

# Break down the pathname
my ($path, $file, $base, $ext) = (undef, $arg, $arg, "");
$path = $1 if $arg  =~ /^(.*?)(\/[^\/]*)$/;	# directory part ("" means root)
$file = $1 if $arg  =~ /([^\/]+)\/?$/;		# last path component
$base = $1 if $file =~ /^(.+?)(\.[^.]*)?$/;	# file name without its last extension
$ext  = $1 if $file =~ /\.([^. ]*)\s*$/;	# last extension, without the dot

# Get destination.  Encrypting foo.txt writes foo.txt.asc and decrypting
# foo.txt.asc writes foo.txt, so a file round-trips with its name intact.
my $stem  = $ext eq "asc" ? $base : $file;
my $destp = 0;					# did the caller give one?
if (defined $dest && length $dest) {
	$destp = 1;
	$dest .= "/$stem" if (-d $dest);	# a directory: keep the original name
	$dest =~ s/\.asc\s*$//;			# ".asc" is added back below when encrypting
} else { $dest = defined $path ? "$path/$stem" : $stem }

# Is this a plaintext or an encrypted file?
# system() is called with an argument list rather than one string, so the
# file name is never parsed by a shell (spaces or ';' in a name cannot run
# extra commands).
if (-r $arg) {
	if ($ext eq "asc") {				# Encrypted
		# With no destination, decrypt to stdout: plaintext stays off the disk
		if ($destp) { system($GPG, "-o", $dest, $arg) }
		else        { system($GPG, "-o", "-",   $arg) }
	} else {					# Plaintext
		unlink "${dest}.asc";			# avoid gpg's overwrite prompt
		my $err = system($GPG, "-o", "${dest}.asc", "-ca",
				 "--cipher-algo", "AES256", $arg);
		# $err is the wait status from system(); shred the plaintext only
		# once gpg has exited successfully
		if ($err) { print "ERROR = $err\n" }
		else      { system($SHRED, "-un9", $arg) }
	}
} else { warn "No such file: $arg\n" }
# All done

Obviously it could be much more thorough, but I just wanted to get the 
idea across. I was also thinking about adding a RAM-based editing 
feature, but I didn't want to reinvent the wheel if someone knows of a 
similar project.

     Thanks for any comments you might have,

More information about the Gnupg-users mailing list
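An added example, not part of Clif's post or of GnuPG, showing the one change in the wrapper that matters most for safety: the difference between handing gpg a single command string (which /bin/sh re-parses, so a file name containing `;` runs a second command) and handing it an argument list (where the file name arrives as one argument, metacharacters and all). To run offline it replaces gpg with a stand-in script that prints its first argument, and uses a constructed hostile file name; the helper names, the temp-dir layout and the `marker` file are assumptions for the demonstration, and it expects a POSIX /bin/sh.

```python
"""String-form vs list-form process invocation, the bug in the posted wrapper.

Added example (not the original script).  gpg is replaced by a stand-in
script that prints sys.argv[1]; the hostile file name is constructed.
"""
import os
import shlex
import subprocess
import sys
import tempfile

# Stand-in for gpg: just report the one file name it was given.
ECHO_ARG = "import sys; print(sys.argv[1])"

# Constructed hostile file name.  Perl's system("$GPG -o - $arg") would
# interpolate it unquoted, so the shell sees two commands.
HOSTILE_NAME = "notes.txt; echo pwned > marker"


def _stand_in(workdir):
    """Write the stand-in 'gpg' script into workdir and return its path."""
    script = os.path.join(workdir, "echo_arg.py")
    with open(script, "w") as fh:
        fh.write(ECHO_ARG + "\n")
    return script


def string_form(filename, workdir):
    """Mimic system("$GPG -o - $arg"): one string, parsed by /bin/sh.

    Interpreter and script paths are trusted and quoted; the file name is
    interpolated exactly as the Perl wrapper does it.  Returns (what the
    stand-in saw as its argument, whether the injected command ran).
    """
    script = _stand_in(workdir)
    cmdline = f"{shlex.quote(sys.executable)} {shlex.quote(script)} {filename}"
    out = subprocess.run(cmdline, shell=True, cwd=workdir,
                         capture_output=True, text=True)
    return out.stdout.strip(), os.path.exists(os.path.join(workdir, "marker"))


def list_form(filename, workdir):
    """Mimic system($GPG, "-o", "-", $arg): an argv list, no shell involved."""
    script = _stand_in(workdir)
    out = subprocess.run([sys.executable, script, filename], cwd=workdir,
                         capture_output=True, text=True)
    return out.stdout.strip(), os.path.exists(os.path.join(workdir, "marker"))


def demo():
    """Run both forms on the hostile name in separate scratch directories."""
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        return {"string": string_form(HOSTILE_NAME, d1),
                "list": list_form(HOSTILE_NAME, d2)}


if __name__ == "__main__":
    for mode, (seen, marker) in demo().items():
        print(f"{mode:6s} form: argument seen = {seen!r}, "
              f"injected command ran = {marker}")
```

The string form reports `notes.txt` and leaves a `marker` file behind, because everything after the `;` was executed as a second command; the list form reports the whole name `notes.txt; echo pwned > marker` and creates nothing. Quoting each interpolated value with `shlex.quote` would also close the hole, but the list form is the simpler fix and is what the wrapper above now does.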