GnuPG encryption with key file

Daniel Kahn Gillmor dkg at
Thu Mar 27 14:30:11 CET 2014

On Wed 2014-03-26 17:37:05 -0400, ------ ------ wrote:
> is it possible to encrypt a file with a symmetric cipher (e.g., AES256)
> using a key file (e.g., a binary file) instead of a password?

Yes, but you will need to translate the binary file into a long ascii
string first (which means the exact same transformation needs to be done
on the decrypting side too, or else decryption will fail).

Here is an example, using "base64 -w0" as the translator, while creating
the key file from /dev/urandom:

0 dkg at alice:~$ dd if=/dev/urandom of=key bs=256 count=1
1+0 records in
1+0 records out
256 bytes (256 B) copied, 0.000288545 s, 887 kB/s
0 dkg at alice:~$ echo secret info > secret.txt
0 dkg at alice:~$ base64 -w0 <key | gpg --symmetric --passphrase-fd 0 secret.txt 
Reading passphrase from file descriptor 0    
0 dkg at alice:~$ ls -l
total 12
-rw-r--r-- 1 dkg dkg 256 Mar 27 09:17 key
-rw-r--r-- 1 dkg dkg  12 Mar 27 09:17 secret.txt
-rw-r--r-- 1 dkg dkg  57 Mar 27 09:19 secret.txt.gpg
0 dkg at alice:~$ rm secret.txt
rm: remove regular file ‘secret.txt’? y
0 dkg at alice:~$ base64 -w0 <key | gpg --decrypt --passphrase-fd 0 secret.txt.gpg 
Reading passphrase from file descriptor 0    
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
secret info
gpg: WARNING: message was not integrity protected
0 dkg at alice:~$ 

if you don't like the pipes and stdio redirection (or if you're stuck on
a platform that can't do them), you could translate the keyfile
explicitly into a new file, and then use gpg's --passphrase-file
option instead of --passphrase-fd.

Just remember that gpg will only use the first line of the translated
keyfile as its key, so avoid linebreaks in the translated output.

The gpg manpage is a useful source of more information about these


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: </pipermail/attachments/20140327/e7e8414b/attachment.sig>

More information about the Gnupg-users mailing list