Using a passphrase FD from variable and piped data for encryption

Brett Cave brett at jemstep.com
Tue Apr 19 09:42:54 CEST 2016


Hi all, I'm wondering if anyone uses gpg piping data to it (on a *nix
system) while also providing a passphrase-fd? Might be more of a bash /
shell question than GPG itself...

Example: I want to create an encrypted archive. I don't want to write the
passphrase to the local fs and don't want it to be visible in the process
list.

To create an archive, and then encrypt it using a variable in 2 steps:
tar zcf dir.tgz dir
echo $PASSPHRASE | gpg -c --passphrase-fd 0 -o dir.tgz.gpg dir.tgz

This way, the passphrase is never written to the fs and does not show up in
the process list - it is only in-memory.

Is it possible to do this in a single step using a different FD some how? I
can do it with a redirect from a file....
tar zcf - /path/to/stuff | gpg -c --passphrase-fd 0 -o dir.tgz.gpg 1<> passphrase-file

But how can it be done from a variable?
tar zcf - /path/to/stuff | gpg -c --passphrase-fd 0 -o dir.tgz.gpg 1<>$(echo $passphrase-var)

The last command doesn't work, but sort of indicates what I'm trying to do.

(I've read the previous threads discussing "why even bother encrypting if
you don't trust the system" and other "why" questions. There may be flaws
in this approach too, this is purely for "because I want to know how to do
it this way" sort of question).

Thanks,
Brett
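The single-step variant the post is asking for, as an added example that is not part of the original message: stdin stays reserved for the tar stream, and the passphrase from the shell variable is handed to gpg on a separate descriptor (fd 3) opened by bash process substitution, so it is never a command argument and never a file on disk. The function names, the PASSPHRASE variable and the bash/GnuPG 2.1+ requirement (for --pinentry-mode loopback) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes bash (process
# substitution) and GnuPG 2.1 or later (--pinentry-mode loopback).
#
# Why fd 3: "--passphrase-fd 0" makes gpg read the passphrase from stdin,
# but in "tar ... | gpg ..." stdin already carries the archive. A separate
# descriptor fed by process substitution keeps the passphrase out of the
# process list (printf is a shell builtin, so it never appears in argv)
# and off the filesystem (the substitution is a pipe, not a temp file).

set -euo pipefail

# encrypt_dir_from_var SRC_DIR OUT_FILE
# The passphrase is read from $PASSPHRASE (assumed variable name); it is
# never passed as a command-line argument.
encrypt_dir_from_var() {
    local src="$1" out="$2"
    tar zcf - -C "$(dirname "$src")" "$(basename "$src")" \
      | gpg --batch --quiet --pinentry-mode loopback --symmetric \
            --passphrase-fd 3 -o "$out" \
            3< <(printf '%s\n' "$PASSPHRASE")
}

# decrypt_to_dir IN_FILE DEST_DIR
# The reverse path, using the same fd trick, to verify the round trip.
decrypt_to_dir() {
    local in="$1" dest="$2"
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback --decrypt \
        --passphrase-fd 3 "$in" 3< <(printf '%s\n' "$PASSPHRASE") \
      | tar zxf - -C "$dest"
}
```

Usage: `PASSPHRASE='...' encrypt_dir_from_var /path/to/stuff dir.tgz.gpg`. Two checks worth knowing: `--passphrase-fd` needs `--batch` (and, on GnuPG 2.1+, `--pinentry-mode loopback`) or gpg will still try to pop a pinentry; and a here-string (`3<<<"$PASSPHRASE"`) would be shorter but older bash versions back here-strings with a temporary file, which is exactly what the post wants to avoid, so the pipe from `<( )` is the safer choice.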