5

I want to create a script that would automatically encrypt some sensitive files I don't want to expose (but do want to keep together with the whole project) and push them to a public GitHub repo.

As a solution I decided to encrypt them with GPG. The issue is that I can't find any clues on how to encrypt a particular file with a passphrase passed as a CLI argument to a gpg -c command.

Does anybody know how to do this?

Jeff Schaller
ddnomad

2 Answers

12

Use one of the --passphrase-... options, in batch mode:

  • --passphrase-fd reads the passphrase from the given file descriptor

      echo mysuperpassphrase | gpg --batch -c --passphrase-fd 0 file
    
  • --passphrase-file reads the passphrase from the given file

      echo mysuperpassphrase > passphrase
      gpg --batch -c --passphrase-file passphrase file
    
  • --passphrase uses the given string

      gpg --batch -c --passphrase mysuperpassphrase file
    

These will all encrypt file (into file.gpg) using mysuperpassphrase.

With GPG 2.1 or later, you also need to set the PIN entry mode to “loopback”:

    gpg --batch -c --pinentry-mode loopback --passphrase-file passphrase file

etc.

Decryption can be performed in a similar fashion, using -d instead of -c, and redirecting the output:

    gpg --batch -d --passphrase-file passphrase file.gpg > file

etc.

Stephen Kitt
  • Thanks a lot! Follow-up question: where can I find some kind of man page where all commands and options of gpg are listed? (as my ArchLinux man lists just a tiny bit and I found no --passphrase option on the web) – ddnomad Dec 14 '16 at 12:34
  • The GPG site has manuals, e.g. Invoking GPG (which lists all the options for GPG 2.1); the Debian manpage is also available. – Stephen Kitt Dec 14 '16 at 12:38
  • Could I apply this if I want to decrypt a file? Like gpg --batch -c --passphrase-file pas.txt --decrypt file.gpg – alper Jun 18 '20 at 12:08
  • @alper you need to drop the -c command, and specify where to write the output: gpg --batch -d --passphrase-file pas.txt file.gpg > file – Stephen Kitt Jun 18 '20 at 12:16
  • I have also come up with this using (--pinentry-mode loopback): gpg --output file --pinentry-mode loopback --passphrase-file=pas.txt --decrypt file.gpg, which also seems to work – alper Jun 18 '20 at 12:22
  • Ah yes, that’s required since version 2.1, I’ll add that to the answer. – Stephen Kitt Jun 18 '20 at 12:39
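
The options from the answer above combined into a reusable wrapper, as an added example that is not part of the original answers: it feeds the passphrase on file descriptor 3 (so it stays out of the argument list and stdin remains free), adds `--pinentry-mode loopback` only for GnuPG 2.1 or later, and refuses a passphrase file that group or others can read. The function names and the permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example: symmetric gpg encryption for scripts, passphrase kept out of argv.

# needs_loopback VERSION: succeed if VERSION (e.g. 2.2.19) is GnuPG 2.1 or later.
needs_loopback() {
    nl_major=${1%%.*}
    nl_rest=${1#*.}
    nl_minor=${nl_rest%%.*}
    [ "$nl_major" -gt 2 ] || { [ "$nl_major" -eq 2 ] && [ "$nl_minor" -ge 1 ]; }
}

# gpg_version: print the installed version, the last word of "gpg (GnuPG) 2.2.19".
gpg_version() {
    gpg --version | awk 'NR == 1 { print $NF }'
}

# passfile_is_private FILE: succeed only if group and others have no access.
passfile_is_private() {
    # Columns 5-10 of the `ls -l` mode string are the group and other bits.
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# gpg_sym MODE PASSFILE SRC DST: MODE is -c (encrypt) or -d (decrypt).
gpg_sym() {
    gs_mode=$1 gs_pass=$2 gs_src=$3 gs_dst=$4
    if ! passfile_is_private "$gs_pass"; then
        echo "refusing: $gs_pass must be a file with mode 600 or stricter" >&2
        return 1
    fi
    gs_loopback=
    if needs_loopback "$(gpg_version)"; then
        gs_loopback="--pinentry-mode loopback"
    fi
    # $gs_loopback is left unquoted on purpose: it expands to two words or none.
    # The passphrase arrives on fd 3, so it never shows up in `ps` output and
    # stdin stays available for the caller.
    gpg --batch --yes $gs_loopback --passphrase-fd 3 \
        -o "$gs_dst" "$gs_mode" "$gs_src" 3<"$gs_pass"
}

# Usage (constructed file names):
#   gpg_sym -c passphrase secrets.env secrets.env.gpg
#   gpg_sym -d passphrase secrets.env.gpg secrets.env
```
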
0

I tried the accepted answer but it didn't work out.

I was on Ubuntu 20.04.1 LTS

Check my answer which worked out for me