
I'm trying to encrypt our backups using GnuPG as a pipe (reading from stdin and writing to stdout). The passphrase is read from a file. An example command:

echo "mysecret" | gpg --passphrase-file password.key --batch --symmetric --cipher-algo AES256 > test.gpg

When I run this as a regular user, it works fine. But if I run it as root, I get:

gpg: gpg-agent is not available in this session
gpg: can't query passphrase in batch mode
gpg: error creating passphrase: invalid passphrase
gpg: symmetric encryption of `[stdin]' failed: invalid passphrase

How can I get --passphrase-file working for root?

I cannot use --passphrase-fd 0 as suggested here because stdin is the data to be encrypted. I'm using GPG 1.4.20 (from Ubuntu 16.04.5 LTS).

Sampo
  • If you're using sudo for running the command, can you verify that the environment variables required by GPG are set? – Haxiel Jan 21 '19 at 09:13
  • What environment variables does GPG need? I'm not using any keychains etc, just doing symmetric encryption. – Sampo Jan 21 '19 at 09:33

2 Answers


I found a workaround, which utilizes an additional file descriptor for input:

exec {FD}<password.key
echo "mysecret" | gpg --passphrase-fd ${FD} --batch --symmetric --cipher-algo AES256 > test.gpg
Sampo

I wanted to build on the other answer, which involves writing the passphrase to the filesystem first. You can catch the output of a printf command as a file descriptor:

passphrase="topsecret"
exec {pw_fd}< <(printf '%s' "$passphrase")
echo "a total secret" | gpg --passphrase-fd ${pw_fd} --batch --symmetric --cipher-algo aes > test.gpg
exec {pw_fd}<&-

Then test:

gpg -d --batch --passphrase "$passphrase" test.gpg
gpg: AES.CFB encrypted data
gpg: encrypted with 1 passphrase
a total secret
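The two answers above share one idea: give gpg the passphrase on a file descriptor other than 0 so that stdin stays free for the data. The script below is an added example, not code from either answer, that packages that idea into reusable functions and does a full encrypt-then-decrypt round trip in a throwaway GNUPGHOME. It assumes bash 4.1 or later (for the {fd}< syntax) and a gpg binary on PATH; the passphrase, payload and file names are constructed for the demo. It also handles one caveat the thread does not mention: gpg 2.1 and later only honour --passphrase-fd in batch mode together with --pinentry-mode loopback, an option that gpg 1.4 (the asker's version) rejects, so the script probes for it instead of hard-coding either form.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers): keep stdin for the payload and
# hand gpg the passphrase on a separately allocated file descriptor.
set -euo pipefail

# Isolated keyring/agent directory so the demo never touches ~/.gnupg
export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# gpg >= 2.1 needs --pinentry-mode loopback for --passphrase-fd to work in
# batch mode; gpg 1.4 does not know the option and would exit with an error.
# Probe once: if gpg accepts the option alongside --version, emit it.
gpg_opts() {
    if gpg --pinentry-mode loopback --version >/dev/null 2>&1; then
        printf -- '%s\n' --pinentry-mode loopback
    fi
}

# encrypt_stdin PASSFILE OUTFILE
# Opens PASSFILE on a fresh fd (bash picks a free number >= 10), passes that
# number to --passphrase-fd and encrypts whatever arrives on stdin into OUTFILE.
# PASSFILE may be a real file or a process substitution such as <(printf ...).
encrypt_stdin() {
    local passfile=$1 out=$2 fd
    exec {fd}<"$passfile"
    # shellcheck disable=SC2046  # gpg_opts is meant to word-split into options
    gpg --batch --quiet $(gpg_opts) --passphrase-fd "$fd" \
        --symmetric --cipher-algo AES256 --output "$out"
    exec {fd}<&-
}

# decrypt_file PASSFILE INFILE
# Same fd trick in the other direction; plaintext goes to stdout.
decrypt_file() {
    local passfile=$1 in=$2 fd
    exec {fd}<"$passfile"
    # shellcheck disable=SC2046
    gpg --batch --quiet $(gpg_opts) --passphrase-fd "$fd" --decrypt "$in"
    exec {fd}<&-
}

# roundtrip_demo: encrypt a constructed payload with a passphrase file (as in the
# question) and decrypt it with the passphrase supplied via process substitution
# (as in the second answer). Prints the recovered plaintext.
roundtrip_demo() {
    local work passphrase='topsecret'          # constructed demo passphrase
    work="$(mktemp -d)"
    printf '%s' "$passphrase" > "$work/password.key"
    chmod 600 "$work/password.key"             # passphrase files should not be world-readable

    printf '%s' 'backup payload' | encrypt_stdin "$work/password.key" "$work/test.gpg"
    decrypt_file <(printf '%s' "$passphrase") "$work/test.gpg"

    rm -rf "$work"
}

# Stand-alone run: prints "backup payload"
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    roundtrip_demo
fi
```

Because each function opens and closes its own descriptor, nothing is left for a later command to inherit, and the passphrase never appears on the command line where ps could show it. The --pinentry-mode probe is the part most likely to matter if this thread's workaround is carried over to a newer distribution: without loopback mode, gpg 2.1+ ignores the descriptor and falls back to the agent prompt that "--batch" then refuses.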