GNUPG Encryption/Decryption in Batch on OpenVMS
Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 1 of 9 (637 Views)
Accepted Solution

GNUPG Encryption/Decryption in Batch on OpenVMS

I am having a problem decrypting a file in a command procedure because it keeps asking for the passphrase to be entered manually. I want to run this script in Batch eventually, so my question is: does anyone use GNUPG, and can anyone help me with passing the passphrase to the decrypt command from within the script? I currently have the passphrase stored in a file which is read by the procedure; it is then placed into a symbol.

However, the decrypt command doesn't seem interested in the symbol at all.

I saw a comment by Steven (sorry I forgot your surname, but I see you in this forum all the time) relating to a similar problem on HPUX, and I wondered if perhaps he would like to chime in.

Thanks,

Dave.
Honored Contributor
John Gillings
Posts: 2,992
Registered: ‎07-31-2003
Message 2 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Dave,

It depends on how the program has been coded. Do you know if it reads from SYS$INPUT or SYS$COMMAND?

Have you tried PIPE?

$ PIPE WRITE SYS$OUTPUT "passphrase" | GNUPG...

or
$ PIPE TYPE PASSPHRASE.TXT | GNUPG...

Sometimes it may help to redirect SYS$COMMAND to convince a program it's not running interactively, and to read from SYS$INPUT instead of the terminal:

$ PIPE WRITE SYS$OUTPUT "passphrase" | -
(DEFINE/USER SYS$COMMAND NL: ; GNUPG...)

or, if the program reads from SYS$COMMAND unconditionally, maybe:

$ PIPE WRITE SYS$OUTPUT "passphrase" | -
(DEFINE/USER SYS$COMMAND SYS$PIPE ; GNUPG...)

If none of those work, please post your example code and a transcript of what happens.
A crucible of informative mistakes
Honored Contributor
Steven Schweda
Posts: 9,067
Registered: ‎02-23-2005
Message 3 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

As usual, it might help to know which version
of whose GnuPG you're using, and exactly what
you've tried to do with it where, but this
method seems to work for me (still
interactive here, but what could go wrong?):

alp $ pp_symb = "(Oh, wouldn't you like to know?)"

alp $ pipe write sys$output pp_symb | gpg --passphrase-fd 0 FRED.TXT-GPG
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "Steven M. Schweda (Antinode) "
2048-bit ELG-E key, ID 5D5FDBC7, created 2006-08-09 (main key ID FA00E2F4)

gpg: encrypted with 2048-bit ELG-E key, ID 5D5FDBC7, created 2006-08-09
"Steven M. Schweda (Antinode) "

That's using mine, of course:

alp $ gpg --version
gpg (GnuPG) 1.4.8a
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

alp $ write sys$output f$getsyi( "version")
V7.3-2


> It depends on how the program has been
> coded. [...]

I haven't looked too closely at from what it
reads interactively. I don't immediately see
any VMS-specific stuff, so I suspect that it
normally ends up using SYS$COMMAND (one way
or another). (util/ttyio.c with HAVE_CTERMID
defined should use ctermid(), and "HELP CRTL
ctermid" says SYS$COMMAND, but I haven't
verified anything.)
Honored Contributor
Steven Schweda
Posts: 9,067
Registered: ‎02-23-2005
Message 4 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

> I currently have the passphrase stored in a
> file [...]

http://gnupg.org/gph/en/manual.html#AEN513

Protecting your private key

Protecting your private key is the most
important job you have to use GnuPG
correctly. [...]
Honored Contributor
The Brit
Posts: 1,287
Registered: ‎06-18-2007
Message 5 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Thanks for your help, guys.

I was able to make it work using the

$ pipe ty | gpg ...

but curiously enough, it only worked in batch. When I ran it interactively it still seems to stick at the "Enter passphrase:" prompt, although I might be wrong about that. (I tend to think that this really is a "sys$command" issue).

The important thing is that this solution works for me in batch, which is where it will be running.

Thanks again.

Dave.
Honored Contributor
Steven Schweda
Posts: 9,067
Registered: ‎02-23-2005
Message 6 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

> [...] but curiously enough, it only worked
> in batch. [...]

Well, duh. Perhaps SYS$COMMAND is different
in batch mode from what it is in interactive
mode. You think?
Honored Contributor
Steven Schweda
Posts: 9,067
Registered: ‎02-23-2005
Message 7 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

For the record, the
pipe xxx | gpg --passphrase-fd 0 [...]
scheme seems to work in batch mode, too, as
expected.
Occasional Visitor
Jason Michael
Posts: 1
Registered: ‎06-13-2008
Message 8 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

How does one do a batch process using gpg which might include passing in the passphrase, and yet still keep the passphrase secure? Storing the passphrase in a plaintext file which is passed in in batch mode might be a very insecure solution, but how is it supposed to be done?
Honored Contributor
Steven Schweda
Posts: 9,067
Registered: ‎02-23-2005
Message 9 of 9 (637 Views)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

> [...] but how is it supposed to be done?

If the only secure passphrase storage is your
brain, and if your brain is not easily
accessed from a batch job, then I'd tend to
use keys without passphrases in batch jobs.

Other things may be possible, depending on
your actual requirements, but I suspect that
the security provided by a passphrase stored
on a computer may be about as good as that
provided by no passphrase.
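
The PIPE / --passphrase-fd 0 scheme from Messages 3 and 7, written out as a batch command procedure; this is an added example, not code posted by anyone in the thread. The procedure name, GPG_PP.TXT and the output file name are hypothetical, and gpg is assumed to be defined as a foreign command in LOGIN.COM. The protection check only narrows who can read the stored passphrase; it does not change the point made in Message 9.

```dcl
$! GPG_DECRYPT.COM  (hypothetical name; added example, not from the thread)
$ saved_verify = F$VERIFY(0)          ! keep command lines out of the batch log
$ SET NOON                            ! test status ourselves, do not abort
$ pp_file  = "SYS$LOGIN:GPG_PP.TXT"   ! hypothetical passphrase file
$ in_file  = "FRED.TXT-GPG"           ! encrypted input (name used in Message 3)
$ out_file = "FRED.TXT"               ! hypothetical output name
$ exit_status = 44                    ! SS$_ABORT unless gpg reports otherwise
$!
$ IF F$SEARCH(pp_file) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Passphrase file not found: ''pp_file'"
$   GOTO done
$ ENDIF
$!
$! "PRO" returns a string such as "SYSTEM=RWED, OWNER=RWED, GROUP=RE, WORLD=".
$! Require empty GROUP and WORLD fields. ACL entries are not examined here.
$ prot  = F$EDIT(F$FILE_ATTRIBUTES(pp_file, "PRO"), "COLLAPSE,UPCASE")
$ group = F$ELEMENT(2, ",", prot)
$ world = F$ELEMENT(3, ",", prot)
$ IF group .NES. "GROUP=" .OR. world .NES. "WORLD="
$ THEN
$   WRITE SYS$OUTPUT "Refusing to run: ''pp_file' allows GROUP or WORLD access"
$   GOTO done
$ ENDIF
$!
$! The passphrase goes from the file straight to gpg's file descriptor 0;
$! it is never placed in a DCL symbol or written on a command line.
$ PIPE TYPE 'pp_file' | -
   gpg --batch --passphrase-fd 0 --output 'out_file' --decrypt 'in_file'
$ exit_status = $STATUS
$ IF .NOT. exit_status THEN WRITE SYS$OUTPUT "gpg failed, status ", exit_status
$!
$done:
$ IF saved_verify THEN SET VERIFY
$ EXIT exit_status
```

Setting the file to owner-only access beforehand (for example `SET SECURITY/PROTECTION=(S:,O:R,G,W)` on the passphrase file) lets the check pass.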