6

I want to create a script that would automatically encrypt and push to a public GitHub repo some sensitive files I don't want to expose (but do want to keep together with the whole project).

As a solution I decided to encrypt them with GPG. The issue is that I can't find any clues on how to encrypt a particular file with a passphrase passed as a CLI argument to a gpg -c command.

Does anybody know how to do this?

Jeff Schaller
ddnomad

2 Answers

11

Use one of the --passphrase-... options, in batch mode:

  • --passphrase-fd reads the passphrase from the given file descriptor

      echo mysuperpassphrase | gpg --batch -c --passphrase-fd 0 file
    
  • --passphrase-file reads the passphrase from the given file

      echo mysuperpassphrase > passphrase
      gpg --batch -c --passphrase-file passphrase file
    
  • --passphrase uses the given string

      gpg --batch -c --passphrase mysuperpassphrase file
    

These will all encrypt file (into file.gpg) using mysuperpassphrase.

With GPG 2.1 or later, you also need to set the PIN entry mode to “loopback”:

    gpg --batch -c --pinentry-mode loopback --passphrase-file passphrase file

etc.

Decryption can be performed in a similar fashion, using -d instead of -c, and redirecting the output:

    gpg --batch -d --passphrase-file passphrase file.gpg > file

etc.

Stephen Kitt
  • Thanks a lot! Follow-up question: where can I find some kind of man page where **all** commands and options of gpg are listed? (as my ArchLinux man lists just a tiny bit and I found no --passphrase option on the web) – ddnomad Dec 14 '16 at 12:34
  • The [GPG site](https://gnupg.org) has manuals, *e.g.* [Invoking GPG](https://gnupg.org/documentation/manuals/gnupg/Invoking-GPG.html) (which lists all the options for GPG 2.1); the [Debian manpage](https://manpages.debian.org/1/gpg) is also available. – Stephen Kitt Dec 14 '16 at 12:38
  • Could I apply this if I want to decrypt a file? Like `gpg --batch -c --passphrase-file pas.txt --decrypt file.gpg` – alper Jun 18 '20 at 12:08
  • @alper you need to drop the `-c` command, and specify where to write the output: `gpg --batch -d --passphrase-file pas.txt file.gpg > file` – Stephen Kitt Jun 18 '20 at 12:16
  • I have also come up with this using (`--pinentry-mode loopback`): `gpg --output file --pinentry-mode loopback --passphrase-file=pas.txt --decrypt file.gpg`, which also seems to work – alper Jun 18 '20 at 12:22
  • Ah yes, that’s required since version 2.1, I’ll add that to the answer. – Stephen Kitt Jun 18 '20 at 12:39
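
A script-friendly variant of the commands in the answer above, as an added example that is not part of the original posts: it feeds the passphrase to gpg on stdin with `--passphrase-fd 0`, so the secret stays out of argv (where `--passphrase` would place it, readable in process listings) and off disk (unlike `--passphrase-file`). The `GPG_PASSPHRASE` variable and all function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. GPG_PASSPHRASE and the
# function names are assumptions made for this illustration.

# GnuPG 2.1+ needs loopback pinentry; 1.x and 2.0 are assumed not to accept it.
loopback_opt() {
    case "$(gpg --version 2>/dev/null | head -n 1)" in
        *") 1."*|*") 2.0."*) ;;
        *) printf '%s' '--pinentry-mode loopback' ;;
    esac
}

# run_gpg <gpg command and arguments>: feed the passphrase on stdin (fd 0).
# printf is a shell builtin, so the secret never appears in any argv.
run_gpg() {
    [ -n "${GPG_PASSPHRASE:-}" ] || { echo 'GPG_PASSPHRASE is not set' >&2; return 2; }
    # shellcheck disable=SC2046  # word splitting of the option is intended
    printf '%s\n' "$GPG_PASSPHRASE" |
        gpg --batch --yes --quiet $(loopback_opt) --passphrase-fd 0 "$@"
}

encrypt_file() { run_gpg --output "$2" -c "$1"; }   # plaintext -> ciphertext
decrypt_file() { run_gpg --output "$2" -d "$1"; }   # ciphertext -> plaintext

# Round trip on a constructed sample file, in a throwaway GNUPGHOME.
# Returns 0 only if the data survives and a wrong passphrase is rejected.
roundtrip_demo() (
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    printf 'API_KEY=constructed-sample-value\n' > "$tmp/secrets.env"

    GPG_PASSPHRASE='constructed passphrase'
    encrypt_file "$tmp/secrets.env" "$tmp/secrets.env.gpg" || exit 1
    decrypt_file "$tmp/secrets.env.gpg" "$tmp/out" || exit 1
    cmp -s "$tmp/secrets.env" "$tmp/out" || exit 1

    GPG_PASSPHRASE='wrong passphrase'
    if decrypt_file "$tmp/secrets.env.gpg" "$tmp/bad" 2>/dev/null; then exit 1; fi
    exit 0
)
```

In a real script, `GPG_PASSPHRASE` would be set by the caller (for example from a CI secret) rather than hard-coded; it does not need to be exported, because only the shell's builtin `printf` reads it.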
0

I tried the accepted answer but it didn't work out.

I was on Ubuntu 20.04.1 LTS.

Check my answer, which worked out for me.

Debu Shinobi