Bash Script – Source Encrypted GPG File On-the-Fly

bashgpgshell-script

I need a bash script to source a file that is encrypted, as the file being sourced contains sensitive information.

I would like the script to prompt for the GPG passphrase and then run, sourcing the encrypted file. I cannot figure out how to do this though. There must be user input for the passphrase, as I don't want to store a key on the server with the encrypted file.

Looking into some different methods, I do not want to decrypt the file, source the non-encrypted file, then delete it after. I would like to reduce the chance of leaving an non-encrypted file behind, if something went wrong in the script.

Is there a way to get the GPG output of a file to source it this way? Possibly collecting STDOUT and parsing it (if GPG can even output the contents this way).

Also, if there is another way to encrypt a file that shell scripts can use, I am not aware of it, but open to other possibilities.

Best Answer

You can do this using process substitution.

. <(gpg -qd "$encrypted_filename")

Here's an example:

% cat > to-source <<< 'echo "Hello"'
% . ./to-source                     
Hello
% gpg -e -r chris@chrisdown.name to-source
% . <(gpg -qd to-source.gpg)
Hello

gpg -d does not persist the file to disk, it just outputs it to stdout. <() uses a FIFO, which also does not result in the actual file data being written to disk.

In bash, . and source are synonyms, but . is more portable (it's part of POSIX), so I've used it here. Note, however, that <() is not as portable -- as far as I know it's only supported in bash, zsh, ksh88, and ksh93. pdksh and mksh have coprocesses which can have the same effect.

Related Solutions

Way to edit a password-protected file without having to retype the password all the time

The GPG man page has several options you're probably interested in, that you could work into your own personal decrypt-edit-encrypt script/function. Like:

--passphrase-fd n - Read the passphrase from file descriptor n
--passphrase-file file - Read the passphrase from file file... Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it.
--passphrase string - Use string as the passphrase... Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it.

Placing a keyfile in ram (tmpfs) and not readable by anyone else might be adequate. Or for Linux you could look into the kernel's key management facility i.e. keyctl

Why doesn’t gpg need us to specify which keys for encryption and decryption

GnuPG will use the first key found in the secret keyring if neither --default-user nor --local-user is specified. You may also define the default key to be used with

default-key KEYID

in ~/.gnupg/gpg.conf.

Symmetric encryption does not involve any public or private keys. The passphrase that you enter is used to both encrypt and decrypt the message (hence "symmetric").

In your example, you will not be asked for the passphrase when decrypting because the gpg-agent process has cached the passphrase that you used when encrypting the message. If you terminated the agent and tried to decrypt the message again, you would be asked for the passphrase.

If you share your doc.gpg file and if it's encrypted with symmetric encryption, you would also need to share the passphrase somehow for enabling the recipients to decrypt the message. Anyone with the passphrase would be able to decrypt the message.

When using key encryption with signing, it would be enough to share you public key (for verification of the signature). Without signing, you don't have to share your key. Using key encryption, the message would be encrypted for one or several specific recipients, so you would need to have their public keys to perform the encryption. Without access to the private keys of the specific recipients, the message would not be able to be decrypted.

Best Answer

Related Solutions

Way to edit a password-protected file without having to retype the password all the time

Why doesn’t gpg need us to specify which keys for encryption and decryption

Related Question