topic Re: GNUPG Encryption/Decryption in Batch on OpenVMS in Operating System - OpenVMS

GNUPG Encryption/Decryption in Batch on OpenVMS

The Brit — Tue, 11 Mar 2008 18:17:15 GMT

I am having a problem decrypting a file in a command procedure because it keeps asking for the passphrase to be entered manually. I want to run this script in Batch eventually, so my question is,
Does anyone use GNUPG, and can anyone help me with passing the passphrase to the decrypt command from within the script? I currently have the passphrase stored in a file which is read by the procedure, it is then placed into a symbol.

however the decrypt command doesn't seem interested in the symbol at all.

I saw a comment by Steven (sorry I forgot your surname, but I see you in this forum all the time) relating to a similar problem on HPUX, and I wondered if perhaps he would like to chime in.

thanks,

Dave.

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

John Gillings — Tue, 11 Mar 2008 22:47:11 GMT

Dave,

It depends on how the program has been coded. Do you know if it reads from SYS$INPUT or SYS$COMMAND?

Have you tried PIPE?

$ PIPE WRITE SYS$OUTPUT "passphrase" | GNUPG...

or
$ PIPE TYPE PASSPHRASE.TXT | GNUPG...

Sometimes it may help to redirect SYS$COMMAND to convince a program it's not running interactively, and to read from SYS$INPUT instead of the terminal:

$ PIPE WRITE SYS$OUTPUT "passphrase" | -
(DEFINE/USER SYS$COMMAND NL: ; GNUPG...)

or, if the program reads from SYS$COMMAND unconditionally, maybe:

$ PIPE WRITE SYS$OUTPUT "passphrase" | -
(DEFINE/USER SYS$COMMAND SYS$PIPE ; GNUPG...)

If none of those work, please post your example code and a transcript of what happens.

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Steven Schweda — Wed, 12 Mar 2008 11:15:45 GMT

As usual, it mught help to know which version
of whose GnuPG you're using, and exactly what
you've tried to do with it where, but this
method seems to work for me (still
interactive here, but what could go wrong?):

alp $ pp_symb = "(Oh, wouldn't you like to know?)"

alp $ pipe write sys$output pp_symb | gpg --passphrase-fd 0 FRED.TXT-GPG
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "Steven M. Schweda (Antinode) "
2048-bit ELG-E key, ID 5D5FDBC7, created 2006-08-09 (main key ID FA00E2F4)

gpg: encrypted with 2048-bit ELG-E key, ID 5D5FDBC7, created 2006-08-09
"Steven M. Schweda (Antinode) "

That's using mine, of course:

alp $ gpg --version
gpg (GnuPG) 1.4.8a
Copyright (C) 2007 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /SYS$LOGIN/gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

alp $ write sys$output f$getsyi( "version")
V7.3-2

> It depends on how the program has been
> coded. [...]

I haven't looked too closely at from what it
reads interactively. I don't immediately see
any VMS-specific stuff, so I suspect that it
normally ends up using SYS$COMMAND (one way
or another). (util/ttyio.c with HAVE_CTERMID
defined should use ctermid(), and "HELP CRTL
ctermid" says SYS$COMMAND, but I haven't
verified anything.)

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Steven Schweda — Wed, 12 Mar 2008 11:24:14 GMT

> I currently have the passphrase stored in a
> file [...]

http://gnupg.org/gph/en/manual.html#AEN513

Protecting your private key

Protecting your private key is the most
important job you have to use GnuPG
correctly. [...]

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

The Brit — Wed, 12 Mar 2008 17:34:32 GMT

Thanks for your help Guys.

I was able to make it work using the

$ pipe ty | gpg ...

but curiously enough, it only worked in batch. When I ran it interactively it still seems to stick at the "Enter passphrase:" prompt, although I might be wrong about that. (I tend to think that this really is a "sys$command" issue).

The important thing is that this solution works for me in batch, which is where it will be running.

Thanks again.

Dave.

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Steven Schweda — Wed, 12 Mar 2008 17:41:00 GMT

> [...] but curiously enough, it only worked
> in batch. [...]

Well, duh. Perhaps SYS$COMMAND is different
in batch mode from what it is in interactive
mode. You think?

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Steven Schweda — Wed, 12 Mar 2008 17:53:40 GMT

For the record, the
pipe xxx | gpg --passphrase-fd 0 [...]
scheme seems to work in batch mode, too, as
expected.

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Jason Michael — Fri, 13 Jun 2008 17:00:47 GMT

how does one do a batch process using gpg which might include passing in the passphrase, and yet still keep the passphrase secure? storing the passphrase in a plaintext file which is passes in in batch mode might be a very insecure solution, but how is it supposed to be done?

Re: GNUPG Encryption/Decryption in Batch on OpenVMS

Steven Schweda — Fri, 13 Jun 2008 17:21:30 GMT

> [...] but how is it supposed to be done?

If the only secure passphrase storage is your
brain, and if your brain is not easily
accessed from a batch job, then I'd tend to
use keys without passphrases in batch jobs.

Other things may be possible, depending on
your actual requirements, but I suspect that
the security provided by a passphrase stored
on a computer may be about as good as that
provided by no passphrase.