How to encrypt a file symmetrically with gpg / gpg2?

I was looking for a way to symmetrically encrypt a file (no key use, just a passphrase).
But reading this thread

I understand it is not possible at the moment.
Is that correct?
Thanks

How is that related to ncurses? (And especially its old ABI in particular)

Oops, search/interpretation failure of mine?

Honestly, I don't really get what they talk about.

gpg2 complains that pinentry is missing, but pinentry seems to need libncursesw, which has not been enabled for reasons that sound like ancient Greek to me.

Perhaps I should simply have asked ‘How can I encrypt a file in my phone?’.

1 Like

Presumably all you need is a newly compiled version of pinentry then.

1 Like

Ok, thanks.
So apart from finding the sources and compiling (alas yet obscure to me), no way, atm, to encrypt files on device. Right?

With little or no legwork, perhaps not (nothing immediately comes to mind). Otherwise there are probably a dozen.

No legwork problem. Can walk to the moon for Sf, N900…
But Brainwork problem. :–)

If you just want to encrypt and decrypt using a symmetric cypher and a passphrase, you could install the openssl tools to do this:

devel-su pkcon install openssl

Then to encrypt a file:

openssl enc -e -aes256 -pbkdf2 -in file_to_encrypted.txt -out encrypted.dat

and to decrypt it again:

openssl enc -d -aes256 -pbkdf2 -in encrypted.dat -out unecrypted_file.txt

These options are set to use AES as the encryption algorithm and PBKDF2 to derive a key from your passphrase.

Hope this helps.

7 Likes

Lovely, much thanks :–) !

1 Like

I have found that after installing jolla-email-cryto-gnupg, gpg can prompt for a password.

4 Likes

Thank you @nephros for mentioning this work linking GnuPG with the system. Actually, you can just install sailfishsecretsdaemon-cryptoplugins-gnupg if you need a pin entry provided by lipstick and using the system UI.

Besides, OpenSSL tools are also nice in that regard. I mean, to encrypt or decrypt data.

4 Likes

Great, finally so many solutions!
Thanks +++

1 Like

Yes, IMO you should have done that instead of performing wild guesses and asking “Can we encrypt a file on the phone with gpg2?”, without specifying who “we” are.

The answer to your rephrased question is a bold “Yes, you sure can!”. That even does not require any of the complications others denoted here, as installing OpenSSL, a Pinentry substitute or any other RPM.

All it takes is an internet search engine, some RTFM and the will to learn something! That would have quickly taken you to the point, where you might have discovered that a simple gpg --batch --passphrase 'abc' -c file creates a file.gpg symmetrically encrypted with the passphrase abc and gpg --batch --passphrase 'abc' -d file.gpg > file decrypts it to file, overwriting it, when it exists.

There are many variants of this, when you intend to encrypt multiple files by a single gpg call (--multifile), silence the informational output (-q), avoid overwriting files and determine the name of the output file (both by -o) etc.

To study and comprehend all this, the usual start is the man-page on your desktop computer by calling man gpg or searching the WWW for man gpg (my first hit). As the whole GnuPG suite is GNU software created in the name of the awful FSF, which hates man-pages (because they created the “far superior” info tool, which nobody uses, except for them), the info-page may be (even) more informative: Type info gpg on your desktop computer to view it.

There is even more elaborate information available at gnupg.org, e.g., the classic “Gpg Privacy handbook (GPH)” in its German variant (old, but still worth reading) or the vast English documentation.

But most important is to understand why gpg defaults to use pinentry! Because handling passphrases at the UNIX command line is inherently insecure, especially if you are not the sole user and also the sole admin of that machine (hence far less critical on a typical SailfishOS device). Still one does not really want a passphrase to end up in the shell’s history file, the process list etc. and one should not become accustomed to doing so. This is also why putting plain passphrases into any file is a very bad idea™. Still one can easily construct a “mini-pinentry” at the command line by using read and printf / echo, see below. Additionally one should use some KDF (key derivation function) for memorise-able passphrases (as @nephros already suggested for OpenSSL), here (the hashed passphrase is not stored) a simple sha256 is sufficient for this purpose.

BTW, if you want state-of-the-art secrecy / security, do not use symmetric encryption directly, do use a public key for encryption and its corresponding private key in an encrypted “keyring” file for decryption instead. GnuPG handles all this nicely and easily.

All in all my command lines to en- and decrypt a single file symmetrically would be:

  • Encrypt: printf '%s' "$(read -p 'Passphrase:' pass; printf '%s' "$pass")" | sha256sum -bz | gpg --quiet --batch --no-symkey-cache --passphrase-fd 0 -c file
  • Decrypt: printf '%s' "$(read -p 'Passphrase:' pass; printf '%s' "$pass")" | sha256sum -bz | gpg --quiet --batch --no-symkey-cache --passphrase-fd 0 -o file -d file.gpg
1 Like
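
The "mini-pinentry" idea from the post above, as an added example that is not part of the thread: it reads the passphrase without echo, rejects an empty passphrase or an existing output file, and feeds gpg on fd 0 so nothing reaches the shell history or the process list. It assumes GnuPG 2.1 or later (for `--pinentry-mode loopback`) and uses GnuPG's own salted, iterated S2K as the KDF; the function names `read_passphrase`, `run_gpg`, `sym_encrypt` and `sym_decrypt` are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GnuPG 2.1 or later
# (for --pinentry-mode loopback) and a POSIX shell with stty.

# read_passphrase PROMPT: read one line from stdin and print it without the
# trailing newline. Terminal echo is switched off only when stdin is a tty.
read_passphrase() {
    if [ -t 0 ]; then
        printf '%s' "$1" >&2
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"; exit 130' INT TERM   # restore echo on Ctrl-C
        stty -echo
        IFS= read -r pass_line
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r pass_line
    fi
    printf '%s' "$pass_line"
}

# run_gpg IN OUT GPG-ARGS...: shared checks, then feed the passphrase on fd 0.
# printf is a shell builtin, so the passphrase never appears in any argv.
run_gpg() {
    in=$1 out=$2; shift 2
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }
    [ ! -e "$out" ] || { echo "refusing to overwrite $out" >&2; return 1; }
    pass=$(read_passphrase 'Passphrase: ')
    [ -n "$pass" ] || { echo "empty passphrase rejected" >&2; return 1; }
    printf '%s' "$pass" | gpg --quiet --batch --no-tty \
        --pinentry-mode loopback --passphrase-fd 0 --output "$out" "$@" "$in"
    status=$?
    unset pass
    return "$status"
}

# AES-256 with GnuPG's own salted, iterated S2K (mode 3) as the KDF.
sym_encrypt() {
    run_gpg "$1" "$2" --cipher-algo AES256 --s2k-mode 3 \
        --s2k-digest-algo SHA512 --s2k-count 65011712 --symmetric
}
sym_decrypt() { run_gpg "$1" "$2" --decrypt; }
```

After sourcing the functions in an interactive shell, `sym_encrypt file file.gpg` prompts for the passphrase and `sym_decrypt file.gpg file` reverses it.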

Wow, this is almost a double subject course.
Thank you for giving it, so richly, although I started on this subject kind of inadequately.
And much better understandable to my thin knowledge than those FM! :–)

2 Likes

For fairness' sake, it's quite hard to find the right search terms and stumble upon the right path sometimes. We’ve all gone down some overly complicated paths before :wink:

Keep on learning! :slight_smile:

3 Likes