@cellularmitosis
Last active May 4, 2020 09:29
encrypt.sh and decrypt.sh

Blog 2019/4/29

Just a couple of simple wrappers around gpg.

decrypt.sh:

```bash
#!/bin/bash
set -e -o pipefail
# By default, gpg-agent will cache any passphrase that you enter.
# This means that if you decrypt a file once, you can then decrypt it
# a second time without being prompted for a passphrase. Yikes!
# Unfortunately, there doesn't seem to be a way to disable passphrase
# caching on a per-invocation basis -- you must use a config file.
# Here, we refuse to run if the user hasn't disabled passphrase caching, to
# protect newbs. Savvy users who desire passphrase caching will edit this
# script.
conf="${HOME}/.gnupg/gpg-agent.conf"
if [ ! -e "${conf}" ]
then
    mkdir -p -m 700 "${HOME}/.gnupg"
    echo "default-cache-ttl 0" > "${conf}"
    # An already-running agent only sees the new setting after a reload.
    gpgconf --reload gpg-agent || true
fi
# Require an uncommented "default-cache-ttl 0" line; other options may be present.
if ! grep --silent --extended-regexp '^[[:space:]]*default-cache-ttl[[:space:]]+0[[:space:]]*$' "${conf}"
then
    echo "ERROR: gpg-agent passphrase caching hasn't been disabled, refusing to run!" >&2
    exit 1
fi
nice gpg --use-embedded-filename "${1}"
```

encrypt.sh:

```bash
#!/bin/bash
set -e -o pipefail
# By default, gpg-agent will cache any passphrase that you enter.
# This means that if you decrypt a file once, you can then decrypt it
# a second time without being prompted for a passphrase. Yikes!
# Unfortunately, there doesn't seem to be a way to disable passphrase
# caching on a per-invocation basis -- you must use a config file.
# Here, we refuse to run if the user hasn't disabled passphrase caching, to
# protect newbs. Savvy users who desire passphrase caching will edit this
# script.
conf="${HOME}/.gnupg/gpg-agent.conf"
if [ ! -e "${conf}" ]
then
    mkdir -p -m 700 "${HOME}/.gnupg"
    echo "default-cache-ttl 0" > "${conf}"
    # An already-running agent only sees the new setting after a reload.
    gpgconf --reload gpg-agent || true
fi
# Require an uncommented "default-cache-ttl 0" line; other options may be present.
if ! grep --silent --extended-regexp '^[[:space:]]*default-cache-ttl[[:space:]]+0[[:space:]]*$' "${conf}"
then
    echo "ERROR: gpg-agent passphrase caching hasn't been disabled, refusing to run!" >&2
    exit 1
fi
nice gpg --symmetric --cipher-algo AES256 "${1}"
```
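
The caching guard in both scripts hinges on how the `default-cache-ttl 0` line is detected. The following added example (not part of the original gist) runs an inverted-match test and an anchored positive match over constructed `gpg-agent.conf` contents; the function names and sample files are assumptions made for illustration.

```shell
#!/bin/bash
# Added example, not from the gist. File names and contents are constructed.

# Inverted match (-v): succeeds when ANY line lacks the pattern, so it reacts
# to unrelated lines and stays silent on an empty or commented-out config.
inverted_check_flags() {
    grep -q -v "default-cache-ttl 0" "$1"
}

# Positive, anchored match: true only when an uncommented line sets
# default-cache-ttl to exactly 0.
cache_disabled() {
    [ -f "$1" ] && grep -q -E '^[[:space:]]*default-cache-ttl[[:space:]]+0[[:space:]]*$' "$1"
}

# classify <conf>: print the verdict of both checks for one config file.
classify() {
    local inv=ok pos=enabled
    if inverted_check_flags "$1"; then inv=flagged; fi
    if cache_disabled "$1"; then pos=disabled; fi
    echo "inverted=${inv} positive=${pos}"
}

# Build constructed sample configs in a temp dir and classify each one.
demo() {
    local dir f
    dir="$(mktemp -d)"
    printf 'default-cache-ttl 0\n'                  > "${dir}/only.conf"
    printf 'max-cache-ttl 0\ndefault-cache-ttl 0\n' > "${dir}/mixed.conf"
    printf '# default-cache-ttl 0\n'                > "${dir}/commented.conf"
    printf 'default-cache-ttl 600\n'                > "${dir}/ttl600.conf"
    : > "${dir}/empty.conf"
    for f in only mixed commented ttl600 empty; do
        printf '%-10s %s\n' "${f}" "$(classify "${dir}/${f}.conf")"
    done
    rm -rf "${dir}"
}

demo
```

The `mixed` case is a false alarm for the inverted test (caching is disabled, yet it flags the file), while `commented` and `empty` are misses (caching is still enabled, yet nothing is flagged).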