LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-01-2017, 09:32 AM   #1
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237
Blog Entries: 2

Rep: Reputation: Disabled
How to use GPG to encrypt multiple files?


Is it at all possible to symmetrically encrypt multiple files via GPG.. To be more specific I need to encrypt a bunch of files that I just created in a batch with names such as a.txt, 1.txt, A.txt, 2.txt, etc.. But the caveat is they all must be encrypted with different passphrases..
 
Old 06-01-2017, 09:51 AM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
gpg only handles files one at a time when doing symmetric encryption. You would have to do a loop of some kind.


Code:
for f in *.txt; do gpg --symmetric "$f"; done;
 
Old 06-01-2017, 11:11 AM   #3
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Thanks I came up with this and it works, but the output is "file.txt.pgp" do you know how I can get rid of the .txt part?

Code:
#1/bin/bash
for f in `ls -1 *.txt`; do
password=$(pwgen -sy -1 100)
echo "$password:$f" | gpg --no-use-agent -c --passphrase "$password" > $f.pgp

Last edited by justmy2cents; 06-01-2017 at 11:17 AM.
 
Old 06-01-2017, 11:17 AM   #4
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Yes, you'd have to calculate the final name and then add the --output option to gpg. As for figuring out the name without .txt before doing the encryption, see Manipulating Strings if you are using bash.
 
Old 06-01-2017, 12:54 PM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187
One pragmatic possibility would be to encrypt each of the files, one at a time (each with their individual passphrases), then put them all into a "zip" archive.

Of course, being encrypted, they won't compress at all. But, the single "zip" file will still contain the individual members in a single file from which any member can be extracted, and "everyone on Earth will know how."
 
Old 06-01-2017, 01:08 PM   #6
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Yes, you'd have to calculate the final name and then add the --output option to gpg. As for figuring out the name without .txt before doing the encryption, see Manipulating Strings if you are using bash.
Ill just make a bunch of files without the .txt extension, but ill remember this for future scenarios, thank you.
 
Old 06-01-2017, 01:12 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
No problem. As an alternative, you could instead run rename over them after the loop is done creating them.
 
Old 06-01-2017, 01:15 PM   #8
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
One pragmatic possibility would be to encrypt each of the files, one at a time (each with their individual passphrases), then put them all into a "zip" archive.

Of course, being encrypted, they won't compress at all. But, the single "zip" file will still contain the individual members in a single file from which any member can be extracted, and "everyone on Earth will know how."
My plan with this is to symmetrically encrypt 152 private key files, which are all meaningless. Only one file in that batch of 152 key files will contain a useful private key that opens my Keepassx database key (which is also encrypted with a symmetric cipher).. This is attempt to secure my private key, and Keepassx database key..

Last edited by justmy2cents; 06-01-2017 at 04:20 PM.
 
Old 06-01-2017, 01:26 PM   #9
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Is the above a bad idea ^?
 
Old 06-01-2017, 01:27 PM   #10
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Cool

Quote:
Originally Posted by Turbocapitalist View Post
No problem. As an alternative, you could instead run rename over them after the loop is done creating them.
Awesome thanks for the tip broskies!
 
Old 06-02-2017, 08:04 AM   #11
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Rep: Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187Reputation: 3187
Quote:
Originally Posted by justmy2cents View Post
My plan with this is to symmetrically encrypt 152 private key files, which are all meaningless. Only one file in that batch of 152 key files will contain a useful private key that opens my Keepassx database key (which is also encrypted with a symmetric cipher).. This is attempt to secure my private key, and Keepassx database key..
I suggest that this is needless complexity. Once someone figures out your "security through obscurity" system, they know that they only need to attack one file. Furthermore, in order to access any of the 151(!) files, you must handle a separate key for each.

Instead, I suggest that you secure the collection of files using one or more certificates, each one issued individually to an authorized recipient. This makes the data far more secure than any "password" could ever allow it to be, while simultaneously making it very convenient(!) for the authorized recipient(s) to handle.

If the system is cumbersome, it probably won't be used as you intended. I myself could not imagine being expected to handle 150 separate keys. Let me give you my public key and you can just encrypt the files using it. No further attempts at "security" are actually needed beyond this. The fact that it is encrypted using a lengthy digital key, that only I possess, is enough. Forget "keypassX." Forget passwords.

Cryptography Rule #1: K. I. S. S.

Last edited by sundialsvcs; 06-02-2017 at 08:07 AM.
 
Old 06-02-2017, 09:46 AM   #12
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Quote:
Originally Posted by justmy2cents View Post
. . . will contain a useful private key that opens my Keepassx database key (which is also encrypted with a symmetric cipher). . .
Passphrases and RSA keys can be embedded in dongles such that they cannot be read or extracted from the dongle. Yubikey and Nitrokey are two that I recall off the top of my head. Neither are cheap but if you get a pair, one for use one for backup, then I think it may fulfill the same goal.

Here's a recent blog post about using a Yubikey 4.
 
Old 06-02-2017, 09:54 AM   #13
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by sundialsvcs View Post
I suggest that this is needless complexity. Once someone figures out your "security through obscurity" system, they know that they only need to attack one file. Furthermore, in order to access any of the 151(!) files, you must handle a separate key for each.
Thanks for your input, you're correct this is a "security through obscurity" system but maybe you misunderstood (or I don't understand something), but I don't plan to "handle" the other 151 keys (but just the one key that I use), as I only make one key then copy it 151 times. Also their all symmetrically enciphered with the same length passphrase so they'll all be similar sizes.. It's true once they understand how this system is set out they be more knowledgeable on what to do. But nevertheless it should be a gamble as there's 152 similar looking files, and I don't see how they could tell which one is my real key.. They would have to waste time brute forcing each one (two times as the pwgen pass is an overlay over the default required pass).. In the end though I'll probably just opt for the certificate idea because its seems more convenient. Thanks again!

Last edited by justmy2cents; 06-02-2017 at 03:23 PM.
 
Old 06-02-2017, 10:23 AM   #14
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,513
Blog Entries: 3

Rep: Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784Reputation: 2784
Quote:
Originally Posted by justmy2cents View Post
I don't see how they could tell which one is my real key..
Most file systems still mount with some variant of atime active. So, maybe on of these?

Code:
stat --printf "%x\n" ./*.key

stat --printf "%z\n" ./*.key
 
Old 06-02-2017, 10:39 AM   #15
justmy2cents
Member
 
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 237

Original Poster
Blog Entries: 2

Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
Most file systems still mount with some variant of atime active. So, maybe on of these?

Code:
stat --printf "%x\n" ./*.key

stat --printf "%z\n" ./*.key
I cant try that out atm whatever it is (recently used key history?) but maybe a Bleachbit run can clean that out..
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Trying to use GPG to encrypt/decrypt backup files usao Linux - Security 10 05-09-2016 12:10 AM
[SOLVED] GPG Encrypt without filename jonnybinthemix Linux - Newbie 15 06-13-2014 07:57 AM
gpg --verify multiple files Phorize Slackware 8 06-22-2011 07:25 AM
Encrypt backups with GPG to multiple tapes TBKDan Linux - Software 11 10-30-2009 01:09 AM
What is the best way to encrypt emails? GPG? abefroman Linux - Security 5 08-28-2009 04:54 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:43 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration