GPG Encryption Script Issues

jonnybinthemix · 06-10-2014, 11:50 AM

Hey Guys,

I wonder if someone could help shed some light on the problems I'm having with my script.

I'm pretty new to BASH and have been learning loads lately, so I'm actually quite happy with how far I've come on my own, however I have a question..

I'll put my script below. So my question on most of it, is have I done it the 'right' way and could I have made it simpler? Or is there a nicer way of doing anything?

My second question is specifically with the GPG bit, although the password is stored in the file /root/.gpgpass - it still pops up and asks for the password if it's not run within a couple of hours.. almost like it's only caching the password and when it expires it requires human interaction. Is there another way of doing this without putting the password in plain text within the script and without any human interaction?

Code:

#!/bin/bash

#Declare the variables... change these as needed if the script is run on another server or the locations change.
HOST=ftp-server
USER=ftpxfer
PASS=pass
FILE=test.csv.gpg
FTPLOG=/tmp/ftplogfile
OUTPUT=/scripts/test.csv

ftp -inv $HOST <<! > $FTPLOG

quote USER $USER

quote PASS $PASS

get $FILE

bye
!

if fgrep "226 Transfer complete" $FTPLOG ; then
	echo "FTP TRANSFER SUCCESS"
else
	echo "FTP TRANSFER ERROR - Send email could go here."

fi

gpg --passphrase-file /root/.gpgpass --output $OUTPUT --decrypt $FILE

cp $OUTPUT /storage

exit 0

sag47 · 06-10-2014, 05:13 PM

I share with you my scripts as well (encrypt and decrypt). I use the scripts to encrypt whole drives. Typically terabytes on a file by file basis and then gpg sign the sha1sum.txt files.

One thing you can do is use the expect command in your script. I've used the pexpect python library on one of my side projects. It executes a script call cert.sh and then when there's user prompt it automates responses.

From the Esoteric Options docs on GPG here's a quote.

Quote:

--passphrase-file file
Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it. Note that this passphrase is only used if the option --batch has also been given. This is different from gpg.

Your gpg command is not using the --batch option so it's likely not using that option at all. The gpg-agent is likely caching your password and you're prompted after a set expiration. If you need to automate gpg why not just remove the password from the key you're using? It's roughly equivalent. Also you shouldn't need to enter a passphrase at all if you're encrypting. But you would need to if you're signing just FYI.

SAM