Quote:
Originally Posted by Sum1
Code:
gpg -e --passphrase-file /home/abc/phrase.txt --batch -r john@johnsmith.com /home/abc/somefile.tar.gz
|
That command does the following:
Tells gpg to encrypt a file,
Code:
--passphrase-file /home/abd/phrase.txt
using a passphrase found in the specified file, indicating we're using symmetric encryption,
in non-interactive mode,
Code:
-r john@johnsmith.com
encrypting the symmetric key using an asymmetric, public key associated with "john@johnsmith.com",
Code:
/home/abc/somefile.tar.gz
...and that's the file to be encrypted.
Quote:
Originally Posted by Sum1
2. The public key on the cloud-based CentOS7 is then exported:
Code:
gpg --output public.gpg --armor --export john@johnsmith.com
|
OK, so now anyone in possession of
public.gpg can send "john@johnsmith.com" encrypted data. Not sure what that has to do with your file, though.
Quote:
Originally Posted by Sum1
3. The encrypted file, the pass-phrase file, and public key is then obtained and imported on Local Fedora 32 machine:
Code:
scp john@cloud-centos7:/home/abc/phrase.txt /home/john
Code:
scp john@cloud-centos7:/home/abc/somefile.tar.gz.gpg /home/john
Code:
scp john@cloud-centos7:/home/abc/public.gpg /home/john
Code:
gpg --import public.gpg
|
The Fedora machine now has a passphrase file, the public key belonging to "john@johnsmith.com", and a file encrypted with a session key that in turn is encrypted using the public key of "john@johnsmith.com".
Quote:
Originally Posted by Sum1
4. Attempts to decrypt the file using the passphrase file and without it fail:
Code:
gpg --passphrase-file /home/john/phrase.txt --batch -d --output /home/john/somefile.tar.gz /home/john/somefile.tar.gz.gpg
gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXXXX, created 2019-11-23
"john smith <john@johnsmith.com>"
gpg: decryption failed: No secret key
[mhf@zxc ~]$ gpg -d --output /home/john/somefile.tar.gz /home/john/somefile.tar.gz.gpg
gpg: encrypted with 2048-bit RSA key, ID XXXXXXXXXXXXXXXXXX, created 2019-11-23
"john smith <john@johnsmith.com>"
gpg: decryption failed: No secret key
|
Which is entirely as expected, as the file was encrypted using
john@johnsmith.com's public key. John will obviously need his private key in order to decrypt it.
You're mixing two very different encryption concepts here: Symmetrically encrypting data using a passphrase (a shared key) that both parties will need to have, and using asymmetric encryption to encrypt a (symmetric and usually random) session key using the recipient's public key, which means only the recipient can decrypt the key that in turn is used to decrypt the data.
Really, the "--passphrase-file" and "-r" options are sort of mutually exclusive, or at least "--passphrase-file" should be redundant on a system with a decent pseudo-random number generator.
TL;DR: If you want to use symmetric encryption, specify "--symmetric" and drop the "-r". If you want to use asymmetric encryption, specify "-r
recipient@domain.com" and remove "--passphrase-file".
