Terminal Takeaway 🥡

Simple password-based AES-256 symmetric encryption using gpg:

Try it:

# Make a file
echo 'pkgs.org is a distro search engine for packages!' > 1-toencrypt.txt
# Encrypt
gpg -cao 2-encrypted.txt --cipher-algo AES256 --no-symkey-cache 1-toencrypt.txt
# Decrypt
gpg -o 3-unencrypted.txt --no-symkey-cache 2-encrypted.txt

Result:

├─ 1-toencrypt.txt
├─ 2-encrypted.txt
└─ 3-unencrypted.txt

Breakdown:

# Make a file containing a secret
echo 'pkgs.org is a distro search engine for packages!' > toencrypt.txt

# Encrypt toencrypt.txt using AES256
gpg -cao encrypted.txt --cipher-algo AES256 --no-symkey-cache toencrypt.txt
	# -c | --symmetric, Encrypt with a symmetric cipher using a passphrase.
	# -a | --armor, use ASCII "armored" output instead of binary (useful for email, web POST, etc.)
	# -o | --output <file>, output file (default: input file name with ".asc" appended)
	# --cipher-algo <algorithm>, which algorithm to use (default: AES128)
		# Bonus: See which algorithms `gpg` supports by using `gpg --version`
	# --no-symkey-cache, disable gpg's default behavior of caching passwords

# Enter password at prompts

# Output encrypted file
cat encrypted.txt

-----BEGIN PGP MESSAGE-----

jA0ECQMCBXVoK9eD6ar/0nYBBz0B2EX0Z7R6UaOjjwDUNl3TublbeCy7rlJ7j6+t
Nqmvbm1wgmqsY/eY8171wMDInaa1M/VAoRFSIDRTAkx798ymbbsx/CUJakRH3Kll
kpWG1UfyDqUgWACOgpQxvjZyA4qhlruvYuI7IXeb0KEskFUEMdeQ
=33Fs
-----END PGP MESSAGE-----

# Unencrypt
gpg -o unencrypted.txt --no-symkey-cache encrypted.txt
	# -o | --output <file>
	# --no-symkey-cache, disable gpg's default behavior of caching passwords

# Enter password at prompt

# Output unencrypted file
cat unencrypted.txt

pkgs.org is a distro search engine for packages!
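The same encrypt / decrypt flow, driven from a script so it can be checked rather than typed at the prompts. This is an added example, not code from the original post: it assumes GnuPG 2.1+ (for --pinentry-mode loopback, which lets the passphrase come from stdin via --passphrase-fd 0 instead of the command line, where `ps` could show it) and GnuPG 2.2.7+ for --no-symkey-cache, which is passed on every call so gpg-agent state never affects the result. It also confirms, by reading the symkey packet with --list-packets, that the file really was encrypted with AES-256 (OpenPGP cipher id 9; AES-128 is 7), checks that a wrong passphrase is rejected, and runs inside a throwaway GNUPGHOME so nothing touches your real keyring or agent. The passphrase and sample text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): scripted gpg -c / AES256 round trip.
# Assumes GnuPG 2.1+ (--pinentry-mode loopback) and 2.2.7+ (--no-symkey-cache).

# Throwaway GNUPGHOME so the demo never touches the user's keyring or running agent.
gpg_demo_setup() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

gpg_demo_teardown() {
    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent started for this home
    rm -rf "$GNUPGHOME"
}

# gpg_sym_encrypt PASSPHRASE IN OUT : ASCII-armored AES-256 symmetric encryption,
# passphrase read from stdin (fd 0) rather than from an argument.
gpg_sym_encrypt() {
    printf '%s' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --cipher-algo AES256 --no-symkey-cache -cao "$3" "$2"
}

# gpg_sym_decrypt PASSPHRASE IN OUT : exit status is gpg's, non-zero on a bad passphrase.
gpg_sym_decrypt() {
    printf '%s' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --no-symkey-cache -o "$3" -d "$2"
}

# gpg_sym_cipher_id PASSPHRASE FILE : cipher algorithm id from the
# ":symkey enc packet:" line (9 = AES-256, 8 = AES-192, 7 = AES-128).
# Verifies what --cipher-algo actually produced instead of trusting the flag.
gpg_sym_cipher_id() {
    printf '%s' "$1" | gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        --list-packets "$2" 2>/dev/null \
        | sed -n 's/^:symkey enc packet:.*cipher \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Full round trip. Returns 0 only if: encryption works, the packet says AES-256,
# a wrong passphrase is rejected, and the decrypted text equals the original.
# Sets GPG_DEMO_CIPHER_ID as a side effect.
gpg_demo_roundtrip() {
    gpg_demo_setup || return 1
    pass='demo-passphrase-only'                                   # constructed for the demo
    secret='pkgs.org is a distro search engine for packages!'     # constructed sample text
    plain="$GNUPGHOME/toencrypt.txt"
    enc="$GNUPGHOME/encrypted.txt"
    dec="$GNUPGHOME/unencrypted.txt"
    printf '%s\n' "$secret" > "$plain"
    rc=1
    if gpg_sym_encrypt "$pass" "$plain" "$enc" \
        && GPG_DEMO_CIPHER_ID=$(gpg_sym_cipher_id "$pass" "$enc") \
        && [ "$GPG_DEMO_CIPHER_ID" = 9 ] \
        && ! gpg_sym_decrypt 'not-the-passphrase' "$enc" "$dec" 2>/dev/null \
        && gpg_sym_decrypt "$pass" "$enc" "$dec" \
        && [ "$(cat "$dec")" = "$secret" ]; then
        rc=0
    fi
    gpg_demo_teardown
    return $rc
}

# Stand-alone run: only attempted when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
    if gpg_demo_roundtrip; then
        echo "round trip OK: symkey packet cipher id $GPG_DEMO_CIPHER_ID (9 = AES-256)"
    else
        echo "round trip FAILED"
    fi
fi
```

Feeding the passphrase through a pipe rather than `--passphrase '...'` keeps it out of the process list and shell history; in a real script you would read it from a prompt or a secrets store rather than a literal. The `--list-packets` check is the quick way to confirm a file's cipher after the fact, since the armored text itself gives no hint.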

Bonus: Clearing gpg-agent password cache

Without the --no-symkey-cache argument above, the passphrase is cached by gpg-agent, which allows those files to be decrypted without a passphrase until the user logs out.

The password manager pass also has gpg-agent cache the master passphrase in the same way, so this may be useful to pass users too.

To remove all cached passwords without having to logout, use the following command:

gpgconf --reload gpg-agent