How to use *.pub/*.sec files to encrypt/decrypt another file?

Question

I created a pair of *.pub and *.sec files using the instructions and code given here:

https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html

(I am using this documentation because the ultimate application I have in mind is an automated encryption/decryption pipeline.)

Q1: How can I use gpg2 and the *.pub file to encrypt another file?

Q2: How can I use gpg2 and the companion *.sec to decrypt a file encrypted using the companion *.pub file?

---

Important: I am interested only in answers that are suitable for programmatic implementation of an unsupervised operation. Please do not post answers that can only be carried out interactively. I am particularly interested in solutions that can be implemented in Python.

---

Please include precise pointers to the relevant documentation.

Answer 1

Since version 2.1.14, GPG supports the --recipient-file option, which lets you specify the public key to encrypt with without using the keyring. To quote the developer:

It is now possible to bypass the keyring and take the public key directly from a file. That file may be a binary or an ascii armored key and only the first keyblock from that file is used. A key specified with this option is always fully trusted.

This option may be mixed with the standard -r options. --hidden-recipient-file (or -F) is also available.

To futher assist some use cases the option

--no-keyring

has also been implemented. This is similar to

--no-default-keyring --keyring /dev/null

but portable to Windows and also ignores any keyring specified (command line or config file).

So to encrypt, you would do:

gpg --output myfileenc --encrypt --recipient-file key.pub myfile

To automate, in addition to using expect or Python as explained in the other answers, you can also use the --batch option. (You will need to see which of the offered answers works best on your system).

No such option, however, is available for the secret key, and, as a matter of fact, the same version of PGP (2.1) deprecated the secring option in the --generate-key command, so this file is not even available any more. The generated key will need to be added to the keyring to be used for decryption.

Answer 2

Some information about what you said:

I created a pair of *.pub and *.sec files using the instructions

Perfect to share the public key(s) with people you are exchanging information, but technically, when you are working programmatically, you don't need to use these files directly.

To be noted:

• when you encrypt data, you will specify the recipient corresponding to the key to use to encrypt
• when you decrypt data, you will first import the owner's public key, and then you will be able to decrypt data without specifying recipient, because it is embedded in the encrypted data

Actually, I am somewhat confused on this question. I have read conflicting information [...]

I agree it's quite confusing. In this situation, I think it is better to use version 1 for which there is more experience, and for which you find third party library to use.

In this answer, I tried:

• python-gnupg (for GnuPG v1) which is a well known Python library and match perfectly your needs
• cryptorito (for GnuPG v2) for which I didn't find enough documentation

With the first library, you can simply install it in your system:

sudo pip install python-gnupg

And then write a Python script to perform all the operations you want.

I wrote a simple one to answer your question.

#!/bin/python

import gnupg

GPG_DIR='/home/bsquare/.gnupg'
FILE_TO_ENCRYPT='/tmp/myFileToEncrypt'
ENCRYPTED_FILE='/tmp/encryptedFile'
DECRYPTED_FILE='/tmp/decryptedFile'
SENDER_USER='Bsquare'
TARGET_USER='Kjo'

gpg = gnupg.GPG(gnupghome=GPG_DIR)

print("Listing keys ...")
print(gpg.list_keys())

# On SENDER_USER side ... encrypt the file for TARGET_USER, with his public key (would match the kjo.pub if the key was exported).
print("Encrypting file " + FILE_TO_ENCRYPT + " for " + TARGET_USER + " ...")
with open(FILE_TO_ENCRYPT, "rb") as sourceFile:
    encrypted_ascii_data = gpg.encrypt_file(sourceFile, TARGET_USER)
    # print(encrypted_ascii_data)
    with open(ENCRYPTED_FILE, "w+") as targetFile:
        print("encrypted_ascii_data", targetFile)


# On TARGET_USER side ... decrypt the file with his private key (would match the kjo.sec if the key was exported).
print("Decrypting file " + ENCRYPTED_FILE + " for " + TARGET_USER + " ...")
with open(ENCRYPTED_FILE, "rb") as sourceFile:
    decrypted_ascii_data = gpg.decrypt_file(sourceFile)
    # print(decrypted_ascii_data)
    with open(DECRYPTED_FILE, "w+") as targetFile:
        print(decrypted_ascii_data, targetFile)

To be noted my keyring contains pub/sec pair for my Bsquare user, and the pub key of Kjo user.

Answer 3

when looking at encrypting and decrypting documents

this hints for pexpect; while I can provide regular expect scripts:

this is not directly a Python solution, but it should be easy to port.

as the tagline reads:

Pexpect makes Python a better tool for controlling other applications.

Encryption:

gpg --output doc.gpg --encrypt --recipient blake@cyb.org doc

as expect script; usage ./encrypt.exp doc blake@cyb.org 1234 (notice the space after the :):

#!/usr/bin/expect -f
set filename [lindex $argv 0]
set recipient [lindex $argv 1]
set passphrase [lindex $argv 2]

spawn gpg --output $filename.gpg --encrypt --recipient $recipient $filename
expect -exact "Enter pass phrase: "
send -- "$passphrase\r"
expect eof

Decryption:

gpg --output doc --decrypt doc.gpg

as expect script; usage: ./decrypt.exp doc 1234:

#!/usr/bin/expect -f
set filename [lindex $argv 0]
set passphrase [lindex $argv 1]

spawn gpg --output $filename --decrypt $filename.gpg
expect -exact "Enter pass phrase: "
send -- "$passphrase\r"
expect eof

Import:

keys can be imported into either key-chain with:

gpg --import somekey.sec
gpg --list-secret-keys

gpg --import somekey.pub
gpg --list-keys

there barely is anything to automate; however setting an imported key as "trusted" would require expect for automation. found this cheat-sheet, which has all commands on one page; and it also hints for: If you have multiple secret keys, it'll choose the correct one, or output an error if the correct one doesn't exist (which should confirm my comment below).

file ~/.gnupg/options is a user's options file; where one can eg. define the default key-server.