Storing GnuPG content of any kind (that is, plain text to be encrypted, encrypted text to be decrypted, even public keys from co-respondents) on disk can result in the same kind of vulnerabilities associated with storing any sensitive data on disk.
The existence of files containing encrypted data might be considered incriminating, depending on who finds those files; leaving files with plaintext output from decrypted messages may (obviously) compromise that plaintext if an attacker has access to the system. If such files are deleted, delete them securely, or else they can be recovered almost as easily as if they had not been deleted at all.
Sometimes it’s best to encrypt a quick message by typing text at the command line and having GnuPG output ASCII armored text that can be cut and pasted into a message, bypassing the need to store sensitive data, encrypted or not, permanently on disk.
This command is an example of entering a short message (“secret message for Peter”) at the command line:
$ echo "secret message for Peter" | gpg --encrypt --armor --recipient "Peter Loshin" --no-version
The first part (echo "secret message for Peter") simply repeats the string “secret message for Peter”; the echo command can also be used to list a file to screen. In this case, the output from the echo command is piped to another command, using the | character (vertical bar).
The command being fed the string should look familiar; GPG will encrypt the string to the public key associated with “Peter Loshin”, without the GPG software version information, as ASCII armored output.
WARNING: One of the benefits of using the command line is that commands are stored in RAM, and at the end of a session the command history is written to a history file. This is a benefit because it lets the user review, edit and resubmit commands. Of course, if the point of using the command line is to avoid writing sensitive data to disk, it is important that the commands used are not stored in the history file. See Managing shell command history in OS X/Linux.
The result of this command will look something like this when displayed in the terminal window:
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----
This block of text can now be printed, copied into a web forum, instant message, email message, or stored on removable media.
On OS X/*nix systems, a message spanning several lines can be entered by leaving the double quote open at the end of a line and continuing on the next; the shell prints “>” at the start of each continued line to show it is still waiting for the closing quote, and that character is not part of the data to be encrypted. Do not end the lines inside the quotes with a backslash, as is done to continue long commands: bash and zsh treat a backslash followed by a newline as line continuation and remove both, which would join the lines into one.
$ echo "secret message for Peter
>this is the second line
>this is the third line" | gpg --encrypt --armor --recipient "Peter Loshin" --no-version
The output will not look much different from the output shown above, but when decrypted, it will appear like this:
secret message for Peter
this is the second line
this is the third line
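The pipeline above, the multi-line variant and the history warning, collected into one script as an added example; this is not code from the original page or from the GnuPG project. The recipient name "Peter Loshin" is taken from the page, the three message lines are constructed sample data, printf is used in place of echo because echo’s handling of escapes differs between shells, and the HISTCONTROL check applies to bash only (it is assumed here that bash is the interactive shell in use). The gpg call itself only runs when gpg and the recipient’s key are present.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt text arriving on a pipe
# into ASCII armor without writing plaintext or ciphertext to disk, plus the
# two checks the page's text implies: that the shell history will not record
# the command, and that the copied armor block is complete.

# Encrypt whatever arrives on stdin to RECIPIENT, writing ASCII armor to stdout.
# Nothing touches a file; the output is meant to be copied from the terminal.
# Current GnuPG releases omit the "Version:" armor header by default; older
# releases need the page's --no-version to achieve the same.
encrypt_stdin_armored() {
  recipient=$1
  gpg --batch --encrypt --armor --recipient "$recipient"
}

# Constructed three-line message (sample data for this example). printf writes
# one line per argument and behaves identically in every POSIX shell, whereas
# echo's treatment of backslashes is shell-dependent.
multiline_message() {
  printf '%s\n' "secret message for Peter" "this is the second line" "this is the third line"
}

# True when bash's HISTCONTROL keeps commands typed with a leading space out of
# the history file (ignorespace or ignoreboth); the check itself is bash-specific.
history_ignores_leading_space() {
  case ":${HISTCONTROL:-}:" in
    *:ignorespace:*|*:ignoreboth:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Sanity check before pasting into a forum or mail: the copied text must still
# start and end with the armor delimiters shown on the page, or it was truncated.
is_armored_message() {
  text=$(printf '%s' "$1")   # command substitution drops trailing newlines
  case $text in
    "-----BEGIN PGP MESSAGE-----"*"-----END PGP MESSAGE-----") return 0 ;;
    *) return 1 ;;
  esac
}

# Demonstration, run only when gpg is installed and the recipient's key exists.
if command -v gpg >/dev/null 2>&1 && gpg --batch --list-keys "Peter Loshin" >/dev/null 2>&1; then
  history_ignores_leading_space || echo "note: HISTCONTROL does not hide space-prefixed commands" >&2
  armored=$(multiline_message | encrypt_stdin_armored "Peter Loshin")
  is_armored_message "$armored" && printf '%s\n' "$armored"
fi
```

When HISTCONTROL includes ignorespace, typing the whole pipeline with a single leading space keeps it out of the history file; set +o history for the session is the alternative when HISTCONTROL is not set. The plaintext still passes through the terminal’s scrollback, which is why the page suggests this route only for short messages.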