Man Linux: Main Page and Category List


       gpgwrap - a small wrapper for gpg


       gpgwrap -V

       gpgwrap -P [-v] [-i] [-a] [-p <file>]

       gpgwrap  -F  [-v]  [-i]  [-a]  [-c] [-p <file>] [-o <name>] [--] <file>
       [<file> ... ]

       gpgwrap [-v] [-i] [-a] [-p <file>] [-o <name>] [--] gpg [gpg options]


       The GNU Privacy Guard (gpg) supplies the option  --passphrase-fd.  This
       instructs  gpg  to  read the passphrase from the given file descriptor.
       Usually this file descriptor is  opened  before  gpg  is  executed  via
       execvp(3). Exactly that is what gpgwrap is doing. The passphrase may be
       passed to gpgwrap in 4 ways:

              * as file path, whereat the passphrase is stored as  plain  text
                in the file

              * it is piped from another program to the stdin of gpgwrap

              * through the GPGWRAP_PASSPHRASE environment variable

              * gpgwrap prompts for it

       With   no   precautions   the   first   point   undermines  the  secure
       infrastructure gpg provides. But in pure  batch  oriented  environments
       this  may  be  what  you  want.  Otherwise  if you are willing to enter
       passphrases once and don’t want them to be stored as plain  text  in  a
       file  gpg-agent is what you are looking for. Another security objection
       could be the use of the environment variable  GPGWRAP_PASSPHRASE  which
       contains  the passphrase and may be read by other processes of the same


       -V, --version
               Print out version and exit.

       -P, --print
               Get the passphrase and print it mangled to stdout.

       -F, --file
               Read gpg commands from the given files. If <file> is  -  it  is
               read  from stdin. Exactly one command per line is expected. The
               given line is handled in the following way:

               * In the first place the passphrase is mangled. This means that
                 unusual  characters  are  replaced by their backslash escaped
                 octal numbers.

               * Secondly the mangled passphrase is stored in the  environment
                 variable GPGWRAP_PASSPHRASE.

               * "exec  gpgwrap  --  "  is  prepended to each line, before the
                 result is passed as argument to "sh -c".

       -h, --help
               Print out usage information.

       -v, --verbose
               Increase verbosity level.

       -i, --interactive
               Always prompt for passphrase (ignores -p  and  the  environment

       -a, --ask-twice
               Ask twice if prompting for a passphrase.

       -c, --check-exit-code
               While  reading  gpg  commands  from a file, gpgwrap ignores per
               default the exit code  of  its  child  processes.  This  option
               enables  the  check  of  the  exit  code. If a child terminates
               abnormal or with  an  exit  code  not  equal  0  gpgwrap  stops
               immediately  and  does  return  with  this  exit code. See also
               section BUGS.

       -p <file>, --passphrase-file <file>
               Read passphrase from <file>. If <file> is -  it  is  read  from
               stdin.  The passphrase is expected to be in plain text. If this
               option is not given the passphrase will be  taken  either  from
               the  environment  variable  GPGWRAP_PASSPHRASE  or  it  will be
               prompted on the controlling tty if the environment variable  is
               not set.

       -o <name>, --option-name <name>
               Specify  the name of the "--passphrase-fd" option understood by
               the program to be executed. This is useful if you want  to  use
               gpgwrap in combination with other programs than gpg.


       The given passphrase is subject to several limitations depending on the
       way it was passed to gpgwrap:

              * There is a size  limitation:  the  passphrase  should  be  not
                larger  than  some  kilobytes (examine the source code for the
                exact limit).

              * gpgwrap allows you to use all characters in a passphrase  even
                \000,  but this does not mean that gpg will accept it. gpg may
                reject your passphrase or may only read a part of  it,  if  it
                contains characters like \012 (in C also known as \n).

              * If  you  set  the  environment variable GPGWRAP_PASSPHRASE you
                should take special care with the backslash character, because
                gpgwrap  uses  backslash  to escape octal numbers, (see option
                -F). Therefore write backslash itself as octal number: \134.


               gpgwrap -p /path/to/a/secret/file  \
               gpg -c -z 0 --batch --no-tty  \
                   --cipher-algo blowfish < infile > outfile

               Read passphrase from /path/to/a/secret/file and execute gpg  to
               do symmetric encryption of infile and write it to outfile.

               gpgwrap -i -a  \
               gpg -c -z 0 --batch --no-tty  \
                   --cipher-algo blowfish < infile > outfile

               Same  as  above  except  that  gpgwrap  prompts  twice  for the

               gpgwrap -F -i - <<EOL
               gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1"
               gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2"
               gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3"
               gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4"

               gpgwrap prompts for the passphrase and executes four  instances
               of gpg to decrypt the given files.

               export GPGWRAP_PASSPHRASE
               gpgwrap -F -c -v /tmp/cmdfile1 - /tmp/cmdfile2 <<EOL
               gpg --decrypt --batch --no-tty < "$HOME/infile1" > "$HOME/outfile1"
               gpg --decrypt --batch --no-tty < "$HOME/infile2" > "$HOME/outfile2"
               gpg --decrypt --batch --no-tty < "$HOME/infile3" > "$HOME/outfile3"
               gpg --decrypt --batch --no-tty < "$HOME/infile4" > "$HOME/outfile4"

               Same  as  above except that gpgwrap gets the passphrase via the
               environment variable, reads commands  additionally  from  other
               files  and  checks  the  exit  code of every gpg instance. This
               means if one gpg command has a non zero exit code,  no  further
               commands  are  executed.  Furthermore  gpgwrap produces verbose

               GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)"
               export GPGWRAP_PASSPHRASE

               find . -maxdepth 1 -type f |
               while read FILE; do
                   bzip2 -c "$FILE" |
                   gpgwrap gpg -c -z 0 --batch --no-tty  \
                       --cipher-algo blowfish > "$FILE2" &&
                   touch -r "$FILE" "$FILE2" &&
                   rm -f "$FILE"

               Read  in  passphrase,  compress  all  files  in   the   current
               directory, encrypt them and keep date from original file.

               find . -maxdepth 1 -type f -name ’*.bz2.gpg’ |
               awk ’{
                   printf("gpg --decrypt --batch --no-tty --quiet ");
                   printf("--no-secmem-warning < %s\n", $0);
                   }’ |
               gpgwrap -F -i -c - |
               bzip2 -d -c - |
               grep -i ’data’

               Decrypt   all   *.bz2.gpg   files  in  the  current  directory,
               decompress them and print out all occurances of  data.  If  you
               pipe  the  result  to less you get into trouble because gpgwrap
               and less try to read from the TTY at the same time. In  such  a
               case  it  is better to use the environment variable to give the
               passphrase (the example above shows how to do this).

               GPGWRAP_PASSPHRASE="$(gpgwrap -P -i -a)"
               export GPGWRAP_PASSPHRASE

               gpgwrap -P |
               ssh -C -x -P -l user host "

               Prompt  for  a  passphrase  twice   and   write   it   to   the
               GPGWRAP_PASSPHRASE environment variable.

               echo -n "Passphrase: "
               stty -echo
               read GPGWRAP_PASSPHRASE
               stty echo
               export GPGWRAP_PASSPHRASE

               Another  way  to  prompt  manually  for  the passphrase. It was
               needed in combination with older versions of  gpgwrap,  because
               they  did  not  upport  -P.  Be  aware that with this method no
               automatic conversion to backslash escaped octal  numbers  takes

               echo "mysecretpassphrase" |
               gpg --batch --no-tty --passphrase-fd 0  \
                   --output outfile --decrypt infile

               Cheap  method  to  give passphrase to gpg without gpgwrap. Note
               that you can’t use stdin to pass a file to gpg,  because  stdin
               is already used for the passphrase.

               gpg --batch --no-tty  \
                   --passphrase-fd 3 3< /path/to/a/secret/file  \
                   < infile > outfile

               This  is  a  more advanced method to give the passphrase, it is
               equivalent to Option -p of  gpgwrap.  This  example  should  at
               least work with the bash.

               gpg --batch --no-tty --passphrase-fd 3  \
                   3< <(echo "mysecretpassphrase")  \
                   < infile > outfile

               Like  above, but the passphrase is given directly. This example
               should at least work with the bash.


       In version 0.02 of gpgwrap the exit code of gpg was  only  returned  if
       gpgwrap  read  the  passphrase from a file. Since version 0.03, only -F
       omits exit code checking by default, but it can be enabled with -c.


       gpg, gpg-agent


       Karsten Scheibler

                                 gpgwrap 0.04                       gpgwrap(1)