Linux bash script gpg encrypt and decrypt without user interaction

Fri 2018 January 26


A bash script that decrypts gpg encrypted things on the fly still needs the passphrase; without it gpg is unable to decrypt.

Having the passphrase near the thing that needs to be decrypted automatically is probably not a good idea, so the gpg key associated with this passphrase should be used for this and nothing else. Whatever is encrypted cannot be written to a human readable file; that is why it is encrypted. At some point there is a use for the decrypted content, and at that point the passphrase must be used. A bash script can put the decrypted content in a $VARIABLE and echo it to the screen or somewhere else.


Create a new gpg key

If it is not there already, this will create a .gnupg directory in your home directory containing the encrypted .gpg public and private key files. The gpg program explains itself very well. The larger the key size you choose, the more patience you will need for random seed generation.

$ gpg --gen-key

gpg create new key

To use this gpg key you need the user name and/or the passphrase you chose. You can now use this key to encrypt a file.


Encrypt using new gpg key

$ echo "There is a secret entrance to the south." > asecret.txt
$ gpg -r "user name" --encrypt asecret.txt
$ ls -lh
total 8.0K
-rw-r--r-- 1 user user 41 Jan 26 20:09 asecret.txt
-rw-r--r-- 1 user user 251 Jan 26 20:10 asecret.txt.gpg

gpg encrypt file

You have to enter either -r "user name" or --passphrase.


Decrypt using new gpg key

Remove the human readable file and decrypt the gpg encrypted file.

$ rm asecret.txt -f
$ ls
$ gpg --passphrase thepassphraseyouchoseforthiskey --decrypt asecret.txt.gpg

You need a passphrase to unlock the secret key for
user: "user name (maker) <user_name@somewhere>"
1024-bit RSA key, ID XXXXXXXX, created 2018-01-26 (main key ID XXXXXXXX)

gpg: encrypted with 1024-bit RSA key, ID XXXXXXXX, created 2018-01-26
        "user name (maker) <user_name@somewhere>"
There is a secret entrance to the south.

gpg decrypt file

To make gpg quiet and output only the decrypted content, use gpg -q --no-tty:

$ gpg -q --no-tty --passphrase thepassphraseyouchoseforthiskey --decrypt asecret.txt.gpg
There is a secret entrance to the south.


Capture decrypted gpg output in a bash variable string

This is where one can capture decrypted gpg output in a bash variable in a bash script. Depending on the environment in which it is executed, it may need more or fewer --options to execute without failure. Adding --homedir /home/you/.gnupg will help if the environment in which the key is needed differs from the one in which it was created. Or you can move the .gnupg directory containing this key anywhere more convenient and pass --homedir /somewhere/more/convenient/.gnupg. Read man gpg. The following bash script is an example script:


#!/bin/bash
# Decrypt asecret.txt.gpg without user interaction and keep the plaintext in ASECRET.
ASECRET="$( /usr/bin/gpg -q --no-tty --homedir /home/you/.gnupg --passphrase thepassphraseyouchoseforthiskey --decrypt asecret.txt.gpg )"

exit 0

Note that the passphrase in this bash script is in cleartext: it is human readable. You can use gpg options that read the passphrase from a different file that holds the passphrase in human readable form, but whether you want to do that depends on the environment and on how much you want to keep things contained in one place. There are better ways to do this if you look for them, but as a starting framework this avoids storing human readable secrets and instead stores them in .gpg files protected by a human readable passphrase.
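As an added example (not the post's own script), here is the passphrase-from-a-file variant just mentioned: the passphrase is read with --passphrase-file from a file the script first checks is readable only by its owner, rather than being placed on the command line, where --passphrase is visible to every local user in the process list while gpg runs. The function names, the demo's throwaway homedir and the sample passphrase are all constructed for this example; it assumes gpg 2.1 or newer for --pinentry-mode loopback.

```shell
#!/bin/bash
# Added example, not the original post's script: decrypt a .gpg file into a
# variable without interaction, reading the passphrase from a 0600 file
# instead of passing it on the command line.
set -u

# decrypt_to_var FILE.gpg PASSFILE [HOMEDIR]: prints the plaintext on stdout so
# the caller can capture it with ASECRET="$(decrypt_to_var ...)". Returns
# non-zero if the passphrase file is missing or readable by others, or if gpg
# fails, so a calling script never continues silently with an empty variable.
decrypt_to_var() {
    local encfile="$1" passfile="$2" homedir="${3:-$HOME/.gnupg}" mode
    [ -r "$encfile" ] || { echo "cannot read $encfile" >&2; return 2; }
    [ -r "$passfile" ] || { echo "cannot read $passfile" >&2; return 2; }
    # GNU stat first, BSD stat as fallback; accept only owner-only modes.
    mode="$(stat -c '%a' "$passfile" 2>/dev/null || stat -f '%Lp' "$passfile")"
    case "$mode" in
        600|400) ;;
        *) echo "$passfile has mode '$mode', expected 600" >&2; return 3 ;;
    esac
    # --batch plus --pinentry-mode loopback (gpg 2.1+) stops gpg from prompting.
    gpg -q --no-tty --batch --homedir "$homedir" --pinentry-mode loopback \
        --passphrase-file "$passfile" --decrypt "$encfile"
}

# demo: builds a throwaway homedir, passphrase file and encrypted sample
# (all constructed values), decrypts the sample into a variable and prints it.
# Symmetric encryption is used only so the demo needs no key pair; --decrypt
# behaves the same on a file encrypted to a public key as in the post.
demo() {
    local work secret
    work="$(mktemp -d)"
    mkdir -p "$work/gnupg" && chmod 700 "$work/gnupg"
    printf 'example-passphrase-not-for-real-use\n' > "$work/pass"
    chmod 600 "$work/pass"
    printf 'There is a secret entrance to the south.\n' > "$work/asecret.txt"
    gpg -q --batch --homedir "$work/gnupg" --pinentry-mode loopback \
        --passphrase-file "$work/pass" --symmetric \
        -o "$work/asecret.txt.gpg" "$work/asecret.txt"
    rm -f "$work/asecret.txt"   # the readable copy is gone, as in the post
    secret="$(decrypt_to_var "$work/asecret.txt.gpg" "$work/pass" "$work/gnupg")"
    gpgconf --homedir "$work/gnupg" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    printf '%s\n' "$secret"
}
```

Run the demo with `demo` after sourcing the file; in a real script call decrypt_to_var on your own .gpg file, passphrase file and --homedir.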

Anyway, the example bash script is a starting point for decrypting more gpg encrypted things without user interaction.

gpg decrypt bash script