Commands tagged GPG (30)

  • Very useful in shell scripts because you can run a task nicely in the background using job-control and output progress until it completes. Here's an example of how I use it in backup scripts to run gpg in the background to encrypt an archive file (which I create in this same way). $! is the process ID of the last run command, which is saved here as the variable PI, then sleeper is called with the process id of the gpg task (PI), and sleeper is also specified to output : instead of the default . every 3 seconds instead of the default 1. So a shorter version would be sleeper $!; The wait is also used here, though it may not be needed on your system. echo ">>> ENCRYPTING SQL BACKUP" gpg --output archive.tgz.asc --encrypt archive.tgz 1>/dev/null & PI=$!; sleeper $PI ":" 3; wait $PI && rm archive.tgz &>/dev/null Previously to get around the $! not always being available, I would instead check for the existance of the process ID by checking if the directory /proc/$PID existed, but not everyone uses proc anymore. That version is currently the one at http://www.askapache.com/linux-unix/bash_profile-functions-advanced-shell.html but I plan on upgrading to this new version soon. Show Sample Output


    13
    sleeper(){ while `ps -p $1 &>/dev/null`; do echo -n "${2:-.}"; sleep ${3:-1}; done; }; export -f sleeper
    AskApache · 2009-09-21 07:36:25 1
  • According to the gpg(1) manual: --gen-random 0|1|2 count Emit count random bytes of the given quality level 0, 1 or 2. If count is not given or zero, an endless sequence of random bytes will be emitted. If used with --armor the output will be base64 encoded. PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system! If your entropy pool is critical for various operations on your system, then using this command is not recommended to generate a secure password. With that said, regenerating entropy is as simple as: du -s / This is a quick way to generate a strong, base64 encoded, secure password of arbitrary length, using your entropy pool (example above shows a 30-character long password). Show Sample Output


    11
    gpg --gen-random --armor 1 30
    atoponce · 2011-07-20 15:32:49 4
  • (Please see sample output for usage) Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.: myscript --> myscript.crypt You can execute myscript.crypt only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Sorry for the chmod on parentheses, I dont like "-" at the end. Thanks flatcap for the subshell abbreviation to /dev/null Show Sample Output


    6
    read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)
    rodolfoap · 2013-03-10 08:59:45 9
  • (Please see sample output for usage) script.bash is your script, which will be crypted to script.secure script.bash --> script.secure You can execute script.secure only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Show Sample Output


    5
    echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
    rodolfoap · 2013-03-09 11:16:48 6
  • Bash process substitution which curls the website 'hashbang.sh' and executes the shell script embedded in the page. This is obviously not the most secure way to run something like this, and we will scold you if you try. The smarter way would be: Download locally over SSL > curl https://hashbang.sh >> hashbang.sh Verify integrty with GPG (If available) > gpg --recv-keys 0xD2C4C74D8FAA96F5 > gpg --verify hashbang.sh Inspect source code > less hashbang.sh Run > chmod +x hashbang.sh > ./hashbang.sh


    5
    sh <(curl hashbang.sh)
    lrvick · 2015-03-15 21:02:01 2
  • The coolest way I've found to backup a wordpress mysql database using encryption, and using local variables created directly from the wp-config.php file so that you don't have to type them- which would allow someone sniffing your terminal or viewing your shell history to see your info. I use a variation of this for my servers that have hundreds of wordpress installs and databases by using a find command for the wp-config.php file and passing that through xargs to my function. Show Sample Output


    4
    eval $(sed -n "s/^d[^D]*DB_\([NUPH]\)[ASO].*',[^']*'\([^']*\)'.*/_\1='\2'/p" wp-config.php) && mysqldump --opt --add-drop-table -u$_U -p$_P -h$_H $_N | gpg -er AskApache >`date +%m%d%y-%H%M.$_N.sqls`
    AskApache · 2009-08-18 07:03:08 0
  • This is a quick and easy way of encrypting files in a datastream, without ever really creating an output file from gpg. Useful with cron also, when file(s) have to be sent based on a set schedule.


    3
    cat private-file | gpg2 --encrypt --armor --recipient "Disposable Key" | mailx -s "Email Subject" [email protected]
    slashdot · 2009-10-19 20:38:37 0
  • Create a encrypted tar.gz file from a directory on the fly. The encryption is done by GPG with a public key. The resulting filename is tagged with the date of creation. Very usefull for encrypted snapshots of folders.


    2
    tar -cvz /<path>/ | gpg --encrypt --recipient <keyID> > /<backup-path>/backup_`date +%d_%m_%Y`.tar.gz.gpg
    kaiserkailua · 2011-02-23 14:19:08 2
  • For instance, if people have signed your key, this will fetch the signers' keys.


    1
    gpg --list-sigs | sed -rn '/User ID not found/s/^sig.+([a-FA-F0-9]{8}).*/\1/p' | xargs -i_ gpg --keyserver-options no-auto-key-retrieve --recv-keys _
    lingo · 2011-07-22 16:31:25 2
  • In this example, where the users gpg keyring has a password, the user will be interactively prompted for the keyring password. If the keyring has no password, same as above, sans the prompt. Suitable for cron jobs. ~/.gnupg/passwd/http-auth.gpg is the encrypted http auth password, for this particular wget use case. This approach has many use cases. example bash functions: function http_auth_pass() { gpg2 --decrypt ~/.gnupg/passwd/http-auth.gpg 2>/dev/null; } function decrypt_pass() { gpg2 --decrypt ~/.gnupg/passwd/"$1" 2>/dev/null; }


    1
    wget --input-file=~/donwloads.txt --user="$USER" --password="$(gpg2 --decrypt ~/.gnupg/passwd/http-auth.gpg 2>/dev/null)"
    kyle0r · 2012-12-13 00:14:55 0
  • Replace KEY with GPG key. This command will load GPG key and add it to your system so you can use software from third party repos etc. Show Sample Output


    1
    x=KEY; gpg --keyserver subkeys.pgp.net --recv $x; gpg --export --armor $x | sudo apt-key add -
    sxiii · 2013-11-26 10:49:32 0
  • From time to time one forgets either thier gpg key or other passphrases. This can be very problematic in most cases. But luckily there's this script. Its based off of pwsafe which is a unix commandline program that manages encrypted password databases. For more info on pwsafe visit, http://nsd.dyndns.org/pwsafe/. What this script does is it will help you store all your passphrases for later on and allow you to copy it to your clipboard so you can just paste it in, all with one password. Pretty neat no? You can find future releases of this and many more scripts at The Teachings of Master Denzuko - denzuko.wordpress.com. Show Sample Output


    0
    pwsafe -qa "gpg keys"."$(finger `whoami` | grep Name | awk '{ print $4" "$5 }')"
    denzuko · 2009-05-07 14:49:56 0
  • Make sure the file contents can't be retrieved if anyone gets ahold of your physical hard drive. With hard drive partition: gpg --default-recipient-self -o /path/to/encrypted_backup.gpg -e /dev/sdb1 && shred -z /dev/sdb1 WARNING/disclaimer: Be sure you... F&%k it--just don't try this.


    0
    gpg -e --default-recipient-self <SENSITIVE_FILE> && shred -zu "$_"
    h3xx · 2011-07-24 05:51:47 0

  • 0
    gpg -c file.txt
    kev · 2011-09-17 04:53:03 0

  • 0
    gpg -c sensitive.txt; gpg sensitive.txt.gpg
    evandrix · 2012-09-05 22:52:26 0
  • Shows a sigclass 0x20 (Key revocation) signature packet on a key, including all subpackets. Subpacket 2 is the date of revocation, subpacket 26 the relevant policy, subpacket 29 the reason of revocation (cf. http://rfc.askapache.com/rfc4880/rfc4880.html#section-5.2.3.23 ) and subpacket 16 the issuer of the revocation certificate (usually should be the same as the revoked key). Show Sample Output


    0
    gpg --export 0xDEADBEEF | gpg --list-packets | grep -Pzao ':signature packet:.*\n\t.*sigclass 0x20(\n\t.*)*'
    claudius · 2013-03-05 14:11:11 1
  • The original command doesn't work for me - does something weird with sed (-r) and xargs (-i) with underscores all over... This one works in OSX Lion. I haven't tested it anywhere else, but if you have bash, gpg and perl, it should work. Show Sample Output


    0
    for i in `gpg --list-sigs | perl -ne 'if(/User ID not found/){s/^.+([a-fA-F0-9]{8}).*/\1/; print}' | sort | uniq`; do gpg --keyserver-options no-auto-key-retrieve --recv-keys $i; done
    hank · 2013-03-10 09:15:15 1
  • Decrypt with: gpg -o- foo.tgz.gpg | tar zxvf -


    0
    tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
    skkzsh · 2013-03-13 09:44:39 0
  • Need to encrypt something from the command line? I've used this before to encrypt passwords with a master password that was shared amongst a team. To decrypt: ~$ echo -n 'jA0EAwMCPdknsznAww5gySL1/quqhXg6QgQkIz5abzGP5EZgTbXCFU+y6dP8ySWovytc' | base64 --decode | gpg --decrypt gpg: CAST5 encrypted data Enter passphrase: secret gpg: encrypted with 1 passphrase HelloWorld! Show Sample Output


    0
    echo 'HelloWorld!' | gpg --symmetric | base64
    ryanchapman · 2013-07-06 08:30:35 1
  • The subject in a gpg mail isn't encrypted. For people without imagination this often becomes a drama. Requirement: 1. Install polygen sudo apt-get install polygen 2. Download "Bastard Operator From Hell Excuses" dictionary: cd ~/.icedove/xxxxxxx.default/ && wget http://www.polygen.org/polygen/source/ita/bofh.grm Show Sample Output


    0
    icedove --compose subject=$(polygen ~/.icedove/xxxxxxx.default/bofh.grm)
    vinc3nt · 2013-10-08 16:29:16 0
  • This will list all the gpg keys that were accepted and installed for yum. Show Sample Output


    0
    rpm -qa gpg-pubkey --qf "%{version}-%{release} %{summary}\n"
    krizzo · 2014-12-09 21:23:28 0
  • This will remove the gpg-pubkey-1aa043b8-53b2e946 from rpm/yum and you'll be prompted to add it back from the given repo. Show Sample Output


    0
    rpm -e --allmatches gpg-pubkey-1aa043b8-53b2e946
    krizzo · 2014-12-09 21:27:08 0

  • 0
    tar --create --file - | gpg --encrypt --recipient --output .tar.gpg
    plivox · 2016-01-15 16:41:44 0
  • Requires: signing-party (on Debian). Note: you need a working MTA on your machine.


    -1
    caff <keyid>
    raphink · 2009-02-18 14:09:03 0
  • echo "ls" > script.bash; This is my script, a simple 'ls'. gpg -c script.bash; Here I encrypt and passord-protect my script. This creates file script.bash.gpg. cat script.bash.gpg | gpg -d --no-mdc-warning | bash Here I open file script.bash.gpg, decrypt it and execute it.


    -2
    echo "ls" > script.bash; gpg -c script.bash; cat script.bash.gpg | gpg -d --no-mdc-warning | bash
    betsubetsu · 2013-03-10 09:34:12 1
  •  1 2 > 

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Monitor all DNS queries made by Firefox Mac OS X version

Open a Remote Desktop (RDP) session with a custom resolution.
Using a widescreen monitor, I often get annoyed that the RDP window is too high, or too narrow for what I want to display. In this example, I'm on a 1680 x 1050 display.

run last command with root
you will be sad after you run a command and find out it needs root, so you should run it again but with prefix sudo. so this line is to make it simple. just 'sudo !!'

Find out when your billion-second anniversary is (was). (on OS X)
This is the same command as this one, but for OS X. http://www.commandlinefu.com/commands/view/3053/find-out-when-your-billion-second-anniversary-is-was.

List last opened tabs in firefox browser
Tuned for short command line - you can set the path to sessionstore.js more reliable instead of use asterixes etc. Usable when you are not at home and really need to get your actual opened tabs on your home computer (via SSH). I am using it from my work if I forgot to bookmark some new interesting webpage, which I have visited at home. Also other way to list tabs when your firefox has crashed (restoring of tabs doesn't work always). This script includes also tabs which has been closed short time before.

Find usb device in realtime
Using this command you can track a moment when usb device was attached.

Delete backward from cursor, useful when you enter the wrong password

Detect illegal access to kernel space, potentially useful for Meltdown detection
Based on capsule8 agent examples, not rigorously tested

dmesg with colored human-readable dates
Use sed to color the output of a human-readable dmesg output

Get the ip registered to a domain on OpenWRT
I use this in a script on my openwrt router to check if my DynDNS needs to be updated, saves your account from being banned for blank updates.


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: