34
  1. Can I do something like:

    gpg --public-key my.pub  -e file.txt
    
  2. If I can, any reason that I should not do that?

P.S.: I think I don't need to know about the recipient because my machine only has one public key at a time.
But that key will change soon (and I can delete all the old encrypted files, so no need to keep them).

F1Linux
nvcnvn

4 Answers

31

GnuPG does not support encrypting to a recipient specified by a key file. The key must be imported in advance, and the recipient defined with either his mail address or key ID.

I'd recommend to use a cleaner approach as expected by GnuPG and hard-code either the key's fingerprint, or a user ID given by that key and import it as usual.

If you really do not want to import the key, you could do the following as a workaround (which actually imports the key, but to a temporary GnuPG home directory):

  1. Import the key to a temporary folder, for example using

    gpg --homedir /tmp/gnupg --import my.pub
    
  2. Determine the key ID of the key stored in the file:

    # select the "pub" record explicitly: with --with-colons the first line is
    # usually a "tru:" trust record, so "head -n1" would pick the wrong line
    KEYID=$(gpg --list-public-keys --batch --with-colons --homedir /tmp/gnupg | awk -F: '$1 == "pub" { print $5; exit }')
    
  3. Encrypt a message to the recipient

    gpg --homedir /tmp/gnupg --recipient ${KEYID} --encrypt
    
  4. Clean up temporary GnuPG home directory

    rm -rf /tmp/gnupg   # it is a directory, so -r is required
    

You could of course save this as a script to make using it more convenient.

Jens Erat
  • i get `gpg: keyblock resource '/tmp/gnupg/pubring.kbx': No such file or directory` after the first command – Grayden Hormes May 23 '19 at 21:41
  • This looks like an indication GnuPG realized no keyring exists so far but is getting initialized now; is it working anyway? If so, you can simply ignore this message. – Jens Erat May 24 '19 at 18:19
17

Since GnuPG 2.1.14 there is a new option allowing you to encrypt from a key file: --recipient-file FILENAME. It works with a binary or an ASCII-armored file.

Check the release notes or the dev mailing list.

Dorsug
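The two approaches from the answers above, the temporary home directory workaround and the newer --recipient-file option, combined into one script. This is an added example, not code from either answer: it assumes a GnuPG 2.x `gpg` on PATH (with `gpgconf` beside it), the file names are placeholders, and the colon-format listing it parses is constructed sample data, not output from a real key.

```shell
#!/bin/sh
# Added example (not from the original answers): encrypt a file to the single
# key held in a key file. Uses --recipient-file when the installed GnuPG is
# 2.1.14 or newer, and the temporary-homedir workaround otherwise.
# Assumes a GnuPG 2.x "gpg" binary on PATH; file names are placeholders.

# Constructed sample of `gpg --with-colons` output (not real key data), used
# to exercise the parsers below without touching a real keyring.
sample_colons() {
    printf '%s\n' \
        'tru::1:1700000000:0:3:1:5' \
        'pub:u:2048:1:0123456789ABCDEF:1500000000::-:::scESC::::::23::0:' \
        'fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:' \
        'uid:u::::1500000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:'
}

# Key ID (field 5 of the "pub" record). The first line of colon output is
# often a "tru:" trust record, so select the "pub" record explicitly instead
# of taking the first line.
keyid_from_colons() {
    awk -F: '$1 == "pub" { print $5; exit }'
}

# Full fingerprint (field 10 of the "fpr" record): the unambiguous identifier
# to hand to --recipient.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Version number from the first line of `gpg --version`
# ("gpg (GnuPG) 2.2.27" -> "2.2.27").
gpg_version_of() {
    awk 'NR == 1 { print $3; exit }'
}

# True (exit 0) when version $1 is at least 2.1.14, the release that
# introduced --recipient-file. Compares major/minor/patch numerically.
has_recipient_file() {
    printf '%s\n' "$1" | awk -F. '{ exit !($1 * 1000000 + $2 * 1000 + $3 >= 2001014) }'
}

# Encrypt $2 to the key in key file $1, writing the result to $3.
encrypt_to_keyfile() {
    keyfile=$1; infile=$2; outfile=$3

    if has_recipient_file "$(gpg --version | gpg_version_of)"; then
        # Direct route: nothing is imported, no keyring state is left behind.
        # Assumption: no trust override is needed here; if gpg reports the key
        # as unusable, add --trust-model always as in the fallback below.
        gpg --batch --yes --output "$outfile" \
            --recipient-file "$keyfile" --encrypt "$infile"
        return
    fi

    # Older GnuPG: import into a throwaway home directory, encrypt, discard.
    homedir=$(mktemp -d) || return 1
    chmod 700 "$homedir"
    # The home directory is a directory, so -r is required to remove it, and
    # the gpg-agent started for it is stopped first so nothing keeps it open.
    trap 'GNUPGHOME=$homedir gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$homedir"' EXIT

    gpg --homedir "$homedir" --batch --quiet --import "$keyfile"
    fpr=$(gpg --homedir "$homedir" --batch --with-colons --with-fingerprint \
              --list-public-keys | fpr_from_colons)
    [ -n "$fpr" ] || { echo "no public key found in $keyfile" >&2; return 1; }

    # The key was just imported into an empty keyring and has no trust path,
    # so in --batch mode gpg would refuse it as unusable without this override.
    # Only do this when you already trust the key file by other means.
    gpg --homedir "$homedir" --batch --yes --trust-model always \
        --recipient "$fpr" --output "$outfile" --encrypt "$infile"
}

# Usage: sh encrypt-to-keyfile.sh my.pub file.txt file.txt.gpg
if [ $# -eq 3 ]; then
    encrypt_to_keyfile "$1" "$2" "$3"
fi
```

Selecting the `pub` and `fpr` records by their first field is the point of the two parsers: `head -n1` on colon output silently returns the trust record on most installations, and an empty key ID then makes `--recipient` fail in an unhelpful way. Passing the full fingerprint rather than the short key ID avoids any ambiguity if the temporary keyring ever holds more than one key.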
6

It appears from reviewing your question that you're interested in encrypting using your own public key which you'd already have (my.pub in the example).

Indeed, not only is it possible, it's desirable as it serves to provide non-interactive automation of encryption. If it's YOUR public key, then you trust it implicitly and can do the following without worry:

gpg --batch --yes --trust-model always -r $GPGPUBKEYRECIPIENTEMAIL -e ./file.txt

No interactive prompts that require an answer so encryption can be scripted. NOTE: I upload my PUBLIC key to the public server I want to protect data on, keeping the PRIVATE key apart from it.

However, if you're NOT encrypting with your own key, the --trust-model always switch could be dodgy. Also note that when decrypting, you'll be prompted for a password unless you automate that of course. HTH bud- Terrence Houlahan

F1Linux
4

As far as I know, the recipient's public key IDs, key validity dates, name, and email address are embedded in the GPG ASCII Armor file (GnuPG Manual):

pub  1024D/BB7576AC 1999-06-04 Alice (Judge) <alice@cyb.org>

So using pub key file / Key ID / Name / Email to identify which public key to use should all be equivalent.

BUT I don't have access to a Linux machine right now, so I can't check.

Mike Ounsworth