There are several options, but they all could leave you with a decrypted file on disk, waiting to be undeleted later. Shred might even have problems securely deleting a file (if there's a log/journal, redundant writes / RAID, temporary caches, compressed filesystems), and an SSD could swap sectors silently too. Even using a tmpfs filesystem is subject to being written out to swap. And the editing program you use could leave even more temporary/cache files. If your entire filesystem and swap are encrypted that helps a lot, but then do you really need more encryption?
If you're just saving basic text (like passwords) I'd suggest using a purpose-built program like KeePass(X/XC), LastPass, etc. Or a different encryption method, one that encrypts files like eCryptfs, EncFS, or that encrypts devices like LUKS, or a TrueCrypt successor.
But with just GPG, you could use one of these options:
--passphrase-fd n
Read the passphrase from file descriptor n. Only the first line will be
read from file descriptor n. If you use 0 for n, the passphrase will be
read from STDIN. This can only be used if only one passphrase is supplied.
Note that this passphrase is only used if the option --batch has also
been given. This is different from GnuPG version 1.x.
--passphrase-file file
Read the passphrase from file file. Only the first line will be read from
file file. This can only be used if only one passphrase is supplied.
Obviously, a passphrase stored in a file is of questionable security if
other users can read this file. Don't use this option if you can avoid
it. Note that this passphrase is only used if the option --batch has
also been given. This is different from GnuPG version 1.x.
--passphrase string
Use string as the passphrase. This can only be used if only one
passphrase is supplied. Obviously, this is of very questionable security
on a multi-user system. Don't use this option if you can avoid it. Note
that this passphrase is only used if the option --batch has also been
given. This is different from GnuPG version 1.x.
For the above options, you'll probably need either --pinentry-mode loopback (allows entering new info, for example a new filename if there's a conflict) or --batch; otherwise gpg will just ignore the passphrase options and still ask the agent for a passphrase (a bug IMO).
This might be useful too:
--passphrase-repeat n
Specify how many times gpg will request a new passphrase be repeated.
This is useful for helping memorize a passphrase. Defaults to 1 repetition.
You could type the passphrase only once and read / store it in a shell/bash variable (say $password), recalling it later with --passphrase="$password". Something like:
# Keep asking until gpg accepts the passphrase (the first try runs with $password empty and fails)
until gpg --pinentry-mode loopback --passphrase="$password" --output "$file_to_edit" "$encrypted_file"; do
    read -r -s password   # -s: don't echo the passphrase to the terminal
done
# Got out of the loop with a correct password, now
echo "Some edit" >> "$file_to_edit"
gpg --pinentry-mode loopback --passphrase="$password" --output "$encrypted_file" --yes --symmetric "$file_to_edit"
(--yes to overwrite)
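As an added example (not the original answer's code), the same edit cycle using --passphrase-fd instead of --passphrase="...", so the passphrase never appears in the process list on a multi-user system, with the plaintext kept in RAM-backed /dev/shm and shredded together with any editor leftovers. It assumes gpg 2.x with loopback pinentry, a POSIX shell, and that /dev/shm exists (otherwise it falls back to $TMPDIR).

```shell
#!/bin/sh
# Added example, not from the original answer: edit a gpg --symmetric file
# while typing the passphrase once. Assumes gpg 2.x with loopback pinentry
# and a RAM-backed /dev/shm (falls back to $TMPDIR otherwise).
set -eu

# Decrypt $1 to $2. The passphrase ($3) is handed to gpg on stdin (fd 0),
# so it never shows up in `ps` output the way --passphrase="..." does.
gpg_decrypt_with() {
    printf '%s\n' "$3" | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --output "$2" --decrypt "$1"
}

# Symmetrically encrypt $1 to $2, overwriting $2 (--yes); passphrase is $3.
gpg_encrypt_with() {
    printf '%s\n' "$3" | gpg --batch --quiet --yes --pinentry-mode loopback \
        --passphrase-fd 0 --output "$2" --symmetric "$1"
}

# Decrypt into RAM-backed temp space, run $EDITOR, re-encrypt, then wipe the
# whole temp dir on every exit path (this also catches editor backup files).
# shred is best-effort on journaled/SSD storage, which is why the plaintext
# is kept off disk in the first place.
edit_encrypted() {
    enc="$1"; pass="$2"; rc=0
    ramdir=/dev/shm; [ -d "$ramdir" ] || ramdir="${TMPDIR:-/tmp}"
    tmpdir=$(mktemp -d "$ramdir/gpgedit.XXXXXX")
    plain="$tmpdir/$(basename "${enc%.gpg}")"
    gpg_decrypt_with "$enc" "$plain" "$pass" \
        && ${EDITOR:-vi} "$plain" \
        && gpg_encrypt_with "$plain" "$enc" "$pass" \
        || rc=$?
    find "$tmpdir" -type f -exec shred -u {} + 2>/dev/null || true
    rm -rf "$tmpdir"
    return "$rc"
}

# Interactive use: passphrase typed once, never echoed, held only in memory.
main() {
    printf 'Passphrase: '; stty -echo; read -r pass; stty echo; echo
    edit_encrypted "$1" "$pass"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `./gpgedit.sh secrets.txt.gpg`; a wrong passphrase makes the decrypt step fail and nothing is re-encrypted.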
Note: --pinentry-mode is available only for gpg 2.x (not for gpg 1.x). Also, there's no need for the --batch option with gpg 1.x. – francescop21 – 2018-09-14T16:15:15.883

That's true, with gpg 1 --passphrase [& --passphrase-file & --passphrase-fd] actually worked without needing extra tricks ;-) Another surprise is that gpg will remember the passphrase for a while (minutes?) and decrypt the same file again without asking for the passphrase – Xen2050 – 2018-09-15T09:14:39.267