gpg usage

Author:  bluefrog [ Tue Mar 08, 2016 11:27 am ]
Post subject:  gpg usage


I'm attempting to hash a file using gpg with SHA512.

have tried the following:
$ cat > t.dat <<<"A test"
$ gpg --s2k-digest-algo SHA512 t.dat
but get an error
gpg: no valid OpenPGP data found.

Also, how could I get the string back unhashed?

Author:  uhelp [ Tue Mar 08, 2016 11:32 am ]
Post subject:  Re: gpg usage

no need for gpg.

There are already tools providing this functionality.
Typing sha<tab><tab> should give something like this:
sha1sum sha224sum sha256sum sha384sum sha512sum

Hence just a sha512sum <SomeFileOrPathName> is needed.

Author:  bluefrog [ Tue Mar 08, 2016 1:05 pm ]
Post subject:  Re: gpg usage

ok, thanks. is there a way to get the unhashed value of what was hashed in a file?

Author:  jeo [ Tue Mar 08, 2016 1:49 pm ]
Post subject:  Re: gpg usage

Hey bluefrog, are you trying to encrypt the contents of the file? A hash is more like a "fingerprint"... A way to verify that a file hasn't been altered. The contents of the file are not contained in the hash. If you want to be able to encrypt a file and decrypt it later with a password, you can use gpg for that. The -c option tells it to encrypt the file.

# Use something like this to encrypt a single file
# You will be prompted to pick a passphrase
# The resulting file will be named t.dat.gpg
$ gpg -c t.dat

# You could even specify the algorithm, like in your example, but that only relates to the passphrase, not the contents of the file itself:
$ gpg --s2k-digest-algo SHA512 -c t.dat

# To decrypt the file, simply run the following
# You will be prompted for a passphrase. This will be the passphrase that you used when you encrypted the file.
$ gpg t.dat.gpg

I hope this helps!

Author:  uhelp [ Tue Mar 08, 2016 1:58 pm ]
Post subject:  Re: gpg usage

And you just CAN'T get back the unhashed string from a hash.
They are one-way tickets by design.

jeo told you how to en- and decrypt.

Author:  bluefrog [ Tue Mar 08, 2016 2:08 pm ]
Post subject:  Re: gpg usage

Hi Jeo,

thanks, got it. Is there a way to bypass the password phrase, so instead of -c, use some kind of AES signature?

Author:  bluefrog [ Wed Mar 09, 2016 3:55 am ]
Post subject:  Re: gpg usage

Not sure how to solve this.
I have a file, the contents of which are:
What I'm after is to encrypt the passwords in the file (3rd column, delimited by ":"), so the file contents would look as follows:
USER1:ENV1:% wify ergg"*() -hjg
USER2:ENV1:fhy 123yigfd
Where the 3rd column is now encrypted. I now need to unencrypt the 3rd column to get to the original text, without intervention from user input.
I'm sure gpg could be used, but not sure how though?

Author:  uhelp [ Wed Mar 09, 2016 8:45 am ]
Post subject:  Re: gpg usage

What is the goal you're trying to achieve?

Author:  jeo [ Thu Mar 10, 2016 12:35 am ]
Post subject:  Re: gpg usage

I think I see what you're saying. So, what's the purpose of UN-encrypting the password field?

If you're doing this for some kind of authentication system, you probably don't need to decrypt the password field. You would want to take a hash of the password (maybe this is what you were looking for in your original post?) and store the hash. Then to check against it later, you just hash the user's input and see if it matches.

Was the encrypted file from the first post different from the encrypted passwords?

You can generate the hash with something like...
$ echo -n "PASSWORD" | md5sum | cut -d' ' -f1

Author:  bluefrog [ Fri Mar 11, 2016 5:17 am ]
Post subject:  Re: gpg usage

Hi Jeo

thanks for the reply, the reason that I have to "decrypt" or "unhash" the string is that it is used for authentication into an Oracle command line utility, so the sample file I posted would be USER1 = oracle user, ENV = database name and Pass1 = password.

So although I could hash the string "Pass1"
echo "Pass1" | md5sum
I would need to "unhash" in order for it to be used. I have a utility which currently uses the apache xerces open source java library, but I would dearly like to remove java as a dependency and rely on what is available on a linux server, whether it be gpg, openssl or whatever hashing is available.

The problem with hashing, based on what uhelp has mentioned and from what I've read, is that it probably won't serve my purpose as I've just described, since it is only one way. You can use hashing for authentication since you can compare what is hashed with what has been entered, but there is no input in this case.

Author:  jeo [ Fri Mar 11, 2016 9:39 am ]
Post subject:  Re: gpg usage

Hi bluefrog!

I actually think I figured out what you were trying to do shortly after I posted that, but hadn't had time to put any thought into it. You're going to need some kind of passphrase either way, but you could have the passphrase to decrypt the passwords in the script that uses them. It totally defeats the purpose though, if the password file and the script are stored together. I've actually been working on a similar problem in an environment where I need to manage 50+ Linux servers and I'm not allowed to use SSH keys... I don't want passwords stored in plain text, but encrypting them and storing them right next to the script that contains the passphrase to decrypt them would just be bad practice...

Ok, that was kind of a tangent... Now, on to how to do it! You *Could* use gpg for this, but you won't get a nice string to store in the nicely formatted file you have spec'd. Let's use OpenSSL for this instead. Here's an example:

> # -aes-256-cbc names the cipher; -base64 on its own only encodes
> enc=$(echo password | openssl enc -aes-256-cbc -base64 -salt -pass pass:mypass)

> echo "$enc" | openssl enc -aes-256-cbc -base64 -d -pass pass:mypass

The example is pretty simple. You might want to use a stronger encryption (see the man page for openssl for options). There are also different options for how to get the passphrase (mypass) used to en/decrypt your password string. Those are also in the man page, and include things like an environment variable, or a separate file.

I hope this helps get you started!
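
The approach discussed above (OpenSSL, with the passphrase read from a separate file so nothing is typed at a terminal), applied to the USER:ENV:PASSWORD file as an added example that is not part of the original posts. The function names, file names and sample records are constructed, and -pbkdf2 assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: field-level encryption of USER:ENV:PASSWORD records.
# Function names, file names and sample values are constructed.

# Encrypt stdin with the passphrase in file $1. -A keeps the base64 on
# one line so it fits in a colon-delimited field (base64 has no ':').
enc_field() {
    openssl enc -aes-256-cbc -pbkdf2 -salt -a -A -pass "file:$1"
}

# Decrypt one base64 field read from stdin with the passphrase in file $1.
dec_field() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass "file:$1"
}

# encrypt_file KEYFILE IN OUT: copy IN to OUT with field 3 encrypted.
# read splits on the first two colons only, so passwords may contain ':'.
# printf is a builtin in bash and dash, so $pass is not exposed in `ps`.
encrypt_file() {
    : > "$3"
    while IFS=: read -r user env pass; do
        [ -n "$user" ] || continue
        printf '%s:%s:%s\n' "$user" "$env" \
            "$(printf '%s' "$pass" | enc_field "$1")" >> "$3"
    done < "$2"
}

# get_password KEYFILE ENCFILE USER ENV: print the cleartext password.
# Returns non-zero when no record matches.
get_password() {
    while IFS=: read -r user env blob; do
        if [ "$user" = "$3" ] && [ "$env" = "$4" ]; then
            printf '%s' "$blob" | dec_field "$1"
            return
        fi
    done < "$2"
    return 1
}

# Demo on constructed data in a private temporary directory.
umask 077
demo=$(mktemp -d)
printf '%s\n' 'constructed-passphrase' > "$demo/key"
printf '%s\n' 'USER1:ENV1:Pass1' 'USER2:ENV1:p:ss 2' > "$demo/plain"
encrypt_file "$demo/key" "$demo/plain" "$demo/enc"
cat "$demo/enc"
get_password "$demo/key" "$demo/enc" USER2 ENV1; echo
rm -rf "$demo"
```

Any account that can read both the key file and the encrypted file can recover the passwords, so the key file's ownership and mode carry the whole protection.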

Author:  bluefrog [ Fri Mar 11, 2016 10:25 am ]
Post subject:  Re: gpg usage

that is awesome!!!! wow...
i got something to go on now.
So so grateful, thank you very much!!!

Still needs a bit of work though, will probably store the phrase in some file. Will have to chat to the sysadmin and see what he reckons, but I think he'll be happy with this for a "good enough" local solution.

Author:  uhelp [ Fri Mar 11, 2016 12:15 pm ]
Post subject:  Re: gpg usage

Don't get too excited.

This does not really solve the problem.
It just moves the task from reading stored passwords to calling the decrypt routine.

What you want to achieve is not doable with these means.

This just stores the password encrypted.

Author:  bluefrog [ Sat Mar 12, 2016 7:04 am ]
Post subject:  Re: gpg usage

To a degree what you stated is true, but I am replicating an existing working system which was created by others, using a file similar to the sample I posted above and using bash along with the apache xerces library. I would like to at least remove java as a dependency, but as you say, the password problem will remain, but at least I can hide the executable decrypting the password from other unix accounts, and it helps with integration testing, since users no longer have to type in a password based on a "read" at the unix terminal. Software releases can now be driven by a cron job or some other tool like Control-M or autosys, without human intervention. Password configuration of Oracle users is now simply a one-off configured task, instead of requiring daily intervention.

All times are UTC - 6 hours