NAME¶
gpgdir - recursive directory encryption with GnuPG
SYNOPSIS¶
gpgdir -e|-d <directory> [options]
DESCRIPTION¶
gpgdir is a perl script that uses the CPAN GnuPG::Interface perl module
to recursively encrypt and decrypt directories using gpg.
gpgdir
recursively descends through a directory in order to make sure it encrypts or
decrypts every file in a directory and all of its subdirectories. By default
the mtime and atime values of all files will be preserved upon encryption and
decryption (this can be disabled with the
--no-preserve-times option).
Note that in
--encrypt mode, gpgdir will delete the original files that
it successfully encrypts (unless the
--no-delete option is given).
However, upon startup gpgdir first asks for a the decryption password to be
sure that a dummy file can successfully be encrypted and decrypted. The
initial test can be disabled with the
--skip-test option so that a
directory can easily be encrypted without having to also specify a password
(this is consistent with
gpg behavior). Also, note that gpgdir is
careful not encrypt hidden files and directories. After all, you probably
don't want your ~/.gnupg directory or ~/.bashrc file to be encrypted. The key
gpgdir uses to encrypt/decrypt a directory is specified in ~/.gpgdirrc.
Finally,
gpgdir can use the
wipe program with the
--Wipe
command line option to securely delete the original unencrypted files after
they have been successfully encrypted. This elevates the security stance of
gpgdir since it is more difficult to recover the unencrypted data associated
with files from the filesystem after they are encrypted (unlink() does not
erase data blocks even though a file is removed).
OPTIONS¶
- -e, --encrypt <directory>
- Recursively encrypt all files in the directory specified on
the command line. All original files will be deleted (a password check is
performed first to make sure that the correct password to unlock the
private GnuPG key is known to the user).
- -d, --decrypt <directory>
- Recursively decrypt all files in the directory specified on
the command line. The encrypted .gpg version of each file will be
deleted.
- --sign <directory>
- Recursively sign all files in the directory specified on
the command line. For each file, a detached .asc signature will be
created.
- --verify <directory>
- Recursively verify all .asc signatures for files in the
directory specified on the command line.
- -g, --gnupg-dir <directory>
- Specify which .gnupg directory will be used to find GnuPG
keys. The default is ~/.gnupg if this option is not used. This option
allows gpgdir to be run as one user but use the keys of another user
(assuming permissions are setup correctly, etc.).
- -p, --pw-file <pw-file>
- Read decryption password from pw-file instead of
typing it on the command line.
- -t, --test-mode
- Run an encryption and decryption test against a dummy file
and exit. This test is always run by default in both --encrypt and
--decrypt mode.
- -S, --Symmetric
- Instruct gpgdir to encrypt to decrypt files using a
symmetric cipher supported by GnuPG (CAST5 is commonly used). This results
in a significant speed up for the encryption/decryption process.
- -T, --Trial-run
- Show what encrypt/decrypt actions would take place without
actually doing them. The filesystem is not changed in any way in this
mode.
- -I, --Interactive
- Prompt the user before actually encrypting or decrypting
each file. This is useful to have fine-grained control over gpgdir
operations as it recurses through a directory structure.
- -F, --Force
- Tell gpgdir to ignore non-fatal error conditions,
such as the inability to encrypt or decrypt individual files because of
permissions errors.
- --Exclude <pattern>
- Instruct gpgdir to skip all files that match pattern
as a regex match against each filename. This is similar to the
--exclude option in the standard GNU tar command.
- --Exclude-from <file>
- Instruct gpgdir to exclude all files matched by patterns
listed in file. This is similar to the --exclude-from the
GNU tar command.
- --Include <pattern>
- Instruct gpgdir to only include files that match
pattern as a regex match against each filename.
- --Include-from <file>
- Instruct gpgdir to only include files matched by patterns
listed in file.
- -W, --Wipe
- Use the wipe program to securely delete files after
they have been successfully encrypted.
- -O, --Obfuscate-filename
- Tell gpgdir to obfuscate the file names of files
that it encrypts (in -e mode). The names of each file are stored within
the file .gpgdir_map_file for every sub-directory, and this file is itself
encrypted. In decryption mode (-d), the -O argument reverses the process
so that the original files are restored.
- --overwrite-encrypted
- Overwrite encrypted files even if a previous
<file>.gpg file already exists.
- --overwrite-decrypted
- Overwrite decrypted files even if the previous unencrypted
file already exists.
- -K, --Key-id <id>
- Manually specify a GnuPG key ID from the command line.
Because GnuPG supports matching keys with a string, id does not
strictly have to be a key ID; it can be a string that uniquely matches a
key in the GnuPG key ring.
- -D, --Default-key
- Use the key that GnuPG defines as the default, i.e. the key
that is specified by the default-key variable in ~/.gnupg/options.
If the default-key variable is not defined within ~/.gnupg/options, then
GnuPG tries to use the first suitable key on its key ring (the initial
encrypt/decrypt test makes sure that the user knows the corresponding
password for the key).
- -a, --agent
- Instruct gpgdir to acquire gpg key password from a
running gpg-agent instance.
- -A,
--Agent-info <connection info>
- Specify the value of the GPG_AGENT_INFO environment
variable as returned by the gpg-agent --daemon command. If the
gpgdir --agent command line argument is used instead of
--Agent-info, then gpgdir assumes that the GPG_AGENT_INFO
environment variable has already been set in the current shell.
- -s, --skip-test
- Skip encryption and decryption test. This will allow
gpgdir to be used to encrypt a directory without specifying a
password (which normally gets used in encryption mode to test to make sure
decryption against a dummy file works properly).
- -q, --quiet
- Print as little as possible to the screen when encrypting
or decrypting a directory.
- --no-recurse
- Instruct gpgdir to not recurse through any subdirectories
of the directory that is being encrypted or decrypted.
- --no-password
- Instruct gpgdir to not ask the user for a password. This is
only useful when a gpg key literally has no associated password (this is
not common).
- --no-delete
- Instruct gpgdir to not delete original files at encrypt
time.
- --no-preservetimes
- Instruct gpgdir to not preserve original file mtime and
atime values upon encryption or decryption.
- -l, --locale <locale>
- Provide a locale setting other than the default
"C" locale.
- --no-locale
- Do not set the locale at all so that the default system
locale will apply.
- -v, --verbose
- Run in verbose mode.
- -V, --Version
- Print version number and exit.
- -h, --help
- Print usage information and exit.
FILES¶
~/.gpgdirrc
Contains the key id of the user gpg key that
will be used to encrypt or decrypt the files within a directory.
EXAMPLES¶
The following examples illustrate the command line arguments that could be
supplied to gpgdir in a few situations:
To encrypt a directory:
$ gpgdir -e /some/dir
To encrypt a directory, and use the wipe command to securely delete the original
unencrypted files:
$ gpgdir -W -e /some/dir
To encrypt a directory with the default GnuPG key defined in ~/.gnupg/options:
$ gpgdir -e /some/dir --Default-key
To decrypt a directory with a key specified in ~/.gpgdirrc:
$ gpgdir -d /some/dir
To encrypt a directory but skip all filenames that contain the string
"host":
$ gpgdir -e /some/dir --Exclude host
To encrypt a directory but only encrypt those files that contain the string
"passwd":
$ gpgdir -e /some/dir --Include passwd
To acquire the GnuPG key password from a running gpg-agent daemon in order to
decrypt a directory (this requires that gpg-agent has the password):
$ gpgdir -A /tmp/gpg-H4DBhc/S.gpg-agent:7046:1 -d /some/dir
To encrypt a directory but skip the encryption/decryption test (so you will not
be prompted for a decryption password):
$ gpgdir -e /some/dir -s
To encrypt a directory and no subdirectories:
$ gpgdir -e /some/dir --no-recurse
To encrypt root's home directory, but use the GnuPG keys associated with the
user "bob":
# gpgdir -e /root -g /home/bob/.gnupg
DEPENDENCIES¶
gpgdir requires that gpg, the Gnu Privacy Guard (
http://www.gnupg.org) is
installed.
gpgdir also requires the GnuPG::Interface perl module from
CPAN, but it is bundled with
gpgdir and is installed in /usr/lib/gpgdir
at install-time so it does not pollute the system perl library tree.
SEE ALSO¶
gpg(1)
AUTHOR¶
Michael Rash <mbr@cipherdyne.org>
CONTRIBUTORS¶
Many people who are active in the open source community have contributed to
gpgdir; see the
CREDITS file in the gpgdir sources.
BUGS¶
Send bug reports to mbr@cipherdyne.org. Suggestions and/or comments are always
welcome as well.
DISTRIBUTION¶
gpgdir is distributed under the GNU General Public License (GPL), and the
latest version may be downloaded from
http://www.cipherdyne.org