JAMS GnuPG Samples

This article shows how to create Jobs that use GnuPG to encrypt, decrypt, sign, and verify files. To use these Jobs, Gpg4Win must first be installed and configured.

Passphrases

When doing encryption, decryption, or digital signing, GnuPG will request a passphrase through a popup dialog. For unattended Jobs, this is almost always undesired behavior, since it usually results in a hung Job waiting for a user to respond to the dialog. To prevent this, you can remove the passphrase from the private key, so no passphrase will be requested. Users can remove a passphrase from a key by running “gpg --passwd <<keyname>>” and supplying a blank passphrase. A key without a passphrase is protected only by the file permissions on the GnuPG home directory, so restrict that directory to the account the Job runs under.

User IDs

Certain GnuPG commands require you to specify users (e.g., which user a message is being encrypted for). A user refers to anyone who owns a public/private key pair. To perform a GnuPG command that requires a certain user as an argument, or to decrypt (or verify) a file from a certain user, you first need to import that user’s public key into your keyring. To do this:

  1. Obtain their public key file, e.g., bob.pub
  2. Run “gpg --import bob.pub” to import the public key

A user can be specified in several different ways, e.g., by key ID, fingerprint, OpenPGP user ID, email address, RFC 2253 DN, keygrip, name, or substring match. This article simply sticks to email addresses. A user can always run “gpg --list-keys” to view all of the public keys that have currently been imported, along with the associated email addresses. In this article, the <<keyname>> parameter identifies one’s own key, and <<recipient>> identifies another user’s key.

Generating Keys

Keys can also be generated using the "gpg --gen-key" command from a command prompt. The command prompts for the options used to create the key, and the new key is automatically stored in the keyring.

Encrypting Files

Before encrypting a file, you must know who the encrypted file is for (this can be yourself); only that person will be able to decrypt it. This is the <<RECIPIENT>> parameter.

Here is a job that will encrypt a file, <<INPUT_FILE>>, and store the result in <<OUTPUT_FILE>>:

Job Source:

gpg --encrypt --armor --yes --recipient "<<RECIPIENT>>" --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>"

Job Parameters: RECIPIENT, OUTPUT_FILE, INPUT_FILE

Sample job submission:

NOTE: When encrypting using UNC Paths, replace backslashes "\" with forward slashes "/".

Sample input file:

01234 this is a test 56789

Sample output file:

Encrypting Multiple Files

It is possible to encrypt multiple files by following the steps below.

  • Create a JAMS Job with the PowerShell execution method
  • Set the Job Source to the following script:
gpg --keyring C:\Users\Username\AppData\Roaming\gnupg\pubring.gpg --encrypt-files --armor --trust-model always --yes --recipient "<<RECIPIENT>>" "<<INPUT_FILE>>"
  • Give the Job RECIPIENT and INPUT_FILE Parameters
  • In Job Properties under Submit Options, set the Home Directory path to the folder where the target files reside
  • NOTE: When encrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
  • On Submission, set the INPUT_FILE Parameter to the file extension of the files to be encrypted (usually *.txt)

NOTE: Files encrypted using this method will have an extension of ".asc" due to the --armor option in the script. To produce encrypted files with a ".gpg" extension, remove --armor from the script.
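
An added example (not part of the original article or of JAMS): because the script above passes --trust-model always, gpg does not check the validity of the recipient key, so it is worth confirming that <<RECIPIENT>> selects exactly one key with the expected fingerprint before encrypting. The function name, the placeholder fingerprints and the sample listing are constructed; the parser reads gpg's --with-colons output.

```powershell
# Added example. Test-GpgRecipientKey and the sample listing are constructed for
# illustration; they are not part of JAMS or GnuPG.
function Test-GpgRecipientKey {
    param(
        [string[]]$ColonLines,         # output of: gpg --with-colons --fingerprint <recipient>
        [string]$ExpectedFingerprint   # fingerprint confirmed with the recipient out of band
    )
    $expected = $ExpectedFingerprint -replace '\s', ''
    $keys = @()
    $current = $null
    foreach ($line in $ColonLines) {
        $f = $line -split ':'
        switch ($f[0]) {
            'pub' { $current = @{ Validity = $f[1]; Fingerprint = '' }; $keys += $current }
            'sub' { $current = $null }   # fpr records after "sub" describe the subkey
            'fpr' { if ($null -ne $current -and $current.Fingerprint -eq '') { $current.Fingerprint = [string]$f[9] } }
        }
    }
    # The recipient string must select exactly one key, and it must be the pinned one.
    if ($keys.Count -ne 1) { return $false }
    $key = $keys[0]
    if ($key.Fingerprint -ne $expected) { return $false }
    # Field 2 of the pub record: i = invalid, d = disabled, r = revoked, e = expired.
    return ($key.Validity -notin @('i', 'd', 'r', 'e'))
}

# Constructed listing (placeholder fingerprints, key IDs and user ID).
$pinned = '0123456789ABCDEF0123456789ABCDEF01234567'
$oneKey = @(
    'pub:-:2048:1:89ABCDEF01234567:1704067200:::-:::scESC:',
    'fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:',
    'uid:-::::1704067200::::Bob Example <bob@example.com>:',
    'sub:-:2048:1:1122334455667788:1704067200::::::e:'
)
# A second imported key carrying the same email address is listed for the same recipient string.
$twoKeys = $oneKey + @(
    'pub:-:2048:1:76543210FEDCBA98:1704067200:::-:::scESC:',
    'fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:',
    'uid:-::::1704067200::::Bob Example <bob@example.com>:'
)
Test-GpgRecipientKey $oneKey $pinned     # single key with the pinned fingerprint
Test-GpgRecipientKey $twoKeys $pinned    # ambiguous recipient

# In the Job, run the check before the encrypt command:
#   $listing = & gpg --batch --with-colons --fingerprint "<<RECIPIENT>>"
#   if (-not (Test-GpgRecipientKey $listing $pinned)) { throw 'recipient key check failed' }
```

Passing the full fingerprint as the RECIPIENT value avoids the ambiguity entirely, since a fingerprint identifies a single key.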

Decrypting Files

A user can decrypt a file only if it was encrypted for them.

Here is a Job that will decrypt a file, <<INPUT_FILE>>, and store the unencrypted message in <<OUTPUT_FILE>>:

Job Source:

gpg --decrypt --yes --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>"

Job Parameters: OUTPUT_FILE, INPUT_FILE

Job Submission:

NOTE: When decrypting using UNC Paths, replace backslashes "\" with forward slashes "/".

Sample input file:

Sample output file:

01234 this is a test 56789

Decrypting Multiple Files

It is possible to decrypt multiple files by following the steps below.

  • Create a JAMS Job with the PowerShell Execution Method
  • Customize and paste the following script into the Job's Source:
gpg --homedir C:\Users\Username\AppData\Roaming\gnupg --batch --try-all-secrets --decrypt-files --yes "<<INPUT_FILE>>"
  • Create a Text Parameter with the name INPUT_FILE
  • In Job Properties under Submit Options, set the Home Directory path to the folder where the target files reside
  • NOTE: When decrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
  • On Submission, set the value of the INPUT_FILE Parameter to the file extension of the target files (the extension should be *.asc or *.gpg)

Creating Digital Signatures

A digital signature is verifiable by anyone who knows the user's public key.

The following Job creates a digital signature for the file <<INPUT_FILE>> and stores the result in <<OUTPUT_FILE>>:

Job Source:

gpg --detach-sign --armor --yes --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>" 

Job Parameters: OUTPUT_FILE, INPUT_FILE

Job Submission:

NOTE: When using UNC Paths, replace backslashes "\" with forward slashes "/".

Sample input file:

01234 this is a test 56789

Sample output file:

Verifying Signatures

The following Job verifies that the signature <<SIGNATURE_FILE>> is valid for the file <<INPUT_FILE>>:

Job Source:

gpg --verify "<<SIGNATURE_FILE>>" "<<INPUT_FILE>>"

Job Parameters: SIGNATURE_FILE, INPUT_FILE

Job submission:

NOTE: When using UNC Paths, replace backslashes "\" with forward slashes "/".

Sample Job output:

gpg: enabled debug flags: memstat
gpg: Signature made 08/26/11 15:01:33 Eastern Daylight Time using RSA key ID E96B0117
gpg: Good signature from "Jay Sullivan "
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
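
An added example (not part of the original article or of JAMS): the human-readable lines shown above are not meant for parsing, so an unattended Job can read gpg's --status-fd output instead and require that a valid signature came from one expected key. The function name, the placeholder fingerprint and the sample status lines are constructed.

```powershell
# Added example. Test-GpgSignatureStatus and the sample lines are constructed for
# illustration; they are not part of JAMS or GnuPG.
function Test-GpgSignatureStatus {
    param(
        [string[]]$StatusLines,        # output of: gpg --status-fd 1 --verify ...
        [string]$ExpectedFingerprint   # full fingerprint of the signer you expect
    )
    $expected = $ExpectedFingerprint -replace '\s', ''
    $seen = @()
    foreach ($line in $StatusLines) {
        # Any of these status codes means the signature must not be relied on.
        if ($line -match '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) ') {
            return $false
        }
        # VALIDSIG <signing-key-fpr> <8 more fields> [<primary-key-fpr>]
        if ($line -match '^\[GNUPG:\] VALIDSIG (.+)$') {
            $fields = $Matches[1].Trim() -split '\s+'
            $seen += $fields[0]
            if ($fields.Count -ge 10) { $seen += $fields[9] }
        }
    }
    # True only if a VALIDSIG line named the pinned key (comparison is case-insensitive).
    return ($seen -contains $expected)
}

# Constructed status output (placeholder fingerprint, key ID and user ID).
$pinned = '0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
$good = @(
    '[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>',
    '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
)
$bad = @('[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.com>')
$otherKey = $good -replace '0123456789ABCDEF0123456789ABCDEF01234567', 'FEDCBA9876543210FEDCBA9876543210FEDCBA98'

Test-GpgSignatureStatus $good $pinned        # valid signature from the pinned key
Test-GpgSignatureStatus $bad $pinned         # bad signature
Test-GpgSignatureStatus $otherKey $pinned    # valid signature, but from a different key

# In the Job, feed it real output and stop on a mismatch:
#   $status = & gpg --batch --status-fd 1 --verify "<<SIGNATURE_FILE>>" "<<INPUT_FILE>>" 2>$null
#   if (-not (Test-GpgSignatureStatus $status $pinned)) { throw 'signature check failed' }
```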
