NOTE: The instructions here are no longer considered JAMS Best Practice.
As of JAMS V6.5.41, users should instead use the Key Ring Encryption cmdlets, outlined in our Encrypt and Decrypt with JAMS PowerShell cmdlets article.
The instructions below should ONLY be used if the JAMS environment cannot be upgraded past V6.5.41.
JAMS GnuPG Samples
This article shows how to create Jobs that take advantage of GnuPG’s ability to encrypt, decrypt, sign, and verify files. To make use of these, Gpg4Win must first be installed and configured.
In this Article:
- Passphrases
- User IDs
- Generating Keys
- Encrypting Files
- Encrypting Multiple Files
- Decrypting Files
- Decrypting Multiple Files
- Creating Digital Signatures
- Verifying Signatures
Passphrases
When encrypting, decrypting, or digitally signing, GnuPG requests the passphrase through a popup dialog. For unattended Jobs this is almost always undesired, because the Job hangs while waiting for a user to respond to the dialog. To prevent this, remove the passphrase from the private key so that no passphrase is requested: run “gpg --passwd <<keyname>>” and supply a blank passphrase. A key without a passphrase is protected only by the access controls on the keyring files, so the GnuPG home directory should be readable only by the account that runs the Jobs.
User IDs
Certain GnuPG commands require you to specify a user (e.g., the user a message is being encrypted for). A user is anyone who owns a public/private key pair. To run a GnuPG command that takes a certain user as an argument, or to decrypt (or verify) a file from a certain user, you first need to import that user’s public key into your keyring. To do this:
- Obtain their public key file, e.g., bob.pub
- Run “gpg --import bob.pub” to import the public key
A user can be specified in several ways: by key ID, fingerprint, OpenPGP user ID, email address, RFC 2253 DN, keygrip, name, or substring match. This article sticks to email addresses. A user can always run “gpg --list-keys” to view all of the public keys currently imported into the keyring, along with their associated email addresses. In this article, the <<keyname>> parameter identifies your own key, and <<recipient>> identifies another user’s key.
Generating Keys
Keys can also be generated with the "gpg --gen-key" command from a command prompt. The command prompts for the options needed to create the key, and the resulting key pair is stored automatically in the keyring.
Encrypting Files
Before encrypting a file, a user must first know who the encrypted file is for (this can be yourself); only that person will be able to decrypt it. This is the <<RECIPIENT>> parameter.
Here is a job that will encrypt a file, <<INPUT_FILE>>, and store the result in <<OUTPUT_FILE>>:
Job name and description:
Job Source:
gpg --encrypt --armor --yes --recipient "<<RECIPIENT>>" --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>"
Job Parameters:
Sample job submission:
NOTE: When encrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
Sample input file:
01234 this is a test 56789
Sample output file: (ASCII-armored PGP MESSAGE block, omitted)
Encrypting Multiple Files
It is possible to encrypt multiple files by following these steps, using the script below.
- Create a JAMS Job with the PowerShell execution method
- Job Source:
gpg --keyring C:\Users\Username\AppData\Roaming\gnupg\pubring.gpg --encrypt-files --armor --trust-model always --yes --recipient "<<RECIPIENT>>" "<<INPUT_FILE>>"
- Give the Job RECIPIENT and INPUT_FILE Parameters
- In Job Properties under Submit Options, set the Home Directory path to the folder where the target files reside
- NOTE: When encrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
- On Submission, set the INPUT_FILE Parameter to the file extension of the files to be encrypted (usually *.txt)
NOTE: Files encrypted using this method will have an extension of ".asc" due to the --armor option in the script. To produce encrypted files with .gpg extensions, remove --armor from the script. The --trust-model always option makes gpg skip its check that the recipient key is trusted, so make sure the RECIPIENT key was verified when it was imported.
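The two encryption Jobs above run a bare gpg command, so a failed run can pass unnoticed. The following added example (not code from the JAMS article) wraps the same gpg --encrypt command in a PowerShell Job Source that applies the UNC path note, runs gpg non-interactively, and fails the Job when gpg fails or writes no output; <<RECIPIENT>>, <<INPUT_FILE>> and <<OUTPUT_FILE>> are the article's Job Parameters, and the function names are assumed.

```powershell
# Added example, not from the JAMS article: a PowerShell Job Source that wraps the
# gpg --encrypt command shown above and fails the Job when gpg fails.
# <<RECIPIENT>>, <<INPUT_FILE>> and <<OUTPUT_FILE>> are the article's Job Parameters,
# which JAMS substitutes before the script runs. Function names are assumed.

# gpg on Windows reads UNC paths correctly only with forward slashes (see the NOTE above).
function ConvertTo-GpgPath {
    param([Parameter(Mandatory)][string]$Path)
    return $Path -replace '\\', '/'
}

function Invoke-GpgEncrypt {
    param(
        [Parameter(Mandatory)][string]$Recipient,
        [Parameter(Mandatory)][string]$InputFile,
        [Parameter(Mandatory)][string]$OutputFile
    )
    if (-not (Test-Path -LiteralPath $InputFile)) {
        throw "Input file not found: $InputFile"
    }

    # --batch disables every interactive prompt, so the Job can never hang on a dialog.
    # Encryption needs only the recipient's public key, so no passphrase is involved.
    # Without --trust-model always, gpg in batch mode refuses a recipient key that is
    # not marked as trusted; the Job then fails instead of encrypting to an unverified key.
    $gpgOutput = & gpg --batch --encrypt --armor --yes `
        --recipient $Recipient `
        --output (ConvertTo-GpgPath $OutputFile) `
        (ConvertTo-GpgPath $InputFile) 2>&1

    if ($LASTEXITCODE -ne 0) {
        throw "gpg --encrypt failed (exit code $LASTEXITCODE): $($gpgOutput -join ' ')"
    }
    if (-not (Test-Path -LiteralPath $OutputFile)) {
        throw "gpg exited 0 but produced no output file: $OutputFile"
    }
    return Get-Item -LiteralPath $OutputFile
}

# An uncaught throw ends the script with an error instead of letting the Job succeed silently.
$result = Invoke-GpgEncrypt -Recipient "<<RECIPIENT>>" `
                            -InputFile "<<INPUT_FILE>>" -OutputFile "<<OUTPUT_FILE>>"
Write-Output "Encrypted $($result.Length) bytes to $($result.FullName)"
```

The same wrapper pattern (check $LASTEXITCODE, check the output file, throw) applies to the decryption Jobs below.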
Decrypting Files
A user can decrypt a file only if it was encrypted for them.
Here is a Job that will decrypt a file, <<INPUT_FILE>>, and store the unencrypted message in <<OUTPUT_FILE>>:
Job name and description:
Job Source:
gpg --decrypt --yes --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>"
Job Parameters:
Job Submission:
NOTE: When decrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
Sample input file: the ASCII-armored PGP MESSAGE produced by the encryption Job above (block omitted)
Sample output file:
01234 this is a test 56789
Decrypting Multiple Files
It is possible to decrypt multiple files by following these steps:
- Create a JAMS Job with the PowerShell execution method
- Customize the script below and paste it into the Job's Source:
gpg --homedir C:\Users\Username\AppData\Roaming\gnupg --batch --try-all-secrets --decrypt-files --yes "<<INPUT_FILE>>"
- Create a Text Parameter with the name INPUT_FILE
- In Job Properties under Submit Options, set the Home Directory path to the folder where the target files reside
- NOTE: When decrypting using UNC Paths, replace backslashes "\" with forward slashes "/".
- On Submission, set the value of the INPUT_FILE Parameter to the file extension of the target files (the extension should be *.asc or *.gpg)
Creating Digital Signatures
A digital signature is created with the signer's private key and can be verified by anyone who has the signer's public key.
To create a digital signature for the file <<INPUT_FILE>> and store the result in <<OUTPUT_FILE>>, the following Job can be used.
Job Source:
gpg --detach-sign --armor --yes --output "<<OUTPUT_FILE>>" "<<INPUT_FILE>>"
Job Parameters:
Job Submission:
NOTE: When using UNC Paths, replace backslashes "\" with forward slashes "/".
Sample input file:
01234 this is a test 56789
Sample output file: (ASCII-armored PGP block, omitted)
Verifying Signatures
The following Job verifies that the signature <<SIGNATURE_FILE>> is valid for the file <<INPUT_FILE>>.
Job Name and Description:
Job Source:
gpg --verify "<<SIGNATURE_FILE>>" "<<INPUT_FILE>>"
Job Parameters:
Job submission:
NOTE: When using UNC Paths, replace backslashes "\" with forward slashes "/".
Sample Job output:
gpg: enabled debug flags: memstat
gpg: Signature made 08/26/11 15:01:33 Eastern Daylight Time using RSA key ID E96B0117
gpg: Good signature from "Jay Sullivan "
random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
outmix=0 getlvl1=0/0 getlvl2=0/0
secmem usage: 0/32768 bytes in 0 blocks
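The "Good signature from" text in the sample output is meant for humans and changes with gpg version and locale, so a Job should not rely on it. The following added example (not code from the JAMS article) is a Job Source that verifies the signature using gpg's --status-fd lines and fails the Job on anything but a valid signature; <<SIGNATURE_FILE>> and <<INPUT_FILE>> are the article's Job Parameters, and the function name and the optional AllowedFingerprints list are assumed.

```powershell
# Added example, not from the JAMS article: a Job Source for signature verification that
# checks gpg's machine-readable status lines rather than the human-readable text above.
# <<SIGNATURE_FILE>> and <<INPUT_FILE>> are the article's Job Parameters; the function
# name and the optional AllowedFingerprints list are assumed additions.

function ConvertTo-GpgPath {
    param([Parameter(Mandatory)][string]$Path)
    return $Path -replace '\\', '/'   # UNC backslashes -> forward slashes (see NOTE above)
}

function Test-GpgSignature {
    param(
        [Parameter(Mandatory)][string]$SignatureFile,
        [Parameter(Mandatory)][string]$InputFile,
        [string[]]$AllowedFingerprints = @()   # optional allow-list of signing-key fingerprints
    )
    # --status-fd 1 writes "[GNUPG:] ..." lines to stdout. Unlike "Good signature from",
    # which varies with gpg version and locale, these lines are stable and parseable.
    $lines = & gpg --batch --status-fd 1 --verify `
        (ConvertTo-GpgPath $SignatureFile) (ConvertTo-GpgPath $InputFile) 2>&1 |
        ForEach-Object { "$_" }
    $exitCode = $LASTEXITCODE

    $fingerprint = $null
    $failures = @()
    foreach ($line in $lines) {
        # VALIDSIG is emitted only for a signature that verified; its first field is the
        # 40-hex-digit fingerprint of the signing key.
        if ($line -match '^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40})\b') {
            $fingerprint = $Matches[1].ToUpper()
        }
        elseif ($line -match '^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)\b') {
            $failures += $line
        }
    }

    if ($exitCode -ne 0 -or $failures.Count -gt 0 -or -not $fingerprint) {
        throw "Signature verification FAILED for $InputFile (exit code $exitCode): $($failures -join '; ')"
    }
    # A good signature from the wrong key is still a failure for an automated Job.
    if ($AllowedFingerprints.Count -gt 0 -and $AllowedFingerprints -notcontains $fingerprint) {
        throw "Valid signature, but signing key $fingerprint is not an allowed signer"
    }
    return $fingerprint
}

$signer = Test-GpgSignature -SignatureFile "<<SIGNATURE_FILE>>" -InputFile "<<INPUT_FILE>>"
Write-Output "Good signature from key $signer"
```

Passing -AllowedFingerprints with the fingerprints of the expected signers pins the Job to those keys rather than to any key in the keyring.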