
GnuPG: How to encrypt/decrypt files using a certain key?


Long story short, my question is: How can I tell GnuPG which private/public key to use when encrypting/decrypting files?


Some explanation / Long story

I have an application that must encrypt files before sending them to S3.

Users can download their files using their browsers from my website, in which case I must first decrypt the files before serving them.

Client side (Delphi 2010): I'm most likely going to opt for OpenPGPBlackbox.

Server side (PHP 5): I need to figure out how to encrypt/decrypt files with non-interactive commands.

I installed GnuPG on my server, tried this code:

clear_file='/full/path/my-file.zip'
encrypted_file='/full/path/my-file.zip.pgp'

# Encrypt file (no recipient given, so gpg2 prompts for one interactively)
/usr/bin/gpg2 --encrypt "$clear_file"

# Decrypt file (gpg2 picks whichever secret key matches the message)
/usr/bin/gpg2 --decrypt "$encrypted_file"

But it seems that I can't specify, in the commandline, which keys to use.

Each user will have their own public/private key, so I need to be able to specify which key to use to encrypt/decrypt the file in question.

My question is: How can I tell GnuPG which private/public key to use when encrypting/decrypting files?


Solution

  • The options you are looking for are:

    --default-key name
              Use name as the default key to sign with. If this option is not used, the default key is
              the first key found in the secret keyring.  Note that -u or --local-user overrides this
              option.
    --local-user name
       -u     Use name as the key to sign with. Note that this option overrides --default-key.
    

    or possibly:

    --recipient name
       -r     Encrypt for user id name. If this option or --hidden-recipient is not specified,
              GnuPG asks for the user-id unless --default-recipient is given.
    --default-recipient name
              Use name as default recipient if option --recipient is not used and don't ask if
              this is a valid one. name must be non-empty.
    

    These can be used to specify who the intended recipient is, e.g. which public key to use for signing/encryption. When decrypting the files, GnuPG automatically selects the correct key if it exists in the current keyring, which can be selected with the --keyring option if multiple exist. GnuPG can also be configured to fetch the necessary keys from a keyserver if they are available there.

    You might also be interested in the option --batch, which makes sure that no interactive questions are asked during execution.

    I suggest you read through the GnuPG man page. There are a lot of options that might be useful now and then.
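The answer names the flags but not how they fit together on a server that must never block on a prompt. The script below is an added example, not code from the question or the answer, and it goes a little beyond the answer: it runs the whole per-user flow (generate a key, encrypt for it by fingerprint, decrypt with a file-supplied passphrase) inside a throwaway keyring. It assumes GnuPG 2.1 or newer (the --pinentry-mode loopback and --quick-gen-key options do not exist in 1.4 or 2.0), one --homedir per user, and the hypothetical names user-42@example.com, pass.txt and my-file.zip; the payload and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Non-interactive per-user encrypt/decrypt with GnuPG 2.1 or newer (gpg2).
# Assumptions: one throwaway --homedir per user (so only that user's keys are
# visible to gpg), keys are addressed by full fingerprint, and the passphrase
# comes from a 0600 file instead of a pinentry dialog.
set -u

# Print the gpg binary to use; status 1 if GnuPG is not installed.
find_gpg() {
    command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null
}

# Fresh isolated keyring directory. gpg insists on mode 0700 for it.
new_gnupghome() {
    _d=$(mktemp -d "${TMPDIR:-/tmp}/gnupg.XXXXXX") || return 1
    chmod 700 "$_d"
    # Early 2.1 agents only accept a loopback pinentry when told so.
    echo allow-loopback-pinentry > "$_d/gpg-agent.conf"
    echo "$_d"
}

# gpg_run HOMEDIR ARGS... : every call is non-interactive. --batch and
# --no-tty make gpg fail instead of asking; --yes lets --output overwrite;
# loopback pinentry routes passphrase requests to --passphrase-file.
gpg_run() {
    _home=$1; shift
    "$GPG" --homedir "$_home" --batch --yes --quiet --no-tty \
        --pinentry-mode loopback "$@"
}

# make_user_key HOMEDIR USERID PASSFILE : generate a key pair and print the
# primary key's fingerprint. Store the fingerprint, not the e-mail: user ids
# are free text and two keys can carry the same one.
make_user_key() {
    gpg_run "$1" --passphrase-file "$3" --quick-gen-key "$2" || return 1
    gpg_run "$1" --with-colons --fingerprint --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_for HOMEDIR FPR CLEAR_FILE ENCRYPTED_FILE
# --trust-model always stops --batch from aborting with "key is not certain"
# on a key nobody has signed. It is only acceptable because the recipient is
# pinned to an exact fingerprint the application already verified.
encrypt_for() {
    gpg_run "$1" --trust-model always --recipient "$2" \
        --output "$4" --encrypt "$3"
}

# decrypt_with HOMEDIR PASSFILE ENCRYPTED_FILE CLEAR_FILE
# gpg reads the key id from the message and looks for that secret key in
# HOMEDIR; with one homedir per user this can only be that user's key.
decrypt_with() {
    gpg_run "$1" --passphrase-file "$2" --output "$4" --decrypt "$3"
}

# Round trip on constructed data. Returns 0 only if the plaintext survives
# and is not visible in the ciphertext; cleans up the homedir and its agent.
roundtrip_demo() {
    _h=$(new_gnupghome) || return 1
    printf 'correct horse battery staple\n' > "$_h/pass.txt"   # constructed
    chmod 600 "$_h/pass.txt"
    printf 'constructed sample payload for user 42\n' > "$_h/my-file.zip"
    _rc=1
    if _fpr=$(make_user_key "$_h" "User 42 <user-42@example.com>" "$_h/pass.txt") \
       && [ -n "$_fpr" ] \
       && encrypt_for "$_h" "$_fpr" "$_h/my-file.zip" "$_h/my-file.zip.pgp" \
       && ! grep -q 'constructed sample' "$_h/my-file.zip.pgp" \
       && decrypt_with "$_h" "$_h/pass.txt" "$_h/my-file.zip.pgp" "$_h/my-file.zip.out" \
       && cmp -s "$_h/my-file.zip" "$_h/my-file.zip.out"; then
        _rc=0
    fi
    gpgconf --homedir "$_h" --kill gpg-agent 2>/dev/null || true
    rm -rf "$_h"
    return $_rc
}

if GPG=$(find_gpg); then
    roundtrip_demo && echo "round trip OK"
else
    echo "GnuPG not found; nothing to run" >&2
fi
```

Two points for the PHP side. --default-key and --local-user only pick the signing key; for the S3 case what matters is --recipient on encryption and making sure the matching secret key is the only one gpg can find on decryption. In GnuPG 2.1 and later --secret-keyring is ignored and secret keys live under the agent, so a per-user --homedir is the cleanest separation (the --keyring option from the answer covers public keys only). And since the web server holds every user's private key and passphrase, this protects the files at rest in S3, not against a compromise of the server itself.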