LinuxCommandLibrary

gpg-zip

Encrypt and compress files using GPG

TLDR

Encrypt a directory into archive.gpg using a passphrase

$ gpg-zip [[-c|--symmetric]] [[-o|--output]] [archive.gpg] [path/to/directory]

Decrypt archive.gpg and extract its contents into the current directory
$ gpg-zip [[-d|--decrypt]] [path/to/archive.gpg]

List the contents of the encrypted archive.gpg
$ gpg-zip --list-archive [path/to/archive.gpg]

SYNOPSIS

gpg-zip [options] filename1 [filename2 ...] directory1 [directory2 ...]
gpg-zip [-d|--decrypt] archive.gpg
gpg-zip --list-archive archive.gpg

PARAMETERS

-e, --encrypt
    Encrypts the given files and directories into an archive using public-key cryptography. Use together with -r to name at least one recipient.

-d, --decrypt
    Decrypts the given archive and extracts its contents into the current directory (gpg --decrypt piped into tar -x).

-s, --sign
    Signs the archive with your private key. Can be combined with -e or -c.

-r KEY, --recipient KEY
    Encrypts for the user ID, key ID or fingerprint KEY. Repeat the option for multiple recipients.

-c, --symmetric
    Encrypts with a symmetric cipher using a passphrase. gpg prompts for it through pinentry unless you pass a batch passphrase option through --gpg-args.

-o FILE, --output FILE
    Writes the archive to FILE instead of standard output. Passed through to gpg as --output.

--list-archive
    Decrypts the archive and lists its members (tar -t) without extracting them.

--gpg GPG
    Uses the specified gpg binary instead of the first one found on PATH.

--gpg-args ARGS
    Passes additional options to gpg, e.g. --gpg-args "--batch --passphrase-fd 3". ARGS is split on whitespace, so a single option cannot contain spaces.

--tar TAR
    Uses the specified tar binary.

--tar-args ARGS
    Passes additional options to tar; split on whitespace like --gpg-args.

--version, --help
    Prints version or usage information and exits.

DESCRIPTION

gpg-zip is a small shell script shipped with GnuPG that encrypts or signs a set of files and directories into a single archive. Despite its name it does not use zip: it is a gpg-ized tar that produces the same format as PGP's PGP Zip, which is why the archives are interchangeable with that tool.

Its purpose is to save the user from typing the tar-to-gpg pipeline by hand. Users can choose between symmetric (passphrase-based) and public-key (recipient-based) encryption, and can additionally sign the archive.

When creating an archive, it runs tar -cf - on the given paths and pipes the stream into gpg (with --set-filename x.tar), so any compression is gpg's own, controlled by gpg's --compress-algo and --compress-level rather than by tar. When decrypting, it pipes gpg --decrypt into tar -xvf -, which extracts the members into the current directory; --list-archive pipes into tar -tf - instead. No intermediate archive is written to disk in either direction.

CAVEATS

Dependency: gpg-zip is a shell script that relies on both gpg (GnuPG) and tar being installed; it uses the first gpg and tar found on PATH unless --gpg or --tar points elsewhere. zip is not involved. Recent GnuPG releases ship gpgtar as its replacement and no longer install the gpg-zip script, so check which one your system provides.

Passphrase Security: gpg-zip has no passphrase option of its own; anything you put in --gpg-args reaches gpg's command line and is visible in process listings (e.g. ps -ef) and shell history, so never pass --passphrase there. Either let gpg prompt through pinentry, or pass the passphrase on an inherited file descriptor: gpg-zip -c --gpg-args "--batch --pinentry-mode loopback --passphrase-fd 3" -o archive.gpg dir 3< passfile.

Authenticity: symmetric mode proves only that the decrypting party knew the passphrase; it does not identify who produced the archive. gpg --decrypt will also happily unpack an archive that was merely signed, or not encrypted at all, so check gpg's status output (or use --gpg-args "--status-fd 2") if the archive must be encrypted and signed by a known key.

Untrusted Archives: -d pipes the decrypted tar stream straight into tar -x in the current directory. Before extracting an archive you did not create, run --list-archive and look for absolute paths or ".." components, and extract into an empty scratch directory.

Wrapper Limitations: --gpg-args and --tar-args are word-split, so options containing spaces cannot be passed, and only the options listed above are recognised. For anything more elaborate, chain tar and gpg directly; that is all the script does.

ENCRYPTION MODES

gpg-zip supports two encryption modes via GnuPG, plus signing:

Public-key encryption: Activated with -e or --encrypt together with one or more -r or --recipient options. The archive is encrypted for the named recipients, whose public keys must be in your GnuPG keyring; only the holders of the corresponding private keys can decrypt it.

Symmetric encryption: Activated with -c or --symmetric. The archive is encrypted with a passphrase that you provide, and anyone with that passphrase can decrypt it. This is often used for self-encrypted backups or when sharing with people who do not have GnuPG key pairs.

Signing: -s or --sign adds an OpenPGP signature with your private key and can be combined with either mode above. Without it, neither mode tells the recipient who created the archive.

WORKFLOW

The typical workflow for gpg-zip involves:

Creation (-e, -c or -s):
a. Archiving: tar -cf - writes the given files and directories as a tar stream to standard output.
b. Encryption: the stream is piped into gpg --set-filename x.tar with the chosen --encrypt, --symmetric or --sign options; gpg compresses it (by default) and writes the OpenPGP message to -o FILE or standard output.

Decryption (-d) or listing (--list-archive):
a. Decryption: gpg --decrypt reads the archive (requiring the correct passphrase or private key) and writes the tar stream to standard output.
b. Extraction: the stream is piped into tar -xvf -, which extracts the original files into the current directory, or into tar -tf -, which only lists them.

Everything flows through pipes, so no temporary copy of the plaintext archive is written to disk.
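As an added example (not GnuPG's own gpg-zip script), the following POSIX shell functions reproduce the three modes described under WORKFLOW and CAVEATS with tar and gpg called directly, with the two changes a practitioner would want: the passphrase is read from a file descriptor under --batch instead of being typed or placed on the command line, and the archive is listed and checked for member names that would escape the target directory before anything is extracted. It assumes gpg 2.x and a tar that reads from standard input on PATH; the file names, directory layout, passphrase and the isolated GNUPGHOME are constructed for the demo.

```shell
#!/bin/sh
# Manual equivalent of gpg-zip (tar | gpg), added example, not GnuPG's script.
# Assumes gpg 2.x and GNU or BSD tar on PATH. All inputs below are constructed.
set -eu

# Read one tar member name per line on stdin; return 1 if any member is an
# absolute path or contains a ".." component (it would escape the target dir).
tar_listing_is_safe() {
    while IFS= read -r member; do
        case "$member" in
            /*|*/../*|../*|*/..|..) return 1 ;;
        esac
    done
    return 0
}

# Create: $1 = output file, $2 = file holding the passphrase, rest = paths.
# Same pipeline gpg-zip runs (--set-filename x.tar included); --batch and
# --passphrase-fd keep the passphrase out of `ps` and shell history.
# For public-key mode replace --symmetric with --encrypt --recipient KEY.
pgz_create() {
    out=$1; pass=$2; shift 2
    tar -cf - "$@" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --set-filename x.tar --symmetric --output "$out" 3< "$pass"
}

# List: $1 = archive, $2 = passphrase file. Decrypt and print member names.
pgz_list() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$1" 3< "$2" | tar -tf -
}

# Extract: $1 = archive, $2 = passphrase file, $3 = target directory.
# The listing is checked first; the archive is decrypted a second time to
# extract, exactly as gpg-zip --list-archive followed by --decrypt would.
pgz_extract() {
    pgz_list "$1" "$2" | tar_listing_is_safe || {
        echo "refusing to extract: archive contains unsafe member names" >&2
        return 1
    }
    mkdir -p "$3"
    gpg --batch --quiet --pinentry-mode loopback --passphrase-fd 3 \
        --decrypt "$1" 3< "$2" | tar -xf - -C "$3"
}

# Round trip on constructed data inside an isolated GNUPGHOME; returns 0 when
# the extracted file matches the original.
demo_roundtrip() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupghome"
    mkdir -p "$GNUPGHOME" "$work/src/docs"
    chmod 700 "$GNUPGHOME"
    printf 'quarterly report\n' > "$work/src/docs/report.txt"
    printf 'correct horse battery staple\n' > "$work/pass"   # demo passphrase
    chmod 600 "$work/pass"
    ( cd "$work/src" && pgz_create "$work/docs.tar.gpg" "$work/pass" docs )
    pgz_list "$work/docs.tar.gpg" "$work/pass"
    pgz_extract "$work/docs.tar.gpg" "$work/pass" "$work/out"
    if [ "$(cat "$work/src/docs/report.txt")" = "$(cat "$work/out/docs/report.txt")" ]; then
        status=0
    else
        status=1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

if command -v gpg >/dev/null 2>&1 && command -v tar >/dev/null 2>&1; then
    demo_roundtrip
else
    echo "gpg or tar not found; skipping round-trip demo" >&2
fi
```

The passphrase file is opened on descriptor 3 by the shell and inherited only by the gpg process, so it never appears in the argument vector; the same redirection works when calling the real gpg-zip with --gpg-args "--batch --pinentry-mode loopback --passphrase-fd 3". The listing check is a pre-flight guard, not a substitute for knowing how your tar treats absolute and ".." names, and it says nothing about who produced the archive: for that, add --sign on creation and verify the signature on decryption.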

HISTORY

gpg-zip is not a standalone project with a long, distinct history like GnuPG itself. It is a short shell script distributed in GnuPG's tools directory, written to produce the PGP Zip format (a tar stream wrapped in an OpenPGP message) with the tools already at hand rather than reimplementing either tar or OpenPGP.

GnuPG later added gpgtar, a C implementation of the same archive format that accepts the same core options (--encrypt, --decrypt, --symmetric, --sign, --recipient, --output, --list-archive, --gpg-args, --tar-args). Recent releases ship gpgtar as the replacement and have dropped the script, so new scripts should target gpgtar.

SEE ALSO

gpg(1), gpgtar(1), tar(1), shred(1)
