Powershell, String Encryption, and GPG

I finally added support for GnuPG to Library-StringCrypto. The previous functionality to encrypt strings in-process is still present and continues to work as expected. A couple more parameters have been added to support symmetric and asymmetric encryption using GnuPG.
The new parameters are ‘gnupg’, a switch that enables use of gpg.exe, and ‘recipient’, which identifies the person the encrypted message is for. When using GnuPG, the password/passphrase may be supplied in the ‘password’ parameter or entered interactively at the console when the gpg.exe process prompts for it.

To use symmetric encryption with GnuPG, just add the gnupg switch parameter.

Write-EncryptedString message secret -gnupg

You can also omit the password from the command line and enter it interactively.

Write-EncryptedString message -gnupg

To use asymmetric encryption, omit the password and use the recipient parameter.

Write-EncryptedString message -gnupg -recipient 'John Doe'

Write-EncryptedString returns the ASCII-armored ciphertext. Read-EncryptedString detects the ASCII armor and automatically processes it using gpg.exe, so decryption works as expected. The password parameter can be used for both symmetric and asymmetric encrypted messages; alternatively, the passphrase may be entered interactively at the console when gpg.exe prompts for it.

Usage notes: The command ‘gpg’ is expected to resolve to gpg.exe, so you may need to add a PATH entry or alias gpg to wherever your copy of gpg.exe lives.
When the password is given via the password parameter, it is passed to gpg.exe as the first line of its standard input, so it never appears on the gpg.exe command line (where other users on the machine could read it from the process list). It also means passphrases are limited to a single line. No check is performed for this: if the passphrase contains a line break, only the first line is used as key material and the remainder is treated as the start of the plaintext, so it will appear at the beginning of the decrypted message.
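As an added example (not code from Library-StringCrypto or from the original post), the following PowerShell functions reproduce the conventions described above: the passphrase goes in as the first line of gpg's standard input via --passphrase-fd 0, the plaintext or armored ciphertext follows it, and Read-GpgEncryptedString refuses input that does not carry ASCII armor. Unlike the library, this example also rejects a multi-line passphrase instead of silently splitting it. The function names, the version check that adds --pinentry-mode loopback on GnuPG 2.1 and later (where gpg-agent would otherwise ignore --passphrase-fd), and the UTF-8 output encoding are assumptions of this example; it only assumes, as the post does, that ‘gpg’ resolves to gpg.exe.

```powershell
# Added example, not the library's code. Assumes 'gpg' resolves to gpg.exe on PATH.

function Get-GpgExtraArgs {
    # GnuPG 2.1+ routes passphrases through gpg-agent, and --pinentry-mode loopback
    # is needed there for --passphrase-fd to be honoured. GnuPG 1.4 rejects that
    # switch, so it is added only when the first line of 'gpg --version' reports
    # 2.1 or newer (version parsing is an assumption of this example).
    $first = (& gpg --version | Select-Object -First 1)
    $ver = [version]($first -replace '^\D*([\d.]+).*$', '$1')
    if ($ver -ge [version]'2.1') { return @('--pinentry-mode', 'loopback') }
    return @()
}

function Assert-SingleLinePassphrase {
    param([string]$Password)
    # gpg reads only the first line of fd 0 as the passphrase; any further lines
    # would be encrypted or decrypted as data. Refuse such input up front.
    if ($Password -match "[`r`n]") {
        throw 'Passphrase must not contain a line break (gpg reads only the first stdin line as the passphrase).'
    }
}

function Write-GpgEncryptedString {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$Password,     # symmetric: omit to let gpg prompt at the console
        [string]$Recipient     # asymmetric: encrypt to this key, no passphrase needed
    )
    # Send UTF-8 to gpg; Windows PowerShell otherwise uses ASCII for native-command pipes.
    $OutputEncoding = [System.Text.UTF8Encoding]::new($false)

    $gpgArgs = @('--quiet', '--armor')
    $stdin = @()
    if ($Recipient) {
        $gpgArgs += @('--encrypt', '--recipient', $Recipient)
    } else {
        $gpgArgs += '--symmetric'
        if ($Password) {
            Assert-SingleLinePassphrase $Password
            # --batch suppresses prompts; the passphrase is the first stdin line,
            # so it never appears on gpg.exe's command line.
            $gpgArgs += @('--batch', '--passphrase-fd', '0') + (Get-GpgExtraArgs)
            $stdin += $Password
        }
    }
    $stdin += $Message
    $armored = $stdin | & gpg @gpgArgs
    if ($LASTEXITCODE -ne 0) { throw "gpg exited with code $LASTEXITCODE" }
    return ($armored -join "`n")
}

function Read-GpgEncryptedString {
    param(
        [Parameter(Mandatory)][string]$Armored,
        [string]$Password      # symmetric passphrase, or the private key's passphrase
    )
    # Detect ASCII armor before handing the text to gpg.
    if ($Armored -notmatch '^-----BEGIN PGP MESSAGE-----') {
        throw 'Input is not an ASCII-armored PGP message.'
    }
    $OutputEncoding = [System.Text.UTF8Encoding]::new($false)

    $gpgArgs = @('--quiet', '--decrypt')
    $stdin = @()
    if ($Password) {
        Assert-SingleLinePassphrase $Password
        $gpgArgs += @('--batch', '--passphrase-fd', '0') + (Get-GpgExtraArgs)
        $stdin += $Password
    }
    $stdin += $Armored
    $plain = $stdin | & gpg @gpgArgs
    if ($LASTEXITCODE -ne 0) { throw "gpg exited with code $LASTEXITCODE" }
    return ($plain -join "`n")
}

# Usage (symmetric, passphrase delivered on stdin rather than the command line):
# $ct = Write-GpgEncryptedString -Message 'message' -Password 'secret'
# Read-GpgEncryptedString -Armored $ct -Password 'secret'
# Asymmetric, to a key already in the keyring:
# $ct = Write-GpgEncryptedString -Message 'message' -Recipient 'John Doe'
```

Two practical notes. Without a password the functions omit --batch so that gpg can prompt (pinentry on GnuPG 2, the console on 1.4); with --batch present gpg would simply fail instead of prompting. Decrypted text that is not ASCII is read back through [Console]::OutputEncoding, so set that to UTF-8 as well if your plaintext contains non-ASCII characters.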

Some security notes: Using GnuPG through this script should be no less secure than invoking GnuPG any other way from PowerShell. However, because the work now crosses a process boundary, the GnuPG path has a larger attack surface than performing the encryption inside the CLR: the passphrase and plaintext travel over a pipe to gpg.exe, and you have to trust both your .NET Framework installation and your gpg.exe installation, whereas in-process encryption depends only on the former. A compromised gpg.exe does not affect the .NET Framework itself, but it does compromise everything you encrypt or decrypt through it.

Download Library-StringCrypto.ps1 here.


~ by lunaticexperimentalist on October 23, 2009.

2 Responses to “Powershell, String Encryption, and GPG”

  1. Hi,

    Your script is fine for a string, but I need to encrypt/decrypt files using GPG and PowerShell.
    Would you please help me get moving on this?

    Thanks in advance.
