Skip to main content

Notebook entry

Tutorial: GPG Encryption and Automated Decryption on Linux

Lovell Felix 2 min read

Archive note: the tools and versions have moved on. I have kept this entry because the debugging path and the underlying constraint may still be useful.

A recurring problem in sysadmin work: a partner or vendor drops encrypted files onto an FTP server on their own schedule, and something on your side needs to pick them up and decrypt them without a human watching the folder. GPG handles the encryption side well. The part that takes more care is running it unattended, reliably, as part of a batch job.

Key management, a single decrypt, and the batch job, as a gist:

A few notes on what's there.

The revocation certificate matters more than it seems like it should. Generate it right after creating the key, while everything's intact, not after something's already gone wrong.

The flags on the decrypt command matter for scripting specifically: --batch and --no-tty stop GPG from prompting interactively (it'll fail instead of hanging if something's missing), and --yes skips the overwrite confirmation on the output file. Without those three, this works fine by hand and then hangs the first time it runs from cron.

DECRYPT_MULTIPLE_FILES wraps the single decrypt in a loop to handle a directory of dropped files, then archives the originals so the job is safe to re-run. Drop that on a cron schedule that matches how often the vendor actually delivers files, and the FTP drop turns into decrypted, archived output with no one watching it happen.

The passphrase problem

--passphrase 1234 above is exactly the anti-pattern it looks like: a secret sitting in plain text inside a script, readable by anyone who can read the file. It works, which is why it's tempting, and it's still wrong. The better options are gpg-agent with a cached passphrase, or reading the passphrase from a file with 600 permissions that only the job's service account can open, or pulling it from whatever secrets manager the rest of the environment already uses. Pick one before this goes anywhere near a shared server.

About the author

Lovell Felix

Infrastructure and reliability engineer working on Linux platforms, configuration delivery, and deployment safety at fleet scale.

@lovellfelix

Continue through the notebook