Hi, I'm using GnuPG to encrypt my ASCII files.

I learnt how to generate a key, and how to use it to encrypt and decrypt a file.

These are the two ways I used:

gpg -d foo.txt.gpg

&

gpg --output foo.txt --decrypt foo.txt.gpg

I realized the first method will display the decrypted file on the screen, for example when I executed the command over SSH.

With regard to the second method, I am concerned that it will leave a trace on the local PC: the foo.txt file.

Most importantly, I don't know how to edit the contents of the foo file on the fly. Ideally, I would like to open the file over SSH using nano/pico, type my passphrase to decrypt, then edit the file, save it and encrypt it. I very much want to avoid saving any files to the local disk.

Any comments are welcome.

Thank you in advance.

A: 

If your editor can read input from a pipe, and save to a pipe, then you can actually use the version of gpg that decrypts to stdout and encrypts from stdin. Unfortunately, for nano, reading from a pipe is only planned for 2.4. E.g. for gvim, you can bind decryption and encryption (through pipes) to a key.

Martin v. Löwis
Hi, for the last link my browser says "The site's security certificate is not trusted!"
Dean
So just trust the site yourself.
Martin v. Löwis
+2  A: 

One way is using vim. See this page and this related question.

If you need more flexibility or don't want to use vim, writing a short program to read the decrypted text coming from STDOUT, edit to your liking, and then re-encrypt isn't too difficult. For example, you could use this minimal Python code (104 lines!) to give you the bare bones editor, and then add the stream reading and writing functionality yourself.

ire_and_curses
emacs can also read and write gpg encrypted files.
themis
+1  A: 

An alternative is to have a temporary filesystem in RAM using tmpfs; then when you power off it's gone forever.

Martin Beckett
A: 

One thing to bear in mind is that holding unencrypted data in memory is no guarantee that it won't find its way to disk. If the system in question is under heavy load, any unencrypted data may be written to the swap partition. Similarly, if the system is put into sleep mode, the state of any suspended processes will be stored to disk. If your program is running on an embedded system, it's conceivable that your memory and "disk" are one and the same.

The mlock() system call will protect allocated memory from getting swapped to disk. However, this requires administrative privileges and limits you to a low-level language where you are directly responsible for memory management.

That said, it is prudent to avoid creating files with unencrypted data. Just know that this doesn't offer you 100% safety if the underlying system is compromised.

Tim Clemons
A: 

To open gpg files, edit them and then encrypt/save them again, use the kgpg icon in the systray, which has an option: Editor... Press on it, then open the gpg file; at the bottom there is a button to decrypt it and voilà, you have your file in the editor. After you make any changes, just press Encrypt and then save it.

Vladas Freimanas
A: 

Just today I have found out about a way of doing all that in vim!

Here is the link: full howto on setting up vim for gpg files

Works like a charm. Just note that in that tutorial, the link to the plugin is a URL to a page, so don't wget it; go to the page and select the one you want to download.

Vladas Freimanas
A: 

I detest vi, so I had to make up some glue around nano. This is what I came up with. The downside is that you have to enter the password again when encrypting.

alias file_ed="gpg file.txt.gpg; nano file.txt; gpg -c --force-mdc -o file.txt.gpg_temp file.txt; mv file.txt.gpg_temp file.txt.gpg; rm file.txt"

It isn't very secure from the filesystem point of view, but I fear other users and myself, not root.

jous
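The nano glue above, the tmpfs suggestion and the swap caveat can be combined into one small script. This is an added example, not code from the thread: the plaintext is decrypted into an owner-only scratch file on tmpfs (/dev/shm where available), edited, re-encrypted to a sibling file that is then renamed over the original, and the scratch file is overwritten and removed even if the editor or gpg fails. The GPG, EDITOR, GPG_RECIPIENT and GPGEDIT_SCRATCH variables are assumptions of this script; setting GPG_RECIPIENT uses public-key encryption so no passphrase is needed on the encrypt step.

```shell
#!/bin/sh
# Added example, not code from the thread: decrypt FILE.gpg into a RAM-backed
# scratch file, open it in $EDITOR, re-encrypt, and scrub the plaintext.
GPG="${GPG:-gpg}"                 # overridable so the flow can run without gpg
EDITOR="${EDITOR:-nano}"

# Prefer a tmpfs mount (/dev/shm on most Linux systems) so the plaintext never
# touches a physical disk. GPGEDIT_SCRATCH is an assumed override for testing.
scratch_dir() {
    if [ -n "${GPGEDIT_SCRATCH:-}" ]; then echo "$GPGEDIT_SCRATCH"
    elif [ -d /dev/shm ] && [ -w /dev/shm ]; then echo /dev/shm
    else echo "${TMPDIR:-/tmp}"; fi
}

# Overwrite the plaintext once, then unlink it. Best effort only: journaling or
# copy-on-write filesystems may keep old blocks, which is why the file lives on
# tmpfs in the first place.
scrub() {
    [ -f "$1" ] || return 0
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt 0 ] && dd if=/dev/urandom of="$1" bs=1 count="$size" conv=notrunc 2>/dev/null
    rm -f "$1"
}

# Runs in a subshell so the umask and the cleanup trap stay local to one edit.
edit_gpg() (
    enc=$1
    umask 077                                      # scratch file is owner-only
    tmpd=$(mktemp -d "$(scratch_dir)/gpgedit.XXXXXX") || exit 1
    plain="$tmpd/$(basename "$enc" .gpg)"
    trap 'scrub "$plain"; rmdir "$tmpd" 2>/dev/null' EXIT   # also on any failure below
    "$GPG" --quiet --decrypt --output "$plain" "$enc" || exit 1
    "$EDITOR" "$plain" || exit 1
    # Encrypt to a sibling file and rename, so an interrupted run never leaves
    # a truncated .gpg behind. Public-key mode avoids retyping the passphrase.
    if [ -n "${GPG_RECIPIENT:-}" ]; then
        "$GPG" --quiet --yes --encrypt --recipient "$GPG_RECIPIENT" --output "$enc.tmp" "$plain" || exit 1
    else
        "$GPG" --quiet --yes --symmetric --output "$enc.tmp" "$plain" || exit 1
    fi
    mv "$enc.tmp" "$enc"
)

if [ "$#" -eq 1 ]; then edit_gpg "$1"; fi
```

Swap is still a risk for the editor's own memory, as the answer above notes; disabling swap or using encrypted swap is the complement to keeping the scratch file on tmpfs.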