4

We are setting up our first EDI system that relies on incoming and outgoing file encryption using OpenPGP. We can successfully decrypt the incoming files, which are encrypted with our public key, using our private key with Gpg4win's command line option:

```
gpg --batch --passphrase "SOME_KEY" --decrypt-files "%decryptingdir%\*.pgp"
```

What I now need to do is the reverse: encrypt the outgoing files using our partner's public key.

I have been unable to find any command line documentation around batch encryption using a public key. I assumed it would be something in the order of:

```
gpg --batch --encrypt-files "%encryptingdir%\*.pgp" --key "SOME_KEY_PATH"
```

Can anyone advise how I can achieve this encryption via the command line?

rene
Eds

1 Answer

6

Use the `--recipient` option to denote keys to encrypt for. GnuPG distinguishes between options and commands, and options should preferably go first.

```
gpg --batch --recipient [key-id] --encrypt-files "%encryptingdir%\*.pgp"
```

GnuPG expects keys to be imported to the keychain, so `gpg --import [key-file]` it first. There are hacks using `--keyring [your-key-file]`, but simply importing the key file is the safer way to go.

For scripted/programmed operations, best practice is to always denote the full fingerprint. Read about key ID collisions to understand the issues with short key IDs.

rene
Jens Erat
  • Thanks for the advice. Once imported, the encrypt command gives me the error: "There is no assurance this key belongs to the named user". Is it OK to follow the answer on this question: http://stackoverflow.com/questions/9460140/gpg-encrypt-file-without-keyboard-interaction and add the option `--trust-model always`? – Eds Mar 30 '16 at 10:30
  • 1
    This is a message informing you that the key could not be verified through the web of trust. If you specify at least long key IDs or even better the full fingerprint, you already selected a specific key and can safely omit the trust verification with `--trust-model always` (but don't do this generally for all operations, consider twice before doing so). – Jens Erat Mar 30 '16 at 11:32
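
An added example, not part of the original answer or comments and not GnuPG's own code: a Python wrapper for the scripted case discussed above, which accepts only a full fingerprint as the recipient, checks that it is actually in the keyring, and only then builds the `--trust-model always` command. The keyring listing is constructed sample data, the function names are hypothetical, and a 40 hex digit (v4) fingerprint is assumed.

```python
import re
import subprocess

# Constructed sample of `gpg --batch --with-colons --fingerprint` output: two
# unrelated keys whose short (8 hex digit) key IDs are both 01234567.
SAMPLE_LISTING = """\
pub:-:4096:1:89ABCDEF01234567:1459300000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1459300000::::Partner EDI <edi@partner.example>:
sub:-:4096:1:1122334455667788:1459300000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1122334455667788:
pub:-:4096:1:7654321001234567:1459300000:::-:::scESC:
fpr:::::::::FEDCBA9876543210FEDCBA987654321001234567:
uid:-::::1459300000::::Someone Else <x@other.example>:
"""

def primary_fingerprints(listing):
    """Return the fingerprint of every primary key (subkey fprs are skipped)."""
    found, last = [], None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub":
            found.append(fields[9].upper())  # field 10 holds the fingerprint
            last = None
    return found

def pin_recipient(expected, listing):
    """Accept only a full 40-hex-digit fingerprint that is in the keyring."""
    fpr = re.sub(r"\s+", "", expected).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("recipient must be a full fingerprint, not a key ID")
    if fpr not in primary_fingerprints(listing):
        raise LookupError("pinned fingerprint is not imported: " + fpr)
    return fpr

def encrypt_command(fpr, files):
    """Build the answer's command; trust is skipped only for the pinned key."""
    return ["gpg", "--batch", "--trust-model", "always",
            "--recipient", fpr, "--encrypt-files", *files]

def encrypt_outgoing(expected, files):
    """List the real keyring, verify the pin, then encrypt the given files."""
    listing = subprocess.run(["gpg", "--batch", "--with-colons", "--fingerprint"],
                             check=True, capture_output=True, text=True).stdout
    subprocess.run(encrypt_command(pin_recipient(expected, listing), files), check=True)
```

The expected fingerprint should come from the partner over a separate channel and be stored with the job configuration, not read back from the imported key file.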