You are here

portable GnuPG and GPG Shell

21 posts / 0 new
Last post
jps
Offline
Last seen: 13 years 8 months ago
Joined: 2007-06-09 13:23
portable GnuPG and GPG Shell

The thunderbird and enigmail bundle is nice. But there are some function limitations. You can`t download files from the internet and then check if the signature matches the downloaded file.

For non portable use gpg4win works fine. But there is no portable version and making portable is hard.

Many frontends are out.
http://www.gnupg.org/related_software/frontends.en.html

Any that could be used portable?

jps
Offline
Last seen: 13 years 8 months ago
Joined: 2007-06-09 13:23
Silence. No one using

Silence. Sad

No one using pgp?
No portable gui at all?

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 6 years 4 weeks ago
Joined: 2006-11-18 10:26
Nope

Don't use PGP or any other file encryption anymore. If I did need to use encryption, 256-bit AES in 7-Zip is all I would probably need anyways.

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

jps
Offline
Last seen: 13 years 8 months ago
Joined: 2007-06-09 13:23
I also prefer 7-Zip or

I also prefer 7-Zip or TrueCrypt for file encryption.

But many people sign their files with OpenPGP. I need some portable gui to verify the integrity of the file.

BuddhaChu
BuddhaChu's picture
Offline
Last seen: 6 years 4 weeks ago
Joined: 2006-11-18 10:26
Due to the lack of response

Due to the lack of response to this thread, sounds like you need to learn NSIS scripting to make a GUI portable yourself. Good luck!

Cancer Survivors -- Remember the fight, celebrate the victory!
Help control the rugrat population -- have yourself spayed or neutered!

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
The solution. Portable GPG.

PGP is a commercial program and, AFAIK, is not (lawfully) available as a portable app. Gnu Privacy Guard (GPG) is the free open source alternative and the requirements for a portable GPG app for Windows are well known. These are:

From an installed version of GnuPG 1.49 or 1.4.10 (http://www.gnupg.org/download/) extract to a folder the (minimum required) files gpg.exe and iconv.dll. Add to these files an (optional) options file gpg.conf and (optional) manual gpg.man renamed to gpgman.txt. Add keyrings secring.gpg pubring.gpg and trustdb.gpg.

USE: (winXP) Add a batch file called local.bat
setlocal
set GNUPGHOME=.
cmd.exe
endlocal

Run the local.bat file. It will use the local files and keyrings. "gpg --version" command and "gpg --list-keys" may be used to test the install.

WARNING0: Think about what you are doing. You want to use someone else's Windows computer to encrypt and decrypt sensitive information? Are you crazy??? Just food for thought. If the FBI, CIA, NSA, or KGB or Chinese government aren't after you, well I suppose you might chance it. Human rights workers in hostile territory, God bless and please be careful.

WARNING1. The loss of a usb presumptively compromises for all purposes all private keys in secring.gpg (mainly because everyone uses ludicrously insecure passwords). Thus, it is unwise to keep high value private keys on a portable device. If you simply MUST.. symmetric encrypt them with "gpg -c filename" using a
STRONG password. Then decrypt when needed. Alternatively use (thoughtfully) a throwaway usbkey. Note that you may encrypt to others, even to yourself, using only public keys, which are not secret (the ids might still be confidential). Still, maybe that's all you need in a portable app.

WARNING2. GPGShell is a nifty program (gpg4win is also coming along nicely), but is designed for an installation. I've tried to make it portable, because it is quite nifty. But it automatically resets config settings and doesn't always use the local files. Sorry. You should also beware those who glibly tell you it works portably. You can still do what you need from the command line.

==common commands (use the local.bat first)
gpg --version (check version)
gpg --list-keys (list keys on keyrings)
gpg -c --cipher-algo S7 filename (symmetric encrypt filename using AES)
gpg - e filename (rem public key encrypt file to key (request key))
gpg -o outfile -d filename (decrypt filename to outfile)

salute

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
Additional comment

GPG is opensource (GPL) and may be freely used for all purposes. PGP has a freeware version of their program for personal use, but any commercial use requires a license. PGP is a registered trademark of PGP Corporation, located in California USA. Misuse and unauthorized appropriation of trademarks can have serious consequences.

The earlier mentioned portable GPG is a minimum configuration for Windows which may be run from any portable USB device, with or without administrative privileges It uses the command line. Additional GPG files may be added if desired. GPG v2 from gpg4win may also be used as portable, but requires additional files from the distro to be installed on the USB.

vrillusions
Offline
Last seen: 9 years 4 months ago
Joined: 2013-07-26 21:44
Updates since post

I also got tired of not having a simple, basic, portable gnupg version. FWIW my use case is I wanted to have a separate app, inside a truecrypt volume, that I use for work only. At any rate here's the updates

First you need to download the v1.4 windows binary the website tells you to go to gpg4win. Well they don't have v1.4, only v2.x. I actually got v2 to work by copying over the gpg2.exe and then keep adding dll's it says it's missing until it worked. Then I tried to test creating a key and it complained about gpg-agent and I gave up on it and hunted around for v1.4. But I'm getting sidetracked. windows binaries are at least as of July 2013 still available by gnupg and at ftp://ftp.gnupg.org/gcrypt/binary/ . In firefox you can click on "Last Modified" to sort on that and get the latest version. As of today that's v1.4.14.

Once you have the .exe extract it somewhere with 7zip or something. You can then follow Dorkey's instructions. Couple things I did change though. My local.bat looks like the following (the TEMP and TMP ones are from trying to get gpg v2 to play nice)

@ECHO OFF
setlocal
set GNUPGHOME=.\gnupg_home
set TEMP=.\temp
set TMP=.\temp
cmd.exe
endlocal

Then create two folder, gnupg_home and temp. In gnupg_home I recommend creating a gpg.conf with the following options at a minimum

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

That shifts your preferences to SHA256 which is more secure than the default SHA1.

By copying over gpgkeys_hkp and adding "keyserver hkp://pool.sks-keyservers.net" to your gpg.conf you can now pull public keys from key servers.

Hope this is of use to people that are still wanting to do this.

(edit)
I've since created a github repo for this to demonstrate it. As I say in readme you shouldn't use it verbatim. GPG should be obtained from gnupg's site and verified. https://github.com/vrillusions/gnupg-portable

alaricd
Offline
Last seen: 5 years 4 months ago
Joined: 2010-07-07 10:59
Please don't add confusion

PGP is asymmetric encryption. AES, DES, 3DES etc are symmetric encryption.

http://www.suse.de/~garloff/Writings/mutt_gpg/node3.html

They serve 2 needs for encryption.

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
winpt

winpt portable is on my stick , I think search here in forum might give you some result.
The lates version of winpt works nice as portable.

Otherwise gpg4win works too.

Nice is also portable pgp (search here or google). This is nice java app which is also prepared so that it will work with the java exported in common files in portable apps.

all those work fine.

And for pure mail, enigma adon for thunderbird is useful too.

Otto Sykora
Basel, Switzerland

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
thank you.

I am a longtime user of WinPT. However, the developer Timo Schulz has recently discontinued the project ( http://winpt.gnupt.de/int/?p=200 ), and the project has been dropped from gpg4win. But please be good to post your method of making the WinPT program portable. Include where to get WinPT and any configuration. Test it on a machine that does not have GPG already installed. Thank you.

Portable PGP is a java program under early development. It also appears to be using its own encryption code. Impressive, but... does it work reliably and is it crypto safe to use? (Its name might also draw some legal criticism.)

I am also a longtime user of enigmail. The portable enigmail/thunderbird combination provides a specific GPG distribution https://portableapps.com/support/thunderbird_portable#encryption . If you are using that on a USB, and trust the distro, you can also use that GPG as a portable app in the manner I earlier described.

GPG v2 is still relatively new and under development. However the project gpg4win develops it and has the requisite expertise, so I regard these as usable. To use GPG v2 portably from the command line use GPG v2 files from the gpg4win distribution, and include all distro flles on the usb. Not all are needed but many are. Just copy them all. These provide roughly the same functionality as ver 1.

People have had ten years or more to develop a simple, easy to use GUI front end for GPG. There have been several successes (GPGShell, WinPT, GPA) but getting them to work reliably and securely as portable apps on Windows has been problematic. My advice is if you have only occasional need, the command line with a short text cheat (help) sheet of commands, is keeping it simple. KISS.

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
portable pgp first

ok, for the name I have no idea, but the name pgp alone is used widely since beginning, so I dont hink it is real problem.

Then to the encryption. Yes it is fully compatible to open pgp standard. (yes you see also this is called pgp)
I did many tests personally before the first release, discovered some incompatibilities and the authors did clear those very fast.
Some small incompatibilities with let say old pgp263 remained, but those are also within the open pgp standard so.

It is not an early beta, it is developed long time ago and works portably very well. Since pure java, you can runit under linux or macos on sun workstation if you like.

The encryption libs the guys did use are nothing exotic, they are generic parts and the guys built with it also other more commercial things like smart card apps and similar.
I am not able to review the functions and security of the libs, but it is all open source and used for other things as well.
The compatibility is given in the current release, any opene pgp compatible software like gnupg is also compatible with this.

I dont know where the paf compatible launcher get lost from the portable pgp site on SF, I will ask the authors to place it somewhere so all can get it.
Otherwise if you want just try get it from my archive:
http://www.box.net/shared/402l6p4lml

Otto Sykora
Basel, Switzerland

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
now winpt

ok, initially I got pafed one from here :
https://portableapps.com/node/11404

then downloaded the latest version from timo schulz and copied it into the the paf structure, I think made few corrections in in may be, dont remamber so much. But it works very fine this way, could not discover any incompatibility with it , running gpg either in thunderbird folder or in in common files on my pa stick, both works well. Have also IDEA algo enabled in gpg, all works with it as well.
And no gpg installed on any of my machines, all runs from stick. Simply install gpg portable, or you can use also enigma plugin to your thunderbird and point winpt to use that executables and conf files of gpg. (gpg.exe and gpg.conf and key rings)

and because there was not much work done for some time does not mean all is dead.

http://winpt.gnupt.de/int/?p=137

will tell you that some new versions are underway.

Otto Sykora
Basel, Switzerland

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
thank you for your replys

"portable pgp" is interesting. Thank you for bringing it to my attention.

Initially I thought you were one of the developers.
To be usable the program should be (1) available, (2) easy to install (3) kind to the user's machine, and above all (4) accepted by the crypto community. It seems far enough along that it would be nice to see a few experts review what has been done so far.

A different name might also be considered for the program.
PGP is a registered trademark of PGP Corporation. PGP Corp has long been a strong supporter of Open Source development of encryption software based on PGP. We might still doubt that their generosity extends to an appropriation of their product name and trademark.

Portable WinPT, regretfully, has various problems too numerous to mention. For me it did not accept GPG 1.4.7 installed with thunderbird and required an upgrade to version 1.4.9. This dependency on GPG version is both inconvenient and concerning. Even more seriously, its method of acquiring its working preferences (locations) is seriously flawed, actually dangerous. It specifically failed to encrypt to keys in the selected preference location and instead picked up a keyring from another location and tried to use that.. while still pointing at the original selected location. We can't have that. It also kept wanting to pick up my machine gpg install, a further serious concern for portable users. Closing and re-running WinPT or a change in disk assignment for the USB starts the whole selection problem anew. Other bugs. I cannot recommend portable WinPT for the serious user while it is in this condition. No disrespect intended to Timo.

GPG 1 was intended as a command line program, period. It is magnificent for what it is and does. The GPG4Win crew has now taken things in another direction to accommodate GUI development and incorporation in small devices. It is hard to know whether to cheer their vision of a brave new world, or fear it, but it appears the inevitable future.

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
ok my notes

>Initially I thought you were one of the developers.To be usable the program should be (1) available, (2) easy to install(3) kind to the user's machine, and above all (4) accepted by the crypto community. It seems far enough along that it would be nice to see a few experts review what has been done so far.A different name might also be considered for the program.
PGP is a registered trademark of PGP Corporation. PGP Corp has long been a strong supporter of Open Source development of encryption software based on PGP.Portable WinPT, regretfully, has various problems too numerous to mention. For me it did not accept GPG 1.4.7 installed with thunderbird and required an upgrade to version 1.4.9. Closing and re-running WinPT or a change in disk assignment for the USB starts the whole selection problem anew. GPG 1 was intended as a command line program, period.

Otto Sykora
Basel, Switzerland

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
thanks for the information

Just to clear up a few things,

A) I'm not a developer or beta tester.

I also do not recommend programs with serious flaws, inadequate documentation, difficult to install or chaotic in response, or which fail to meet basic requirements for programs of their type. Acceptance by the crypto community is a particularly critical requirement for any crypto software, and to be adequately reviewed it will normally need to be open source.

gpg4usb however appears quite interesting. It is not adequately described at their site but its a zip with no install and appears to provide a front end for GPG. I substituted my GNU distribution GPG 1.4.9 (described above) and it seemed to work fine, thus eliminating security objections about gpg sourcing. It is 10 MB, which seem large for its function. Why? It emphasizes text encryption, which is easy to do and useful, and will do files (one at a time, asc armored only). I consider the file encryption options inadequate. Key management (minimum capabilities) is present. All features are limited, web description inadequate, claims to be GP but source code has not been made available for download. Conclusion: This program might be a limited version of a commercial project. Just an opinion, for what its worth. Text encryption seems to work ok. I mainly do file encryption, so.. I'll personally pass on it. Others may wish to consider it.

B) I'm familiar with US Trademark and Copyright law in the US and I am aware Switzerland has similar laws. It appears from your statements you are not fully familiar with either of these laws. Therefore, I offer the gentle suggestion, for the third time, that your associates doing "portable pgp" get some legal advice before proceeding with that project name.

C) I know of no program called "java pgp". There is a "java openpgp library" for java programmers. Please provide a url for the "java pgp".

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
keep calm

>I also do not recommend programs with serious flaws, inadequate documentation, difficult to install or chaotic in response, or which fail to meet basic requirements for programs of their type.B) I'm familiar with US Trademark and Copyright law in the US and I am aware Switzerland has similar laws. It appears from your statements you are not fully familiar with either of these laws. Therefore, I offer the gentle suggestion, for the third time, that your associates doing "portable pgp" get some legal advice before proceeding with that project name.C) I know of no program called "java pgp". There is a "java openpgp library" for java programmers.

Otto Sykora
Basel, Switzerland

Dorkeybuzzard
Offline
Last seen: 13 years 1 week ago
Joined: 2009-11-12 12:45
Summing up. The 10% solution.

Ah, so there is no "java pgp", you just made that up in order to bolster a different mistake? OK. So now you explain, as near as I can interpret, that you were really talking about programs based on the "Java OpenPGP Library", that some folks are working on. Excellent, well that's great news.

Anyway, returning to the subject at hand, I'll do the sum up for us.

THE TEN PERCENT SOLUTION

To paraphrase Ted Sturgeon: Ninety percent of cryptography programs are crap. Of course, some love to wallow in crap, while others seek the elusive ten percent. Still others are merely trying to stay alive in a dangerous world. To each his own.

At present, having reviewed the current field 2009, I have no recommendations for PORTABLE front ends for GPG. A competent advocate might alter my view, but alas, Sturgeon's Law.

For Windows desktops I do recommend and use PGP (commercial), GPG4Win (GPL), and Axcrypt (GPL). For portable apps I use the minimal GPG (1.4.10) (see above "The solution. Portable GPG") and Axcrypt2go. These work and won't break the host machine.

Axcrypt - http://www.axantum.com/AxCrypt/
GPG4Win - http://www.gpg4win.org/

Once the above functionality is provided some additional features and various PORTABLE front-ends may be considered for the portable GPG. If you are serious about what you do, build from a solid core, and test carefully.

Good luck.

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
i di d not make it up

>

Ah, so there is no "java pgp", you just made that up in order to bolster a different mistake? OK. So now you explain, as near as I can interpret, that you were really talking about programs based on the "Java OpenPGP Library", that some folks are working on. Excellent, well that's great news.For Windows desktops I do recommend and use PGP (commercial),Once the above functionality is provided some additional features and various PORTABLE front-ends may be considered for the portable GPG. If you are serious about what you do, build from a solid core, and test carefully.

Otto Sykora
Basel, Switzerland

ottosykora
Offline
Last seen: 2 days 24 min ago
Joined: 2007-10-11 17:48
java pgp

well this is also a thing used for commercial purposes, for smart cards, some cash machines or so. Here it is just packed to a gui to enable us human to use it in a way on the screen etc.
It is not an invetion of the authors as whole, those are standard cryptographic libs used for thousands other things worldwide. Nothing proprietary behind that.
It is now full compatible to open pgp standards, few things can be made full compatible, but those are not used any more today.

I mean, when you want produce some software using let say 3DES, you will also not find out how the 3DES work in detail, just pick the generic well known source from place like coders net and make your software around it. No need to discover the wheel again and again.

Otto Sykora
Basel, Switzerland

Undintel
Offline
Last seen: 11 years 1 week ago
Joined: 2006-07-08 11:41
You can give look at this

You can give look at this :

http://www.gnupt.de/wp/index.php?lang=en

and it's completely portable !

Log in or register to post comments