Encryption/Decryption using stdout without having an output file


Siddhartha Bose

Aug 10, 2021, 3:37:18 AM
to python-gnupg
The encryption/decryption module takes an output parameter, which lets you create a non-.gpg file from an encrypted file and vice versa for decryption. But this means there will be 2 files at any given point of time post encryption/decryption. Is there a way the encryption and decryption module encrypts and decrypts the file to stdout and then replaces the original file, so that on disk at any given point of time only 1 file exists? This is because the single file's size is big and the disk has a limitation.

Vinay Sajip

Aug 10, 2021, 3:41:17 AM
to python-gnupg
If you read the documentation carefully, you'll see that encryption and decryption can be done in different ways, and even without a single file on disk! By the way, why is having two files a problem? Is this some kind of class assignment, or some other academic exercise? Or is there some scenario where having two files is a problem in practice?

Siddhartha Bose

Aug 10, 2021, 4:30:22 AM
to python-gnupg
Sorry, I couldn't find it in the documentation; that was the first place I looked. This is production-grade code which was already deployed. Currently we are using it inside AWS Lambda and it has a limitation of 500 mb disk space, and the source file I am getting is around 261 MB and could grow more, so having 2 files of that size is failing the code.

Vinay Sajip

Aug 10, 2021, 7:53:50 AM
to python-gnupg
> This is production grade code which was already deployed. Currently we are using it inside aws lambda and it has a limitation of 500 mb disk space

OK, I see. But which part of the documentation isn't clear? The output parameter is optional, so you don't have to use it. The link I posted shows examples for both encryption and decryption which don't use any external files.

Siddhartha Bose

Aug 10, 2021, 9:07:10 PM
to python-gnupg
Thanks Vinay for the reply. Yes, output is optional. However, when I am not passing it, the status of decryption is 'ok' but it doesn't replace filename.zip.gpg with filename.zip. But does it mean it is decrypted and I just have to rename the file?

gpg = gnupg.GPG(gnupghome='/tmp')
import_result = gpg.import_keys(key_data)
import_result.count
2

local_file_name = '/tmp/Test_EXTRACT_2021_JUN_1.zip.gpg'
with open(local_file_name, 'rb') as d_file:
    status = gpg.decrypt_file(d_file)

print (status.status)
decryption ok
print (status.stderr)
[GNUPG:] ENC_TO D15FE17E0EA5B96F 1 0
[GNUPG:] KEY_CONSIDERED 56A1C38138ABFD4A1A17E836D72E5ED3654FDF66 0
[GNUPG:] KEY_CONSIDERED 56A1C38138ABFD4A1A17E836D72E5ED3654FDF66 0
[GNUPG:] DECRYPTION_KEY E62E660B971FD1C9B76C132AD15FE17E0EA5B96F 56A1C38138ABFD4A1A17E836D72E5ED3654FDF66 -
[GNUPG:] KEY_CONSIDERED 56A1C38138ABFD4A1A17E836D72E5ED3654FDF66 0
gpg: encrypted with 2048-bit RSA key, ID D15FE17E0EA5B96F, created 2019-11-13
      "Test-Key"
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_COMPLIANCE_MODE 23
[GNUPG:] DECRYPTION_INFO 2 7
[GNUPG:] PLAINTEXT 62 1628214591 Test_EXTRACT_2021_JUN_1.zip.gpg
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODMDC
[GNUPG:] END_DECRYPTION

os.listdir('/tmp/')
['hsperfdata_jenkins', 'S.gpg-agent', 'S.gpg-agent.extra', 'S.gpg-agent.browser', 'S.gpg-agent.ssh', 'Test_EXTRACT_2021_JUN_1.zip.gpg', 'pubring.kbx~', 'pubring.kbx', 'trustdb.gpg', 'private-keys-v1.d']


Vinay Sajip

Aug 11, 2021, 12:08:21 PM
to python-gnupg
Did you understand the following bit of the documentation, specifically regarding decrypt and decrypt_file?

" These methods both return an object such that str(decrypted_data) gives the decrypted data in a non-binary format. If decryption succeeded, the returned object’s ok attribute is set to True. Otherwise, the returned object’s ok attribute is set to False and its status attribute (a message string) provides more information as to the reason for failure (for example, 'bad passphrase' or 'decryption failed')."

You need to see what the methods do and then adapt that to your needs; the methods do what they do (decrypt data), which is not necessarily what you need done (save to a particular place). The first sentence is the key bit.

Siddhartha Bose

Aug 11, 2021, 8:55:54 PM
to python-gnupg
Thanks Vinay for the response. The requirement is simple and was working fine with the output parameter in the decrypt_file module. Files are either .csv, .txt or, in this case, .zip. Because we have a limitation of space now, the .zip.gpg file decryption is failing because it can't create a .zip file as there is no space. So I was looking at whether we can manage with a single file.

Now, as you said, both decryption methods return an object such that str(decrypted_data) can provide the decrypted data. However, in this case it's a zip file which should be the decrypted object; can we achieve that? Sorry, but I am no gpg expert, that is why I am seeking a solution.

Siddhartha Bose

Aug 11, 2021, 10:41:01 PM
to python-gnupg
Hi Vinay,

Now I understand what you were trying to say, and I tested it; it works fine without the output parameter. Now this mechanism works fine for .txt and .csv files, because I then create a new file and push the content of str(decrypted_data). However, the issue is with .zip files: as it is a binary file, it doesn't work. So is there an extra_args which allows specifying the format of encryption/decryption?

Thanks
Sid

Vinay Sajip

Aug 12, 2021, 12:25:01 AM
to python-gnupg
Then you can use the data attribute of the returned object from the decrypt/decrypt_file call.
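
The approach discussed in this thread, as an added example that is not part of the original posts or the python-gnupg project: decrypt without an output file, check ok before touching the plaintext, and read binary content from the data attribute rather than str(). The helper names, the constructed stand-in result object and the latin-1/UTF-8 text path are assumptions made for illustration.

```python
import io
import zipfile
from types import SimpleNamespace


def decrypt_to_memory(gpg, path, passphrase=None):
    """Decrypt with a gnupg.GPG instance; no output= file is written."""
    with open(path, "rb") as fh:
        return gpg.decrypt_file(fh, passphrase=passphrase)


def plaintext_bytes(result):
    """Return raw plaintext, refusing it unless gpg reported success."""
    if not result.ok:
        raise ValueError(f"decryption failed: {result.status}")
    return result.data  # bytes; str(result) would decode them as text


def zip_members(data):
    """Open decrypted ZIP bytes from memory, CRC-check, list members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        return zf.namelist()


def text_round_trip(data, encoding="latin-1"):
    """Assumed text path: decode like str(), then write as UTF-8 text."""
    return data.decode(encoding).encode("utf-8")


def constructed_result():
    """Constructed stand-in for the object decrypt_file() returns."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # stored, so high bytes stay raw
        zf.writestr("extract.bin", bytes(range(256)))
    return SimpleNamespace(ok=True, status="decryption ok", data=buf.getvalue())


if __name__ == "__main__":
    data = plaintext_bytes(constructed_result())
    print(zip_members(data))
    mangled = text_round_trip(data)
    print(len(data), len(mangled), mangled == data)
```

With no output file the whole plaintext is held in process memory, so the function's memory allocation has to cover it instead of its disk quota.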

Siddhartha Bose

Aug 15, 2021, 10:33:40 PM
to python-gnupg
Thanks a lot Vinay, I was able to get it working with the data attribute. Last question: the compression ratio shouldn't differ whether the output parameter is used or not, right?