Score:1

gpg symmetric encryption decrypts without asking for the symmetric key when --decrypt option is used

If you encrypt with:

```
gpg -o gpg.symmetric.test.gpg --symmetric gpg.symmetric.test
```

and then decrypt with:

```
gpg -o gpg.symmetric.test1 --decrypt gpg.symmetric.test.gpg  # --decrypt option mistakenly included
```

the output gives:

```
gpg: AES256.CFB encrypted data
gpg: encrypted with 1 passphrase
```

and decrypts the file WITHOUT ASKING FOR THE KEY!  This would allow anybody
to decrypt any symmetrically encrypted file.  The --decrypt option is not
needed or supposed to be used, but the result is a disaster.

I tested with a small ascii text file and did a diff on the original and the
decrypted file.  They are identical.  I ran 'file' on the encrypted file:

```
file gpg.symmetric.test.gpg
gpg.symmetric.test.gpg: GPG symmetrically encrypted data (AES256 cipher)
```

I redid the test without the --decrypt option and the symmetric key was
queried for.
SAI Peregrinus
IIRC GPG uses the default key on your machine as the encryption/decryption key, and the passphrase is to allow for decryption to work with other machines. Essentially it secretly creates and stores the actual encryption key, and then encrypts that with the passphrase and combines the encrypted key and the encrypted plaintext into the output.
SAI Peregrinus
On that note, I strongly recommend [age](https://age-encryption.org) over GPG for encryption, it's much easier to use.
dave_thompson_085
**The agent remembers it.** Crossdupe https://security.stackexchange.com/questions/103034/gnupg-decryption-not-asking-for-passphrase https://unix.stackexchange.com/questions/395875/gpg-does-not-ask-for-password https://superuser.com/questions/1346376/gpg-decrypt-not-asking-for-password-and-just-decrypting-why https://askubuntu.com/questions/1093848/gpg-decrypts-files-without-asking-for-password
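One way to check that the missing prompt came from gpg-agent's passphrase cache and not from the file being readable without its passphrase (an added example, not part of the original thread): flush the agent and retry, or test the file with the cache bypassed. The function names are hypothetical, and `--no-symkey-cache` is assumed to be available (GnuPG 2.2.7 or later).

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Drop every passphrase gpg-agent is holding. A reload sends the agent
# SIGHUP, which flushes its cache, so the next decrypt prompts again.
flush_agent_cache() {
    gpgconf --reload gpg-agent
}

# Return 0 if FILE refuses to decrypt with a wrong passphrase (protected),
# 1 if it decrypted anyway, 2 if FILE cannot be read.
# --no-symkey-cache (assumed: GnuPG >= 2.2.7) keeps the symmetric
# passphrase cache out of the test; the passphrase is supplied on stdin
# through loopback pinentry, so no cached value can stand in for it.
passphrase_required() {
    file=$1
    [ -r "$file" ] || return 2
    wrong="constructed-wrong-passphrase-$$"   # constructed test value
    if printf '%s\n' "$wrong" | gpg --batch --quiet --no-symkey-cache \
           --pinentry-mode loopback --passphrase-fd 0 \
           --decrypt "$file" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-alone use: sh script.sh gpg.symmetric.test.gpg
if [ "$#" -gt 0 ]; then
    if passphrase_required "$1"; then
        echo "$1: wrong passphrase rejected; the earlier prompt was skipped by the agent cache"
    else
        echo "$1: decrypted without the right passphrase (or unreadable)"
    fi
fi
```

For the interactive case in the question, running `flush_agent_cache` (or passing `--no-symkey-cache` to the decrypt command) before `gpg --decrypt` brings the passphrase prompt back.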