GPG encrypted files for Amazon Glacier storage

I am no big fan of cloud solutions, mainly because I don’t like to entrust my data to people I don’t know. But like with any other tool, the cloud is still just a tool and it really depends on the way you decide to use it.

I was looking at the Amazon Glacier storage prices and it occurred to me that I could actually find it useful. There is important data that simply shouldn’t leave the premises, but I also have data that is worth keeping yet not so critical that I would include it in my redundancy plans. That includes some really old stuff (10+ years obsolete, long-gone websites about Ultima Online written in php3) that I keep more for nostalgic reasons than anything else, and some old OS installation images: nothing I would really miss should my disk fail, and not important enough to bother keeping two copies in separate locations. So I decided to entrust them to Glacier: it is a cheap solution, it is reasonable to presume that the data won’t be lost over time, and the data is so mundane that no employee-turned-evil with access to it would actually be interested in it. All that said, the thought of putting my data somewhere out there felt weird, even if there is absolutely nothing private or secret in it. This is where GPG comes in useful.

This command asks you for a passphrase and creates an encrypted copy of a file using the AES256 cipher:

gpg -c --cipher-algo AES256 file.txt

This command can restore the file:

gpg -d file.txt.gpg > file.txt

The thing is, I had a directory with dozens of archived files and it simply wouldn’t do to repeat the process for all of them and enter the passphrase manually over and over again. So this is a workaround to make things more automated:

1. We store the passphrase in a file. Be sure to delete this file afterwards and keep its permissions at 0600:

echo -n PASSWORD > password_file

2. We pass the passphrase to the gpg command. We can either pipe the yes command into gpg and use the file-descriptor option --passphrase-fd to feed the file to gpg on descriptor 3, or we can use gpg with the --passphrase-file option.

yes | gpg --passphrase-fd 3 -c --cipher-algo AES256 file.txt 3<password_file

3. We need to repeat the process for every file in the given directory; find -exec will take care of that (files that already end in .gpg are skipped so that a second run does not encrypt the archives again):

find . -name "*.*" ! -name "*.gpg" -type f -exec bash -c 'gpg --passphrase-file password_file -c --cipher-algo AES256 "$0"' {} \; -exec echo {} \;

or

find . -name "*.*" ! -name "*.gpg" -type f -exec bash -c 'yes | gpg --passphrase-fd 3 -c --cipher-algo AES256 "$0" 3<password_file' {} \; -exec echo {} \;
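The three steps above combined into one script, as an added example that is not part of the original post: it feeds the passphrase on descriptor 3 like step 2, walks the directory like step 3, skips archives that already exist, and additionally decrypts each result back to check that the round trip reproduces the original. The handling of --pinentry-mode loopback for GnuPG 2.x is my assumption, not something the post mentions.

```shell
#!/bin/sh
# Batch-encrypt a directory with a symmetric AES256 passphrase read from
# a file, skip files that are already .gpg archives, and verify each
# result by decrypting it and comparing it with the original.
# Assumption (not from the original post): GnuPG 2.x only accepts a
# passphrase from a file descriptor with --batch --pinentry-mode loopback;
# GnuPG 1.x does not know that option, so it is added only for 2.x.
GPG_OPTS="--batch --yes --passphrase-fd 3"
case "$(gpg --version 2>/dev/null | head -n 1)" in
    *" 1."*) ;;
    *) GPG_OPTS="$GPG_OPTS --pinentry-mode loopback" ;;
esac

# encrypt_file PLAINTEXT PASSFILE: writes PLAINTEXT.gpg; returns gpg's status.
# The passphrase file is opened on fd 3 so the secret never appears on the
# command line, where ps could show it.
encrypt_file() {
    gpg $GPG_OPTS --cipher-algo AES256 -o "$1.gpg" -c "$1" 3< "$2"
}

# verify_file PLAINTEXT PASSFILE: decrypts PLAINTEXT.gpg to a temp file and
# returns 0 only if it matches PLAINTEXT byte for byte.
verify_file() {
    tmp=$(mktemp) || return 1
    gpg $GPG_OPTS --quiet -o "$tmp" -d "$1.gpg" 3< "$2" && cmp -s "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# encrypt_tree DIR PASSFILE: encrypts and verifies every regular file under
# DIR that is not already a .gpg archive. Keep PASSFILE outside DIR (mode
# 0600) so it is neither encrypted nor uploaded. Returns 1 on any failure.
encrypt_tree() {
    find "$1" -type f ! -name '*.gpg' -print |
    while IFS= read -r f; do
        if encrypt_file "$f" "$2" && verify_file "$f" "$2"; then
            echo "ok: $f"
        else
            echo "FAILED: $f" >&2
            exit 1
        fi
    done
}
```

A failed verification stops the run before anything is uploaded, which is the check you want when the only copy of the archive will live in Glacier.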

The files are reasonably safe from prying eyes now and ready to be uploaded to Glacier.