How to decrypt a symmetrically encrypted OpenPGP message using PHP?

imin picture imin · Apr 4, 2016 · Viewed 12.3k times · Source

I have an OpenPGP message which looks something like this given to me in a file:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.9 (MingW32)

jA0EAgMCtCzaGHIQXY9g0sBnAeDOQ9GuVA/uICuP+7Z2dnjNCLgRN0J/TzJs1qcW
aJYBTkH5KQCClCxjwTYbHZCox1sENfIS+KxpCKJQqAX3SNEFm0ORNE6RNwEgb1Zj
uOdIw8auxUsjmQKFLAcZIPKjBjyJqSQVfmEoteVn1n+pwm8RdIZevCHwLF2URStB
nBVuycaxcaxcaxcxccxcxacqweqweqwe123fsMqQPaTusOBGpEQrWC9jArtvYEUpY
aNF6BfQ0y2CYrZrmzRoQnmtnVu10PagEuWmVxCucyhVwlthVgN0iBog9jhjliQkc
rrDTupqB4IimMEjElGUHtkuvrCQ0jQnOHEAJmmefMDH0NkYKGd5Ngt21I5ge5tob
/uBjHKMxjNgg1nWfg6Lz4jqoKe/EweuEeg==
=+N9N
-----END PGP MESSAGE-----

and was given a 15 character passphrase to decrypt it, I suppose. But I really don't have any idea to decrypt the file using PHP. I take a look at PHP's GnuPG manual page and under the gnugpg_decrypt() example it gives this code:

$res = gnupg_init();
gnupg_adddecryptkey($res,"8660281B6051D071D94B5B230549F9DC851566DC","test");
$plain = gnupg_decrypt($res,$encrypted_text);
echo $plain;

So taking a look at this function gnupg_adddecryptkey, it mentioned I need a fingerprint. What is that actually? And where can I get it?

Answer

Jens Erat picture Jens Erat · Apr 4, 2016

The fingerprint is a hash sum calculated on the public key and some meta data like key creation time. It is also returned after importing a key through gnupg_import as fingerprint attribute.

This is for public/private key cryptography, which you're seemingly not using: when encrypting with a passphrase, you're omitting the public/private key cryptography part and directly use symmetric encryption for the message, with a session key (sometimes also called cipher block or symmetric key) derived from your passphrase.

Symmetric encryption is not supported by PHP's GnuPG module. There are no functions to perform symmetric decryption, and this limitation is also described in the module's source documentation:

This class provides an object oriented interface to GNU Privacy Guard (GPG).

Though GPG can support symmetric-key cryptography, this class is intended only to facilitate public-key cryptography.

You will have to perform decryption manually by calling gpg. An example command line would be

gpg --symmetric --decrypt [file]

(alternatively, you can also provide the input through STDIN). For handing over the passphrase, have a look at GnuPG's --passphrase... options:

--passphrase-fd n

Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from STDIN. This can only be used if only one passphrase is supplied.

--passphrase-file file

Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it.

--passphrase string

Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system. Don't use this option if you can avoid it.

Be aware that all other users of a computer can read all other user's command line arguments, so especially for shared hosting platforms, --passphrase is a definite no-go.