PGP Encryption

skathaitrooney
Participant
Posts: 103
Joined: Tue Jan 06, 2015 4:30 am

Post by skathaitrooney »

Hello Guys,

I am using a shell script to encrypt a .csv file using PGP encryption and calling the script in an Execute Command activity stage.

I am just using this command in my script:

Code:

gpg -e -r "$KeyName" "$SRCDIR/$FNAME"

This script is successfully able to encrypt the files when I run the script manually through the command line, but this fails when I run the script using DataStage.

Error is:

Code:

gpg: WARNING: unsafe ownership on configuration file `/opt/IBM/dev/IIS/common/home/dsadm/.gnupg/gpg.conf'
gpg: can't access `/opt/IBM/dev/IIS/common/home/dsadm/.gnupg/trustdb.gpg': Permission denied
gpg: Fatal: can't init trustdb: Trust DB error

Any idea anyone? It's not a permission issue, I have 777 permissions for dsadm on trustdb.gpg
chulett
Charter Member
Posts: 43085
Joined: Tue Nov 12, 2002 4:34 pm
Location: Denver, CO

Post by chulett »

Just because you have 777 on the file itself doesn't mean it isn't a permissions issue. You need proper access all the way down.
-craig

"You can never have too many knives" -- Logan Nine Fingers
priyadarshikunal
Premium Member
Posts: 1735
Joined: Thu Mar 01, 2007 5:44 am
Location: Troy, MI

Post by priyadarshikunal »

The GPG program throws an error even with 777. Change the owner of trustdb and the folder to dsadm and then reduce the permission to 700.

If someone else can manipulate the key on the server then it's identified as a security issue by GPG and is not allowed. With 777 you are putting file security at risk.

By default, the gnupg directory has its Permissions set to 700 and the files it contains have their permissions set to 600. Only the owner of the directory has permission to read, write and access the files (r,w,x). This is for security purposes and should not be changed. In case this directory or any file inside it does not follow this security measure, you will get warnings about unsafe file and home directory permissions.
Priyadarshi Kunal

Genius may have its limitations, but stupidity is not thus handicapped. :wink:
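
Added example, not part of the thread and not code from any poster: a shell audit of a GnuPG home directory for the three conditions raised above (owner, 700/600 modes, and traversable parent directories). It assumes GNU find and stat; the function names and the OWNER/MODE/NOTRAVERSE labels are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes GNU find/stat (stat -c).
# Reports what the replies describe: wrong owner, modes other than 700 (dirs)
# or 600 (files), and parent directories the current user cannot traverse.

audit_gnupg_home() {
    home=$1
    uid=$(id -u)
    rc=0
    [ -d "$home" ] || { echo "MISSING $home"; return 2; }

    # Owner and mode of the directory and every file/subdirectory inside it.
    findings=$(
        find "$home" \( -type d -o -type f \) -exec stat -c '%F|%a|%u|%n' {} + |
        while IFS='|' read -r kind mode owner path; do
            case $kind in directory) want=700 ;; *) want=600 ;; esac
            [ "$owner" = "$uid" ] || echo "OWNER $path is uid $owner, expected $uid"
            [ "$mode" = "$want" ] || echo "MODE $path is $mode, expected $want"
        done
    )
    [ -z "$findings" ] || { printf '%s\n' "$findings"; rc=1; }

    # "Access all the way down": every ancestor needs search (x) permission.
    p=$(dirname "$home")
    while :; do
        [ -x "$p" ] || { echo "NOTRAVERSE $p"; rc=1; }
        if [ "$p" = "/" ] || [ "$p" = "." ]; then break; fi
        p=$(dirname "$p")
    done
    return "$rc"
}

# Tighten modes to the values quoted in the thread. Ownership must be fixed
# separately by root (chown -R <user> <dir>), since chown needs privileges.
fix_gnupg_modes() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Run as the account the job runs under: sh audit.sh /path/to/.gnupg
if [ "$#" -eq 1 ]; then audit_gnupg_home "$1"; fi
```

Run the audit as the same account the scheduler or job engine uses, since the interactive login and the job may not be the same user.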
chulett
Charter Member
Posts: 43085
Joined: Tue Nov 12, 2002 4:34 pm
Location: Denver, CO

Post by chulett »

:idea: Just a point about attribution - if you are going to copy text from another site, at the very least give credit to where it comes from, in this case the Arch Wiki entry for GnuPG. Or better yet just link to it.
-craig

"You can never have too many knives" -- Logan Nine Fingers
priyadarshikunal
Premium Member
Posts: 1735
Joined: Thu Mar 01, 2007 5:44 am
Location: Troy, MI

Post by priyadarshikunal »

Yes Craig, the last para is from the Arch wiki. I generally put the excerpt and then link to it. But in this case I copied from the saved pages so didn't bother to find the link. :roll:
Priyadarshi Kunal

Genius may have its limitations, but stupidity is not thus handicapped. :wink: