Blog | G5 Cyber Security

Automate PGP Encryption (Windows)

TL;DR

This guide shows you how to automate encrypting files with GnuPG (PGP) on Windows using a batch script. It covers installing GnuPG, creating a key pair if needed, and then scripting the encryption process.

1. Install GnuPG

  1. Download Gpg4win from https://www.gpg4win.org/. Choose the ‘full’ installation option.
  2. Follow the on-screen instructions to complete the installation. Make sure to add GnuPG to your system PATH during setup (usually checked by default). This allows you to run `gpg` commands from any command prompt window.
  3. Verify the installation: Open a new Command Prompt and type `gpg --version`. You should see version information printed if it’s installed correctly.

2. Create a GPG Key Pair (if you don’t have one)

If you already have a GPG key pair, skip this step.

  1. Open Kleopatra (part of the Gpg4win suite).
  2. Click ‘Create a new key pair’.
  3. Follow the wizard. Choose RSA and RSA (default 4096 bits is fine). Set an expiration date if desired, and enter your name and email address.
  4. Set a strong passphrase for your key. This is crucial!
  5. Move your mouse randomly within the Kleopatra window to generate entropy.
  6. Once created, export your public key (File -> Export Certificates). Save it somewhere safe. You’ll need to share it with the people you want to receive encrypted files *from*.

3. Create a Batch Script for Encryption

This script will automate the encryption process.

  1. Open Notepad (or your preferred text editor).
  2. Paste the following code into the file:

    @echo off
    setlocal
    
    :: Set variables (%~1 strips any surrounding quotes from the argument)
    set "inputFile=%~1"
    set "outputFile=%~2"
    set "recipientId=%~3"
    
    :: Stop with a usage message if any argument is missing
    if "%inputFile%" == "" (
        echo Usage: encrypt.bat ^<input_file^> ^<output_file^> ^<recipient_id^>
        exit /b 1
    )
    
    if "%outputFile%" == "" (
        echo Usage: encrypt.bat ^<input_file^> ^<output_file^> ^<recipient_id^>
        exit /b 1
    )
    
    if "%recipientId%" == "" (
        echo Usage: encrypt.bat ^<input_file^> ^<output_file^> ^<recipient_id^>
        exit /b 1
    )
    
    :: Encrypt the input file to the recipient's public key
    gpg --encrypt --recipient "%recipientId%" --output "%outputFile%" "%inputFile%"
    
    :: Report success only if gpg exited without an error
    if errorlevel 1 (
        echo Encryption failed.
        exit /b 1
    )
    
    echo File encrypted successfully!
    endlocal

  3. Save the file as encrypt.bat (or any name you prefer) in a convenient location.

4. Understanding the Script

Let’s break down what the script does:

5. Encrypting Files

  1. Open a Command Prompt window.
  2. Navigate to the directory where you saved encrypt.bat.
  3. Run the script with the following syntax: encrypt.bat <input_file> <output_file> <recipient_id>.
    • Replace <input_file> with the path to the file you want to encrypt (e.g., C:\Documents\mysecret.txt).
    • Replace <output_file> with the desired name and location for the encrypted file (e.g., C:\Encrypted\mysecret.gpg).
    • Replace <recipient_id> with the recipient’s email address or key fingerprint that you exported earlier.
  4. Example: encrypt.bat C:\Documents\mysecret.txt C:\Encrypted\mysecret.gpg myrecipient@example.com
  5. You will be prompted for your GPG passphrase to unlock the key used for encryption.
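
The steps above encrypt one file at a time from an open console. The batch file below is an added example, not part of the original guide: it encrypts every file in a folder without prompting, so it can run as a scheduled task, and it checks that the recipient's public key is in the keyring before starting. The file name encrypt-folder.bat, the folder arguments and the exit codes 2 and 3 are assumptions chosen for illustration.

```bat
@echo off
setlocal

:: Added example: unattended folder encryption (names and exit codes are assumptions)
set "inDir=%~1"
set "outDir=%~2"
set "recipientId=%~3"

if "%recipientId%" == "" (
    echo Usage: encrypt-folder.bat ^<input_dir^> ^<output_dir^> ^<recipient_id^>
    exit /b 1
)
if not exist "%inDir%\" (
    echo Input folder not found: %inDir%
    exit /b 1
)
if not exist "%outDir%\" mkdir "%outDir%"

:: Fail early if the recipient's public key is not in the keyring
gpg --batch --list-keys "%recipientId%" >nul 2>&1
if errorlevel 1 (
    echo No public key found for %recipientId%. Import it first.
    exit /b 2
)

:: --batch: never wait for keyboard input; --yes: overwrite an existing output file
set /a failed=0
for %%F in ("%inDir%\*") do (
    gpg --batch --yes --encrypt --recipient "%recipientId%" --output "%outDir%\%%~nxF.gpg" "%%~fF"
    if errorlevel 1 (
        echo FAILED: %%~nxF
        set /a failed+=1
    ) else (
        echo OK: %%~nxF
    )
)

:: A non-zero exit code lets Task Scheduler or a calling script detect the failure
if %failed% gtr 0 (
    echo %failed% files could not be encrypted.
    exit /b 3
)
echo All files encrypted.
endlocal
```

In `--batch` mode gpg refuses to encrypt to a key it does not consider valid instead of asking for confirmation, so certify the recipient's key in Kleopatra before scheduling the job. Keep the output folder separate from the input folder so that already encrypted files are not picked up on the next run.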

6. Troubleshooting
