gpg_encrypt() is a PHP function that will allow you to easily use GnuPG to encrypt data to your public
PGP key and mail that encrypted data to yourself, where it can be securely decrypted with your private key.
This is designed primarily for use with web-based forms but can be used to encrypt any data.
Requires PHP >=4.3.0
$gpg = gpg_encrypt($secret_message, '/usr/local/bin/gpg', '/home/www/.gnupg', '0x123456');
The 4 required arguments are:
- $secret_message The data to be encrypted
- /path/to/gpg The full path to your gpg program
- /path/to/.gnupg The full path to the GnuPG home directory (keyring)
- 0x123456 Key ID to encrypt the message to
- /path/to/.gnupg needs to be readable by your web server, and should NOT contain any secret keys.
The ONLY keys that should be stored there are the public keys you are encrypting to.
- You can specify multiple key IDs - make sure each one is listed as a separate argument after the first key ID.
Returned in the $gpg array, one element for each of:
- the PGP encrypted message (standard out from GnuPG)
- notices and warnings (standard error from GnuPG)
- the exit status of the gpg command (0 means GnuPG succeeded)
The example code will email an encrypted message
if GnuPG succeeds or display gpg diagnostic warnings and notices if GnuPG fails.
It is intended to be easy to modify for your own needs, without any need to modify the gpg_encrypt() function.
Unlike quick and dirty methods of PGP encryption in PHP this function provides these benefits:
- no sniffing of sensitive data through `ps` (the message is passed to gpg on standard input, never on the command line)
- escaping or filtering of special characters is not required*
* but may be done automatically by PHP - check your "magic_quotes_gpc" setting; if it is on, form data arrives with backslashes added and you will want to stripslashes() it before encrypting
- encrypt to as many keys as you want
- standard out, standard error and exit status are all available from gpg
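The call and return values described above, and the `ps`/stdin point made in this list, as an added example. This is not the original gpg_encrypt() source; it is an illustration of the same technique written for this page, assuming PHP 5 or later, a GnuPG that accepts `--trust-model always`, and placeholder paths, key ID and mail address:

```php
<?php
// Added example, not the original gpg_encrypt() source. Shows the technique the
// page describes: GnuPG driven through proc_open() with the plaintext on stdin
// (so it never shows up in `ps`), encryption to one or more public keys with
// trust checking bypassed, and stdout, stderr and exit status all returned.
// Assumes PHP >= 5 and a keyring directory readable by the web server user.
function gpg_encrypt_example($message, $gpg_path, $gpg_home, array $recipients)
{
    // If magic_quotes_gpc is on (PHP < 5.4), form input arrives with added
    // backslashes; undo that before encrypting.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $message = stripslashes($message);
    }

    // Every argument is shell-quoted; only paths and key IDs/fingerprints reach
    // the command line, never the message itself.
    $cmd = escapeshellarg($gpg_path)
         . ' --homedir ' . escapeshellarg($gpg_home)
         . ' --batch --no-tty'         // never prompt: there is no terminal
         . ' --trust-model always'     // skip web-of-trust checks (see the caveat in the text)
         . ' --armor --encrypt';
    foreach ($recipients as $r) {
        $cmd .= ' --recipient ' . escapeshellarg($r);
    }

    $spec = array(
        0 => array('pipe', 'r'),  // stdin:  plaintext goes in here
        1 => array('pipe', 'w'),  // stdout: ASCII-armored ciphertext
        2 => array('pipe', 'w'),  // stderr: notices and warnings
    );
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return array('', 'proc_open() failed', -1);
    }
    fwrite($pipes[0], $message);
    fclose($pipes[0]);                       // EOF tells gpg the input is complete
    $ciphertext = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $diagnostics = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);             // GnuPG's exit status
    return array($ciphertext, $diagnostics, $status);
}

// Usage mirroring the page's description: mail the ciphertext on success,
// otherwise show gpg's diagnostics. Paths, key ID and address are placeholders.
list($ct, $diag, $rc) = gpg_encrypt_example(
    isset($_POST['secret']) ? $_POST['secret'] : '',
    '/usr/local/bin/gpg', '/home/www/.gnupg',
    array('0x123456')   // key IDs or, better, full fingerprints
);
if ($rc === 0 && $ct !== '') {
    mail('you@example.com', 'Encrypted form submission', $ct);
} else {
    echo '<pre>' . htmlspecialchars($diag) . '</pre>';
}
```

Standard output is drained before standard error; that is fine for gpg, whose diagnostics are a few lines, but a program that writes more than the pipe buffer to stderr before finishing stdout would need stream_select() instead. Writing the plaintext to a temporary file to hand it to gpg would defeat both the `ps` point and the "can the secret be written to disk cache?" question below, which is why stdin is used.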
Security is only as strong as its weakest link.
This is not intended to provide ultimate security (whatever that is).
Bear these things in mind:
- How is the data getting to your form? SSL? TLS?
- Are your web-server, PHP, GnuPG and operating system secure?
- Can the secret message be written to disk cache?
- Is your secret-key stored on the server?
- Are the permissions for www's keyring set correctly?
If your web server is running as user "www", your keyring directory will have to be readable by www.
If your web server is running as your UID then you have a different list of concerns.
Note that this function bypasses the trust checking that GnuPG normally uses,
and assumes that any key it is told to use is trusted.
This might not make sense at first,
but it doesn't open up any security holes that don't already exist when your
gpg home directory (keyring) lives on a web server: anyone who can write to that
keyring can already replace your public key, whatever the trust settings say.
If you're concerned that an attacker might add their key without you knowing about it,
consider including the function file, any scripts that use it,
and your public keyring in the list of files checked by a file integrity application.
Also prefer encrypting to full key fingerprints rather than 8-digit short key IDs,
since short IDs are not unique and an attacker can generate a key that matches one.
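The check suggested above, as an added example rather than the project's own code: before encrypting, confirm that the web server's keyring contains only the public keys you expect by comparing every primary-key fingerprint that GnuPG reports against an allowlist. It assumes PHP 5 or later, GnuPG's `--with-colons` listing format (an `fpr` record carries the fingerprint in its tenth field), and placeholder paths and fingerprints.

```php
<?php
// Added example (not the original project's code): refuse to encrypt if the
// keyring holds any primary key whose fingerprint is not on the allowlist.
// Paths and fingerprints are placeholders for illustration.
function keyring_unexpected_keys($gpg_path, $gpg_home, array $allowed_fprs)
{
    // --with-colons is GnuPG's stable machine-readable format. Listing keys
    // needs no secret input, so exec() with escaped arguments is sufficient.
    $cmd = escapeshellarg($gpg_path)
         . ' --homedir ' . escapeshellarg($gpg_home)
         . ' --batch --no-tty --with-colons --fingerprint --list-keys 2>&1';
    exec($cmd, $lines, $rc);
    if ($rc !== 0) {
        // A failed listing is a failure, not a pass: the caller must not
        // fall back to encrypting.
        return false;
    }

    $allowed = array_map('strtoupper', $allowed_fprs);
    $unexpected = array();
    $last = '';
    foreach ($lines as $line) {
        $f = explode(':', $line);
        if ($f[0] === 'pub' || $f[0] === 'sub') {
            $last = $f[0];          // remember whether the next fpr is a primary key's
            continue;
        }
        // Only primary-key fingerprints are compared; subkey fpr records follow
        // a "sub" record and belong to a key already judged by its primary.
        if ($f[0] === 'fpr' && $last === 'pub' && isset($f[9])) {
            $fpr = strtoupper($f[9]);
            if (!in_array($fpr, $allowed, true)) {
                $unexpected[] = $fpr;
            }
        }
    }
    return $unexpected;
}

// Usage with placeholder values: any unexpected key aborts the encryption path
// and is reported to the administrator.
$expected = array('0123456789ABCDEF0123456789ABCDEF01234567');
$bad = keyring_unexpected_keys('/usr/local/bin/gpg', '/home/www/.gnupg', $expected);
if ($bad === false) {
    error_log('gpg key listing failed; not encrypting');
} elseif (count($bad) > 0) {
    error_log('unexpected keys in web keyring: ' . implode(', ', $bad));
} else {
    // keyring is as expected; safe to go on and call the encryption function
}
```

This complements, rather than replaces, a file integrity checker: the checker notices that the keyring file changed, while this check says whether the keys it now holds are the ones you intended to encrypt to, and it runs at the moment the decision matters.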
It is not the intent of this function to sign any data.
Signing data on auto-pilot would require either
1) your signing key to be stored without a pass-phrase or
2) your secret pass-phrase to be stored unencrypted.
In the event that your web server were to be compromised, an attacker could easily get your signing key.
With that in mind, signing data under such conditions provides no real security,
but it does provide a real chance that your secret key may be compromised.
Keeping any secret key on a web server, especially if it's readable by the web server, is a bad idea.
Keeping such a key without a pass-phrase or with a pass-phrase stored in clear text is an incredibly bad idea.
That's why this function is only meant to encrypt, not sign.
With OpenPGP an encryption key can be public, so if an attacker gets hold of your public encryption key,
all they can do with it is encrypt messages that only you can decrypt.
If an attacker gets hold of your secret key, they can ruin your day.
See also: The GNU Privacy Guard