My program is supposed to encrypt a file using GnuPG but I'm unable to make it work. I've tried encrypting the files using the command directly on the server and that works. But when I run my PHP code, the files aren't encrypted. I've tried encrypting a single string and that still failed. Mind helping?
<? php
putenv("GNUPGHOME=/home/admin/.gnupg");
$gpg=new gnupg();
$gpg->addencryptkey("CB416DC6B06BF75D1C8DA888A552533206"); //fingerprint
$enc=$gpg->encrypt("hi");
echo $enc;
?>
I've run geterror and it returns "no key for encryption set". And may I know whether I am setting the homedir correctly, and what the exact permissions for the GnuPG homedir should be?
Thank you in advance!
CodePudding user response:
Make sure your syntax is correct and that the fingerprint you are using is actually available.
Check that you have the key
$ gpg --list-keys
/home/jaroslav/.gnupg/pubring.kbx
---------------------------------
pub rsa3072 2021-10-20 [SC] [expires: 2023-10-20]
C1CFDC84CA8A42DBF03371E75B9ED4CB2025188B
uid [ultimate] Jaroslav Rakhmatoullin <[email protected]>
sub rsa3072 2021-10-20 [E] [expires: 2023-10-20]
Run the example
$ php gpg.php
Fix the syntax (<? php is very wrong)
$ cat gpg.php
<?php
putenv("GNUPGHOME=/home/jaroslav/.gnupg");
$gpg=new gnupg();
$gpg->addencryptkey("C1CFDC84CA8A42DBF03371E75B9ED4CB2025188B"); //fingerprint
if ($enc = $gpg->encrypt("hi")) {
    echo $enc;
} else {
    echo $gpg->geterror() . PHP_EOL;
}
If you are actually running this in a browser / server, then make sure the user who is running the web server can read the .gnupg folder and files in there.
OK, for my user:
$ namei -l /home/jaroslav/.gnupg/trustdb.gpg
f: /home/jaroslav/.gnupg/trustdb.gpg
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x jaroslav jaroslav jaroslav
drwx------ jaroslav jaroslav .gnupg
-rw------- jaroslav jaroslav trustdb.gpg
No bueno for the apache user (you will probably have a www-data user):
$ sudo -u apache namei -l /home/jaroslav/.gnupg/trustdb.gpg
f: /home/jaroslav/.gnupg/trustdb.gpg
drwxr-xr-x root root /
drwxr-xr-x root root home
drwxr-xr-x jaroslav jaroslav jaroslav
drwx------ jaroslav jaroslav .gnupg
trustdb.gpg - Permission denied
If I run the php script as the apache user, I get the same error as you:
$ sudo -u apache php gpg.php
no key for encryption set
You can work around this issue by allowing the www-data user (or the actual user that runs the web server or the php-fpm process) to access the .gnupg folder.
setfacl -R -m u:www-data:rwx /home/admin/.gnupg
setfacl -R -m u:apache:rwx /home/admin/.gnupg
You don't need both of the commands, just one.
This command will allow the www-data user to read everything in the .gnupg folder. This is dangerous and someone could steal your private key.
If I were you I would instead create a .gnupg directory for the www-data user rather than using the one belonging to the admin, but that's up to you. Be careful in your production environment, especially if you plan on doing something non-trivial or something involving money.
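An added example (not code from the question or the answer) of the dedicated-keyring approach with preflight checks, so that a homedir the web user cannot traverse is reported as such instead of surfacing as "no key for encryption set". It assumes the PECL gnupg and posix extensions are loaded; the path /var/www/.gnupg and the fingerprint are placeholders.

```php
<?php
// Added example: preflight checks around the PECL gnupg encrypt() call.
// Assumptions: the web user owns its own keyring at GNUPG_HOME (mode 700)
// holding only the recipient's public key; both values below are placeholders.
const GNUPG_HOME = '/var/www/.gnupg';
const RECIPIENT_FPR = 'REPLACE_WITH_40_HEX_FINGERPRINT';

// Returns a list of human-readable problems with the homedir (empty if fine).
function diagnoseGnupgHome(string $home): array
{
    $problems = [];
    $who = posix_getpwuid(posix_geteuid())['name'];   // account PHP actually runs as
    if (!is_dir($home)) {
        $problems[] = "$home does not exist (PHP runs as $who)";
    } elseif (!is_readable($home) || !is_executable($home)) {
        // A drwx------ directory owned by another account fails exactly like the question.
        $problems[] = "$home is not readable/traversable by $who";
    } elseif (is_file("$home/pubring.kbx") && !is_readable("$home/pubring.kbx")) {
        $problems[] = "$home/pubring.kbx is not readable by $who";
    }
    return $problems;
}

function encryptForRecipient(string $plaintext, string $home, string $fpr): string
{
    putenv("GNUPGHOME=$home");
    if ($problems = diagnoseGnupgHome($home)) {
        throw new RuntimeException(implode('; ', $problems));
    }
    $gpg = new gnupg();
    // keyinfo() separates "key not in this keyring" from a permission problem.
    if (!$gpg->keyinfo($fpr)) {
        throw new RuntimeException("no key matching $fpr in $home");
    }
    // From here on, make gnupg raise instead of silently returning false.
    $gpg->seterrormode(gnupg::ERROR_EXCEPTION);
    $gpg->addencryptkey($fpr);
    return $gpg->encrypt($plaintext);
}

try {
    echo encryptForRecipient('hi', GNUPG_HOME, RECIPIENT_FPR);
} catch (Exception $e) {
    fwrite(STDERR, $e->getMessage() . PHP_EOL);
    exit(1);
}
```

Because the web user's keyring holds only a public key, a compromised web process cannot leak the admin's private key, which is the risk the setfacl workaround above introduces.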