gpgdir -e|-d <directory> [options]
gpgdir is a perl script that uses the CPAN GnuPG::Interface perl module
to recursively encrypt and decrypt directories using gpg. gpgdir
recursively descends through a directory in order to encrypt, decrypt,
sign, or verify every file in a directory and all of its subdirecto-
ries. By default, the mtime and atime values of all files will be pre-
served upon encryption and decryption (this can be disabled with the
--no-preserve-times option). Note that in --encrypt mode, gpgdir will
delete the original files that it successfully encrypts (unless the
--no-delete option is given). However, upon startup gpgdir first asks
for a the decryption password to be sure that a dummy file can success-
fully be encrypted and decrypted. The initial test can be disabled
with the --skip-test option so that a directory can easily be encrypted
without having to also specify a password (this is consistent with gpg
behavior). Also, note that gpgdir is careful not encrypt hidden files
and directories. After all, you probably don't want your ~/.gnupg
directory or ~/.bashrc file to be encrypted. The GnuPG key gpgdir uses
to encrypt/decrypt a directory is specified in ~/.gpgdirrc. Also,
gpgdir can use the wipe program with the --Wipe command line option to
securely delete the original unencrypted files after they have been
successfully encrypted. This elevates the security stance of gpgdir
since it is more difficult to recover the unencrypted data associated
with files from the filesystem after they are encrypted (unlink() does
not erase data blocks even though a file is removed).
Note that gpgdir is not designed to be a replacement for an encrypted
filesystem solution like encfs or ecryptfs. Rather, it is an alterna-
tive that allows one to take advantage of the cryptographic properties
offered by GnuPG in a recursive manner across an existing filesystem.
-e, --encrypt <directory>
Recursively encrypt all files in the directory specified on the
command line. All original files will be deleted (a password
check is performed first to make sure that the correct password
to unlock the private GnuPG key is known to the user).
-d, --decrypt <directory>
Recursively decrypt all files in the directory specified on the
command line. The encrypted .gpg version of each file will be
Recursively sign all files in the directory specified on the
command line. For each file, a detached .asc signature will be
Run an encryption and decryption test against a dummy file and
exit. This test is always run by default in both --encrypt and
Instruct gpgdir to encrypt to decrypt files using a symmetric
cipher supported by GnuPG (CAST5 is commonly used). This
results in a significant speed up for the encryption/decryption
Show what encrypt/decrypt actions would take place without actu-
ally doing them. The filesystem is not changed in any way in
Prompt the user before actually encrypting or decrypting each
file. This is useful to have fine-grained control over gpgdir
operations as it recurses through a directory structure.
Tell gpgdir to ignore non-fatal error conditions, such as the
inability to encrypt or decrypt individual files because of per-
Instruct gpgdir to skip all files that match pattern as a regex
match against each filename. This is similar to the --exclude
option in the standard GNU tar command.
Instruct gpgdir to exclude all files matched by patterns listed
in file. This is similar to the --exclude-from the GNU tar com-
Instruct gpgdir to only include files that match pattern as a
regex match against each filename.
Instruct gpgdir to only include files matched by patterns listed
Use the wipe program to securely delete files after they have
been successfully encrypted.
Tell gpgdir to obfuscate the file names of files that it
encrypts (in -e mode). The names of each file are stored within
the file .gpgdir_map_file for every sub-directory, and this file
is itself encrypted. In decryption mode (-d), the -O argument
-K, --Key-id <id>
Manually specify a GnuPG key ID from the command line. Because
GnuPG supports matching keys with a string, id does not strictly
have to be a key ID; it can be a string that uniquely matches a
key in the GnuPG key ring.
Use the key that GnuPG defines as the default, i.e. the key that
is specified by the default-key variable in ~/.gnupg/options.
If the default-key variable is not defined within
~/.gnupg/options, then GnuPG tries to use the first suitable key
on its key ring (the initial encrypt/decrypt test makes sure
that the user knows the corresponding password for the key).
Instruct gpgdir to acquire gpg key password from a running gpg-
-A, --Agent-info <connection info>
Specify the value of the GPG_AGENT_INFO environment variable as
returned by the gpg-agent --daemon command. If the gpgdir
--agent command line argument is used instead of --Agent-info,
then gpgdir assumes that the GPG_AGENT_INFO environment variable
has already been set in the current shell.
Skip encryption and decryption test. This will allow gpgdir to
be used to encrypt a directory without specifying a password
(which normally gets used in encryption mode to test to make
sure decryption against a dummy file works properly).
Print as little as possible to the screen when encrypting or
decrypting a directory.
Instruct gpgdir to not recurse through any subdirectories of the
directory that is being encrypted or decrypted.
Instruct gpgdir to not ask the user for a password. This is
only useful when a gpg key literally has no associated password
(this is not common).
Instruct gpgdir to not delete original files at encrypt time.
Instruct gpgdir to not preserve original file mtime and atime
values upon encryption or decryption.
-l, --locale <locale>
Contains the key id of the user gpg key that will be used to
encrypt or decrypt the files within a directory.
The following examples illustrate the command line arguments that could
be supplied to gpgdir in a few situations:
To encrypt a directory:
$ gpgdir -e /some/dir
To encrypt a directory, and use the wipe command to securely delete the
original unencrypted files:
$ gpgdir -W -e /some/dir
To encrypt a directory with the default GnuPG key defined in
$ gpgdir -e /some/dir --Default-key
To decrypt a directory with a key specified in ~/.gpgdirrc:
$ gpgdir -d /some/dir
To encrypt a directory but skip all filenames that contain the string
$ gpgdir -e /some/dir --Exclude host
To encrypt a directory but only encrypt those files that contain the
$ gpgdir -e /some/dir --Include passwd
To acquire the GnuPG key password from a running gpg-agent daemon in
order to decrypt a directory (this requires that gpg-agent has the
$ gpgdir -A /tmp/gpg-H4DBhc/S.gpg-agent:7046:1 -d /some/dir
To encrypt a directory but skip the encryption/decryption test (so you
will not be prompted for a decryption password):
$ gpgdir -e /some/dir -s
To encrypt a directory and no subdirectories:
Michael Rash <firstname.lastname@example.org>
Many people who are active in the open source community have contrib-
uted to gpgdir; see the CREDITS file in the gpgdir sources.
Send bug reports to email@example.com. Suggestions and/or comments are
always welcome as well.
gpgdir is distributed under the GNU General Public License (GPL), and
the latest version may be downloaded from http://www.cipherdyne.org
Linux May, 2007 GPGDIR(1)
Man(1) output converted with