10.10 Encrypt or sign files into an archive

gpgtar encrypts or signs files into an archive. It is an gpg-ized tar using the same format as used by PGP’s PGP Zip.

gpgtar is invoked this way:

gpgtar [options] filename1 [filename2, ...] directory [directory2, ...]

gpgtar understands these options:

--create

Put given files and directories into a vanilla “ustar” archive.

--extract

Extract all files from a vanilla “ustar” archive. If no file name is given (or it is "-") the archive is taken from stdin.

--encrypt

-e

Encrypt given files and directories into an archive. This option may be combined with option --symmetric for an archive that may be decrypted via a secret key or a passphrase.

--decrypt

-d

Extract all files from an encrypted archive. If no file name is given (or it is "-") the archive is taken from stdin.

--sign

-s

Make a signed archive from the given files and directories. This can be combined with option --encrypt to create a signed and then encrypted archive.

--list-archive

-t

List the contents of the specified archive. If no file name is given (or it is "-") the archive is taken from stdin.

--symmetric

-c

Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128, but may be chosen with the --cipher-algo option to gpg.

--recipient user

-r user

Encrypt for user id user. For details see gpg.

--local-user user

-u user

Use user as the key to sign with. For details see gpg.

--output file

-o file

Write the archive to the specified file file.

--verbose

-v

Enable extra informational output.

--quiet

-q

Try to be as quiet as possible.

--skip-crypto

Skip all crypto operations and create or extract vanilla “ustar” archives.

--dry-run

Do not actually output the extracted files.

--directory dir

-C dir

Extract the files into the directory dir. The default is to take the directory name from the input filename. If no input filename is known a directory named GPGARCH is used. For tarball creation, switch to directory dir before performing any operations.

--files-from file

-T file

Take the file names to work from the file file; one file per line.

--null

Modify option --files-from to use a binary nul instead of a linefeed to separate file names.

--utf8-strings

Assume that the file names read by --files-from are UTF-8 encoded. This option has an effect only on Windows where the active code page is otherwise assumed.

--openpgp

This option has no effect because OpenPGP encryption and signing is the default.

--cms

This option is reserved and shall not be used. It will eventually be used to encrypt or sign using the CMS protocol; but that is not yet implemented.

--batch

Use batch mode. Never ask but use the default action. This option is passed directly to gpg. This option is also required to activate the log-file in common.conf for this program.

--yes

Assume "yes" on most questions. Often used together with --batch to overwrite existing files. This option is passed directly to gpg.

--no

Assume "no" on most questions. This option is passed directly to gpg.

--require-compliance

This option is passed directly to gpg.

--status-fd n

Write special status strings to the file descriptor n. See the file DETAILS in the documentation for a listing of them.

--with-log

When extracting an encrypted tarball also write a log file with the gpg output to a file named after the extraction directory with the suffix ".log".

--set-filename file

Use the last component of file as the output directory. The default is to take the directory name from the input filename. If no input filename is known a directory named GPGARCH is used. This option is deprecated in favor of option --directory.

--no-compress

This option tells gpg to disable compression (i.e., using option -z0). It is useful for archiving only large files which are already compressed (e.g., a set of videos).

--gpg gpgcmd

Use the specified command gpgcmd instead of gpg.

--gpg-args args

Pass the specified extra options to gpg.

--tar-args args

Assume args are standard options of the command tar and parse them. The only supported tar options are --directory, --files-from, and --null. This is an obsolete options because those supported tar options can also be given directly.

--tar command

This is a dummy option for backward compatibility.

--version

Print version of the program and exit.

--help

Display a brief help page and exit.

The program returns 0 if everything was fine, 1 otherwise.

Some examples:

Encrypt the contents of directory mydocs for user Bob to file test1:

gpgtar --encrypt --output test1 -r Bob mydocs

List the contents of archive test1:

gpgtar --list-archive test1