Unable to encrypt in PHP using GnuPG

My program is supposed to encrypt a file using GnuPG but I'm unable to make it work. I've tried encrypting the files using the command directly on the server and that works. But when I run my PHP code, the files aren't encrypted. I've tried encrypting a single string and it still failed. Mind helping?

<? php
   
   putenv("GNUPGHOME=/home/admin/.gnupg");

   $gpg=new gnupg();
   $gpg->addencryptkey("CB416DC6B06BF75D1C8DA888A552533206"); //fingerprint
   $enc=$gpg->encrypt("hi");
   echo $enc;

 ?>

I've run geterror and it returns "no key for encryption set". And may I know whether I am setting the homedir correctly, and what the exact permissions for the GnuPG homedir are?

Thank you in advance!

Make sure your syntax is correct and that the fingerprint you are using is actually available.

Check that you have the key

$ gpg --list-keys 
/home/jaroslav/.gnupg/pubring.kbx
---------------------------------
pub   rsa3072 2021-10-20 [SC] [expires: 2023-10-20]
      C1CFDC84CA8A42DBF03371E75B9ED4CB2025188B
uid           [ultimate] Jaroslav Rakhmatoullin <jazzoslav@gmail.com>
sub   rsa3072 2021-10-20 [E] [expires: 2023-10-20]

Run the example

$ php gpg.php 
-----BEGIN PGP MESSAGE-----
...
=HGmP
-----END PGP MESSAGE-----

Fix the syntax (<? php is very wrong)

$ cat gpg.php 
<?php
putenv("GNUPGHOME=/home/jaroslav/.gnupg");

$gpg=new gnupg();
$gpg->addencryptkey("C1CFDC84CA8A42DBF03371E75B9ED4CB2025188B"); //fingerprint

if ($enc = $gpg->encrypt("hi")) {
    echo $enc;
} else {
    echo $gpg->geterror() . PHP_EOL ;
}

If you are actually running this in a browser / server, then make sure the user who is running the web server can read the .gnupg folder and files in there.

OK for my user:

$ namei -l /home/jaroslav/.gnupg/trustdb.gpg 
f: /home/jaroslav/.gnupg/trustdb.gpg
drwxr-xr-x root     root     /
drwxr-xr-x root     root     home
drwxr-xr-x jaroslav jaroslav jaroslav
drwx------ jaroslav jaroslav .gnupg
-rw------- jaroslav jaroslav trustdb.gpg

No bueno for apache user (you will probably have a www-data user)

$ sudo -u apache namei -l /home/jaroslav/.gnupg/trustdb.gpg 
f: /home/jaroslav/.gnupg/trustdb.gpg
drwxr-xr-x root     root     /
drwxr-xr-x root     root     home
drwxr-xr-x jaroslav jaroslav jaroslav
drwx------ jaroslav jaroslav .gnupg
                             trustdb.gpg - Permission denied

If I run the php script as the apache user, I get the same error as you:

$ sudo -u apache php gpg.php 
no key for encryption set

You can work around this issue by allowing the www-data user (or the actual user that runs the web server or the php-fpm process) to access the .gnupg folder.

setfacl -R -m u:www-data:rwx /home/admin/.gnupg
setfacl -R -m u:apache:rwx /home/admin/.gnupg

You don't need both of the commands, just one.

This command will allow the www-data user to read everything in the .gnupg folder. This is dangerous and someone could steal your private key.

If I were you I would instead create a .gnupg directory for the www-data user instead of using the one belonging to the admin, but that's up to you. Be careful in your production environment especially if you plan on doing something non-trivial or something involving money.
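The last suggestion above (a separate GnuPG home for the web server user) sketched as an added example; it is not code from the original answer. The function names and the exported key file are hypothetical, and the audit assumes the standard GnuPG file layout (pubring.kbx or pubring.gpg, private-keys-v1.d, secring.gpg).

```shell
#!/bin/sh
# Added example: a dedicated, encrypt-only GnuPG home for the web server user.
# Function names and file arguments are hypothetical, chosen for illustration.

# Create the home and import ONLY a public key file, e.g. one produced by
#   gpg --export --armor <fingerprint> > recipient.asc   (run by the key owner)
# Run this as the web server user so the files end up owned by that user.
provision_home() {  # $1 = new GNUPGHOME, $2 = exported public key file
    mkdir -p "$1" && chmod 700 "$1" &&
        gpg --homedir "$1" --batch --import "$2"
}

# Print one finding per line; return non-zero if the home is unsuitable.
audit_home() {  # $1 = GNUPGHOME to check, run as the web server user
    home=$1 rc=0
    if [ ! -d "$home" ]; then
        echo "missing: $home"; return 1
    fi
    # -prune keeps find on the directory itself; owner and mode must both match.
    if [ -z "$(find "$home" -prune -user "$(id -u)" -perm 700)" ]; then
        echo "owner/mode: want uid $(id -u) and 0700"; rc=1
    fi
    if [ ! -r "$home/pubring.kbx" ] && [ ! -r "$home/pubring.gpg" ]; then
        echo "no readable public keyring"; rc=1
    fi
    # GnuPG 2.1+ keeps secret keys in private-keys-v1.d, older ones in secring.gpg.
    if [ -s "$home/secring.gpg" ] ||
       [ -n "$(find "$home/private-keys-v1.d" -name '*.key' 2>/dev/null)" ]; then
        echo "secret key material present"; rc=1
    fi
    return $rc
}
```

Once `audit_home` passes for the new directory, point `GNUPGHOME` in the PHP script at it instead of the admin's `.gnupg`.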
