Scripting GPG Encryption on Windows

Oftentimes your Windows machine generates a number of files that you might want to encrypt. While storing these files on an encrypted drive is often a suitable solution, there are times when file or folder level encryption is more practical. Using GPG file level encryption allows you to distinctly identify files by filename while still protecting their content.

Many programs, such as IM clients, produce unencrypted log files of sensitive data. It is useful to schedule a process to encrypt these files. On a Windows machine with GPG installed you can use a batch file to periodically check your log files and encrypt them. In this example I'll examine the creation of a batch file that will parse through logs created by Pidgin, which is an open source cross-protocol instant messaging client. Pidgin keeps all its log files under the 'Documents and Settings' folder under the user account, then in a .purple folder. This batch file will use the Windows system variables %HOMEDRIVE% and %HOMEPATH% to identify these log files.

In order to utilize this batch file you must have an identity (public/private key pair) set up with GPG. See my related article GPG for Encryption and Digital Signing for further details on this process. I'm utilizing this script on an encrypted volume, so deleting the data is just fine. However, if you wanted to securely wipe the data from an unencrypted location you would also need to install the open source encryption program AxCrypt (from Axantum Software AB). AxCrypt is used to wipe the original files after they've been encrypted. Replacing the "del" line with:

axcrypt -s "%%f" 

would use axcrypt to wipe the data securely off the machine.

I've also utilized some additional functionality. Because I'm on a Windows XP Pro machine I'm using the SMTP server installed as part of IIS to e-mail me whenever there is a problem moving the data. This is done by copying a .eml file into the 'pickup' directory under the mail root. If you want to use this functionality you'll have to enable it by going to "Add/Remove Programs" from your Control Panel and selecting the "Windows Components" button on the left. Then you can check "IIS" and install it. You'll also have to start the service and make sure it's pointing at a real upstream mail provider.

So, without further ado, here's the completed batch file:

REM	GAIM encryption batch file
REM	Justin C. Klein Keane
REM	Note that this program assumes gpg is
REM	in your PATH variable
REM	YOUR_KEY_ID and the you@example.com addresses below are
REM	placeholders: replace them with your own key ID and addresses

REM	/d also changes drive if the logs are not on the current one
cd /d "%HOMEDRIVE%%HOMEPATH%\Application Data\.purple\logs"

REM	Note that the following line won't encrypt open files 
REM	meaning those currently in use

FOR /R %%f in (*.txt) do (
	gpg -r YOUR_KEY_ID -a --encrypt "%%f"
	if errorlevel 1 (
		REM Leave this file alone (it is likely in use) 
		ECHO %temp%
		Echo X-Sender: you@example.com>"%temp%\file.eml"
		Echo X-Receiver: you@example.com>>"%temp%\file.eml"
		Echo From: you@example.com>>"%temp%\file.eml"
		Echo To: you@example.com>>"%temp%\file.eml"
		Echo Subject: Problem with eng_gaim.bat>>"%temp%\file.eml"
		Echo Content-Type: text/plain;>>"%temp%\file.eml"
		REM A blank line must separate the headers from the body
		Echo.>>"%temp%\file.eml"
		Echo There was a problem with the %%f at %date% %time%.>>"%temp%\file.eml"
		Move "%temp%\file.eml" C:\Inetpub\mailroot\Pickup\
	) ELSE (
		REM Note this just deletes the file, it is not a secure wipe!
		DEL "%%f"
	)
)
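
The loop above deletes a log as soon as gpg returns success. The following variant is an added example, not the author's script: it removes the plaintext only after confirming that a non-empty .asc file was written, and it returns a non-zero exit code to the scheduler when anything failed. YOUR_KEY_ID is a placeholder for your own key's user ID, and the exit codes are this example's own choice.

```batch
@echo off
REM Added example (not the author's script): encrypt each Pidgin log,
REM confirm the ciphertext exists and is non-empty, then delete the plaintext.
REM RECIPIENT is a placeholder: set it to the user ID of your own public key.
setlocal
set "RECIPIENT=YOUR_KEY_ID"
set "LOGDIR=%HOMEDRIVE%%HOMEPATH%\Application Data\.purple\logs"
set /a DONE=0, FAILED=0

if not exist "%LOGDIR%" (
	echo Log folder not found: "%LOGDIR%"
	exit /b 2
)

for /R "%LOGDIR%" %%f in (*.txt) do (
	REM --batch keeps gpg from prompting when run unattended by a scheduler.
	REM --yes overwrites a stale .asc left behind by an earlier failed run.
	gpg --batch --yes -a -r "%RECIPIENT%" --output "%%f.asc" --encrypt "%%f"
	if errorlevel 1 (
		set /a FAILED+=1
		echo FAILED encrypt: "%%f"
	) else (
		REM %%~zo expands to the size in bytes of the ciphertext file.
		set "OK="
		if exist "%%f.asc" for %%o in ("%%f.asc") do if %%~zo GTR 0 set "OK=1"
		if defined OK (
			REM As in the original, this is a plain delete, not a secure wipe.
			del "%%f"
			set /a DONE+=1
		) else (
			set /a FAILED+=1
			echo FAILED verify: "%%f"
		)
	)
)

echo Encrypted %DONE% file(s), %FAILED% failure(s)
if %FAILED% GTR 0 exit /b 1
exit /b 0
```

With --batch, gpg fails instead of prompting if the recipient key is not trusted, so the key named in RECIPIENT should be your own key pair.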