Scripting GPG Encryption on Windows
Often your Windows machine generates a number of files that you might want to encrypt. While storing these files on an encrypted drive is often a suitable solution, there are times when file- or folder-level encryption is more useful. Using GPG file-level encryption allows you to still identify files by filename while protecting their content.
Many programs, such as IM clients, produce unencrypted log files of sensitive data. It is useful to schedule a process to encrypt these files. On a Windows machine with GPG installed you can use a batch file to periodically check your log files and encrypt them. In this example I'll examine the creation of a batch file that walks the logs created by Pidgin (http://www.pidgin.im/), an open source, cross-protocol instant messaging client. Pidgin keeps all its log files under the user's profile in the 'Documents and Settings' folder, inside 'Application Data\.purple\logs'. This batch file uses the Windows environment variables %HOMEDRIVE% and %HOMEPATH% to locate these log files.
In order to use this batch file you must have an identity (public/private key pair) set up with GPG. See my related article GPG for Encryption and Digital Signing http://www.madirish.net/?article=185 for further details on this process. I'm running this script on an encrypted volume, so simply deleting the plaintext is fine. However, if you wanted to securely wipe the data from an unencrypted location you would also need to install the open source encryption program AxCrypt (from Axantum Software AB - http://www.axantum.com/AxCrypt/). AxCrypt can be used to wipe the original files after they've been encrypted. Replacing the "DEL" line with:
axcrypt -s "%%f"
would use axcrypt to wipe the data securely off the machine.
I've also added some notification functionality. Because I'm on a Windows XP Pro machine I'm using the SMTP server installed as part of IIS to e-mail me whenever there is a problem encrypting a file. This is done by copying a .eml file into the 'Pickup' directory under the mail root. If you want to use this functionality you'll have to enable it by going to "Add/Remove Programs" in your Control Panel and selecting the "Windows Components" button on the left. Then you can check "IIS" and install it. You'll also have to start the SMTP service and configure it to relay to a real upstream mail provider.
So, without further ado, here's the completed batch file:
@ECHO OFF
REM GAIM encryption batch file
REM Justin C. Klein Keane

REM Note that this program assumes gpg is in your PATH variable
cd /d "%HOMEDRIVE%%HOMEPATH%\Application Data\.purple\logs"

REM Note that the following loop won't encrypt open files, meaning those
REM currently in use: gpg fails on them and a notice is mailed instead.
REM --batch --yes keeps gpg from prompting, for example to overwrite an
REM existing .asc file, since a prompt would hang a scheduled run.
REM %date% and %time% are expanded once when the loop is parsed, so the
REM notice carries the time the run started rather than the time of the failure.
FOR /R %%f in (*.txt) do (
    gpg --batch --yes -r email@example.com -a --encrypt "%%f"
    if errorlevel 1 (
        REM Leave this file alone (it is likely in use) and report it
        Echo X-Sender: firstname.lastname@example.org>%temp%\file.eml
        Echo X-Receiver: email@example.com>>%temp%\file.eml
        Echo From: firstname.lastname@example.org>>%temp%\file.eml
        Echo To: email@example.com>>%temp%\file.eml
        Echo Subject: Problem with eng_gaim.bat>>%temp%\file.eml
        Echo Content-Type: text/plain;>>%temp%\file.eml
        Echo.>>%temp%\file.eml
        Echo There was a problem with the %%f at %date% %time%.>>%temp%\file.eml
        Move %temp%\file.eml C:\Inetpub\mailroot\Pickup\
    ) ELSE (
        REM Note this just deletes the file, it is not a secure wipe!
        DEL "%%f"
    )
)
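As an added example, not code from the original article, here is the same job written in PowerShell with the checks an unattended task needs: a file that is still open is detected up front rather than left to gpg, gpg is told never to prompt, and the plaintext is only removed after the armored ciphertext is confirmed to exist. Assumptions not in the article: gpg.exe is on the PATH, the recipient is the placeholder address email@example.com, Pidgin's logs live under %APPDATA%\.purple\logs (the Vista-and-later location of 'Application Data'), the IIS pickup directory is the one named above, and the script file is called encrypt-pidgin-logs.ps1. PowerShell 3.0 or later is required for Get-ChildItem -File.

```powershell
# Added example, not from the original article. Assumptions: gpg.exe is on PATH,
# the recipient below is a placeholder, and Pidgin logs are under %APPDATA%\.purple\logs.
param(
    [string]$Recipient = 'email@example.com',                     # placeholder recipient key
    [string]$LogRoot   = (Join-Path $env:APPDATA '.purple\logs'), # Pidgin log root (assumption)
    [string]$Pickup    = 'C:\Inetpub\mailroot\Pickup',            # IIS SMTP pickup directory
    [switch]$SecureWipe                                           # wipe with AxCrypt instead of deleting
)

function Test-FileInUse {
    # Pidgin keeps the active log open. Try an exclusive open first so an
    # in-use file is skipped until the next run instead of reported as an error.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    }
}

function Protect-LogFile {
    # Encrypt one log to <name>.asc and report whether the ciphertext was written.
    param([string]$Path, [string]$Recipient)
    $out = "$Path.asc"
    # --batch --yes: never prompt (a prompt would hang a scheduled task).
    # --trust-model always: do not fail just because the key is not marked trusted.
    & gpg --batch --yes --trust-model always -r $Recipient -a --encrypt -o $out -- $Path 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }
    # Never delete the plaintext unless the armored ciphertext is actually there.
    $header = Get-Content -LiteralPath $out -TotalCount 1 -ErrorAction SilentlyContinue
    return ($header -eq '-----BEGIN PGP MESSAGE-----')
}

function Send-PickupMail {
    # Drop a .eml into the IIS SMTP pickup directory, as the batch file does.
    param([string]$Subject, [string]$Body, [string]$Pickup)
    $eml = @"
X-Sender: firstname.lastname@example.org
X-Receiver: email@example.com
From: firstname.lastname@example.org
To: email@example.com
Subject: $Subject
Content-Type: text/plain;

$Body
"@
    $tmp = Join-Path $env:TEMP ("gpglogs-{0}.eml" -f [guid]::NewGuid())
    Set-Content -LiteralPath $tmp -Value $eml -Encoding ASCII
    Move-Item -LiteralPath $tmp -Destination $Pickup
}

Get-ChildItem -LiteralPath $LogRoot -Recurse -Filter '*.txt' -File | ForEach-Object {
    if (Test-FileInUse $_.FullName) { return }   # still being written; pick it up next run
    if (Protect-LogFile -Path $_.FullName -Recipient $Recipient) {
        if ($SecureWipe) {
            & axcrypt -s $_.FullName               # AxCrypt wipe, as described in the article
        } else {
            Remove-Item -LiteralPath $_.FullName   # plain delete, not a secure wipe
        }
    } else {
        # Get-Date is evaluated per file, unlike %date% %time% in a batch FOR block.
        $msg = "There was a problem with $($_.FullName) at $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')."
        Send-PickupMail -Subject 'Problem with encrypt-pidgin-logs.ps1' -Body $msg -Pickup $Pickup
    }
}
```

Schedule it with Task Scheduler as the user whose profile holds the logs, and pass -SecureWipe only when AxCrypt is installed; the header check on the .asc file is deliberately the last thing that stands between a failed gpg run and the deletion of the only copy of the log.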