Is there a way to pad encrypted files with GPG?

February 11, 2022

I want to pad random characters to the start and end of a .zip file to make it less likely to be cracked. From what I understand, it doesn't appear that GPG adds a random amount of padding to the encrypted data. Is this correct, or is there some way I can add random padding to gpg-encrypted files? Would doing so be over-kill?

edit: for reference, I'm running `gpg --encrypt MyFile.zip`

Sauron · February 11, 2022

how would you know what the padding characters are when you try to open the archive?

February 11, 2022

You seem to be misunderstanding the question:

I have an unencrypted .zip file
I want to encrypt it with something like GPG
Since .zip files have a standard header, it is possible to analyze the first 'n' bytes of the encrypted file to try and crack the encryption
If there is a random few bytes of information at the start of the file, it makes that analysis much more difficult.

This isn't a new concept, it's a pretty well defined problem (and some cryptography methods actually require padding to make a message long enough to be encrypted). I'm just asking if there's a way to pad files with GPG (or a homebrew solution to accomplish the same thing).

February 11, 2022

Here's a quick example I worked out in 10 minutes to give the basic idea. I'm want to know if any existing programs (or a function in `gpg`) provide this type of functionality:

#!/bin/bash
###
# USAGE:
#     ./script.sh [mode]
#  [mode] can be either 0 or 1:
#       mode 0 is regularization (remove random data)
#       mode 1 is obfuscation (add random data)
###
#    Copyright (C) 2022 Yuri-Fury
#    This script comes with ABSOLUTELY NO WARRANTY;
#    This is a free script, and you are welcome to redistribute it;
###

mode=$1

#super-secret password
MyPass="KrustyKrabPizza"
Delim=`openssl passwd -6 -salt $MyPass $MyPass | cut -d'$' -f 4`

#file to encrypt
FNAME="MyFile.zip"
FNAME2="test.wav"

###############################################################################

if [[ $mode == 1 ]]; then
    #print 16K of random data (totally overkill; the amount can be randomized)
    dd if=/dev/urandom bs=4K count=4 > $FNAME2

    #print password
    echo "$Delim" >> $FNAME2

    #print file
    dd if=$FNAME >> $FNAME2

    #print password
    echo "$Delim" >> $FNAME2

    #print 16K of random data (still overkill)
    dd if=/dev/urandom bs=4K count=4 >> $FNAME2
	
	#encrypt
	gpg -c $FNAME2 --output $FNAME2.gpg
	rm $FNAME2
elif [[ $mode == 0 ]]; then
    #Decrypt
	gpg $FNAME2.gpg
    #Filter out random data
    #Locate obfuscation delimiters
    POS1=`grep -abo "$Delim" $FNAME2 | head -n 1 | cut -d':' -f 1`
    POS2=`grep -abo "$Delim" $FNAME2 | tail -n 1 | cut -d':' -f 1`
    
    #Offset POS1 by the size of the password
    POS1=`expr $POS1 + ${#Delim} + 1`
    
    #Compute size of actual contained data
    SIZE=`expr $POS2 - $POS1`
    #Filter
    dd if=$FNAME2 bs=1 skip=$POS1 count=$SIZE of="$FNAME"
else
    echo "MODE NOT RECOGNIZED"
fi