> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-3/pgp/decryption-with-passphrase/trick-0326.md).

# Decrypt GPG File With Passphrase

***

To decrypt a GPG-encrypted file when you have the passphrase, use the `gpg` command-line tool.

The basic interactive method will prompt you for the passphrase:

```bash
gpg --output <output_file> --decrypt <encrypted_file.gpg>
```

For example, using the details from the notes:

```bash
gpg --output helmet_key.txt --decrypt helmet_key.txt.gpg
```

Alternatively, if you want to provide the passphrase directly in the command (useful in scripts or for automation), you can use the `--batch` and `--passphrase` options:

```bash
gpg --batch --passphrase '<passphrase>' --output <output_file> --decrypt <encrypted_file.gpg>
```

Using the example passphrase `plant42_can_be_destroy_with_vjolt`:

```bash
gpg --batch --passphrase 'plant42_can_be_destroy_with_vjolt' --output helmet_key.txt --decrypt helmet_key.txt.gpg
```

While the `--passphrase` option works, passing the passphrase directly on the command line can be insecure as it might be visible in process lists (`ps`). A more secure method for scripting is to use the `--passphrase-fd` option, which tells GPG to read the passphrase from a specific file descriptor. Using `--passphrase-fd 0` means reading the passphrase from standard input.

For automated decryption in scripts, especially when not running in a standard terminal environment, it might be necessary to set the `GPG_TTY` environment variable. This helps GPG connect to a TTY or pseudo-TTY for passphrase prompting, even when using non-interactive methods. You can often set this using `export GPG_TTY=$(tty)`.

You can pipe the passphrase to GPG's standard input using `echo` and redirecting it to file descriptor 0:

```bash
echo "mypassphrase" | gpg --batch --yes --passphrase-fd 0 --decrypt file.gpg
```

Here, `--batch` is used for non-interactive operation, `--yes` can be used to automatically overwrite the output file if it exists, and `--passphrase-fd 0` instructs GPG to read the passphrase from stdin, which receives the output of the `echo` command via the pipe.

Another way to use `--passphrase-fd 0` is to redirect a file containing the passphrase to standard input:

```bash
gpg --batch --passphrase-fd 0 --yes --decrypt file.gpg < passwordfile
```

In this case, the content of `passwordfile` is provided as standard input to GPG, and because `--passphrase-fd 0` is used, GPG reads the passphrase from there. Providing the password in a file and redirecting it to standard input using `<` is another common approach for automation.
