Encrypting Filespooler Jobs with GPG

Thanks to Filespooler's support for decoders, Filespooler job data can be encrypted at rest and is decrypted only when Filespooler needs to scan or process a queue.

The Compressing Filespooler Jobs page gives an introduction to Filespooler’s decoder support, and should be read before proceeding here, since it illustrates the concepts we will use.

This page discusses using Filespooler with GnuPG (GPG) for encryption. Verifying Filespooler Job Integrity is often also done with GnuPG, but it has nuances of its own and is discussed on a separate page.

Basics

You will generally set up one or more keypairs for the communication. Each node can have its own keypair, or nodes can share one; it's up to you. For unattended, automated operation you will usually create the secret keys without a passphrase, since nobody is there to type one; such a key is then protected only by the permissions on the GNUPGHOME of the user that processes the queue, so keep that directory private to that user. For more interactive work, gpg-agent with a pinentry (GUI or otherwise) that caches your passphrase also works.

This is essentially the same process as verifying data with GPG, just without the signature-verification step, so reading that page is helpful too.

Sending data

See the “Creating the signed and encrypted packets” section of Verifying Filespooler Job Integrity for details. If you don't want signatures, leave off --sign -u [keyid]. Keep in mind that encryption alone says nothing about who created a packet: anyone holding the receiving node's public key can encrypt to it, so drop the signature only if something else already authenticates the sender.

Receiving and decrypting data

You will be passing -d 'gpg -q -d - 2>/dev/null' to the fspl queue-* commands. That's all there is to it!

A few things to keep in mind: the trailing - tells gpg to read the packet from stdin, which is how Filespooler hands data to a decoder, and the plaintext goes to stdout. gpg uses the keyring of the user running fspl (its GNUPGHOME), so that keyring needs the receiving secret key and, for signed jobs, the senders' public keys; gpg exits nonzero if it cannot check a signature. Finally, 2>/dev/null throws away gpg's diagnostics, so while setting things up it is worth pointing stderr at a file instead (for example 2>>/tmp/fspl-decoder.log) to see why a packet failed to decode.
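The whole flow, as an added example that is not part of the Filespooler documentation or project: two throw-away passwordless GnuPG keyrings stand in for the sending and receiving nodes, the sender encrypts and signs a constructed payload the way the sending side would, and the receiving side runs the page's decoder command on a good packet and on a deliberately tampered one, checking gpg's exit status each time. The user IDs, file paths and the byte offset used for tampering are assumptions made for this demo; fspl itself is only shown in comments, not invoked. It needs gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the Filespooler docs): throw-away sender and receiver
# keyrings, encrypt+sign on the sending side, the page's decoder on the
# receiving side, on a good packet and on a tampered one.
# User IDs, paths and the tamper offset are assumptions for this demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found; skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)
SENDER_HOME="$WORK/sender"     # GNUPGHOME of the sending node
RECV_HOME="$WORK/receiver"     # GNUPGHOME of the receiving node
mkdir -m 700 "$SENDER_HOME" "$RECV_HOME"
cleanup() {
    for d in "$SENDER_HOME" "$RECV_HOME"; do
        gpgconf --homedir "$d" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

SENDER=sender@example.invalid
RECV=receiver@example.invalid

# Passwordless key for unattended operation (see "Basics"): %no-protection is
# the batch-mode way to create a secret key with no passphrase, so no agent
# prompt or pinentry is ever needed when the queue is processed.
gen_key() {  # gen_key <GNUPGHOME> <email>
    gpg --homedir "$1" --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Filespooler node
Name-Email: $2
Expire-Date: 0
%commit
EOF
}
gen_key "$SENDER_HOME" "$SENDER"
gen_key "$RECV_HOME" "$RECV"

# Each side needs the other's public key: the sender encrypts to the receiver,
# and the receiver needs the sender's key to verify the signature (gpg exits
# nonzero for a signature it cannot check, which would fail every job).
gpg --homedir "$SENDER_HOME" --batch --export "$SENDER" \
    | gpg --homedir "$RECV_HOME" --batch --quiet --import 2>/dev/null
gpg --homedir "$RECV_HOME" --batch --export "$RECV" \
    | gpg --homedir "$SENDER_HOME" --batch --quiet --import 2>/dev/null

# Sending side: the encrypt+sign step from the Verifying page, applied to a
# constructed payload. In real use the input is the output of fspl prepare and
# the output is piped into fspl queue-write. --trust-model always lets batch
# mode encrypt to a key this keyring imported but never certified.
printf 'job payload line 1\njob payload line 2\n' > "$WORK/payload"
gpg --homedir "$SENDER_HOME" --batch --quiet --trust-model always \
    --sign -u "$SENDER" --encrypt -r "$RECV" \
    < "$WORK/payload" > "$WORK/job.gpg"

# Receiving side: the page's decoder is  gpg -q -d - 2>/dev/null , passed to
# fspl as  -d 'gpg -q -d - 2>/dev/null'. The packet arrives on stdin ("-")
# and the plaintext leaves on stdout; the keyring is whatever GNUPGHOME the
# processing user has. Here stderr is appended to a log instead of being
# thrown away, so a failure leaves a trace behind.
decode() {  # decode <packet-file> <plaintext-out>
    GNUPGHOME="$RECV_HOME" gpg -q -d - < "$1" > "$2" 2>> "$WORK/decoder.log"
}
decode_status() {  # like decode, but print gpg's exit status instead of aborting
    if decode "$1" "$2"; then echo 0; else echo $?; fi
}

# A packet with four bytes zeroed inside the encrypted session key: the
# receiver can no longer recover the session key, so gpg must fail.
cp "$WORK/job.gpg" "$WORK/tampered.gpg"
dd if=/dev/zero of="$WORK/tampered.gpg" bs=1 seek=20 count=4 conv=notrunc 2>/dev/null

GOOD_STATUS=$(decode_status "$WORK/job.gpg" "$WORK/decoded")               # 0
TAMPERED_STATUS=$(decode_status "$WORK/tampered.gpg" "$WORK/tampered.out") # nonzero

echo "good packet: gpg exit $GOOD_STATUS; tampered packet: gpg exit $TAMPERED_STATUS"
echo "decoder diagnostics that 2>/dev/null would have hidden:"
cat "$WORK/decoder.log"
```

The decoded file matches the original payload byte for byte, while the tampered packet produces a nonzero exit and an error line in decoder.log that the page's 2>/dev/null would have discarded. On a real node the only things that change are the keyring (the processing user's GNUPGHOME holds the receiving secret key and the senders' public keys) and the fact that fspl, not this script, runs the decoder string.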

See Also
Sometimes, one wants to verify the integrity and authenticity of a Filespooler job file before processing it.

Filespooler is a way to execute commands in strict order on a remote machine, and its communication method is by files. This is a perfect mix for Syncthing (and others, but this page is about Filespooler and Syncthing).

GnuPG (also known by its command name, gpg) is a tool primarily for public-key encryption and cryptographic authentication.

It seems that lately I’ve written several shell implementations of a simple queue that enforces ordered execution of jobs that may arrive out of order. After writing this for the nth time in bash, I decided it was time to do it properly. But first, a word on the why of it all.

Like the process described in Encrypting Filespooler Jobs with GPG, Filespooler can handle packets encrypted with Age. Age may be easier than GnuPG in a number of cases, particularly because it can use a person's existing SSH keypairs for encryption.

Filespooler lets you request the remote execution of programs, including stdin and environment. It can use tools such as S3, Dropbox, Syncthing, NNCP, ssh, UUCP, USB drives, CDs, etc. as transport; basically, a filesystem is the network for Filespooler. Filespooler is particularly suited to distributed and asynchronous communication.