phpgp is a command-line utility designed for secure storage and usage of PGP keys on external drives (such as USB flash drives). The project provides a server component to handle cryptographic operations (sign, encrypt, decrypt) in memory, ensuring private keys do not remain on the host machine.
This README covers installation, usage, configuration, and other important details for working with phpgp.
- Secure PGP key storage on external drives (USB or similar)
- Server-based cryptographic operations: signing, encryption, and decryption happen in memory, reducing key exposure
- Automatic passphrase prompt when mounting the external drive.
- Detachable signatures or encryption of files using your private key, stored only on the external drive
- Cross-platform:
- Windows uses a TCP socket (default port 65432)
- macOS and Linux use a Unix Domain Socket (
/tmp/phpgp.sockby default)
- PID management in an OS-specific cache directory (e.g.,
%LOCALAPPDATA%\phpgpon Windows,~/Library/Caches/phpgpon macOS,~/.cache/phpgpon Linux)
- Python 3.7+ (recommended)
- GNUPG installed for local key imports (
load,unload) - psutil for detecting removable drives
- Click for building the CLI
- PGPy library for handling PGP operations in Python
Simply install it via pip:
pip install phpgpor via pipx (recommended):
pipx install phpgp-
Create or Obtain Your PGP Keys:
-
For testing, you can generate keys with GnuPG:
gpg --full-generate-key gpg --armor --export-secret-keys > private_key.asc gpg --armor --export > public_key.asc
-
Alternatively, you may have existing keys in
.ascformat.
-
-
Configure an External Drive:
-
Make sure your USB drive or removable storage is mounted.
-
Run:
phpgp configure
-
This will prompt you for paths to your private and public keys and copy them to the drive (e.g.,
X:\.phpgp\privateandX:\.phpgp\public). -
You can choose to delete the keys from your local disk for extra security (which is recommended).
-
Once installed, you have access to the phpgp command with various subcommands.
With phPGP you can either mount your USB or load keys from it.
When mounted, phPGP starts local server on your machine so you can do all PGP operations using this server and phpgp commands. This is better for security than just loading keys from USB.
Let's take a closer look at this.
-
Mount:
phpgp mount
- Select the external drive.
- Enter your passphrase to unlock your private key.
- The server starts in your terminal window.
- Optionally remove the key from the external drive.
-
Unmount:
phpgp unmount
- Reads the server PID from the OS cache directory (e.g.,
~/.cache/phpgp/phpgp_server.pid). - Terminates the server process.
- Removes the PID file.
- Reads the server PID from the OS cache directory (e.g.,
-
Load:
phpgp load
Imports keys from your external drive into your local GPG instance, allowing you to use GnuPG commands locally with those keys.
-
Unload:
phpgp unload
Removes the locally imported secret key from your GPG instance.
Note
For greater security, you can set your computer to delete the private key automatically with this command when you disconnect the USB. You can do the same with key downloading for convenience.
When you run the phPGP server via mount, you will want to perform operations using phpgp instead of gpg. This can be done with the appropriate commands: phpgp sign, phpgp encrypt, phpgp decrypt.
Important
These commands will only work when the server is started with phpgp mount.
-
Make sure the server is running (
phpgp mount). -
Sign a file:
phpgp sign path/to/file.txt
- Reads
file.txtin binary mode, base64-encodes it, sends it to the server. - A detached signature is saved to
file.txt.sig.
- Reads
-
Verify with GnuPG:
gpg --verify file.txt.sig file.txt
-
Encrypt:
phpgp encrypt path/to/file.txt path/to/recipient_public_key.asc
- The encrypted data is saved to
file.txt.enc.
- The encrypted data is saved to
-
Decrypt:
phpgp decrypt path/to/file.txt.enc
- Decrypted data is saved to
file.txt.enc.dec.
- Decrypted data is saved to
- Configuration:
- Creates a
.phpgpfolder on your external drive containingprivateandpublicfolders with the appropriate keys.
- Creates a
- Mounting:
- Starts a background server (
phpgp.server) with your private key loaded in memory. - For security, you can remove the key files from the USB drive after mounting (recommended).
- Starts a background server (
- Server:
- Listens on a socket (TCP on Windows, Unix Domain Socket elsewhere).
- Receives JSON requests for
sign,encrypt,decrypt. - PGP operations happen in memory; the private key is never saved on local disk after mounting and never exposed until the
unmountoperation.
- Client Commands (subcommands in
cli.py):- Communicate with the server using JSON messages.
- Return results (signatures, encrypted data, decrypted data).
phpgp/
├── __init__.py # Metadata
├── cli.py # Main CLI implemented with Click
├── server.py # The server handling sign/encrypt/decrypt
└── utils.py # Helper functions for drive selection & cache path
There is some issues now, feel free to fix them!
- Fork the repository on GitHub.
- Create a Feature Branch from
main. - Implement your feature or bug fix.
- Add Tests where and if applicable.
- Open a Pull Request describing your changes.
phpgp is licensed under the GNU General Public License v3.0.
You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.
Enjoy secure and convenient PGP key usage with phPGP!