How to use the gpg command to encrypt Linux files | Virtual Reality
There are many reasons to encrypt files — even on a system that is well maintained and comparatively secure. The files may highly sensitive, contain personal information that you don’t want to share with anyone, or be backed up to some variety of online storage where you’d prefer it be extra secure.
Fortunately, commands for reliably encrypting files on Linux systems are easy to come by and quite versatile. One of the most popular is gpg.
gpg vs pgp and OpenPGP
Used both to encrypt files in place and prepare them to be sent securely over the Internet, gpg is related to, but not the same as, pgp and OpenPGP. While gpg is based on the OpenPGP standards established by the IETF, it is — unlike pgp — open source. Here’s the rundown:
- OpenPGP is the IETF-approved standard that defines encryption technology that uses processes that are interoperable with PGP.
- pgp is Symantec’s proprietary encryption solution.
- gpg adheres to the OpenPGP standard and provides an interface that allows users to easily encrypt their files.
Using gpg for symmetric encryption
Symmetric encryption means that you use the same key to both encrypt and decrypt a file. To encrypt a file with minimal effort, you could use a command like this:
$ gpg2 --symmetric myfile
This command will leave you with two files — myfile and myfile.gpg. Once you verify that the encrypted version of your original file has been created, you can use the shred command to securely remove the original file in a way that prevents it from being scraped off the disk with some disk recovery tool. During the encryption process, this command will also open up a tool on your desktop to prompt you twice to enter your passphrase. So, you have to be working on the desktop.
To do this kind of thing when you’re not working on the console, you can avoid having gpg trying to open up a GUI tool to prompt for your passphrase by supplying it on the command. In this case, you might use a command like this:
$ gpg --pinentry-mode loopback --passphrase 88bottlesOfBeer --symmetric myfile $ ls -l myfile.* -rw-r--r-- 1 shs shs 48721 Jul 30 19:52 myfile.gpg
NOTE: It’s bad practice to store your passphrase in clear text — even in your command history file, so be careful if you do this.
Using public and private keys
To use gpg for creating files that you want to share with other people, it’s generally best to use private/public keys. To share a file with a particular person, you encrypt it using their public key. In that case, that person is (presumably) the only one who can decrypt it. If you encrypt a file with your own public key, you’re the only one who can decrypt it.
To generate your public and private key set with gpg, you would use a command like this:
$ gpg --gen-key
Note that this command also requires that you be working on the console (GUI), not through an ssh session. The command is going to require that you produce some activity while your keys are bring generated — such typing or as moving your mouse cursor around the screen — to provide random data to the encryption process. It will also ask you to supply some information, such as your full name and the email address to be used for the key.
To encrypt a file for a particular recipient, you need to use a command that includes the –recipient argument to specify the recipient’s public key.
$ gpg --encrypt --recipient firstname.lastname@example.org instructions $ ls -l instructions.* -rw-rw-r-- 1 shs shs 51665 Jul 30 19:34 instructions.gpg
It’s interesting to note that while the private and public keys are linked (generated in a single operation), either key could play either role.
- If you encrypt with the public key, you could decrypt with the private key
- If you encrypt with the private key, you could decrypt with a public key
Convention dictates, however, that private keys are kept private.
We also haven’t looked at how public keys are used for authenticating senders.
Other command options
The gpg command offers many other options, as well. For example, if you prefer to use other than the default AES-128 encryption algorithm, you can specify the one you want to use with a command like this:
$ gpg --cipher-algo AES256 --symmetric myfile
You can list your keys with this command:
$ gpg --list-keys
While gpg commands can become quite complicated, the things you’re likely to do routinely can be accomplished without a lot of effort.