How To: Using GnuPG (gpg) to Encrypt Files In The Terminal
Part of the Series: "Encrypting Files With GnuPG"
GnuPG in the Terminal:
Almost every distro ships gpg by default, but if yours doesn't, searching for "gpg" (or "gnupg") with the package manager of choice will find it. The first thing you will want to do is create your key, which you do with gpg --gen-key and its interactive prompts:
You’ll next be prompted to choose what kind of key you wish to create. Selections include:
- RSA and RSA (default)
- DSA and Elgamal
- DSA (sign only)
- RSA (sign only)
I typically stick with the default, which creates an RSA primary key for signing and an RSA subkey for encryption (newer GnuPG versions add elliptic-curve choices to this menu). Next, gpg asks for the key size. A larger key is slower to use but harder to factor. 1024-bit RSA was the usual suggestion years ago and should no longer be used; 2048 bits is the minimum today, and 3072 or 4096 gives more margin for a key you expect to keep for years. The prompt then asks how long the key should be valid. Choose 0 if you do not want it to expire, but an expiry date is the safer choice: you can extend it at any time while you still control the key, and a key you have lost control of will then die on its own. The available options:
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
Now provide gpg with your "real name." Together with the comment line and email address asked for next, it forms the user ID (uid) attached to the key. This is what other people see, check and sign, and it cannot be edited after the fact (only replaced by adding a new uid and revoking the old one), so enter it carefully. Confirm your submission with the capital letter O, or choose another option to revise the information.
Next comes the passphrase. It does not encrypt your documents; it encrypts your private key on disk. Anyone who copies your keyring file, from a stolen laptop or an old backup, can guess at it offline with no rate limit, so it is the only thing between them and every message ever encrypted to you. Use a long passphrase you can remember rather than a short one chosen for convenience.
Now comes the fun part: entropy! You'll be asked to wildly flail the mouse around, punch keyboard keys, open programs, or whatever you wish to do. gpg needs enough entropy to generate the key, and once it has it the wizard continues. If you are unsure whether you have done enough, wait a bit and gpg will tell you. If not, bang away on that keyboard and mouse some more!
Important things to remember:
GPG stores its keys in keyring files, typically one public and one private keyring. In GnuPG 1.4 and 2.0:
- Your public keys are stored in ~/.gnupg/pubring.gpg
- Your secret keys are stored in ~/.gnupg/secring.gpg
GnuPG 2.1 and later use ~/.gnupg/pubring.kbx for public keys and keep each secret key as its own file under ~/.gnupg/private-keys-v1.d/, managed by gpg-agent; the commands below are the same either way.
To pull information on ALL keys that are available on your keyrings:
gpg --list-keys --fingerprint
To pull information only on YOUR keys (the ones you hold the secret half of):
gpg --list-secret-keys --fingerprint
Example of gpg key:
pub   2048R/01234567 2013-06-10
      Key fingerprint = 0995 ECD6 3843 CBB3 C050 28CA E103 6EED 0123 4567
uid                  Mike T. Penguin <email@example.com>
sub   4096g/FEDCBA98 2013-05-10
- Line 1 – pub – denotes a public key; sec denotes a secret key in --list-secret-keys output
- Line 1 – 2048R – the key size in bits followed by the algorithm letter: R is RSA, D is DSA, g is Elgamal (so the sub line above is a 4096-bit Elgamal encryption subkey)
- Line 1 – 01234567 – the short key ID, an eight-digit hexadecimal number that is simply the last 32 bits of the fingerprint. Many unrelated keys share any given short ID and one can be generated on purpose, so identify keys by their full fingerprint (or at least the 16-digit long ID shown with --keyid-format long)
- Line 1 – 2013-06-10 – the date the key was created.
- Line 2 – Key fingerprint – the fingerprint of your key, a hash of the whole public key; this is what you compare out of band to verify a key's identity.
- Line 3 – uid – the user ID information entered for this particular key.
- Line 4 – sub – one line per subkey; with the RSA and RSA default the encryption subkey is separate from the signing primary key and carries its own ID
Practice GOOD SECURITY practices:
- Never write down your passphrase where anyone else could find it.
- Remember the passphrase and don't lose the private key, or anything encrypted to it is gone for good.
- Adjust permissions with chmod so only you have access to them: 700 on ~/.gnupg and 600 on the files inside it.
- You could keep an offline copy of your public/private keys in a lock box, but always remember the passphrase.
- Important: immediately after your keypair is created, generate a revocation certificate for the primary key with --gen-revoke (mykey being your key ID, or better its fingerprint) and keep it somewhere safe and offline. It is the only way to tell the world the key is dead if you lose the private key or forget the passphrase, and anyone who holds it can revoke your key, so guard it like the key itself. GnuPG 2.1 and later also write one automatically to ~/.gnupg/openpgp-revocs.d/ at key creation.
gpg --output revoke.asc --gen-revoke mykey
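The key-creation prompts above, the key listing, and the permission and revocation-certificate advice, run end to end as one script. This is an added example rather than code from the original post: it needs GnuPG 2.1 or newer, works in a throwaway key home instead of ~/.gnupg, and the name, e-mail address and passphrase in it are placeholders. It answers the wizard's questions through a parameter file (the unattended form of gpg --gen-key), reads the full fingerprint from the machine-readable listing, applies and verifies the chmod advice, and finally shows what the revocation certificate is for by importing it:

```shell
#!/bin/sh
# Added example (not from the original post): the gpg --gen-key answers as an
# unattended GnuPG 2.1+ run in a throwaway key home, then the listing,
# permission and revocation-certificate checks from the surrounding text.
# The name, e-mail and passphrase below are placeholders.
set -eu

# A throwaway home, so the real ~/.gnupg is never touched.
new_home() {
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

# The wizard's prompts (key type and size, expiry, user ID, passphrase)
# expressed as a parameter file for gpg --batch --gen-key.
generate_key() {
    cat > "$GNUPGHOME/keyparams" <<'EOF'
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Mike T. Penguin
Name-Comment: example key
Name-Email: email@example.com
Expire-Date: 2y
Passphrase: correct horse battery staple
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/keyparams"
    rm -f "$GNUPGHOME/keyparams"     # never leave the passphrase on disk
}

# Full 40-hex-digit fingerprint of the first secret key: field 10 of the
# machine-readable "fpr" record. Use this, not the 8-digit short ID.
primary_fingerprint() {
    gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }'
}

# The short key ID is just the last 8 hex digits of the fingerprint.
short_key_id() {
    printf '%s\n' "$1" | cut -c33-40
}

# Validity letter of a public key (field 2 of the "pub" record):
# u = ultimately trusted, f = fully valid, r = revoked, e = expired.
key_validity() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '$1 == "pub" && !seen { print $2; seen = 1 }'
}

# chmod as the checklist says: 700 on the directory tree, 600 on every file.
harden_permissions() {
    find "$GNUPGHOME" -type d -exec chmod 700 {} +
    find "$GNUPGHOME" -type f -exec chmod 600 {} +
}

# Number of directories not 700 plus files not 600 under the key home.
loose_permissions() {
    { find "$GNUPGHOME" -type d ! -perm 700
      find "$GNUPGHOME" -type f ! -perm 600; } | wc -l | tr -d ' '
}

# GnuPG 2.1+ stores a revocation certificate for every key it generates
# (what --gen-revoke produces by hand) with a ":" in front of the BEGIN
# line so it cannot be imported by accident. Revoking the key means
# stripping that colon and importing the certificate.
revoke_key() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" |
        gpg --batch --quiet --import
}

main() {
    # Without GnuPG 2.1+ there is nothing to demonstrate: exit 0, not an error.
    gpg --version 2>/dev/null | head -n 1 | grep -Eq ' (2\.[1-9]|[3-9]\.)' \
        || { echo "GnuPG 2.1 or newer required" >&2; exit 0; }
    new_home
    generate_key
    fpr="$(primary_fingerprint)"
    echo "fingerprint: $fpr  (short ID $(short_key_id "$fpr"))"
    harden_permissions
    echo "entries with loose permissions: $(loose_permissions)"
    echo "validity before revocation: $(key_validity "$fpr")"
    revoke_key "$fpr"
    echo "validity after revocation:  $(key_validity "$fpr")"
    gpg --list-keys --fingerprint
    gpgconf --kill gpg-agent || true
}

main "$@"
```

The certificate is imported here only to show its effect: the key is listed as revoked afterwards. In real use it stays offline until the key is lost or compromised, and once imported it is also what you --send-keys to the keyserver so everyone else learns the key is dead. GnuPG 2.0 and 1.4 have no openpgp-revocs.d directory; there, run the --gen-revoke command above instead.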
Sharing your public key:
- Check first that you have a config file at ~/.gnupg/gpg.conf, and create it if you don't.
- Add the keyserver of choice with a keyserver line naming the server's URL (there are several available, such as MIT's public server). Keep in mind that public keyservers accept whatever anyone uploads: a key fetched from one proves nothing until you have checked its fingerprint with the owner.
Now, send your public key by issuing (where the number is the key ID):
gpg --send-keys 01234567
Print copies of your public key's fingerprint, the slip you hand to people who want to verify and sign your key (the key itself goes out with --armor --export, as in step 3 below):
gpg --fingerprint 01234567 >> key.txt
Open the file and print it, or print it straight from the terminal.
Receiving Keys (Step 1):
From someone else's public key printout (see above), enter the IDs of the keys you want to receive; you will then sign them:
gpg --recv-keys E4758D1D
Sign the keys (Step 2):
gpg --sign-key E4758D1D
- If a key has multiple user IDs, GPG will ask if you want to sign all of them. It is usually alright to sign all of them, unless one looks suspicious or names an address you have no reason to believe belongs to this person.
- Compare all of the information displayed by GPG with the information on the paper, the full fingerprint included, and only sign the key if it matches exactly. The eight-digit ID alone is not enough: it matches many keys.
- GPG will ask for the passphrase for your secret key; enter it and GPG will sign the other person's key with yours.
Send the signatures (Step 3):
Don't send the signed key back to the keyserver; export it, your signature included, and send it to each owner via email so they decide whether to publish it:
gpg --armor --output E4758D1D.signed-by.01234567.asc --export E4758D1D
Share your signed key (Step 4):
- Once you have received signature files from the other participants, import each of them into your keyring with gpg --import.
- You should see the signatures with:
gpg --list-sigs 01234567
- Send your key to the keyserver:
gpg --send-keys 01234567
Sending an encrypted file:
gpg --output doc.gpg --encrypt --recipient firstname.lastname@example.org doc
That’s it! Whew! Questions or comments, leave below.
Decrypting an encrypted file:
gpg --output doc --decrypt doc.gpg
“Documents may also be encrypted without using public-key cryptography. Instead, you use a symmetric cipher to encrypt the document. The key used to drive the symmetric cipher is derived from a passphrase supplied when the document is encrypted, and for good security, it should not be the same passphrase that you use to protect your private key. Symmetric encryption is useful for securing documents when the passphrase does not need to be communicated to others. A document can be encrypted with a symmetric cipher by using the --symmetric option.”
gpg --output doc.gpg --symmetric doc
- The GNU Privacy Handbook