[security] Introduction to encryption of files using GPG

04 Oct

Here’s a quick guide to create and encrypt files on the fly using GNU Privacy Guard (GnuPG or gpg, in short).

A. Keypair generation and key management

First, get GnuPG from here and install it.
Second, create your first private gpg key:

$ gpg --gen-key

It’ll then prompt you to choose a few options: first opt for 1 (DSA + RSA), then choose the maximum possible key length (why not?). Then enter the validity period of the key: if you want to share the public key part, you should choose a finite validity period. However, for your own purpose you may choose a non-expiring key. Next enter the required personal information: (a) real name, (b) comment (just a label for the key) and (c) email. Then verify the information and you’ll be asked to enter a passphrase. Choose a long but memorable passphrase. It’ll generate a public and private key pair in the ~/.gnupg directory.

You may want to check the installed keys on your keyring:

$ gpg --list-keys

If you want to get more information about a key, use

$ gpg -v --fingerprint <description>

The full form of <description> is ‘Real Name (comment) <your_email>’; but you may enter any part of it above since its purpose is just to identify the key. Probably the email is the most useful description for “uniquely” identifying a key. If you want to put more than one word in <description> in the above command, you must put quotes (' ') around the whole description string.

To delete a key, private or public (see below), use

$ gpg --delete-key <description>



B. Encryption for personal use

1. Encrypt a file on your computer, say filename.txt, using your private key:

$ gpg --encrypt --recipient <description> filename.txt

Here again <description> may be all or a part of the full description of the key. You may use the terse forms of --encrypt (viz. -e) and --recipient (viz. -r). You may save the output to a file of your choice (instead of the default, filename.txt.gpg) using the --output or -o option. You may also want to delete the original unencrypted file, filename.txt.

2. In order to decrypt file.txt.gpg to new_file.txt, use

$ gpg --output new_file.txt --decrypt file.txt.gpg

It’ll ask for your passphrase.


C. Encryption for public sharing

1. Create an ASCII version of your public key already generated:

$ gpg --armor --output kousik_pubkey.txt --export <my_description>

You may freely distribute kousik_pubkey.txt to anyone who you want to share files with. Next time if your friend wants to send some files securely to you, s/he should encrypt it using your public key (of course, you should send him/her that first!) using the following technique.

2. The friend first will import my public key to his/her keyring:

$ gpg --import kousik_pubkey.txt

S/he should verify that it is in his/her keyring using

$ gpg --list-keys

As a security measure, s/he should also check that the fingerprint is OK (see the key management part above).

3. Then s/he’ll encrypt the file, say securefile.txt, using my public key

$ gpg --encrypt --recipient <my_description> securefile.txt

and send me the encrypted securefile.txt.gpg as an email attachment.

4. I’ll decrypt the file in the usual manner, as if I encrypted it on my own computer (see above).
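The fingerprint check from step C.2, as an added example that is not part of the original post: it imports the received key into a throwaway keyring, compares its primary fingerprint with one obtained out of band (full 40 hex digits only, short key IDs are rejected), and encrypts only on a match. The function names, the temporary keyring and the sample listing are assumptions made for illustration.

```shell
# Added example, not from the original post; function names are hypothetical.
# SAMPLE_LISTING is a constructed `gpg --with-colons --fingerprint` listing.
SAMPLE_LISTING='pub:-:2048:1:334455667788AABB:1254614400:::-:::scESC:
fpr:::::::::0123456789ABCDEF00001122334455667788AABB:
uid:-::::1254614400::::Example User (constructed):
sub:-:2048:1:FFFFFFFFFFFFFFFF:1254614400::::::e:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:'

# Normalise a fingerprint read aloud or printed in groups: strip blanks,
# uppercase, and accept only a full 40-hex-digit fingerprint (no short key IDs).
norm_fpr() {
    f=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case "$f" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Print the primary key's fingerprint from a colon listing on stdin:
# the first "fpr" record after a "pub" record (subkey records are ignored).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             $1 == "fpr" && seen { print $10; exit }'
}

# fpr_matches EXPECTED < listing : succeeds only on an exact full match.
fpr_matches() {
    want=$(norm_fpr "$1") || return 2
    got=$(primary_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# encrypt_if_verified KEYFILE EXPECTED_FPR FILE : import KEYFILE into a throwaway
# keyring and write FILE.gpg only if its fingerprint equals EXPECTED_FPR.
encrypt_if_verified() {
    home=$(mktemp -d) || return 1
    rc=1
    if gpg --homedir "$home" --batch --quiet --import "$1" &&
       gpg --homedir "$home" --batch --with-colons --fingerprint | fpr_matches "$2"
    then
        # --trust-model always: validity was just established by the check above.
        gpg --homedir "$home" --batch --trust-model always \
            --recipient "$(norm_fpr "$2")" --output "$3.gpg" --encrypt "$3"
        rc=$?
    else
        echo "import failed or fingerprint mismatch: not encrypting" >&2
    fi
    rm -rf "$home"
    return "$rc"
}
```

Call it as `encrypt_if_verified kousik_pubkey.txt "<fingerprint obtained out of band>" securefile.txt`; the friend's own keyring is left untouched.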


N.B. GnuPG may also be used for passphrase-based symmetric encryption (-c), in the same way as OpenSSL:

$ gpg --cipher-algo aes256 -c -o filename.txt.gpg filename.txt

References: here and here, as well as on the GnuPG HowTo page.

Posted by on October 4, 2009 in linux, osx, security, unix


5 responses to “[security] Introduction to encryption of files using GPG”

  1. competitive intelligence

    November 21, 2009 at 1:36 PM


    I subscribed because I think this is the right place for me.

    bye :)

    competitive intelligence

