
Here’s a quick guide to create and encrypt files on the fly using GNU Privacy Guard (GnuPG or gpg, in short).

A. Keypair generation and key management

First, get GnuPG from here and install it.
Second, create your first private gpg key:

$ gpg --gen-key

It’ll then prompt you to choose a few options: first opt for 1 (DSA + RSA), then choose the maximum possible keylength (why not?). Then enter the validity period of the key: if you want to share the public key part, you should choose a finite validity period, but for your own purposes you may choose a non-expiring key. Next enter the required personal information: (a) real name, (b) comment (just a label for the key) and (c) email. Verify the information and you’ll be asked to enter a passphrase. Choose a long but memorable passphrase. gpg will then generate a public and private key-pair in the ~/.gnupg directory.

You may want to check the installed keys on your keyring:

$ gpg --list-keys

If you want to get more information about a key, use

$ gpg -v --fingerprint <description>

The full form of <description> is ‘Real Name (comment) <your_email>’; but you may enter any part of it above since its purpose is just to identify the key. Probably the email is the most useful description for “uniquely” identifying a key. If you want to put more than one word in <description> in the above command, you must put quotes ('...') around the whole description string.

To delete a key, private or public (see below), use

$ gpg --delete-key <description>



B. Encryption for personal use

1. Encrypt a file on your computer, say filename.txt, using your private key:

$ gpg --encrypt --recipient <description> filename.txt

Here again <description> may be all or a part of the full description of the key. You may use the short forms of --encrypt (viz. -e) and --recipient (viz. -r). You may save the output to a file of your choice (instead of the default, filename.txt.gpg) using the --output or -o option. You may also want to delete the original unencrypted file, filename.txt.

2. In order to decrypt file.txt.gpg to new_file.txt, use

$ gpg --output new_file.txt --decrypt file.txt.gpg

It’ll ask for your passphrase.


C. Encryption for public sharing

1. Create an ASCII version of your public key already generated:

$ gpg --armor --output kousik_pubkey.txt --export <my_description>

You may freely distribute kousik_pubkey.txt to anyone you want to share files with. Next time your friend wants to send some files securely to you, s/he should encrypt them using your public key (of course, you should send him/her that first!) using the following technique.

2. The friend will first import my public key to his/her keyring:

$ gpg --import kousik_pubkey.txt

S/he should verify that it is in his/her keyring using

$ gpg --list-keys

As a security measure, s/he should also check that the fingerprint is OK (see above in the key management part).

3. Then s/he’ll encrypt the file, say securefile.txt, using my public key

$ gpg --encrypt --recipient <my_description> securefile.txt

and send me the encrypted securefile.txt.gpg as an email attachment.

4. I’ll decrypt the file in the usual manner, as if I encrypted it on my own computer (see above).
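The whole exchange from sections A, B and C, scripted end to end as an added example (this is not code from the original post): two throwaway keyrings stand in for me and the friend, my public key is exported and imported, the friend compares the imported fingerprint with the one I gave out-of-band before locally signing the key, then encrypts to it, and I decrypt with my secret key. Everything runs unattended with --batch, so the interactive prompts of --gen-key are replaced by --quick-gen-key (GnuPG 2.1 or later). The user IDs, passphrases and message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the post's own code. Requires gpg 2.1+ on PATH.
set -eu

# Unattended keypair generation: "default default never" = default algorithm,
# sign+encrypt capability, no expiry (the post's choice for one's own use).
gen_key() {  # gen_key <homedir> <user-id> <passphrase>
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase "$3" --quick-gen-key "$2" default default never
}

# Primary-key fingerprint for a description, from gpg's machine-readable output.
fingerprint_of() {  # fingerprint_of <homedir> <description>
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The out-of-band check: what the sender read out (phone, in person) against what
# the keyring shows, ignoring the spacing and case people use when transcribing.
fingerprint_matches() {  # fingerprint_matches <expected> <actual>
    a=$(printf '%s' "$1" | tr -d ' \n' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \n' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Deleting a public key in batch mode needs the fingerprint and --yes; if the
# keyring also holds the secret key, --delete-secret-keys must be run first.
delete_public_key() {  # delete_public_key <homedir> <fingerprint>
    gpg --homedir "$1" --batch --yes --delete-key "$2"
}

exchange() {
    work=$(mktemp -d)
    me="$work/me"; friend="$work/friend"
    mkdir -m 700 "$me" "$friend"
    me_pw='demo-passphrase-me'; friend_pw='demo-passphrase-friend'   # constructed

    gen_key "$me" 'Kousik Demo <kousik@example.invalid>' "$me_pw" || return 1
    gen_key "$friend" 'Friend Demo <friend@example.invalid>' "$friend_pw" || return 1

    # C.1: I export an ASCII-armored copy of my public key and note its fingerprint.
    gpg --homedir "$me" --batch --armor --output "$work/kousik_pubkey.txt" \
        --export kousik@example.invalid || return 1
    my_fpr=$(fingerprint_of "$me" kousik@example.invalid)

    # C.2: the friend imports it and checks the fingerprint BEFORE trusting the key;
    # only then is it locally signed, which makes gpg treat it as valid.
    gpg --homedir "$friend" --batch --quiet --import "$work/kousik_pubkey.txt" || return 1
    imported_fpr=$(fingerprint_of "$friend" kousik@example.invalid)
    fingerprint_matches "$my_fpr" "$imported_fpr" || { echo "fingerprint mismatch" >&2; return 1; }
    gpg --homedir "$friend" --batch --quiet --yes --pinentry-mode loopback \
        --passphrase "$friend_pw" --quick-lsign-key "$imported_fpr" || return 1

    # C.3: the friend encrypts to my key, naming it by the verified fingerprint
    # (--recipient selects the public key to encrypt to).
    printf 'constructed secret message\n' > "$work/securefile.txt"
    gpg --homedir "$friend" --batch --quiet --encrypt --recipient "$imported_fpr" \
        --output "$work/securefile.txt.gpg" "$work/securefile.txt" || return 1

    # C.4 (same as B.2): only my secret key plus passphrase can decrypt it.
    gpg --homedir "$me" --batch --quiet --pinentry-mode loopback --passphrase "$me_pw" \
        --output "$work/new_file.txt" --decrypt "$work/securefile.txt.gpg" || return 1
    cmp -s "$work/securefile.txt" "$work/new_file.txt" || return 1

    # A: the friend removes my public key again, then everything is cleaned up.
    delete_public_key "$friend" "$imported_fpr" || return 1
    for d in "$me" "$friend"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}

# Run the demo where gpg is available; the functions above can also be sourced.
if command -v gpg >/dev/null 2>&1; then
    exchange && echo "round trip OK"
fi
```

Passphrases are passed on the command line only because the whole demo is self-contained; in real use let gpg prompt for them (or use --passphrase-file with a mode-600 file), since arguments are visible to other users via ps.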


N.B. gpg may also be used for symmetric (passphrase-only) encryption, in the same way as OpenSSL:

$ gpg --cipher-algo aes256 -c -o filename.txt.gpg filename.txt
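The symmetric form above, as an added example that is not from the original post: encryption and decryption under a passphrase read from a file rather than the command line, with explicit key-stretching settings, followed by the check that a wrong passphrase is rejected. The passphrases and plaintext are constructed for the demo; it assumes gpg 2.1 or later.

```shell
#!/bin/sh
# Added example, not the post's own code. Requires gpg 2.1+ on PATH.
set -eu

# AES-256 under a passphrase. --s2k-* strengthens the passphrase-to-key
# derivation (iterated+salted, SHA-512, maximum iteration count), which is the
# only thing standing between the file and a guessing attack in symmetric mode.
sym_encrypt() {  # sym_encrypt <plaintext> <ciphertext> <passphrase-file>
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase-file "$3" \
        --cipher-algo AES256 --s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --symmetric --output "$2" "$1"
}

sym_decrypt() {  # sym_decrypt <ciphertext> <plaintext-out> <passphrase-file>
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase-file "$3" \
        --output "$2" --decrypt "$1"
}

# Round trip, then the failure mode: decryption with the wrong passphrase must fail.
sym_demo() {
    work=$(mktemp -d)
    umask 077                                   # passphrase files readable by us only
    printf 'constructed plaintext\n' > "$work/filename.txt"
    printf 'demo-passphrase\n' > "$work/pw"      # constructed
    printf 'wrong-passphrase\n' > "$work/pw.wrong"
    rc=0
    sym_encrypt "$work/filename.txt" "$work/filename.txt.gpg" "$work/pw" || rc=1
    sym_decrypt "$work/filename.txt.gpg" "$work/new_file.txt" "$work/pw" || rc=1
    cmp -s "$work/filename.txt" "$work/new_file.txt" || rc=1
    if sym_decrypt "$work/filename.txt.gpg" "$work/bad.txt" "$work/pw.wrong" 2>/dev/null; then
        rc=1                                    # must not succeed
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $rc
}

if command -v gpg >/dev/null 2>&1; then
    sym_demo && echo "symmetric round trip OK, wrong passphrase rejected"
fi
```

Unlike the public-key flow, anyone holding the passphrase can decrypt, so the passphrase has to travel to the recipient over a separate channel and should be as strong as the data deserves.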

References: here and here, as well as the GnuPG HowTo page.