Linux: how to encrypt and decrypt files with GPG?

Protect your privacy with the Linux gpg command. Use first class encryption to keep your secrets safe. We will show you how to use gpg to work with keys, encrypt files and decrypt them.

GnuPrivacy Guard (GPG) allows you to encrypt files securely so that only the intended recipient can decrypt them. Specifically, GPG complies with the OpenPGP standard. It is based on a program called Pretty Good Privacy (PGP). PGP was written in 1991 by Phil Zimmerman.

GPG is based on the idea of ​​two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that was encrypted using the private key.

Send shielded files

To send a file securely, you must encrypt it with your private key and the recipient's public key. To decrypt the file, they need their private key and their public key.

You will see that public keys must be shared. You need to have the recipient's public key to be able to encrypt the file, and the recipient needs your public key to decrypt it. There is no danger in making your public keys so public.

In fact, there are Public Key Servers for the same purpose, as we will see. Private keys must be kept private. If your public key is in the public domain, then your private key must be kept secret and secure.

There are more steps to configure GPG than to use it. Fortunately, it is usually only necessary to configure it once.

Key generation

The gpg command was installed on all Linux distributions that were checked, including Ubuntu, Fedora and Manjaro.

You do not have to use GPG with email. You can encrypt the files and make them available for download or physically transmit them to the recipient. However, you need to associate an email address with the keys you generate, so choose the email address you will use.

Here is the command to generate your keys. The –full-generate-key option generates your keys in an interactive session within your terminal window. You will also be asked for a passphrase. Be sure to remember what the passphrase is. Three or four simple words linked to punctuation are a good and robust model for passwords and passphrases.

gpg –full-generate-key

You will be asked to choose an encryption type from a menu. Unless you have a good reason for not doing so, type 1 and press Enter.

You must choose a bit length for the encryption keys. Press Enter to accept the default value.

You must specify how long the key should last. If you are testing the system, enter a short duration of 5 for five days. If you are going to keep this password, enter a longer duration, such as 1 year, for one year. The key will have a duration of 12 months, so it will be necessary to renew it after one year. Confirm your choice with a Y.

You must enter your name and your email address. You can add a comment if you wish.

You will be asked for your password. You will need the passphrase every time you work with your keys, so make sure you know what it is.

Click the Accept button when you have entered your passphrase. You will see this window while working with gpg, so be sure to remember your passphrase.

The key generation will take place and will be returned to the command line.

Generation of a revocation certificate in Linux

If your private key is known to others, you will have to dissociate the old keys from your identity, in order to generate new keys. To do this, you will need a revocation certificate. We will do this now and keep it in a safe place.

The –output option on Linux must be followed by the file name of the certificate you want to create. The –gen-revoke option causes gpg to generate a revocation certificate. You must provide the email address you used when the keys were generated.

gpg –output ~ / revocation.crt –gen-revoke

You will be asked to confirm that you want to generate a certificate. Press Y and press Enter. You will be asked for the reason you are generating the certificate. As we are doing this in advance, we do not know for sure. Press 1 as a plausible assumption and press Enter.

You can enter a description if you wish. Press Enter twice to finish the description.

You will be asked to confirm your configuration, press Y and press Enter on the Linux command.

The certificate will be generated. You will see a message that reinforces the need to keep this certificate safe.

Mention someone named Mallory. Cryptography discussions have long used Bob and Alice as the two people who communicate. There are other support characters. Eve is a snooper, Mallory is a malicious attacker. All we need to know is that we must keep the certificate safe and secure.

At a minimum, let's remove all permissions other than ours from the certificate.

chmod 600 ~ / revocation.crt

Let's check with ls to see what the permit is now:

ls -l

That's perfect. No one but the owner of the file – us – can do anything with the certificate.

Import another person's public key

To encrypt a message that another person can decrypt, we must have their public key.

If your password has been provided in a file, you can import it with the following command. In this example, the key file is called «mary-geek.key».

The password is imported and the name and email address associated with that password are shown. Obviously, that should match the person from whom you received it.

There is also the possibility that the person from whom you need a password has uploaded your password to a public key server. These servers store the public keys of people around the world. The key servers synchronize with each other periodically so that the keys are universally available.

The MIT public key server is a popular and synchronized key server regularly, so the search there should be successful. If someone has recently uploaded a password, it may take a few days to appear.

The –keyserver Linux option must be followed by the name of the key server that you want to search. The –search-keys option must be followed by the name of the person you are looking for or your email address. We will use the email address:

gpg –keyserver –search-keys

The matches are listed for you and numbered. To import one, type the number and press Enter. In this case, there is only one match, so we write 1 and press Enter.

The password is imported and we are shown the name and email address associated with that password.

Verification and signing of a key in Linux

If someone you know has given you a public key file, you can safely say that it belongs to that person. If you have downloaded it from a public key server, you may feel the need to verify that the key belongs to the person to whom it is intended.

The –fingerprint option causes gpg to create a short sequence of ten sets of four hexadecimal characters. You can ask the person to send you the fingerprint of your key.

You can then use the –fingerprint option to generate the same sequence of fingerprints of hexadecimal characters and compare them. If they match, you know that the key belongs to that person.

gpg –fingerprint

The fingerprint is generated.

When you are satisfied that the password is authentic and belongs to the person with whom it is supposed to be associated, you can sign your password.

If you don't, you can continue using it to encrypt and decrypt messages to and from that person. But gpg will ask you each time if you want to continue because the key is not signed. We will use the –sign-key option and provide the email address of the person, so that gpg knows which password to sign.

gpg –sign-key

You will see information about the key and the person, and you will be asked to verify that you really want to sign the key. Press Y and press Enter to sign the key.

How to share your public key

To share your key as a file, we need to export it from the local gpg keystore. To do this, we will use the -export option, which must be followed by the email address used to generate the key. The –output option must be followed by the name of the file to which you want to export the key. The –armor option tells gpg to generate an ASCII armor output instead of a binary file.

gpg –output ~ / dave-geek.key –armor -export

We can take a look inside the key file with less.

less dave-geek.key

The key is shown in all its glory:

You can also share your public key on a public key server. The –send-keys option sends the key to the key server. The –keyserver option must be followed by the web address of the public key server. To identify which key to send, the fingerprint of the key must be provided on the command line. Note that there are no spaces between the four character sets.

(You can see the fingerprint of your key using the –fingerprint option.)

gpg –send-keys –keyserver 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4

You will receive a confirmation that the key has been sent.

Files encryption

Finally we are ready to encrypt a file and send it to Mary. The file is called Raven.txt.

The –encrypt option tells gpg to encrypt the file, and the –sign option tells you to sign the file with your data. The –armor option tells gpg to create an ASCII file. The -r (recipient) section must be followed by the email address of the person to whom the file is being sent.

gpg –encrypt –sign –armor -r

The file is created with the same name as the original, but with ".asc" added to the file name. Let's take a look inside.

less Raven.txt.asc

The file is completely illegible, and can only be decrypted by someone who has your public key and Mary's private key. The only person who should have both should be Mary.

Now we can send the file to Mary with the assurance that no one else can decrypt it.

Decrypt files

Maria has sent an answer. It is in an encrypted file called coded.asc. We can decrypt it very easily using the –decrypt option. We will redirect the output to another file called plain.txt.

Keep in mind that we don't have to tell gpg whose file it is. You can fix it from the encrypted content of the file.

gpg – decrypt coded.asc> plain.txt

Let's look at the plain.txt file:

less simple.txt

The file has been successfully decrypted for us.

Refreshing your keys

Periodically, you can ask gpg to check the keys you have in front of a public key server and refresh the ones that have changed. You can do it every few months or when you receive a key from a new contact.

The –refresh-keys option causes gpg to check. The –keyserver option must be followed by the key server of your choice. Once the keys have been synchronized between the public key servers, it should not matter which one you choose.

gpg –keyserver –refresh-keys

gpg responds by listing the keys it checks and notifies you if one has changed and has been updated.

Privacy is a key issue in Linux

Linux privacy is never far from the news these days. Whatever your reasons for wanting to keep your information safe and private, gpg provides a simple means to apply incredibly strong encryption to your files and communications.

There are other ways to use gpg. You can get a plugin for Thunderbird called Enigmail. It connects directly to your gpg settings to allow you to encrypt email messages from Thunderbird.