GNU Privacy Guard (GnuPG or GPG) is a GPL-licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, the current IETF standards-track specification of OpenPGP. Current versions of PGP (and Veridis’ Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.
Solution 1 – Encrypt with a symmetric key
This is the easiest way to encrypt a file: you use a “password” (a passphrase) to encrypt the file, and when you want to decrypt the ciphertext you have to supply the same password.
The key, in practice, represents a shared secret between two or more parties that can be used to keep information private. In general this solution is only as good as the password you choose; it can be a good way to send a document via email and communicate the password through another medium (telephone, instant message, chat).
In this example I’ll use a simple file, mysecretdocument.txt, that contains the text secret 1234:
mint-desktop tmp # cat mysecretdocument.txt
secret 1234
Now we can use the gpg option -c (or --symmetric) to encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is CAST5, but another may be chosen with the --cipher-algo option:
mint-desktop tmp # gpg -c mysecretdocument.txt
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
This was my first use of gpg on this computer, so it created the directory /root/.gnupg and some files; this is normal if you have never used gpg before. It also asked me for a passphrase twice; once I had typed it both times it created the new file, and now I have the new encrypted file in that directory:
mint-desktop tmp # ls -alrt
-rw-r--r-- 1 root root 12 Jan 10 23:13 mysecretdocument.txt
-rw-r--r-- 1 root root 67 Jan 10 23:14 mysecretdocument.txt.gpg
And we can cat the new file to verify that it has been encrypted. The default behaviour is to keep the file name of the original and add the suffix .gpg at the end:
mint-desktop tmp # cat mysecretdocument.txt.gpg
This will show a bunch of unprintable characters; this is fine.
Now we can keep our secret file and delete the plain-text one, or send it via email, and once we need to see our secret again we can use the command:
mint-desktop tmp # gpg -d mysecretdocument.txt.gpg
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: CAST5 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase
secret 1234
gpg: WARNING: message was not integrity protected
gpg with the -d option prints the output directly on standard output; to write it to a file you can use the gpg option -o outputfile.txt:
mint-desktop tmp # gpg -o mynewfile.txt -d mysecretdocument.txt.gpg
mint-desktop tmp # ls -l my*
-rw-r--r-- 1 root root 12 Jan 10 23:37 mynewfile.txt
-rw-r--r-- 1 root root 12 Jan 10 23:13 mysecretdocument.txt
-rw-r--r-- 1 root root 67 Jan 10 23:14 mysecretdocument.txt.gpg
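The session above is interactive and, as the last line of the decryption shows, the CAST5 default of this gpg version produced a message with no integrity protection. The following script is an added example, not part of the original post: it performs the same symmetric encrypt/decrypt cycle without prompts (passphrase on stdin with --passphrase-fd, which gpg 2.1 and later only honours together with --pinentry-mode loopback), selects AES256 with the modification detection code forced on (--force-mdc is accepted as a no-op since gpg 2.2.8, where it is always on), and then checks that a ciphertext with one byte changed is rejected instead of decrypting silently. Everything runs in a throwaway --homedir so the real ~/.gnupg is untouched; the passphrase and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive symmetric
# encryption/decryption with gpg plus a tamper check. Assumes gpg 1.4 or 2.x.
set -eu

# gpg >= 2.1 reads --passphrase-fd only in loopback pinentry mode; gpg 1.4
# does not know that option, so choose the flags from the installed version.
gpg_pass_opts() {
    major=$(gpg --version | sed -n '1s/.* \([0-9]*\)\..*/\1/p')
    if [ "${major:-1}" -ge 2 ]; then
        echo "--pinentry-mode loopback --passphrase-fd 0"
    else
        echo "--passphrase-fd 0"
    fi
}

# gpg_sym_encrypt HOMEDIR PASSPHRASE PLAINTEXT_FILE CIPHERTEXT_FILE
gpg_sym_encrypt() {
    printf '%s' "$2" | gpg --homedir "$1" --batch --yes --quiet \
        $(gpg_pass_opts) --cipher-algo AES256 --force-mdc -o "$4" -c "$3"
}

# gpg_sym_decrypt HOMEDIR PASSPHRASE CIPHERTEXT_FILE  (plaintext on stdout)
gpg_sym_decrypt() {
    printf '%s' "$2" | gpg --homedir "$1" --batch --quiet $(gpg_pass_opts) -d "$3"
}

# flip_last_byte FILE: change the final byte so the integrity check must fail
flip_last_byte() {
    size=$(wc -c < "$1")
    last=$(od -An -tu1 -j $((size - 1)) -N 1 "$1" | tr -d ' ')
    new=$(( (last + 1) % 256 ))
    printf "$(printf '\\%03o' "$new")" | dd of="$1" bs=1 seek=$((size - 1)) conv=notrunc 2>/dev/null
}

# sym_roundtrip: prints the recovered plaintext if encrypt -> decrypt works
# AND the tampered copy is refused; returns non-zero otherwise.
sym_roundtrip() {
    work=$(mktemp -d)
    chmod 700 "$work"
    printf 'allow-loopback-pinentry\n' > "$work/gpg-agent.conf"   # older 2.1.x agents need this
    printf 'secret 1234\n' > "$work/mysecretdocument.txt"          # constructed input
    gpg_sym_encrypt "$work" 'correct horse' "$work/mysecretdocument.txt" "$work/mysecretdocument.txt.gpg"
    out=$(gpg_sym_decrypt "$work" 'correct horse' "$work/mysecretdocument.txt.gpg")
    cp "$work/mysecretdocument.txt.gpg" "$work/tampered.gpg"
    flip_last_byte "$work/tampered.gpg"
    if gpg_sym_decrypt "$work" 'correct horse' "$work/tampered.gpg" >/dev/null 2>&1; then
        tampered_ok=1    # must not happen: the change went unnoticed
    else
        tampered_ok=0    # gpg reports "encrypted message has been manipulated"
    fi
    gpgconf --homedir "$work" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$tampered_ok" -eq 0 ] || return 1
    printf '%s\n' "$out"
}

sym_roundtrip
```

Feeding the passphrase through a pipe keeps it out of the process list (which a --passphrase argument would expose); --batch turns any prompt into a hard failure, which is what you want in scripts.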
Solution 2 – Encrypt with a public key
There is also another approach to encryption: GPG allows you to use public/private key encryption to encrypt and decrypt files on Windows and Linux. The benefit of public/private key encryption is that you can keep your public key out in the open and use it from anywhere to encrypt files. Once encrypted with the public key, those files can only be decrypted with the private key.
So in this example we will adopt a system that uses a certificate consisting of two distinct keys, one private and one public.
The private key should remain exclusively in the hands of the owner of the certificate.
The owner will use it to decrypt files that are sent to him; those files can now be sent even over insecure protocols (email, ftp, http upload).
The public key can be distributed to the whole world without any risk. It will be used to encrypt files addressed to the owner of the certificate, and only the owner of the related private key can decrypt such a file.
The public key can be handed to anyone without any control; the fact that it falls into foreign hands is no danger. The greatest attention should be given exclusively to the private key, which must remain strictly in the hands of its legitimate owner.
First of all, you must generate a public/private keypair. This keypair is generated with the --gen-key option of gpg:
$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter)"

Real name: Linuxaria admin
Email address: admin@linuxaria.com
Comment:
You selected this USER-ID:
    "Linuxaria admin <admin@linuxaria.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: gpg-agent is not available in this session
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 26 more bytes)
...........+++++
........+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A7B8B4DD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/A7B8B4DD 2013-01-11
      Key fingerprint = AF7B 310A 57FF 0524 91A6 E483 83F7 FE98 A7B8 B4DD
uid                  Linuxaria admin <admin@linuxaria.com>
sub   4096R/E427331B 2013-01-11
In this example I’ve created an RSA key 4096 bits long and set as user ID for the key (which consists of the real name, e-mail address and optionally a comment) “Linuxaria admin”. I can verify the new keys with the options --list-keys and --list-secret-keys:
mint-desktop ~ # gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   4096R/A7B8B4DD 2013-01-11
uid                  Linuxaria admin <admin@linuxaria.com>
sub   4096R/E427331B 2013-01-11

mint-desktop ~ # gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec   4096R/A7B8B4DD 2013-01-11
uid                  Linuxaria admin <admin@linuxaria.com>
ssb   4096R/E427331B 2013-01-11
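The key generation above is a dialogue; for servers and scripts gpg also accepts the same answers from a parameter file with --batch --gen-key. The script below is an added example, not from the original post, and goes one step past the listing shown: it generates a key for the post's user ID unattended, exports the public half with --armor (the shareable part), imports it into a second throwaway --homedir standing in for a sender, encrypts a file there with -e -r, and then demonstrates the split the post describes: the sender's keyring, holding only the public key, cannot decrypt the file, while the owner's can. It assumes gpg 2.1 or later (for the %no-protection directive); the passphrase-less key exists only so the demo needs no prompts, and a real key should carry the passphrase the post asks for. The file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): unattended keypair generation,
# public-key export/import and the encrypt-with-public / decrypt-with-private
# split. Assumes gpg >= 2.1.
set -eu

# gpg_gen_key HOMEDIR: create an RSA keypair for the post's user ID with no
# prompts and print its fingerprint.
gpg_gen_key() {
    cat > "$1/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Linuxaria admin
Name-Email: admin@linuxaria.com
Expire-Date: 0
%commit
EOF
    gpg --homedir "$1" --batch --quiet --gen-key "$1/keyparams" 2>/dev/null
    # --with-colons gives a machine-readable listing; field 10 of the first
    # "fpr" record is the primary key fingerprint
    gpg --homedir "$1" --batch --with-colons --list-keys admin@linuxaria.com \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# pubkey_workflow: prints the plaintext recovered by the key owner; returns
# non-zero if the sender (public key only) was able to decrypt.
pubkey_workflow() {
    owner=$(mktemp -d); sender=$(mktemp -d)
    chmod 700 "$owner" "$sender"
    fpr=$(gpg_gen_key "$owner")
    # the public half is what gets handed out; --armor makes it mailable
    gpg --homedir "$owner" --batch --armor --export "$fpr" > "$sender/admin.pub.asc"
    gpg --homedir "$sender" --batch --quiet --import "$sender/admin.pub.asc" 2>/dev/null
    printf 'secret 1234\n' > "$sender/mysecretdocument.txt"     # constructed input
    # --trust-model always: the sender has not certified this key, so skip the
    # web-of-trust refusal; in real use compare the fingerprint out of band
    gpg --homedir "$sender" --batch --yes --quiet --trust-model always \
        -r admin@linuxaria.com -o "$sender/mysecretdocument.txt.gpg" \
        -e "$sender/mysecretdocument.txt"
    status=0
    if gpg --homedir "$sender" --batch --quiet -d "$sender/mysecretdocument.txt.gpg" >/dev/null 2>&1; then
        status=1     # must not happen: no secret key in the sender's keyring
    fi
    out=$(gpg --homedir "$owner" --batch --quiet -d "$sender/mysecretdocument.txt.gpg" 2>/dev/null)
    gpgconf --homedir "$owner" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$sender" --kill gpg-agent 2>/dev/null || true
    rm -rf "$owner" "$sender"
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$out"
}

pubkey_workflow
```

The --export output is the only thing the owner ever needs to publish; the secret key never leaves the owner's homedir, which is exactly the property the post relies on.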