{"id":468,"date":"2012-07-04T16:33:18","date_gmt":"2012-07-04T08:33:18","guid":{"rendered":"http:\/\/rmohan.com\/?p=468"},"modified":"2013-03-28T17:37:22","modified_gmt":"2013-03-28T09:37:22","slug":"encrypt-files-using-gnupg","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=468","title":{"rendered":"Encrypt Files Using GnuPG"},"content":{"rendered":"

Encrypt Files Using GnuPG <\/a><\/h1>\n

HowTo we will discuss to encypt files using GnuPG. Encryption is a method which protect data stored on your computer or sending over the network from compromise. It can be used to ensure and verify data comes from a rightful owner, and also to maintain confidentiality of the data. We will used a tool GnuPG (GNU Privacy Guard) to encrypt individual files or validate files.<\/p>\n

GnuPG is an opensource implementation of the OpenPGP public key encryption system. Public Key Encryption uses asymmetric encryption, in which a matching pair of public and private keys are used to encrypt or decrypt. A person who accomplished this has to generate two keys i.e Private Key and Public Key.<\/p>\n

Private Key is the one kept by owner secretly and what is encrypt by private key can decrypt by the one who has the matching public key or what is encrypt by the public key by anyone can decrypt by the private key owner. Beside encryption it also verify that messages comes from the holder of the private or public keys.<\/p>\n

1) Generate Keys<\/h3>\n

Use following command to generate Public and Private Keys.<\/p>\n

\n

gpg \u2013gen-key<\/span><\/p>\n

It will ask series of questions, you can answer as per your need but this is what I used for example.<\/p>\n

\n

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? Press Enter to have default RSA<\/p>\n<\/blockquote>\n

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) Press Enter<\/span><\/p>\n

Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) Press Enter
Key does not expire at all
Is this correct? (y\/N) y<\/span><\/p>\n

 <\/p>\n

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
\u201cHeinrich Heine (Der Dichter) \u201d<\/p>\n

Real name: Mohan Ramadoss<\/span>
Email address: rmohan@rmohan.com<\/span>
Comment: Press Enter
You selected this USER-ID:
\u201cMohan Ramadoss\u201d<\/p>\n

Change (N)ame, (C)omment, (E)mail or (O)kay\/(Q)uit? o<\/span><\/p>\n

 <\/p>\n

\n

You need a Passphrase to protect your secret key.
fedorahat@123<\/span><\/p>\n<\/blockquote>\n

Use following commands to list your keys. You need to note the key-id to export your key. In below you can see the key-id after pub2048R <\/strong>which is ABF9DEAB<\/strong>.<\/p>\n

 <\/p>\n

gpg \u2013list-keys<\/span>
\/home\/rmohan\/.gnupg\/pubring.gpg
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-
pub 2048R\/ABF9DEAB 2012-02-16
uid Mohan Ramadoss
sub 2048R\/68DA88B7 2012-02-16
It will create a file named mohan-public.key on current location. Now transfer this file to your partner which you need to have it to decrypt or verify your files.<\/p>\n

Where -a is to put output in text rather than binary format. key-id will ensure we are using same key.<\/p>\n

scp mohan-public.key test@192.168.10.12:<\/p>\n

Now let your partner to import your public key.<\/p>\n

gpg \u2013import mohan-public.key<\/p>\n

gpg \u2013list-keys<\/span>
\/home\/rmohan\/.gnupg\/pubring.gpg
\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-
pub 2048R\/ABF9DEAB 2012-02-16
uid Mohan Ramadoss
sub 2048R\/68DA88B7 2012-02-16<\/p>\n

2). Export Public Key<\/strong><\/p>\n

Use following command to export your public key.<\/p>\n

\u00a0\u00a0\u00a0 gpg -a -o mohan-public.key \u2013export ABF9DEAB<\/span><\/p>\n

It will create a file named mohan-public.key on current location. Now transfer this file to your partner which you need to have it to decrypt or verify your files.<\/p>\n

Where -a is to put output in text rather than binary format. key-id will ensure we are using same key.<\/p>\n

\u00a0\u00a0\u00a0 scp mohan-public.key test@192.168.10.12:<\/span><\/p>\n

Now let your partner to import your public key.<\/p>\n

gpg \u2013import mohan-public.key<\/span><\/p>\n

3) Encrypt and Decrypt the File.<\/strong><\/p>\n

Lets now test it by encrypting one file by test using mohan public key and then decrypt it.<\/p>\n

echo \u2018This text is encrpted and can only be view by using sohail public key\u2019 > decrypt.txt<\/p>\n

\u00a0 gpg \u2013encrypt -a -r ABF9DEAB decrypt.txt<\/span><\/p>\n

It will create encrypted file with appended .asc extension. where -r will require to pub recipient name or key-id to whom this encryption has done.<\/p>\n

ls
\u00a0\u00a0 decrypt-me.txt.asc<\/span><\/p>\n

Now transfer this file to your partner computer.<\/p>\n

\u00a0\u00a0\u00a0 scp test@192.168.10.12:decrypt.txt.asc .<\/span><\/p>\n

Now decrypt the file on your computer.<\/p>\n

First see what it contain.<\/p>\n

cat decrypt.txt.asc<\/span><\/p>\n

\u2014\u2013BEGIN PGP MESSAGE\u2014\u2013
Version: GnuPG v1.4.11 (GNU\/Linux)<\/p>\n

hQEMAy7GnyBo2oi3AQgAg1m\/6bcLj+RZ4IKSr0HitWWyWc3mkIUkZ6KAMJnY2kSx
JmZ6e0Sc+D\/D9CUy0cmD6PGQcO2LjfQvTKpPvups9Ug3mr9JCqJyjfeDb59uiKN1
8cvq2U0\/OVppLb+yf4Z19OryuCdX2MlDdkmhlUaNbftWOA3YlYubi5Db0Fwl+e+X
nt6SZv51XnQ1wM3fsGN0q5+DAfPsIYtmRkDHvMkkdojkdO8Oxnj4LNu3\/iFhgNTl<\/p>\n

\u2014\u2013END PGP MESSAGE\u2014\u2013<\/p>\n

Now decrypt and save output on a file named decrypted.txt, note it will require passphrase which you used while creating keys.<\/p>\n

\u00a0\u00a0\u00a0 gpg \u2013decrypt decrypttxt.asc > decrypted.txt<\/span><\/p>\n

You need a passphrase to unlock the secret key for
user: \u201cMohan Ramadoss\u201d
2048-bit RSA key, ID 68DA88B7, created 2012-02-16 (main key ID ABF9DEAB)<\/p>\n

gpg: encrypted with 2048-bit RSA key, ID 68DA88B7, created 2012-02-16
\u201cMohan Ramadoss\u201d<\/p>\n

cat decrypted.txt<\/p>\n

This text is encrypted using mohan public key and can only be decrypt by mohan<\/p>\n

For more options you can see man pages of gpg using following command.<\/p>\n

man gpg<\/p>\n

For any question please comment.<\/p>\n

 <\/p>\n

Quick’n easy gpg cheatsheet<\/p>\n

If you found this page, hopefully it’s what you were looking for. It’s just a brief explanation of some of the command line functionality from gnu privacy guard (gpg). Please email me if you find any errors (scout3801@gmail.com<\/a>\u00a0).<\/p>\n

Filenames are italicized (loosely, some aren’t, sorry), so if you see something italicized, think “put my filename there.”<\/p>\n

I’ve used User Name as being the name associated with the key. Sorry that isn’t very imaginative. I *think* gpg is pretty wide in it’s user assignments, ie. the name for my private key is Charles Lockhart, but I can reference that by just putting in Lockhart. That doesn’t make any sense, sorry.<\/p>\n

to create a key:
gpg –gen-key
<\/strong>generally you can select the defaults.<\/p>\n

to export a public key into file public.key:
gpg –export -a “User Name” >\u00a0public.key<\/em><\/strong>
This will create a file called public.key with the ascii representation of the public key for User Name. This is a variation on:
gpg –export
which by itself is basically going to print out a bunch of crap to your screen. I recommend against doing this.
gpg –export -a “User Name”
prints out the public key for User Name to the command line, which is only semi-useful<\/p>\n

to export a private key:
gpg –export-secret-key -a “User Name” >\u00a0private.key<\/em><\/strong>
This will create a file called private.key with the ascii representation of the private key for User Name.
It’s pretty much like exporting a public key, but you have to override some default protections. There’s a note (*) at the bottom explaining why you may want to do this.<\/p>\n

to import a public key:
gpg –import\u00a0public.key<\/em><\/strong>
This adds the public key in the file “public.key” to your public key ring.<\/p>\n

to import a private key:
gpg –allow-secret-key-import –import\u00a0private.key<\/em><\/strong>
This adds the private key in the file “private.key” to your private key ring. There’s a note (*) at the bottom explaining why you may want to do this.<\/p>\n

to delete a public key (from your public key ring):
gpg –delete-key “User Name”
<\/strong>This removes the public key from your public key ring.
NOTE! If there is a private key on your private key ring associated with this public key, you will get an error! You must delete your private key for this key pair from your private key ring first.<\/p>\n

to delete an private key (a key on your private key ring):
gpg –delete-secret-key “User Name”
<\/strong>This deletes the secret key from your secret key ring.<\/p>\n

To list the keys in your public key ring:
gpg –list-keys
<\/strong><\/p>\n

To list the keys in your secret key ring:
gpg –list-secret-keys
<\/strong><\/p>\n

To generate a short list of numbers that you can use via an alternative method to verify a public key, use:
gpg –fingerprint >\u00a0fingerprint<\/em>
<\/strong>This creates the file fingerprint with your fingerprint info.<\/p>\n

To encrypt data, use:
gpg -e -u “Sender User Name” -r “Receiver User Name”\u00a0somefile<\/em><\/strong>
There are some useful options here, such as -u\u00a0to specify the secret key to be used, and -r\u00a0to specify the public key of the recipient.
As an example: gpg -e -u “Charles Lockhart” -r “A Friend” mydata.tar
This should create a file called “mydata.tar.gpg” that contains the encrypted data. I think you specify the senders username so that the recipient can verify that the contents are from that person (using the fingerprint?).
NOTE!: mydata.tar is not removed, you end up with two files, so if you want to have only the encrypted file in existance, you probably have to delete mydata.tar yourself.
An interesting side note, I encrypted the preemptive kernel patch, a file of 55,247 bytes, and ended up with an encrypted file of 15,276 bytes.<\/p>\n

To decrypt data, use:
gpg -d\u00a0mydata.tar.gpg<\/em>
<\/strong>If you have multiple secret keys, it’ll choose the correct one, or output an error if the correct one doesn’t exist. You’ll be prompted to enter your passphrase. Afterwards there will exist the file “mydata.tar”, and the encrypted “original,” mydata.tar.gpg.<\/p>\n

NOTE: when I originally wrote this cheat sheet, that’s how it worked on my system, however it looks now like “gpg -d mydata.tar.gpg” dumps the file contents to standard output. The working alternative (worked on my system, anyway) would be to use “gpg -o outputfile -d encryptedfile.gpg”, or using mydata.tar.gpg as an example, I’d run “gpg -o mydata.tar -d mydata.tar.gpg”. Alternatively you could run something like “gpg -d mydata.tar.gpg > mydata.tar” and just push the output into a file. Seemed to work either way.<\/p>\n

Ok, so what if you’re a paranoid bastard and want to encrypt some of your own files, so nobody can break into your computer and get them? Simply encrypt them using yourself as the recipient.<\/p>\n

I haven’t used the commands:
gpg –edit-key
gpg –gen-revoke<\/strong><\/p>\n