Do you need to email your wife your Social Security number? Send confidential business plans to your partner in Thailand? Send your hacker buddies the recovered hashes from last night's breach? Try using GPG, a valuable and easy to use open-source encryption program.
In my first article, I went over the installation and key-generation options with GPG. While that was enough to create a key-set, we need to put those to good use. Let's take a brief walk through encrypting and decrypting files to give you a feel for GPG's power. Then we'll go over how you can start using GPG to transfer files securely.
You have a few options, each with their own situational perks:
- You could encrypt it with your private key and allow someone to decrypt it with your public key, functioning as an electronic signature on the document.
- That can be reversed, as I elaborated on in the previous article, allowing remote clients to encrypt messages only you can decrypt.
- Lastly, if that was not enough, you can encrypt documents with a new passphrase, where one key both encrypts and decrypts.
Getting Started
Open up a terminal window and if you are not there already, navigate to your home directory. We want to create a file to play around with, so type:
$ touch test
Touch is a Linux command that creates a blank file to use. Normally, when someone shares their public key with you, you'd simply type:
$ gpg --import [keyblock]
Where [keyblock] is the file containing the public key you wish to add.
This would add their key to your keyring. Now in the future, when you want to send them a message, all you must remember is their Key ID.
If you're thinking right now that your private key is critical, you are absolutely right. By default, your keyring is stored in ~/.gnupg and should an attacker get in there, let's hope you followed my instructions on passphrase length, as that is all that stands between them and your private key. Let's get to it and protect some data!
Step 1 Let's Encrypt!
We now have our file test and are ready to go! I'm now going to explain some of the common commands you will want to know. This list is by no means everything there is, but it will get you up and running quickly. To start out lets encrypt our file using the -e flag (for encrypt!)
If you are reading this, I'm guessing you only have one key-set, and that's the one you just created. What we are going to do is encrypt a file with our public key and then decrypt it with our private key.
Go ahead and type:
$ gpg -e test
That should give you the following:
You did not specify a user ID. (you may use "-r")
Current recipients:
Enter the user ID. End with an empty line:
Remember when you gave GPG a name to associate with your key? This is where it comes into use. What is happening is GPG wants to know who is going to be decrypting this file, and it wants to use their public key to encrypt it.
In my example, I will type 'Allen', as I know that's the name of my public key. GPG will search for the string you give it and return with the key ID and another prompt to add additional people if you so please. We will just tap enter here and proceed.
Current recipients:4096R/E326A749 2012-02-17 "Allen Freeman <allen@fakeemail.com>"
Enter the user ID. End with an empty line:
Now, if we list the directory we should see both test and test.gpg. Test.gpg could be anything and you can now load it onto a USB drive, or email it away. Even if it was intercepted or found, they would be unable to get anything readable out of it. Go ahead and give it a try by typing:
$ cat test.gpg (cat is short for concatenate, and is used to display file contents quickly)
You should see a bunch of noise and symbols and such. That is what the encrypted looks like.
Step 2 Let's Decrypt!
So, remembering that we used our public key to encrypt, we will have to use our private key to decrypt. This is achieved with the -d flag ("d" for decrypt... easy huh?).
Type:
$ gpg -d test.gpg
You should see:
You need a passphrase to unlock the secret key for user:
"Allen Freeman <allen@freeman.com>"
4096-bit RSA key, ID E326A749, created 2012-02-17 (main key ID 4387802B)
gpg: gpg-agent is not available in this session
Enter passphrase:
And if you mistype it a few times, you are greeted with:
gpg: encrypted with 4096-bit RSA key, ID E326A749, created 2012-02-17
"Allen Freeman <allen@freeman.com>"
gpg: public key decryption failed: bad passphrase
gpg: decryption failed: secret key not available
And if you have it right, GPG exits cleanly and places you back at your command prompt, with the unencrypted file in your working directory.
Secure Transfer 101
All this encrypting and hiding is only so useful. The real reason to encrypt files is to be able to send and receive them. The problem with sending data in clear text (unencrypted) is, between your ISP, the police and your neighbors, there are a lot of places someone could take a peek. You can safely send files encrypted with the public key across the web, knowing that even if it's intercepted, it cannot be decrypted by anyone without their private key.
Step 3 One Last Thing - Symmetric Ciphers!
What if you want to just encrypt something without a public and private key? You can use what is called a symmetric cipher. Using the '-c' flag on the command tells GPG you want to create a new passphrase for just this file. Let's see an example by typing into the console:
$ gpg -c test
You should then see:
gpg: gpg-agent is not available in this session
Enter passphrase:
Just like the normal '-e' flag, GPG will exit cleanly back to the command prompt if successful. A simple 'gpg -d test' will give us the clear text file once again.
Afterthoughts
Now you have the ability to hide your files securely and transmit them to trusted friends with confidence. You can add to this as well. For example, you could send a *.gpg encrypted file over TLS/SSL or a low latency network like Tor or i2p.
tl;dr
If you are comfortable enough just knowing the commands instead of reading the full article above, here's the rundown.
Encrypt file using your public key:
$ gpg -e testfile
Verify file is encrypted:
$ cat testfile.gpg
Decrypt file using your private key:
$ gpg -d testfile.gpg
Encrypt using a symmetric cipher you create:
$ gpg -c testfile
Adding a public key to your keyring:
$ gpg --import [file_containing_keyblock]
Tip
- Be careful with what you encrypt. If you lose your private key or forget your passphrase, you might as well throw out your old encrypted files!
Just updated your iPhone? You'll find new emoji, enhanced security, podcast transcripts, Apple Cash virtual numbers, and other useful features. There are even new additions hidden within Safari. Find out what's new and changed on your iPhone with the iOS 17.4 update.
2 Comments
Thank you for this. I am going to try it out with my sensitive work files. By the way i would like to ask something. The low latency networks like Tor and i2p, do they encrypt further the data you send or do they just make you anonymous?
They also add layers of encryption on top. You can encrypt your work files using GPG and then use a network like Tor or I2P to transfer them. You gain from the added security as an attacker would have to compromise multiple layers before even getting to your original encrypted file.
Share Your Thoughts