Encrypting and decrypting files with GnuPG


GnuPG, the open replacement for PGP, is an excellent tool for managing cryptographic signatures on files or e-mails to check validity and integrity, as well as a tool to encrypt and decrypt sensitive files. Previously, we looked at creating an initial GPG public/private keypair and at embedding a signature in an ASCII document.

GPG can do much more than that. Many e-mail programs provide GPG support so you can use GPG seamlessly with your e-mail client. This allows you to digitally sign e-mails to assure recipients that you did indeed write the message. It also allows you to encrypt messages to a recipient with their public key, meaning that only the individual with the passphrase to the equivalent private key can decode and read the e-mail.

Likewise, GPG can do the same for files. If you wish to encrypt a file for someone else, you would use his or her public key to encrypt the file. However, if you wished to keep your own files private and safe from theft or prying eyes, you would encrypt the file with your own public key, ensuring that only you would be able to decrypt it.

It makes no difference to GPG what type of file you are encrypting; it can be binary just as well as text, or an OpenOffice.org spreadsheet. For instance, to encrypt a Word document for yourself, you would execute the following:

$ file private.doc
private.doc: Microsoft Office Document
$ gpg -ea -r user@domain.org private.doc

The original file is untouched, but the document is now stored in an ASCII file called private.doc.asc:

$ file private.doc.asc
private.doc.asc: PGP armored data message
$ gpg -d private.doc.asc >new.doc

You need a passphrase to unlock the secret key for
user: "Real Name (Comment) <user@domain.org>"
2048-bit ELG-E key, ID 7F72A50F, created 2007-12-01 (main key ID 9B1386E2)

Enter passphrase:

gpg: encrypted with 2048-bit ELG-E key, ID 7F72A50F, created 2007-12-01
      "Real Name (Comment) <user@domain.org>"
$ cmp new.doc private.doc
$ echo "" >>new.doc
$ cmp new.doc private.doc
cmp: EOF on private.doc

The cmp command at the end is a small demonstration that the decrypted file is identical to the original: the first cmp reports nothing, and only after the file has been deliberately modified does the second invocation report a difference.

The result of the above is an ASCII armored file, making it quite portable but at the expense of size. To create a binary file, omit the -a option:

$ gpg -e -r user@domain.org private.doc
$ file private.doc.gpg
private.doc.gpg: GPG encrypted data

$ ls -l private.doc*
-rw------- 1 user user 30720 Nov 29 15:36 private.doc
-rw-r--r-- 1 user user  7340 Dec  2 17:27 private.doc.asc
-rw-r--r-- 1 user user  5352 Dec  2 17:33 private.doc.gpg

As you can see, some compression can take place as well; a 30-KB Word document turns into a 7-KB ASCII-armored file or a 5-KB GPG encrypted file.

If you are only interested in integrity checking and validity of a file, you can create digital signatures for those files to ensure that they haven't changed.

$ gpg -ba -u user@domain.org private.doc

You need a passphrase to unlock the secret key for
user: "Real Name (Comment) <user@domain.org>"
1024-bit DSA key, ID 9B1386E2, created 2004-09-09

Enter passphrase:
$ gpg --verify private.doc.asc
gpg: Signature made Sun Dec  2 17:37:02 2007 MST using DSA key ID 9B1386E2
gpg: Good signature from "Real Name (Comment) <user@domain.org>"
$ echo "" >>private.doc
$ gpg --verify private.doc.asc
gpg: Signature made Sun Dec  2 17:37:02 2007 MST using DSA key ID 9B1386E2
gpg: BAD signature from "Real Name (Comment) <user@domain.org>"

Again, the above creates an ASCII-armored signature; to create a binary signature, change -ba to -b, dropping the -a switch that enables ASCII output. The second command verifies the file by checking the detached signature against it. Next, just for testing, we slightly modify the file, and on the next run the verification fails.
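As an added example that is not part of the original article, the following script runs the same encrypt/decrypt and sign/verify sequence end to end inside a throwaway GNUPGHOME, so the real keyring is never touched; the user ID demo@example.invalid, the key name and the document contents are constructed values.

```shell
#!/bin/sh
# Added example (not from the article). Exercises the article's commands in a
# temporary GNUPGHOME with a throwaway, passphrase-less key (constructed values).
# Returns 0 when every expectation holds, 1 on a mismatch, 2 when gpg is absent.
gpg_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    saved_home=${GNUPGHOME:-}
    export GNUPGHOME="$work/home"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    uid="demo@example.invalid"   # constructed user ID, not a real address
    rc=1
    (
        cd "$work" || exit 1
        # 1. throwaway key with no passphrase so nothing prompts in batch mode
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "Demo User <$uid>" default default never 2>/dev/null || exit 1
        printf 'constructed sample document\n' > private.doc
        # 2. encrypt to ourselves, ASCII armored (-e -a -r), then decrypt (-d)
        gpg --batch --yes -ea -r "$uid" private.doc 2>/dev/null || exit 1
        gpg --batch -d private.doc.asc > new.doc 2>/dev/null || exit 1
        cmp -s new.doc private.doc || exit 1   # decrypted copy must be identical
        # 3. detached armored signature (-b -a -u), written to its own file
        gpg --batch --yes -ba -u "$uid" -o private.doc.sig private.doc 2>/dev/null || exit 1
        gpg --batch --verify private.doc.sig private.doc 2>/dev/null || exit 1
        # 4. one appended byte must turn "Good signature" into a failed verify
        echo "" >> private.doc
        if gpg --batch --verify private.doc.sig private.doc 2>/dev/null; then exit 1; fi
        exit 0
    ) && rc=0
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    if [ -n "$saved_home" ]; then export GNUPGHOME="$saved_home"; else unset GNUPGHOME; fi
    return "$rc"
}
```

Run `gpg_roundtrip_demo; echo $?` to see the result; every gpg call is silenced here, so drop the `2>/dev/null` redirections to watch the same "Good signature" / "BAD signature" lines the article shows.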

There are many places where GPG has practical application. This has touched only on a few of the very basic uses for GPG, but not only does it have more features to tap into, but the uses for it are many and varied.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.
