gpg -o newfilename.gpg --symmetric --cipher-algo AES256 filetocrypt.txt
# or
gpg -o newfilename.gpg -c --cipher-algo AES 256 filetocrypt.txt
gpg -o new_filename.gpg --symmetric --cipher-algo AES256 --no-symkey-cache filetocrypt.txt
gpg -o originalfilename.txt -d file.txt.gpg
Aromored option
If you need to copy and paste your encrypted data (e.g. into an email), then use the --armor
option. This will produce ascii armored text (base64 encoded) which is very portable. This option is mainly intended for sending binary data through email, not via transfer commands such as ftp
or shiftc
with the -secure
option. The file size tends to be about 33% bigger than without this option, and encrypting the data takes about 10-15% longer. Taking AES256 as an example, you would simply use it like this:
gpg --armor --symmetric --cipher-algo AES256 file.txt
By default, this will produce file.txt.asc as the encrypted ascii armored file. You would then decrypt normally using something like:
gpg -o file.txt -d file.txt.asc
If you have set up a public/private key pair, you can use your private key to sign the data before symmetrically encrypting it.
To sign and symmetrically encrypt file.txt using AES256
, use the --sign
option like this:
gpg --sign --symmetric --cipher-algo AES256 file.txt
Then to verify the signature and decrypt:
gpg -d file.txt.gpg
The -d option will automatically try to verify any signature and also decrypt
The level of compression used when encrypting/decrypting affects the time required to complete the operation. There are three options for the compression algorithm: none
, zip
, and zlib
.
--compress-algo none
or--compress-algo 0
--compress-algo zip
or--compress-algo 1
--compress-algo zlib
or--compress-algo 2
For example:
gpg --output test.gpg --compress-algo zlib --symmetric test.out
If your data is not compressible, --compress-algo 0
(none
) gives you a performance increase of about 50% compared to --compress-algo 1
or --compress-algo 2
.
If your data is highly compressible, choosing the zlib
or zip
option will not only increase the speed by 20-50%, it will also reduce the file size by up to 20x. For example, in one test on a NAS system, a 517 megabyte (MB) highly compressible file was compressed to 30 MB.
The zlib
option is not compatible with PGP 6.x, but neither is the cipher algorithm AES256. Using the zlib
option is about 10% faster than using the zip
option, and zlib
compresses about 10% better than zip.
gpg --gen-key
After following the process you will be prompted with a summary, and the important parts to remember are:
- Name used to generate the key:
uid
- The Key-id:
pub 2048R/...here is the key-id...
(in this example the first number is given by the key length we choose to generate) - The Key fingerprint:
pub SNIP ... Key Fingerprint = ...
--quick-generate-key
option requires you to specify the USER-ID field on the command line and optionally an algorithm, usage, and expire date. It implements defaults for all other options.--generate-key
option prompts for the real name and email fields before asking for a confirmation to proceed. In addition to creating the key, it also stores a revocation certificate.--full-generate-key
option, provides a dialog for all options.
You can change expiration dates and passwords, sign or revoke keys, and add and remove emails and photos.
gpg --edit-key user_name@example.com
On the subprompt, help
or a ?
lists the available edit commands.
To add an email address, you will actually add a USER-ID value:
gpg> adduid
You can use list
to show the identities, uid
to select an identity, and deluid
to delete an identity. The quit command exits the edit utility and prompts you to save your changes.
To encrypt a file you can use the -e
(or --encrypt
) option along with the -r
(or --recipient
) option, it's also possible to sign directly the encrypted file with --sign
option and as previous mentioned the consideration of using --armor
it depends on your needs. And remember that when making operation with key-pairs the use of key-id
or uid
and mail@address
are all valid ways of comunicating with the gpg commands and make operations on specific keys.
# recipient key (pub_key that has been given to us from other user to encrypt my text that only his private key can decrypt)
gpg -e -r key-id filename.txt
# or
gpg -e -r recipient_userid file.txt
# sign a plaintext file with your secret key:
gpg -s file.txt
# sign a plaintext file with your secret key and have the output readable to people without running GPG first:
gpg --clearsign file.txt
# sign a plaintext file with your secret key, and then encrypt it with the recipient's public key:
gpg -se -r recipient_userid file.txt
# sing encrypt armored ASCII (this is encrypted with our key)
gpg -sea file.txt
or by using the User Name (uid) choosen when generating the key-pair:
gpg -e -r user-name file.txt
This will produce an ecnrypted file called file.txt.gpg that only the recipient or obviously the owner of the conresponding pair public/private key can decrypt. If you need to change the name of the resulting encrypted file use the -o
(or --output
) option:
gpg -o file.gpg -e -r uid file.txt
Note that if you had not verified the public key yet, you'll get a warning message to that effect when you try to encrypt data using that public key.
To specify the secret key to be used and the recipient public key:
gpg -e -u sender-username -r receiver-usernaname file.txt
For the recipient to decrypt the encrypted data created in the steps above, they need to specify the output file using -o and also use the -d (or --decrypt) option. So to decrypt file.txt.gpg from above, the recipient (and owner of the private key) would execute this command:
gpg -o file.txt -d file.txt.gpg
The recipient will be prompted to enter the passphrase for their private key. If the correct passphrase is used, the decryption algorithm will proceed and the original data will be stored in file.txt. It's quite important to note that if no output file is specified, the decrypted ciphertext i.e. the plaintext (the original data) gets sent to standard out. So unless you pipe it to a file or another program, it will be displayed in your terminal and not stored to file.
As mentioned above compress a file is allways a better option for adding entropy to a detereminate object/file/system before encrypting it, and inn this situation is mandatory.
First turn the directory into a comopressed file:
tar czf new_compressed_file.tar.gz directory_name/
To revert the previous command run: tar xzf new_compressed_file.tar.gz
It depends on your needs but for only storing an encrypted folder i suggest to encrypt it with AES Symmetric
encryption. I will show both ways of doing it, with Symmetric and Asymettric encryption.
Symmetric
Compress the folder as shonw above and procede as a normal symmetric encryption:
gpg -o compressedfile.gpg --symmetric --cipher-algo AES256 --no-symkey-cache compressedfile.tar.gz
For the reverse process decrypt the file then decompress as shown above.
Asymmetryc
After generating the key-pair:
# Encrypt
gpg -e -r user_name ~user_name/file_to_crypt.txt`
# Decrypt
gpg -d -o ~user_name/decrypted_dir ~user_name/previously_crypted_file
Then if it's needed decompress the data.
gpg --list-keys
gpg --list-keys --fingerprint
#or
gpg --list-public-keys --fingerprint
View the keys on your private (secret) keyring
gpg --list-secret-keys
gpg --list-secret-keys --fingerprint
gpg --armor --export uid-of-choosen-key > public_key.asc
# or
gpg --export --armor --output filename.pub
Use the --armor
specification only if it's needed, in case of transfer the key through mail, otherwise is not so usefull.
To allow other people verifying the public key, also share the fingerprint of the public key in email signatures, or contact info in your website.
Note that the name of the file (
public_key.asc
) is arbitrary, but informational in this case.
# import
gpg --import public_key.asc
# export
gpg -ao keyfile --export userid
note that when a public key is imported you should sign it as shown next.
To save a raw data or ascii armored copy of the private key, you can use the --export-secret-keys
option, below is a raw data example (include --armor
for ascii version):
# export
gpg --export-secret-keys key-id > private_key
#or
gpg -ao keyfile --export-secret-key key-id
# import
gpg --import private_key
gpg --edit-key key-uid
Dsplay the fingerprint: fpr
Once verified with owner sign the key: sign
Doublecheck: check
Then exit with: quit
or Ctrl + d
- View the contents and check the certifying signatures of your public key ring:
gpg --check-sigs
Verify Identiy - Fingerprint
Get the fingerprint of a public key:
gpg --fingerprint key-id
# or
gpg --fingerprint email@address.com
You can compare the result fingerprint string with the one givent to you or prentended to be the the original.
Sign external Pub Key
By doing that you authorize the key that you have been provided with:
gpg --sign-key key-id
# or
gpg --sign-key email@address.com
To store your public key on a key server, use the --keyserver
option along with the --send-keys
option:
gpg --keyserver servername --send-keys key-id
If someone wants to import that public key from the keyserver, they can use the --recv-keys
option like so:
gpg --keyserver servername --recv-keys key-id
Search into the key server:
gpg --keyserver key_server_name --search-keys search-parameter
Use this command to search by name or email address.
Update Key information
gpg --refresh-keys
Fetch update informations from the key servers.
If you think that your public key is no longer valid, you can revoke it using a revocation certificate.
gpg --output revocation_cert.asc --gen-revoke key-id
Note that you cannot create this revocation certificate after you've lost your private key! So it is recommended to create one at the same time that you create the key pair, then keep it in a really safe place.
If you had to use this revocation certificate, you would do the following to update your keyring:
gpg --import revocation_cert.asc
Then run this command to update the keyserver:
gpg --keyserver keyservername --send-keys key-id
# remove a key from your public keyring:
gpg --delete-key uid
gpg --delete-key key_id
# secret
gpg --delete-secret-key uid
gpg --delete-secret-key key_id
# Batch Mode
# disable or re-enable a public key on your own public keyring:
gpg --batch --edit-key uid disable
# or
gpg --batch -edit-key uid enable
#
gpg --batch --yes --delete-key key_id
gpg --batch --yes --delete-secret-key uid
# create a signature certificate that is detached from the document:
gpg -sb textfile
# detach a signature certificate from a signed message:
gpg -b ciphertextfile