0. Entrée

Encryption protects your files, messages and application data while they move between hosts, or simply while they sit on your own host.

I’ll show you how to use gpg to work with keys, encrypt files, and decrypt them. This post covers only symmetric (passphrase-based) encryption and decryption; asymmetric encryption with key pairs comes later in the series.

The gpg command, from the GNU Privacy Guard (GnuPG), encrypts files and messages so that only a holder of the right secret can read them: the passphrase in the symmetric mode shown here, or the recipient's private key in the asymmetric mode. GnuPG implements the OpenPGP standard (RFC 4880), which grew out of Pretty Good Privacy (PGP), written by Phil Zimmermann in 1991.

You can check whether gpg is installed, and which algorithms your build supports, by running:

$ gpg --version

gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

You can list the public keys in your keyring by running the command below. Symmetric encryption does not use any of these keys; the listing only confirms where the keyring lives and that gpg can read it:

$ gpg --list-keys

/home/user/.gnupg/pubring.kbx
-------------------------------
pub   rsa4096 2019-01-27 [SC] [expires: 2024-06-12]
      E4E826E75934CABA11ED9686F037931782D016E2
uid           [ultimate] User (alias) <[email protected]>
sub   rsa4096 2019-01-27 [E] [expires: 2024-06-22]

pub   rsa4096 2021-04-19 [SC] [expires: 2026-04-18]
      C874011F0AB405110D02105534365D9472D7468F
uid           [ unknown] HashiCorp Security (hashicorp.com/security) <[email protected]>
sub   rsa4096 2021-04-19 [E] [expires: 2026-04-18]
sub   rsa4096 2021-04-21 [S] [expires: 2026-04-20]

1. Encryption

1.0. File Encryption

Let’s start with creating a file, plain.txt:

$ echo "plain text" > plain.txt
$ cat plain.txt

plain text

The three commands below are equivalent: each encrypts plain.txt with a key derived from a passphrase and writes the ciphertext to plain.txt.gpg, which is the default output name when no -o is given:

$ gpg --symmetric plain.txt
$ gpg --output plain.txt.gpg --symmetric plain.txt
$ gpg -o plain.txt.gpg -c plain.txt

gpg will prompt for a passphrase, and that passphrase is the only secret protecting the file: gpg derives the actual cipher key from it with a salted, iterated hash (the OpenPGP string-to-key function), so anyone who can guess the passphrase can decrypt the file. Use a long, random passphrase: either a machine-generated string of 20 or more mixed letters, digits and symbols, or five or more randomly chosen dictionary words in the style of the xkcd "correct horse battery staple" strip. A short word with a few digits and symbols substituted into it adds little entropy.

To decrypt the file you must be able to recall this passphrase; there is no recovery path.
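
As an added illustration (my own Python, not code from the original post or from GnuPG), here is the OpenPGP iterated-and-salted string-to-key function from RFC 4880 section 3.7.1.3, which is what gpg runs on the passphrase in symmetric mode to produce the session key. The salt and count byte used in the demo are constructed sample values; a real message carries its own in its first packet. The demo also times one derivation at the maximum count, which is the cost an attacker pays per passphrase guess.

```python
import hashlib
import time


def decode_s2k_count(coded: int) -> int:
    """Expand the one-byte S2K count into the number of octets to hash.

    RFC 4880 stores the count as a 4-bit mantissa and a 4-bit exponent in
    a single byte. 0xFF, the maximum, expands to 65,011,712 octets.
    """
    if not 0 <= coded <= 0xFF:
        raise ValueError("S2K count byte must be 0..255")
    return (16 + (coded & 0x0F)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len bytes from a passphrase (OpenPGP S2K specifier type 3).

    The hash is run over (salt || passphrase) repeated cyclically until
    exactly `count` octets have been consumed; the material is always
    hashed at least once even if count is smaller than it. When one digest
    is too short for the key, OpenPGP runs further hash contexts, each
    preloaded with one more zero byte than the previous one, and
    concatenates their outputs.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    material = salt + passphrase
    count = max(count, len(material))
    # Feed the hash in large, phase-aligned chunks (whole repetitions of
    # the material) so 65 MB of input does not mean millions of update() calls.
    chunk = material * max(1, 65536 // len(material))
    key = b""
    context = 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        remaining = count
        while remaining > 0:
            piece = chunk if remaining >= len(chunk) else chunk[:remaining]
            h.update(piece)
            remaining -= len(piece)
        key += h.digest()
        context += 1
    return key[:key_len]


def derive_session_key(passphrase: str, salt: bytes, coded_count: int,
                       key_len: int = 32) -> bytes:
    """S2K type 3 with SHA-1 (gpg's default S2K digest) to a 32-byte key,
    the size an AES-256 session needs."""
    return s2k_iterated_salted(passphrase.encode("utf-8"), salt,
                               decode_s2k_count(coded_count), key_len)


if __name__ == "__main__":
    salt = bytes.fromhex("0123456789abcdef")  # constructed sample salt
    t0 = time.perf_counter()
    key = derive_session_key("correct horse battery staple", salt, 0xFF)
    elapsed = time.perf_counter() - t0
    print("session key:", key.hex())
    print(f"one derivation at count 0xFF ({decode_s2k_count(0xFF):,} octets "
          f"hashed) took {elapsed:.3f} s")
```

The timing line is the point: even at the maximum count a single guess costs a fraction of a second on one core, and the salt only stops precomputation across files, so the passphrase's own entropy is what has to absorb an offline attack.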

The output is binary, so viewing it only shows bytes the terminal cannot render:

$ cat plain.txt.gpg

Œ
	VÉSÄä¹ÑÿÒA¸
Î+^g3!2*'\Uߑ‘{»Ù+©v[ês vqe
àŽHz‘új—¶Œsk'ÆQTÌëÄ@¨Èhh

1.1. Message Encryption

To paste the ciphertext into an email or a chat message, add the --armor flag. It Base64-encodes the binary output and wraps it in a text header and footer (ASCII armor); the output file is then named plain.txt.asc by default:

$ gpg --armor --symmetric plain.txt
$ gpg -a -c plain.txt

You’ll see the output like below:

$ cat plain.txt.asc

-----BEGIN PGP MESSAGE-----

jA0ECQMCyAmDEnBaFMP/0kYBPIZyaFVtLw8CkqhUiSwxCo/XFI75KwNSwBxm0G3p
CYMJtTpmyBTAvN02GQaEnteuIgGNwbdz0fnODlMBr8LO7R9gdCkH
=Eh3t
-----END PGP MESSAGE-----
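
To see what that blob actually contains, here is an added example (my own Python, not code from the original post or from GnuPG): a small parser that strips the ASCII armor, checks the CRC-24 trailer, and walks the OpenPGP packet headers. The message is the one shown above, embedded so the script runs offline; packet, cipher and hash numbers follow RFC 4880. The trailer check is reported rather than raised so a mismatch is visible instead of fatal.

```python
import base64

# The armored message from this post, embedded so the example runs offline.
ARMORED = """-----BEGIN PGP MESSAGE-----

jA0ECQMCyAmDEnBaFMP/0kYBPIZyaFVtLw8CkqhUiSwxCo/XFI75KwNSwBxm0G3p
CYMJtTpmyBTAvN02GQaEnteuIgGNwbdz0fnODlMBr8LO7R9gdCkH
=Eh3t
-----END PGP MESSAGE-----
"""

PACKET_TAGS = {1: "PKESK", 3: "SKESK", 8: "COMPRESSED", 9: "SED",
               11: "LITERAL", 18: "SEIPD"}
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256",
           10: "TWOFISH", 11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
          10: "SHA512", 11: "SHA224"}


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, the checksum in the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str):
    """Return (raw_bytes, trailer_crc, crc_ok) for one armored block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    trailer = int.from_bytes(base64.b64decode(body[-1][1:]), "big")
    raw = base64.b64decode("".join(body[:-1]))
    return raw, trailer, crc24(raw) == trailer


def packet_header(buf: bytes, pos: int):
    """Parse one packet header at pos; return (tag, body_start, body_len)."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of a packet tag octet must be set")
    if first & 0x40:                    # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        l1 = buf[pos + 1]
        if l1 < 192:
            return tag, pos + 2, l1
        if l1 < 224:
            return tag, pos + 3, ((l1 - 192) << 8) + buf[pos + 2] + 192
        if l1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise NotImplementedError("partial body lengths are not handled here")
    tag = (first >> 2) & 0x0F           # old-format header (RFC 4880 4.2.1)
    ltype = first & 0x03
    if ltype == 3:
        raise NotImplementedError("indeterminate length is not handled here")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")


def parse_skesk(body: bytes) -> dict:
    """Symmetric-Key Encrypted Session Key packet, version 4 (RFC 4880 5.3)."""
    if body[0] != 4:
        raise ValueError(f"unsupported SKESK version {body[0]}")
    info = {"cipher": CIPHERS.get(body[1], body[1]), "s2k_type": body[2],
            "hash": HASHES.get(body[3], body[3])}
    if body[2] in (1, 3):               # salted or iterated+salted S2K
        info["salt"] = body[4:12].hex()
    if body[2] == 3:
        c = body[12]
        info["s2k_count"] = (16 + (c & 0x0F)) << ((c >> 4) + 6)
    # No encrypted session key follows here, so the passphrase-derived key
    # itself is the one that encrypts the data packet.
    return info


def parse_message(text: str) -> dict:
    raw, trailer, crc_ok = dearmor(text)
    packets, pos = [], 0
    result = {"crc_expected": trailer, "crc_ok": crc_ok, "packets": packets}
    while pos < len(raw):
        tag, start, length = packet_header(raw, pos)
        body = raw[start:start + length]
        name = PACKET_TAGS.get(tag, f"TAG{tag}")
        packets.append((name, length))
        if name == "SKESK":
            result["skesk"] = parse_skesk(body)
        elif name == "SEIPD":
            result["seipd_version"] = body[0]
        pos = start + length
    return result


if __name__ == "__main__":
    r = parse_message(ARMORED)
    print("CRC-24 trailer 0x%06X matches=%s" % (r["crc_expected"], r["crc_ok"]))
    for name, length in r["packets"]:
        print(f"{name:8s} {length:4d} bytes")
    print(r["skesk"])
```

The first packet (SKESK) is 13 bytes and carries no secret at all, only the parameters gpg needs to rebuild the key from your passphrase: cipher, S2K type, hash, salt and the iteration count byte. Everything else lives in the integrity-protected data packet (SEIPD), whose trailing MDC is what lets gpg notice a modified ciphertext.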

Note

I don’t recommend the --armor option for files that will be transferred to or from NAS systems, or copied with ssh/scp/sftp or ftp in binary mode: those channels carry binary data unchanged, so armoring only makes the file about a third larger (Base64 spends 4 bytes for every 3).

Armor exists for channels that may alter binary data, such as email bodies and chat messages.

1.2. Directory Encryption

gpg has no recursive option, so first pack the directory into a single archive with tar or zip:

$ tar -czf my-directory.tar.gz my-plain-directory/
$ zip -r my-directory.zip my-plain-directory/

then encrypt the archive with gpg:

$ gpg -o my-directory.tar.gz.gpg -c my-directory.tar.gz

Keep in mind that my-directory.tar.gz is an unencrypted copy of the whole directory and stays on disk until you delete it. If you do not need the intermediate file, let tar write to stdout and gpg read stdin (tar -czf - my-plain-directory/ | gpg -o my-directory.tar.gz.gpg -c), so the plaintext archive never touches disk; decryption reverses the pipe into tar -xzf -.

2. Decryption

To decrypt a file you run:

$ gpg --decrypt plain.txt.gpg
$ gpg -d plain.txt.gpg

gpg asks for the passphrase you chose when encrypting (gpg-agent caches it for a while, so a second decryption shortly afterwards may not prompt again), writes the plaintext to stdout and prints status lines on stderr. The cipher named in the first status line depends on your gpg version and configuration; to pin one explicitly, encrypt with --cipher-algo AES256. The output looks like this:

gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
plain text

To write the decrypted contents to a file instead of the terminal, name the output with -o, or redirect stdout:

$ gpg -o plain.txt -d plain.txt.gpg
$ gpg --decrypt plain.txt.gpg > plain.txt

In scripts, check gpg’s exit status: a wrong passphrase or a modified ciphertext makes gpg exit non-zero, and with the shell redirect you would otherwise be left with an empty plain.txt that looks like a successful run.

That’s all for this post in the series.

All done!