Like it!

Join me on Facebook!

Like it!

Encrypt a file with GnuPG and a keypair

GPG (aka GNU Privacy Guard), is a public key cryptography implementation. It allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.

In this post I want to use the GnuPG command-line tool to encrypt sensitive data. The procedure requires just the following three basic steps:

  1. generate a new keypair;
  2. encrypt the file;
  3. decrypt the file (for testing purposes).

Step 1: generate a new keypair

Open a terminal and invoke GPG as follows:

gpg --gen-key

You will be presented with a list of several options. First of all: what kind of key should we generate?

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
Your selection?

Default one (1) is fine for most users (like me). Then, how long the RSA keys should be?

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

I choose 2048, a default value. The longer the key the more secure it is, but also slower during encryption and decryption.

Now is time to set an expiration time:

Please specify how long the key should be valid. 
    0 = key does not expire 
    [n]= key expires in n days 
    [n]w = key expires in n weeks 
    [n]m = key expires in n months 
    [n]y = key expires in n years 
Key is valid for? (0)

0 is good enough for me.

Now comes the ID part. The user ID is used to associate the key being created with a real person.

You need a user ID to identify your key; 
the software constructs the user ID from the Real Name, Comment and Email Address in this form: 
"Heinrich Heine (Der Dichter)"

Finally you have to enter a passphrase, used to unlock the private key. Once done, gpg will generate the keypair based on your computer's entropy. To enhance the level of that entropy, you are advised to perform some work like pressing keys and use the disks. If the process seems to be stuck, you could do:

find / > /dev/null

to reach the desired level of chaos in your machine.

Once done, type

gpg --list-keys

to see the available keypairs in your system. You should see the one we previously generated. In my Linux box the keypairs are stored inside /.gnupg/pubring.gpg.

Step 2: encrypt the file

Say I have a private file to encrypt. In order to do that, you have to invoke gpg with the --encrypt flag:

gpg --output [encrypted-file] --encrypt --recipient [your-ID] [original-file]

where [your-ID] is the ID we previously generated during the step 1. You can find your ID by invoking the command gpg --list-keys we have seen before. So for example you could do:

gpg --output test.txt.gpg --encrypt --recipient johnny test.txt

Step 3: decrypt the file

Decrypt file is dead simple. Just do:

gpg --output [original-file] --decrypt [encrypted-file]

You will be prompted for the passphrase you chose during the keypair generation. Type it in and you're done!


The GNU Privacy Handbook - Generating a new keypair (link)
The GNU Privacy Handbook - Encrypting and decrypting documents (link)
Stackoverflow - PGP Asymmetric - Not enough random bytes available (link)