Maybe you need to send an email to someone with an attachment. That attachment may contain something very important or sensitive, and the risk of sending it over email may send chills down your spine. The last thing that you would want is somebody potentially peeking at your bank account information. Luckily, there is a solution to protecting critical files. Enter the GPG tool.
GPG (also known as GnuPG or GNU Privacy Guard) is a program that lets you encrypt files and their contents. This makes it convenient to protect files with a password, or with a public/private key pair, when transferring them between locations or people.
The default encryption cipher used to encrypt a file is 64-bit CAST5. While this may prove to be more than sufficient, the risk of a brute force attack is always there. We can force GPG to use a better algorithm such as AES256.
By default, GPG should already be included with your Linux distribution as it is depended upon by package managers such as yum, dnf, apt, and many more.
Encrypting a file
Luckily encrypting a file in Linux is a very simple and straightforward process. In this guide, we are going to encrypt the file with a password. This can be done by simply executing the following command:
gpg -c -vv --cipher-algo AES256 file.txt
The -c argument specifies symmetric encryption.
The -vv argument makes gpg verbose, so its output shows what has occurred. This argument is optional.
The --cipher-algo AES256 argument forces gpg to encrypt the file with the stronger AES256 cipher.
file.txt is the file that we are going to encrypt.
Depending on whether you are working through the bash shell only or a desktop environment, you will then be asked to make a password. This can be anything you want, but preferably something more complex. Using the random password generator here should help you make one just a little more complex.
When you’re done, a new file ending in .gpg will be created. At this point, the file is encrypted and can be safely transported to its destination.
Decrypting a file
Decrypting the file can be just as easy as running this command:
The original file will then be placed in the same folder as the encrypted file. If you’re doing this on the same computer on which the file was encrypted, then you won’t be prompted for the password. On another computer, you will need to enter the password that you created earlier when encrypting it.
You are now able to encrypt files and move them safely without having to worry about them being compromised.
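The encrypt and decrypt steps above as a scripted round trip, added here as an example that is not part of the original article: it checks that the right passphrase recovers the file, that a wrong one is rejected, and that the .gpg file really records AES256. The function names, the decrypt invocation, the sample file and the passphrase are assumptions made for this example; --no-symkey-cache needs GnuPG 2.2.7 or later.

```sh
#!/bin/sh
# Added example, not from the original article. Paths and passphrase are constructed.
# --no-symkey-cache (GnuPG 2.2.7+) stops gpg-agent from remembering the
# passphrase, so a successful decryption really proves the passphrase works.
GPG_OPTS="--batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 --no-symkey-cache"

# Encrypt file $1 to $1.gpg; the passphrase is read from stdin.
encrypt_file() {
    gpg $GPG_OPTS -c --cipher-algo AES256 -o "$1.gpg" "$1"
}

# Decrypt $1 into $2; the passphrase is read from stdin.
decrypt_file() {
    gpg $GPG_OPTS -o "$2" -d "$1"
}

# Print the OpenPGP cipher ID stored in $1 (9 = AES256, 3 = CAST5).
cipher_id() {
    gpg $GPG_OPTS --list-packets "$1" 2>/dev/null |
        sed -n 's/^:symkey enc packet:.* cipher \([0-9]*\).*/\1/p'
}

# Full round trip in throwaway directories; returns 0 only if every check passes.
roundtrip_demo() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME
    work=$(mktemp -d)
    pass='correct horse battery staple (constructed)'
    printf 'constructed sample: account 0000\n' > "$work/file.txt"
    rc=0
    printf '%s\n' "$pass" | encrypt_file "$work/file.txt" || rc=1
    printf '%s\n' "$pass" | decrypt_file "$work/file.txt.gpg" "$work/out.txt" || rc=1
    cmp -s "$work/file.txt" "$work/out.txt" || rc=1
    # A wrong passphrase must be rejected.
    if printf 'wrong\n' | decrypt_file "$work/file.txt.gpg" "$work/bad.txt" 2>/dev/null
    then rc=1; fi
    # The encrypted file must record AES256 (cipher ID 9).
    [ "$(printf '%s\n' "$pass" | cipher_id "$work/file.txt.gpg")" = 9 ] || rc=1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME" "$work"
    unset GNUPGHOME
    return $rc
}
```

Call roundtrip_demo after loading the functions; it returns 0 only when all four checks pass.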
Alternatively, you can encrypt files by using a private and public key pair. This makes it even more difficult for the file to be compromised or opened in any way during transport.
A user generates both a public and a private key and gives the public key to the sender, who uses it to encrypt the file. The encrypted file is then sent back to the user and decrypted using the private key that was originally generated. We highly recommend that you store the private key in a safe, offline location if you plan on using the same one repeatedly.
For this, we are going to generate a simple key pair:
gpg --quick-generate-key user
Where it says user, you can put any name you want.
You will be asked to confirm the key. Type Y for yes to continue.
A passphrase is required for this key pair. Enter your desired passphrase and hit enter to proceed. Type it again to confirm.
Hit random keys on the keyboard while it finishes generating the key. Your key will then be generated and ready for export.
To export the public key for other people to use, run this:
gpg --export -a -o user-pkey.pub user
You will also want the fingerprint of the public key so that your users can verify its legitimacy:
The file user-pkey.pub will be generated in your current directory. It is now ready to be used and sent to others for safe encryption and transporting!