Encrypting a file with gpg

It is always best practice not to leave key material lying around forgotten or unprotected, so choose the expiration of your key deliberately. A pragmatic choice is often no expiration at all, revoking the key later once it is no longer used. Bear in mind, though, that an expiration date can be extended at any time with --edit-key, whereas a lost revocation certificate cannot be recreated without the private key, so an expiry is a useful safety net if you ever lose control of the key or its revocation certificate.

You will then be prompted for identity data: a name, an email address, and an optional comment. Key generation needs randomness; on older systems gpg may ask you to type or move the mouse until enough entropy has been gathered. Along with your public and private key, a revocation certificate is generated; store it somewhere safe, since it is what lets you retire the key if the private key is lost or compromised. You can also search a keyserver by email address to discover someone else's key.

There are many keyservers; this example uses the widely used MIT public key server located at pgp. Here is an example of searching the keyserver:

After the search, a list of matching keys is shown and you select which one to import for later use. Your local copy of a key can also go stale (for example after the owner extends its expiry or revokes it) and need to be refreshed from a keyserver.

You can ask gpg to update your copy by running the following command:

Besides importing keys from a keyserver, you can also export your newly generated public key to the keyserver so that other users can discover it.

To export a gpg key, run the following command:

Feel free to test gpg encryption with this public key, either from the key block here or by importing it from the keyserver.

If you are using the MIT keyserver, go to pgp. Note that --armor must be used to get an ASCII representation of your key; otherwise the output is binary and cannot be pasted into a text upload form. Alternatively, you can send your key to the keyserver with the following command, giving the fingerprint as the identifier at the end:

This is one way gpg differs from other encryption tools: it has a built-in mechanism for certifying keys you trust (the web of trust). Once you know that a public key really belongs to the person you think it does, you can sign it with the following command:

Before signing a key, though, how do you know it can be trusted? If the intended recipient handed you the key directly, you can be sure, provided they are a trusted party. Otherwise, ask the intended recipient to send you the fingerprint of the key over a separate channel (a phone call, a video chat, a business card) and compare it with the fingerprint of the key you received. The fingerprint can be retrieved by running the following command:

If the key is not signed, you can still use it, but gpg will prompt you each time to confirm that you really want to encrypt to that key (in --batch mode it refuses outright). Signatures from other people on a public key are generally a hint that the key is trusted and that you can trust it too, but beware that many SKS keyserver implementations have been abused with signatures that are essentially spam (one of the reasons the SKS pool was shut down in 2021), so third-party signatures are no substitute for checking the fingerprint yourself.

Always reach out to the person to verify the fingerprint of their key before trusting it. My aim is to get you acquainted with GPG commands and how they work. After that, you can use this knowledge in a real-world situation if need be. If you use an Arch-based distribution, install the gnupg package with the pacman command:

Just run the following command and your key will be generated; you can accept the defaults for most of the questions, as shown in the underlined sections below:

You can then see that the private key and the public key are tied to each other by the ID shown under pub, using the --list-secret-keys and --list-public-keys commands respectively:

First you specified the --encrypt option. Next, you specified --output file. Next, you typed --recipient [email protected]. The email address you give here must be tied to a public key in your local keyring. So the logic is that I am encrypting the file with the public key of [email protected], which can then only be decrypted with the private key of [email protected].

Likewise, if the email were [email protected], the new GPG command would be as follows:

The output is unreadable; that is expected, because the file is now encrypted:

To decrypt it, you can use the following command:

The only other thing you may want to know is how to share your public key with others so they can encrypt files before sending them to you. To import a key, simply give the output file from the previous command to the other user and have them run the following command:

Next, run the fpr command, which shows the fingerprint of the key. That output should be validated against the fingerprint on your own machine, which you get by running the same --edit-key command on your system:

If everything matches up, just run the sign command and everything will be ready to go:

As I mentioned earlier, this is just for understanding how the GPG encryption and decryption process works. The basic GPG knowledge you just acquired can be taken to the next level when applied in real-world scenarios. Still need help figuring something out, or is something not working right? Feel free to leave it in the comments below.

If you don't pass any output flag, gpg decrypts to a file named after the input with the encryption suffix removed. For example, the following command line would leave the decrypted data in a file named "test":

Your passphrase should have sufficient information entropy. The --armor option is mainly intended for sending binary data through email, not via transfer commands such as bbftp or ftp.
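The following script is an added example, not code from the original article, that walks through the steps described above (generating a key with an expiry and a revocation certificate, exporting and importing a public key as an armored file, checking its fingerprint against an out-of-band value, signing it locally, and encrypting and decrypting a file with a passphrase-protected key) in throw-away keyrings under a temporary directory. The identities alice@example.com and bob@example.com, the passphrase and the sample file are constructed for the demo; gpg 2.1 or newer must be installed. Keyserver operations are left out because they need network access.

```shell
#!/bin/sh
# Added example, not code from the original article: the workflow the text
# describes, run in throw-away keyrings. "Alice", "Bob", their addresses and
# the passphrase are made up; gpg 2.1 or newer must be on PATH.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"      # one GNUPGHOME per party
mkdir -m 700 "$ALICE" "$BOB"
PASS='demo-passphrase-do-not-reuse'        # a real key deserves a strong one

# Unattended key generation. Expire-Date is the expiry discussed above (0 means
# never). Ed25519/cv25519 keeps this fast; RSA would use Key-Type: RSA and
# Key-Length: 3072 instead.
gen_key() {   # $1 homedir, $2 real name, $3 email
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
Passphrase: $PASS
%commit
EOF
}

# Primary-key fingerprint from machine-readable output (first "fpr" record,
# field 10). Scripts should never parse the human-readable listing.
fpr_of() {   # $1 homedir, $2 user id
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Expiry of the primary key as a Unix timestamp ("pub" record, field 7);
# empty means the key never expires.
expiry_of() {   # $1 homedir, $2 user id
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
    | awk -F: '$1 == "pub" { print $7; exit }'
}

# Compare an imported key with the fingerprint obtained out of band. Spaces
# and case are normalised so a value read over the phone still matches.
verify_fingerprint() {   # $1 homedir, $2 user id, $3 expected fingerprint
  want=$(printf '%s' "$3" | tr -d ' \t' | tr 'a-f' 'A-F')
  have=$(fpr_of "$1" "$2")
  [ -n "$have" ] && [ "$have" = "$want" ]
}

demo() {
  gen_key "$ALICE" "Alice Example" alice@example.com
  gen_key "$BOB"   "Bob Example"   bob@example.com

  # gpg 2.1+ drops a revocation certificate next to each new key; keep it safe.
  afpr=$(fpr_of "$ALICE" alice@example.com)
  [ -f "$ALICE/openpgp-revocs.d/$afpr.rev" ] || { echo "no revocation cert" >&2; return 1; }
  [ -n "$(expiry_of "$ALICE" alice@example.com)" ] || { echo "no expiry set" >&2; return 1; }

  # Exchange public keys as ASCII-armored files (without --armor they are binary).
  gpg --homedir "$ALICE" --batch --armor --export alice@example.com > "$WORK/alice.asc"
  gpg --homedir "$BOB"   --batch --armor --export bob@example.com   > "$WORK/bob.asc"
  gpg --homedir "$ALICE" --batch --quiet --import "$WORK/bob.asc"
  gpg --homedir "$BOB"   --batch --quiet --import "$WORK/alice.asc"

  # Alice checks Bob's key against the fingerprint Bob gave her over a trusted
  # channel (simulated here by reading it straight from Bob's keyring), then
  # certifies it with a local, non-exportable signature.
  bfpr=$(fpr_of "$BOB" bob@example.com)
  verify_fingerprint "$ALICE" bob@example.com "$bfpr" || { echo "fingerprint mismatch" >&2; return 1; }
  gpg --homedir "$ALICE" --batch --pinentry-mode loopback --passphrase "$PASS" \
      --quick-lsign-key "$bfpr"

  # Sign and encrypt to Bob: --encrypt alone says nothing about who sent it.
  printf 'payroll data\n' > "$WORK/secret.txt"       # constructed sample input
  gpg --homedir "$ALICE" --batch --pinentry-mode loopback --passphrase "$PASS" \
      --armor --output "$WORK/secret.txt.asc" --recipient bob@example.com \
      --sign --encrypt "$WORK/secret.txt"

  # Bob decrypts with his private key; --output names the plaintext file.
  gpg --homedir "$BOB" --batch --pinentry-mode loopback --passphrase "$PASS" \
      --output "$WORK/secret.txt.out" --decrypt "$WORK/secret.txt.asc"
  gpgconf --homedir "$ALICE" --kill gpg-agent || true
  gpgconf --homedir "$BOB" --kill gpg-agent || true
  cat "$WORK/secret.txt.out"
}

if command -v gpg >/dev/null 2>&1; then
  demo
else
  echo "gpg not found; install gnupg first" >&2
fi
```

Save it as gpg-demo.sh and run sh gpg-demo.sh. The local signature (--quick-lsign-key) is what lets the encrypt step succeed under --batch: without it gpg has no assurance that the key belongs to bob@example.com and, in batch mode, refuses rather than prompting. Signing the file as well as encrypting it lets Bob check who produced the data, which encryption alone does not tell him.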

There are three options for the compression algorithm: none, zip, and zlib (newer gpg builds also offer bzip2). The zlib option is not compatible with PGP 6. The MB file was a text file. These runs were performed on a CXFS filesystem while many other users' jobs were running, so the performance reported here is for reference only and is neither the best nor the worst you can expect.
