How to Encrypt and Decrypt Files With GPG on Linux
Protect your privacy with the Linux gpg command. Use world-class encryption to keep your secrets safe. We’ll show you how to use gpg to work with keys, encrypt files, and decrypt them.
GNU Privacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them. Specifically, GPG complies with the OpenPGP standard. It is modeled on a program called Pretty Good Privacy (PGP). PGP was written in 1991 by Phil Zimmermann.
GPG relies on the idea of two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that was encrypted using the private key.
To send a file securely, you encrypt it with your private key and the recipient’s public key. To decrypt the file, they need their private key and your public key.
You’ll see from this that public keys must be shared. You need to have the public key of the recipient in order to encrypt the file, and the recipient needs your public key to decrypt it. There is no danger in making your public keys just that—public. In fact, there are Public Key Servers for that very purpose, as we shall see. Private keys must be kept private. If your public key is in the public domain, then your private key must be kept secret and secure.
There are more steps involved in setting up GPG than there are in using it. Thankfully, you usually need only set it up once.
The gpg command was installed on all of the Linux distributions that were checked, including Ubuntu, Fedora, and Manjaro.
You don’t have to use GPG with email. You can encrypt files and make them available for download, or pass them physically to the recipient. You do need to associate an email address with the keys you generate, however, so choose which email address you are going to use.
To generate your keys, run gpg with the --full-generate-key option, which generates your keys in an interactive session within your terminal window. You will also be prompted for a passphrase. Make sure you remember what the passphrase is. Three or four simple words joined together with punctuation is a good and robust model for passwords and passphrases.
You will be asked to pick an encryption type from a menu. Unless you have a good reason not to, type 1 and press Enter.
You need to specify how long the key should last. If you are testing the system, enter a short duration like 5 for five days. If you are going to keep this key, enter a longer duration like 1y for one year. The key will last 12 months and so will need renewing after one year. Confirm your choice with a Y.
You will be prompted for your passphrase. You will need the passphrase whenever you work with your keys, so make sure you know what it is.
Click the OK button when you have entered your passphrase. You’ll see this window as you work with gpg, so make sure you remember your passphrase.
If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.
The --output option must be followed by the filename of the certificate you wish to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must provide the email address that you used when the keys were generated.
You will be asked to confirm you wish to generate a certificate. Press Y and hit Enter. You will be asked for the reason you are generating the certificate. As we’re doing this ahead of time, we don’t know for sure. Press 1 as a plausible guess and hit Enter.
The certificate will be generated. You will see a message reinforcing the need to keep this certificate safe.
It mentions someone called Mallory. Cryptography discussions have long used Bob and Alice as the two people communicating. There are other supporting characters. Eve is an eavesdropper, Mallory is a malicious attacker. All we need to know is we must keep the certificate safe and secure.
The key is imported, and you are shown the name and email address associated with that key. Obviously, that should match the person you received it from.
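The key roles and public-key exchange described above, run end to end as an added example (not from the original article): a file is signed with the sender's private key, encrypted to the recipient's public key, then decrypted and verified on the other side. It assumes GnuPG 2.2 or later and goes beyond the interactive steps on this page by using gpg's batch options; the Alice and Bob identities, example.org addresses, file names and empty passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example. Assumes GnuPG 2.2+; identities, paths and message are constructed.
# Keys are unprotected (empty passphrase) only so the demo runs unattended.

# Run gpg non-interactively against one throwaway keyring directory.
g() {
  _home=$1; shift
  gpg --homedir "$_home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

gpg_roundtrip() {
  work=$(mktemp -d) || return 1
  alice=$work/alice; bob=$work/bob
  mkdir -m 700 "$alice" "$bob"

  # Each person generates their own key pair, expiring after one year (1y).
  g "$alice" --quick-generate-key 'Alice <alice@example.org>' default default 1y
  g "$bob"   --quick-generate-key 'Bob <bob@example.org>'     default default 1y

  # Only public keys change hands.
  g "$alice" --armor --export alice@example.org > "$work/alice.pub"
  g "$bob"   --armor --export bob@example.org   > "$work/bob.pub"
  g "$alice" --import "$work/bob.pub"
  g "$bob"   --import "$work/alice.pub"

  printf 'meet at noon\n' > "$work/msg.txt"
  # Alice signs with HER private key and encrypts to BOB's public key.
  # --trust-model always skips key validation; acceptable only in a demo.
  g "$alice" --trust-model always --sign --encrypt --recipient bob@example.org \
     --output "$work/msg.gpg" "$work/msg.txt"

  # The sender holds no private key that can open the result.
  if g "$alice" --decrypt "$work/msg.gpg" >/dev/null 2>&1
  then sender_reads=yes; else sender_reads=no; fi

  # Bob decrypts with HIS private key; Alice's public key checks the signature.
  status=$(g "$bob" --status-fd 1 --output "$work/out.txt" --decrypt "$work/msg.gpg" 2>/dev/null)
  case $status in *GOODSIG*) sig=good ;; *) sig=bad ;; esac
  plain=$(cat "$work/out.txt")

  # Stop the per-keyring daemons and remove the throwaway directories.
  for h in "$alice" "$bob"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done
  rm -rf "$work"
  echo "sender_reads=$sender_reads sig=$sig plain=$plain"
}

# Run the demo only when asked, e.g.: sh gpg_demo.sh run
if [ "${1:-}" = run ]; then gpg_roundtrip; fi
```

On a real keyring, confirm the imported key's fingerprint with its owner rather than relying on --trust-model always.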
There is also the possibility that the person you need a key from has uploaded their key to a public key server. These servers store people’s public keys from all over the world. The key servers synchronize with one another periodically so that keys are universally available.
The MIT public key server is a popular key server and one that is regularly synchronized, so searching there should be successful. If someone has only recently uploaded a key, it might take a few days to appear.
The --keyserver option must be followed…