How to use the gpg command to encrypt Linux files

Encryption commands such as gpg can be used to secure your most sensitive files on Linux systems.

Encypting your files with gpg
Amanda Slater (CC BY-SA 2.0)

There are many reasons to encrypt files — even on a system that is well maintained and comparatively secure. The files may highly sensitive, contain personal information that you don't want to share with anyone, or be backed up to some variety of online storage where you'd prefer it be extra secure.

Fortunately, commands for reliably encrypting files on Linux systems are easy to come by and quite versatile. One of the most popular is gpg.

gpg vs pgp and OpenPGP

Used both to encrypt files in place and prepare them to be sent securely over the Internet, gpg is related to, but not the same as, pgp and OpenPGP. While gpg is based on the OpenPGP standards established by the IETF, it is — unlike pgp — open source. Here's the rundown:

  • OpenPGP is the IETF-approved standard that defines encryption technology that uses processes that are interoperable with PGP.
  • pgp is Symantec's proprietary encryption solution.
  • gpg adheres to the OpenPGP standard and provides an interface that allows users to easily encrypt their files.

Using gpg for symmetric encryption

Symmetric encryption means that you use the same key to both encrypt and decrypt a file. To encrypt a file with minimal effort, you could use a command like this:

$ gpg2 --symmetric myfile

This command will leave you with two files — myfile and myfile.gpg. Once you verify that the encrypted version of your original file has been created, you can use the shred command to securely remove the original file in a way that prevents it from being scraped off the disk with some disk recovery tool. During the encryption process, this command will also open up a tool on your desktop to prompt you twice to enter your passphrase. So, you have to be working on the desktop.

To do this kind of thing when you're not working on the console, you can avoid having gpg trying to open up a GUI tool to prompt for your passphrase by supplying it on the command. In this case, you might use a command like this:

$ gpg --pinentry-mode loopback --passphrase 88bottlesOfBeer --symmetric myfile
$ ls -l myfile.*
-rw-r--r-- 1 shs shs 48721 Jul 30 19:52 myfile.gpg

NOTE: It's bad practice to store your passphrase in clear text -- even in your command history file, so be careful if you do this.

Using public and private keys

To use gpg for creating files that you want to share with other people, it's generally best to use private/public keys. To share a file with a particular person, you encrypt it using their public key. In that case, that person is (presumably) the only one who can decrypt it. If you encrypt a file with your own public key, you’re the only one who can decrypt it.

To generate your public and private key set with gpg, you would use a command like this:

$ gpg --gen-key

Note that this command also requires that you be working on the console (GUI), not through an ssh session. The command is going to require that you produce some activity while your keys are bring generated — such typing or as moving your mouse cursor around the screen — to provide random data to the encryption process. It will also ask you to supply some information, such as your full name and the email address to be used for the key.

To encrypt a file for a particular recipient, you need to use a command that includes the --recipient argument to specify the recipient's public key.

$ gpg --encrypt --recipient instructions
$ ls -l instructions.*
-rw-rw-r-- 1 shs shs 51665 Jul 30 19:34 instructions.gpg

It's interesting to note that while the private and public keys are linked (generated in a single operation), either key could play either role.

  • If you encrypt with the public key, you could decrypt with the private key
  • If you encrypt with the private key, you could decrypt with a public key

Convention dictates, however, that private keys are kept private.

We also haven't looked at how public keys are used for authenticating senders.

Other command options

The gpg command offers many other options, as well. For example, if you prefer to use other than the default AES-128 encryption algorithm, you can specify the one you want to use with a command like this:

$ gpg --cipher-algo AES256 --symmetric myfile

You can list your keys with this command:

$ gpg --list-keys


While gpg commands can become quite complicated, the things you're likely to do routinely can be accomplished without a lot of effort.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT