# pkgin install gnupg2 # NetBSD
# pacman -S gnupg # Arch
$ echo 'cipher-algo AES256' >> ~/.gnupg/gpg.conf
(AES256 is stronger than default CAST5, newer, and does integrity-checking for symmetrical encryption)
(If the config-file doesn't exist yet, have it created by running e.g. gpg2 --gen-key and interrupting it immediately.)
$ gpg2 -c $my_input_file
(will ask for a passphrase)
(will generate output-file $my_input_file.gpg, using the default symmetric cipher - AES256 if the config has been altered as suggested above - or choose one explicitly, e.g. --cipher-algo AES256; see gpg2 --version for a list)
$ gpg2 -o $my_output_file $my_input_file.gpg
(will ask for a passphrase)
(use -o - to cat to stdout)
$ gpg2 --gen-key # NetBSD
$ gpg2 --full-gen-key # Arch
(choose defaults; fill in real name, email-addr, and give a description of use for this key, e.g. remote_encrypted_backup)
$ gpg2 -e -r $key_identifier $my_input_file
($key_identifier is a substring of the key-description, as given by gpg2 -k, e.g. remote_enc to use the key generated above. We're basically encrypting a file to our own public key, meant for ourselves to decrypt with our own secret key.)
(will generate output-file $my_input_file.gpg like with symmetric encryption)
$ gpg2 -o $my_output_file -d $my_input_file.gpg
(will ask for a passphrase)
$ gpg2 -e -r $key_identifier -s $my_input_file
(will ask for a passphrase)
(sign-verification happens automatically at decryption)
$ tar cf tmp.tar $my_source_path; gpg2 -o $my_archive.tar.gpg -c tmp.tar; rm tmp.tar
OR...
$ tar cf - $my_source_path | gpg2 -c > $my_archive.tar.gpg
...assuming export GPG_TTY=$(tty) occurs in ~/.bashrc or similar
(I think gpg1 could still read passphrase using a pipe, or using --passphrase-fd 0 or so)
$ gpg2 -d $my_archive.tar.gpg | tar xf -
(or analogous to above, using temp file)
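
The tar pipelines above rely on a TTY (GPG_TTY) for the passphrase prompt, which a cron job or backup script does not have. As an added example, not from the original page: a non-interactive round trip for GnuPG 2.1 or later that reads the passphrase from a file on descriptor 3. The function names and the passphrase-file arrangement are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): unattended tar | gpg2 round trip, GnuPG >= 2.1.
# backup_encrypt, backup_restore and roundtrip_demo are hypothetical names.
GPG=$(command -v gpg2 || command -v gpg || echo gpg2)

# backup_encrypt SRC_DIR OUT_FILE PASSFILE
# The passphrase is read from fd 3, so stdin stays free for the tar stream and
# the passphrase never appears in argv. Refuses to overwrite OUT_FILE (no --yes).
# Plain sh reports only gpg's exit status here, not tar's.
backup_encrypt() {
    tar cf - -C "$1" . |
        "$GPG" --batch --pinentry-mode loopback --passphrase-fd 3 \
               --cipher-algo AES256 -o "$2" -c 3<"$3"
}

# backup_restore IN_FILE DEST_DIR PASSFILE
# Decrypts to a 0600 temp file first, so tar only runs after gpg has accepted
# the passphrase and the integrity check; a direct pipe would let tar start
# extracting before gpg reports a failure.
backup_restore() {
    tmp=$(mktemp) || return 1
    if "$GPG" --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
              -o "$tmp" -d "$1" 3<"$3"
    then tar xf "$tmp" -C "$2"; rc=$?
    else rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# roundtrip_demo: constructed sample data in a throwaway GNUPGHOME; 0 on success.
roundtrip_demo() (
    w=$(mktemp -d) || exit 1
    trap 'rm -rf "$w"' EXIT
    GNUPGHOME=$w/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" "$w/src" "$w/out"
    echo 'constructed sample data' > "$w/src/notes.txt"
    printf '%s\n' 'constructed-demo-passphrase' > "$w/pass"
    printf '%s\n' 'constructed-wrong-passphrase' > "$w/bad"
    backup_encrypt "$w/src" "$w/b.tar.gpg" "$w/pass" 2>/dev/null || exit 1
    # A wrong passphrase must be rejected and must not extract anything.
    backup_restore "$w/b.tar.gpg" "$w/out" "$w/bad" 2>/dev/null && exit 1
    [ ! -e "$w/out/notes.txt" ] || exit 1
    backup_restore "$w/b.tar.gpg" "$w/out" "$w/pass" 2>/dev/null || exit 1
    cmp -s "$w/src/notes.txt" "$w/out/notes.txt"
)
```

Keep the passphrase file readable only by the account that runs the backup (mode 0600).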