[ home ]

How to do basic encryption / decryption with GnuPG

install GnuPG

    # pkgin install gnupg2    # NetBSD
    # pacman -S gnupg         # Arch
    $ echo 'cipher-algo AES256' >> ~/.gnupg/gpg.conf

(AES256 is stronger than default CAST5, newer, and does integrity-checking for symmetrical encryption)

(If the config-file doesn't exist yet, have it created by running e.g. gpg2 --gen-key and breaking it immediately.)

encrypt symmetrically (cipher)

    $ gpg2 -c $my_input_file

(will ask for a passphrase)

(will generate output-file $my_input_file.gpg, using default symmetric cipher - AES256 in case config has been altered as suggested above - or choose e.g. --cipher-algo AES256, or gpg2 --version for a list)

decrypt symmetrically (decipher)

    $ gpg2 -o $my_output_file $my_input_file.gpg

(will ask for a passphrase)

(use -o - to cat to stdout)

generate a key

    $ gpg2 --gen-key        # NetBSD
    $ gpg2 --full-gen-key   # Arch

(choose defaults; fill in real name, email-addr, and give a description of use for this key, e.g. remote_encrypted_backup)

encrypt asymmetrically/hybrid

    $ gpg2 -e -r $key_identifier $my_input_file

($key_identifier is a substring of the key-description, as given by gpg2 -k, e.g. remote_enc to use the key generated above. We're basically encrypting a file meant for ourselves to decrypt, using our own secret key.)

(will generate output-file $my_input_file.gpg like with symmetric encryption)

decrypt asymmetrically/hybrid

    $ gpg2 -o $my_output_file -d $my_input_file.gpg

(will ask for a passphrase)

signing and encrypting asymmetrically

    $ gpg2 -e -r $key_identifier -s $my_input_file

(will ask for a passphrase)

(sign-verification happens automatically at decryption)

create signed symmetrically encrypted tar-archive

    $ tar cf tmp.tar $my_source_path; gpg2 -o $my_archive.tar.gpg -c tmp.tar; rm tmp.tar


    $ tar cf - | gpg2 -c > $my_archive.tar.gpg

...assuming export GPG_TTY=$( tty ) occurs in ~/.bashrc or similar

(I think gpg1 could still read passhprase using a pipe, or using --passphrase-fd 0 or so)

extract (signed) symmetrically encrypted tar-archive

    $ gpg2 -d $my_archive.tar.gpg | tar xf -

(or analogous to above, using temp file)