Linux File Encryption Using GPG

GPG? Isn’t That For Email?

GPG is an encryption toolset that is best known for encrypting email, and while it is magnificent in this regard (usability aside), it is equally capable of encrypting files. Moreover, GPG is usually associated with asymmetric encryption, that is, encryption using separate public and private keys, but it can also encrypt files symmetrically using a password. Today we’ll learn how to encrypt files using the symmetric side of GPG, though there are definitely legitimate use cases for each.

But why would we use GPG for file encryption?

There are several pros and cons to using GPG for file encryption. The benefits are that it is usually installed by default on just about any Linux distribution, and it’s rock-solid reliable. The cons are that it doesn’t hide file size, and it can be somewhat hard for beginners to use at first. It also doesn’t work on directories on its own, requiring another utility called tar, though this is also installed by default on just about every distribution.

Step 1: Preparing The Data

(If you are only encrypting one file, skip this step)

Typically when we want to encrypt data it involves more than one file, and because of this we first need to aggregate all the different files we want to encrypt into one clump. For this we use a classic tool called tar. Tar (Tape ARchive) essentially takes multiple files and welds them together, and also provides the ability to apply compression in the process, such as gzip and XZ, to reduce the file size. We always want to compress our files before encrypting them, not after: compression relies on patterns in the data, and encrypted output is effectively random, so it would no longer compress.

Here is an example that will create an archive called archive.tar.xz using three text files, with XZ compression being applied in the process.

tar -cJf archive.tar.xz file-1.txt file-2.txt file-3.txt

The -c flag is what signals tar to create an archive,
the -J flag signals the use of XZ compression on the data,
the -f flag names the file you want to create; because it takes the filename as its argument, it must always be the last flag in the group.

XZ compression will result in very small file sizes, but can be slow. If you wish to use gzip compression instead, which will be much faster but will result in larger file sizes, then use the -z flag instead of -J, and name your file archive.tar.gz instead of archive.tar.xz.

Step 2: GPG Encryption

Now that the data has been aggregated to only one file, we can use GPG to encrypt it. First, however, we may want to change the default encryption algorithm that GPG uses. To do this, we must edit the gpg.conf file and add a line at the end.

nano ~/.gnupg/gpg.conf

Now simply type the following in at the very end of the file, then save and exit (CTRL+X, Y, then Enter)

cipher-algo AES256

What this does is set the default algorithm to be AES-256, which is a gold-standard for symmetric encryption.

With this finally set, and with the data aggregated into a single file, we can start encrypting our files!

gpg -c archive.tar.xz

Here, the -c flag tells GPG to use symmetric encryption, which means you’ll have to input a password. Make sure that the password is strong. I strongly recommend using Diceware, as it allows you to use incredibly strong passwords that are easy to remember. The file that GPG will output will be named archive.tar.xz.gpg, in other words it will be the original filename with ‘.gpg’ tagged onto the end.

Step 3: Cleaning Up

The file ending in ‘.gpg’ will be the encrypted file that you can send or upload online without worrying (assuming you used a strong password). If, however, you don’t want any trace of the original files on your computer, you’ll need to do a bit of cleanup. I’ve already written a quick guide on secure file deletion, so give that a read for a more in-depth explanation. Nevertheless, the command you’ll want to use to securely erase the unencrypted data from your disk is the shred command.

shred -u archive.tar.xz file-1.txt file-2.txt file-3.txt

What this does is overwrite the data on the disk for all of our original, unencrypted files. The -u flag signals shred to then remove the files after overwriting them. If everything goes well, you now have a GPG-encrypted archive of your original files.

Step 4: Decryption

Decrypting the files takes about as long as encrypting them. First, you’ll want to use GPG to decrypt the archive, then tar to uncompress and unpack it.

gpg -d -o archive.tar.xz archive.tar.xz.gpg
tar -xf archive.tar.xz

Here, the -d flag tells GPG to decrypt the data, and the -o flag names the file to write it to (without -o, gpg -d writes the decrypted data to standard output instead of to a file). This will leave you with the compressed archive, archive.tar.xz, which the second command will decompress and unpack, leaving you with your original data.

And You’re Done.
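The whole four-step procedure, run end to end on three constructed sample files and checked for a correct round trip. This is an added example, not the article’s own script; it assumes gpg (GnuPG 2.1 or later), GNU tar with xz support and shred from coreutils are installed, and it feeds the passphrase on stdin only to keep the demo non-interactive.

```shell
#!/bin/sh
# Added example: the article's four steps on constructed sample files, with the
# round trip verified. Assumes gpg (GnuPG 2.1+), GNU tar with xz, and shred.
# The passphrase is fed on stdin with --passphrase-fd 0 and --pinentry-mode
# loopback so the run is non-interactive; for real use let gpg prompt you
# instead, so the passphrase never sits in a script or your shell history.
set -eu

gpg_sym() {  # $1 = passphrase, remaining arguments are passed to gpg
  pass=$1; shift
  printf '%s\n' "$pass" | gpg --batch --quiet --yes --pinentry-mode loopback \
      --passphrase-fd 0 "$@"
}

encrypt_roundtrip() {
  work=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"   # private home: ignores your ~/.gnupg/gpg.conf
  mkdir -m 700 "$GNUPGHOME"; mkdir "$work/in" "$work/out"
  printf 'alpha\n' > "$work/in/file-1.txt"   # constructed sample files
  printf 'beta\n'  > "$work/in/file-2.txt"
  printf 'gamma\n' > "$work/in/file-3.txt"
  pass='correct horse battery staple'        # demo passphrase, not a real one

  # Step 1: aggregate and compress BEFORE encrypting (ciphertext won't compress).
  tar -C "$work/in" -cJf "$work/archive.tar.xz" file-1.txt file-2.txt file-3.txt

  # Step 2: symmetric encryption; --cipher-algo on the command line does for
  # this run what the article's gpg.conf line does permanently.
  gpg_sym "$pass" --cipher-algo AES256 --symmetric "$work/archive.tar.xz"

  # Step 3: overwrite and unlink the plaintexts. Caveat from shred(1): this is
  # not reliable on journaling or copy-on-write filesystems, or on SSDs.
  shred -u "$work/archive.tar.xz" "$work"/in/file-*.txt
  [ ! -e "$work/archive.tar.xz" ] || { echo "shred failed"; return 1; }

  # Step 4: -d alone writes to stdout, so -o names the output file; then untar.
  gpg_sym "$pass" -o "$work/archive.tar.xz" -d "$work/archive.tar.xz.gpg"
  tar -C "$work/out" -xf "$work/archive.tar.xz"

  got=$(cat "$work/out/file-1.txt" "$work/out/file-2.txt" "$work/out/file-3.txt")
  gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent for the temp home
  rm -rf "$work"
  [ "$got" = "$(printf 'alpha\nbeta\ngamma')" ] && echo ok || echo mismatch
}
```

Running `encrypt_roundtrip` prints `ok` when the decrypted, unpacked files match the constructed originals.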
