Saturday, August 7, 2010

Encrypting and decrypting files with GnuPG


GPG can do much more than that. Many e-mail programs provide GPG support so you can use GPG seamlessly with your e-mail client. This allows you to digitally sign e-mails to assure recipients that you did indeed write the message. It also allows you to encrypt messages to a recipient with their public key, meaning that only the individual with the passphrase to the equivalent private key can decode and read the e-mail.
Likewise, GPG can do the same for files. If you wish to encrypt a file for someone else, you would use his or her public key to encrypt the file. However, if you wished to keep your own files private and safe from theft or prying eyes, you would encrypt the file with your own public key, ensuring that only you would be able to decrypt it.
It makes no difference to GPG what type of file you are encrypting; it can be binary just as well as text, or an OpenOffice.org spreadsheet. For instance, to encrypt a Word document for yourself, you would execute the following:
$ file private.doc
private.doc: Microsoft Office Document
$ gpg -ea -r user@domain.org private.doc
The original file is untouched, but the document is now stored in an ASCII file calledprivate.doc.asc:
$ file private.doc.asc
private.doc.asc: PGP armored data message
$ gpg -d private.doc.asc >new.doc
You need a passphrase to unlock the secret key for
user: "Real Name (Comment) "
2048-bit ELG-E key, ID 7F72A50F, created 2007-12-01 (main key ID 9B1386E2)
Enter passphrase:
gpg: encrypted with 2048-bit ELG-E key, ID 7F72A50F, created 2007-12-01
"Real Name (Comment) "
$ cmp new.doc private.doc
$ echo "" >>new.doc
$ cmp new.doc private.doc
cmp: EOF on private.doc
The cmp command at the end was a slight demonstration to indicate that that resulting decrypted file is exactly the same as the original, which is visible in the slight modification done to it prior to the second invocation of cmp.
The result of the above is an ASCII armored file, making it quite portable but at the expense of size. To create a binary file, omit the -a option:

$ gpg -e -r user@domain.org private.doc $ file private.doc.gpg
private.doc.gpg: GPG encrypted data
$ ls -l private.doc*
-rw------- 1 user user 30720 Nov 29 15:36 private.doc
-rw-r--r-- 1 user user 7340 Dec 2 17:27 private.doc.asc
-rw-r--r-- 1 user user 5352 Dec 2 17:33 private.doc.gpg
As you can see, some compression can take place as well; a 30-KB Word document turns into a 7-KB ASCII-armored file or a 5-KB GPG encrypted file.
If you are only interested in integrity checking and validity of a file, you can create digital signatures for those files to ensure that they haven’t changed.
$ gpg -ba -u user@domain.org private.doc
You need a passphrase to unlock the secret key for
user: "Real Name (Comment) "
1024-bit DSA key, ID 9B1386E2, created 2004-09-09
Enter passphrase:
$ gpg --verify private.doc.asc
gpg: Signature made Sun Dec  2 17:37:02 2007 MST using DSA key ID 9B1386E2
gpg: Good signature from "Real Name (Comment) "
$ echo "" >>private.doc
$ gpg --verify private.doc.asc
gpg: Signature made Sun Dec  2 17:37:02 2007 MST using DSA key ID 9B1386E2
gpg: BAD signature from "Real Name (Comment) "
Again, the above creates an ASCII-armored version of the signature; to create a binary copy, change -ba to simply -b to drop the switch to enable ASCII output. The second command verifies the file, by checking the signature. Next, just for testing, we slightly modify the file and you can see that on the next run, the verification fails.
There are many places where GPG has practical application. This has touched only on a few of the very basic uses for GPG, but not only does it have more features to tap into, but the uses for it are many and varied.