Sunday, June 21, 2009

A GPG primer - Part II - Encrypting files

In part I I showed you how to configure your Solaris box to run GPG. Now, it's time to use it!

GPG lets you encrypt a file so that only the owner of the key the file was encrypted with can decrypt the message. I warn you once more: as you see, storing your key in a secure place is extremely important. If you think your key might have been compromised, revoke it and create another one.

Encrypting a file

Let's suppose you don't want anybody but you to be able to read a file. As you know, you could store your file in a safe place but safe is never good enough. There could be some use cases for which you'd better have your file encrypted. Imagine you're copying important files on a FAT32 USB drive: FAT32 filesystems has not been built with security in mind! If you encrypt the file(s) with your own key, only you will be able to decrypt them. To encrypt such files, the only command you need is (the two syntaxes are equivalent):

$ gpg --encrypt --recipient 'your-id' filename
$ gpg -er 'your-id' filename

In both cases the encrypted file would be named filename.gpg. If you prefer specifying the output file name, --output is your friend:
$ gpg --er 'your-id' --output outfile filename
The same applies if you're encrypting a file for a friend of yours: just use their key id or their recipient address.

Searching a key in a keyserver

Well, there might have times you don't have your friend's key and maybe is out there, stored in a key server. You can have GPG search the keyserver with just one command:
$ gpg --search-keys 'recipient-id' --keyserver keyserver-address
The keyserver option is optional, otherwise gpg will use its default keyserver.

Decrypting a file
Now you've stored or received a file encrypted with your key. To decrypt it is just as easy:
$ gpg --dr 'your-id' encrypted-file
You'll be asked for your password and then the file will be piped to standard output. As in the case of file encryption, you can specify an output file with the --output option.

No comments: