In this Linux quick tip we will discuss password protecting a file in Linux using the OpenPGP encryption and signing tool (GnuPG / gpg). This tool provides digital encryption and signing services using the OpenPGP standard.
PSA: It is imperative that you use a strong user account password and passphrase to protect your key. It is also recommended that you protect your ~/.gnupg directory.
Encrypting a File with a Passphrase
Let's jump right in and explain how to simply password protect a file. We will be using the gpg command with the -c (encrypt with symmetric cipher using a passphrase) option.
$ gpg -c personal.txt
Once you enter the above command, you will be prompt for a passphrase. Make this passphrase as secure as possible, but easy to remember. If you lose the passphrase, you will not be able to recover your data.
As a result of the above command a new file was created named personal.txt.gpg. The old un-encrypted file still exists in the directory.
$ ls -l
-rw-r--r-- 1 savona savona 96 Feb 12 21:28 personal.txt
-rw-r--r-- 1 savona savona 166 Feb 12 21:28 personal.txt.gpg
You can now delete the original file using the rm command.
$ rm personal.txt
The default output file name is the name of the input file with .gpg added to the end. You can specify the output filename and name it whatever you like.
gpg -o personaltexts.gpg -c personal.txt
There is no native way to delete the original file, but append another command to shred it.
(Be careful here)
gpg -o personaltexts.gpg -c personal.txt && shred -u personal.txt
Take it one step further and obscure the output file by making it hidden (dot file).
gpg -o .personaltexts.gpg -c personal.txt && shred -u personal.txt
Confirming Encryption & Cipher
We can now confirm that the data has been encypted and the cipher used. Using the file command will give you the necessary information.
$ file personal.txt.gpg
personal.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)
We can see that the file is symmetrically encrypted using the AES256 cipher.
Alternatively, you can get a lot more information using the --list-packets option verbosely.
$ gpg --list-packets -vvv personal.txt.gpg
gpg: using character set 'utf-8'
off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
salt DEB8B0DB0636F056, count 65011712 (255)
gpg: AES256 encrypted data
off=15 ctb=d2 tag=18 hlen=2 plen=148 new-ctb
:encrypted data packet:
gpg: encrypted with 1 passphrase
off=36 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=1
off=38 ctb=ac tag=11 hlen=2 plen=114
:literal data packet:
mode b (62), created 1550025754, name="personal.txt",
raw data: 96 bytes
gpg: decryption okay
Decrypting a File with Passphrase
When you are ready to decrypt the file, you can use the -d option and specify the gpg encrypted filename.
$ gpg -d personal.txt.gpg
The above will print the file to stdout (standard output).
If you want to send it to a file you can simple redirect the output.
$ gpg -d personal.txt.gpg > outout_file.txt
Or you can specify the output file within the gpg command.
$ gpg -o output.txt -d personal.txt.gpg
NOTE: Remember to clean up (delete) these unencrypted versions of the file.
Specifying Cipher to Use
Ubuntu used AES256 by default, which would be my choice (Good Ubuntu). Fedora uses an unspecified AES cipher. I would recommend specifying AES256 as the cipher to use.
gpg --cipher-algo AES256 -c personal.txt
You can specify any cipher from the support ciphers list. More on that in the next section.
Get List of Support Ciphers
Using the --version argument will give you a list of supported ciphers, hashes, etc.
Specify Default Cipher in Config File
You can specify which cipher you would like used by creating or editing the ~/.gnupg/gpg.conf file. Add the following line to set AES256 as your default cipher.
With the Linux gpg command you can easily password protect and encrypt files on the command line. This command is powerful and we only scratched the surface of it's options.
If you found this interesting or helpful consider sharing it. If you have anything you would like to add or if I need to be corrected please leave a comment.
This site uses Akismet to reduce spam. Learn how your comment data is processed.