GPG is mostly used for securing email. However, it can be used to encrypt arbitrary files and data using public-key encryption algorithms. (It can also encrypt files using symmetric ciphers and passwords, but that is not discussed here.)
The GPG 1.X series is designed more for servers. The GPG 2.X series is designed more for desktops and provides S/MIME support. They are just different, and 2.X is not better than 1.X. This example uses gpg 1.4.
Make the Directory
mkdir ./test
chmod 0700 ./test
Generate Keys
gpg --homedir ./test --gen-key
- Algorithm: RSA and RSA
- Keysize: for RSA, 2048 bits is fine. The NIST says this is good until 2030.
- Expiration: Does not expire. I haven't played around with expired keys to see how they work.
- Real Name: use something descriptive or your name, depending on how you are going to use this, e.g. "Encryptor Robot" (ok bad example)
- Email Address: put something that looks sorta like an email, e.g. "robot@encryptor.town"
- Comment: go nuts!
Finally, it's your choice whether you need a password or not. If this is for bulk encryption, you probably don't want a password.
Then wait while gpg gathers entropy. If you are using a VM, perhaps log in from a different window and/or copy some files in or out of it to generate some activity.
At the end of this you should be able to list and export the keys:
$ gpg --home ./test --list-keys
./test/pubring.gpg
------------------
pub   2048R/02A9B20A 2012-04-07
uid                  Encryptor Robot <robot@encryptor.town>
sub   2048R/14C5AD94 2012-04-07
Figuring out your parameters
gpg --verbose --version
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4),
AES (S7), AES192 (S8),
AES256 (S9), TWOFISH (S10),
CAMELLIA128 (S11), CAMELLIA192 (S12),
CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
You can decide what's best for you in terms of compression, but as of April 2012, the recommended setup is to use AES and SHA256. There may be specific requirements for your industry that overrule this; for everything else, this is just fine.
Now we have two ways to set the preferred algorithms. The easiest and clearest is doing this explicitly on the command line. That is shown in the examples below using --cipher-algo AES --digest-algo SHA256. The other way is by modifying the key's preferences. Type in gpg --homedir ./test --list-secret-keys. You get something like this:
./test/secring.gpg
------------------
sec   2048R/02A9B20A 2012-04-07
uid                  Encryptor Robot <robot@encryptor.town>
ssb   2048R/14C5AD94 2012-04-07
Using the key ID from the sec line (02A9B20A here), type in
gpg --homedir ./test --edit-key 02A9B20A
Now you'll get an interactive prompt.
# see verbose defaults
showpref
# see short defaults
pref
# set to AES/SHA256/NoCompress
# change NoCompress to whatever you like (Z1,Z2,Z3)
setpref S7 H8 Z0
# see your work
# notice how 3DES and SHA1 are just hardwired in
showpref
# byebye
quit
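The IDs passed to setpref (S7, H8, Z0) come from the gpg --verbose --version listing shown earlier. The following is an added example, not part of the original post: a shell helper that resolves algorithm names to those IDs and refuses to continue if the gpg build on a machine does not list one of them. The function names are hypothetical and the sample input is constructed from the listing above.

```shell
# Added example (hypothetical function names).
# Constructed sample input: the algorithm listing shown on this page.
sample_version_output() {
cat <<'EOF'
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4),
        AES (S7), AES192 (S8),
        AES256 (S9), TWOFISH (S10),
        CAMELLIA128 (S11), CAMELLIA192 (S12),
        CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
      SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
EOF
}

# pref_id NAME: read `gpg --verbose --version` text on stdin and print the
# preference ID for NAME (AES -> S7). Names are compared whole, so AES does
# not match AES192 or AES256. Exit status 1 if NAME is not listed.
pref_id() {
    awk -v want="$1" '
        BEGIN { want = toupper(want); rc = 1 }
        {
            sub(/^[A-Za-z]+:/, "")            # drop the "Cipher:" style label
            n = split($0, items, ",")         # wrapped lines parse the same way
            for (i = 1; i <= n; i++) {
                if (!match(items[i], /\([SHZ][0-9]+\)/)) continue
                id = substr(items[i], RSTART + 1, RLENGTH - 2)
                name = toupper(substr(items[i], 1, RSTART - 1))
                gsub(/[ \t]/, "", name)
                if (name == want && rc) { print id; rc = 0 }
            }
        }
        END { exit rc }'
}

# build_setpref CIPHER HASH COMPRESSION: print the line to type at the
# --edit-key prompt; fail if this gpg build lacks any of the algorithms.
build_setpref() {
    text=$(cat); prefs=""
    for name in "$@"; do
        id=$(printf '%s\n' "$text" | pref_id "$name") ||
            { echo "unsupported algorithm: $name" >&2; return 1; }
        prefs="$prefs $id"
    done
    echo "setpref$prefs"
}
```

Against a real installation, pipe the live listing in: gpg --verbose --version | build_setpref AES SHA256 Uncompressed prints setpref S7 H8 Z0 when all three are supported.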
Encrypt and Decrypt
By default, gpg reads from stdin and writes to stdout. You can specify an output file using --output. For input files, just add the filename as the last command line argument.
# encrypt
# --homedir ./test == what key database to use
# -q --no-tty --batch --yes == make gpg be as silent as possible
# --encrypt --armor == encrypt and make nice ascii format
# --trust-model always means to disable the "web of trust" stuff which
# may or may not make sense in an automated environment
# --recipient == what key to use.
echo "client9.com" | gpg -q --no-tty --batch --yes \
  --homedir ./test \
  --encrypt --armor \
  --trust-model always \
  --cipher-algo AES \
  --digest-algo SHA256 \
  --compress-algo uncompressed \
  --recipient robot@encryptor.town > /tmp/file.gpg
# decrypt
# This is simpler. It figures everything out from the message
# and key database
gpg --homedir ./test -q --no-tty --batch --yes --decrypt < /tmp/file.gpg
Export and Import
# export public
gpg --home ./test --armor --export robot@encryptor.town \
> /tmp/robot-public.gpg
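# export private
# (this file is the secret key itself; if the key has no password,
# anyone who can read the file can decrypt with it)
gpg --home ./test --armor --export-secret-key robot@encryptor.town \
> /tmp/robot-private.gpg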
# in new directory with gpg databases:
gpg --import public-or-private-key.gpg