GPG is mostly used for securing email. However it can be used to encrypt arbitrary files and data using public-key encryption algorithms. (It can also encrypt files using symmetric ciphers and passwords, but that is not discussed here.)
GPG 1.X series is designed more for servers. GPG 2.X series is designed more for desktops and provides S/MIME support. They are just different and 2.X is not better than 1.X. This example uses gpg 1.4.
Make the Directory
chmod 0700 ./test
gpg --homedir ./test --gen-key
- Algorithm: RSA and RSA
- Keysize: for RSA, 2048 bits is fine. The NIST says this is good until 2030.
- Expiration: Does not expire. I haven't played around with expired keys to see how they work.
- Real Name: use something descriptive or your name depending on how you are going to use this "Encryptor Robot" (ok bad example)
- Email Address: put something that looks sorta an email "email@example.com"
- Comment: go nuts!
Finally, it's your choice on if you need a password or not. If this is for bulk encryption, you probably don't want a password.
Then wait......... If you are using a VM, perhaps login with a different window and/or copy some files in or out of it.
At the end of this you should be able to list and export the keys
$ gpg --home ./test --list-keys
pub 2048R/02A9B20A 2012-04-07
uid Encryptor Robot <firstname.lastname@example.org>
sub 2048R/14C5AD94 2012-04-07
Figuring out your parameters
gpg --verbose --version
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES (S2), CAST5 (S3), BLOWFISH (S4),
AES (S7), AES192 (S8),
AES256 (S9), TWOFISH (S10),
CAMELLIA128 (S11), CAMELLIA192 (S12),
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
You can decide what's best for in terms of compression, but as of April 2012, the recommended setup is to use
SHA256. There may be specific requirements for your industry that might over-rule this for everything else this is just fine.
Now we have two ways to set the preferred algorithms. The easiest and clearest is doing this explicitly on the command line. That is shown in the examples below using
--cipher-algo AES --digest-algo SHA256. The other way is by modifying the key's preferences. Type in
gpg --homedir ./test --list-secret-keys. You get something like this:
sec 2048R/02A9B20A 2012-04-07
uid Encryptor Robot email@example.com
ssb 2048R/14C5AD94 2012-04-07
Using that ID in bold, type in
gpg --homedir ./test --edit-key 02A9B20A. Now you'll get an interactive prompt.
# see verbose defaults
set short defaults
set to AES/SHA256/NoCompress
change NoCompress to whatever you like (Z1,Z2,Z3)
setpref S7 H8 Z0
see your work
notice how 3DES and SHA1 and just hardwired in
Encrypt and Decrypt
stdout. You can specify an output file using
--output. For input files, just add the filename as the last command line argument.
--homedir ./test == what key database to use
-q --no-tty --batch --yes == make gpg be a silent as possible
-encrypt --armor == encrypt and make nice ascii format
--trust-model always means to disable the "web of trust" stuff which
may or may not make sense in an automated environment
--recipient == what key to use.
echo "client9.com" | gpg -q --no-tty --batch --yes \
--homedir ./test \
--encrypt --armor \
--trust-model always \
--cipher-algo AES \
--digest-algo SHA256 \
--compress-algo uncompressed \
--recipient firstname.lastname@example.org > /tmp/file.gpg
This is simpler. It figures everything out from the message
and key database
gpg --homedir ./test -q --no-tty --batch --yes --decrypt < /tmp/file.gpg
Export and Import
# export public
gpg --home ./test --armor --export email@example.com \
gpg --home ./test --armor --export-secret-key --armor \
in new directory with gpg databases:
gpg --import public-or-private-key.gpg