Today, we are going to see how to encrypt and decrypt files from command line in Linux using a free utility named GNU Privacy Guard (shortly GPG or GnuPG).
There are, of course, plethora of methods, and applications are available to encrypt and decrypt files in Linux. But, encrypting and decrypting files with GnuPG is the easiest method.
What is GnuPG?
GnuPG is an Open Source OpenPGP compatible encryption system. It is a commandline, sophisticated public key cryptosystem that provides digital encryption and signing services using the OpenPGP standard.
Using GnuPG, we can easily encrypt the important and confidential files and documents. It is packaged for several operating systems and also available as pre-compiled binaries.
GnuPG is available as two versions. They are GnuPG 1.x and GnuPG 2.x. GnuPG 2.x uses the modern algorithms and is recommended by security experts. You should use GnuPG 1.x only if your distribution does not support GnuPG 2.x.
Install GnuPG
GnuPG comes pre-installed by default in most Linux distributions. If it is not by any chance, you can install GnuPG using your distribution's default package manager as shown below.
To install GnuPG in Alpine Linux, run:
$ sudo apk add gnupg
On Arch Linux and its derivatives such as EndeavourOS and Manjaro Linux:
$ sudo pacman -S gnupg
On Debian, Ubuntu, Linux Mint and Pop OS:
$ sudo apt-get install gnupg
On Fedora, RHEL, CentOS, AlmaLinux and Rocky Linux:
$ sudo dnf install gnupg
On older RHEL and its clones, use yum instead of dnf.
$ sudo yum install gnupg
On SUSE/openSUSE:
$ sudo zypper in gnupg
You can check the installed GPG version at any time using command:
$ gpg --version
Sample output:
gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/ostechnix/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2Encrypt And Decrypt Files Using GnuPG
First, we will look at how to encrypt files.
Encrypt Files using GnuPG
To encrypt a file using GnuPG, run:
$ gpg -c mysecret.txt
Here, -c stands for conventional encryption, also known as symmetric encryption. Replace mysecret.txt file with your own filename in the above command.
You will be prompted to enter a passphrase to secure the file. Enter the strong passphrase twice and click OK to encrypt the file.
Heads Up: A good passphrase must be at least 8 characters long with number(s) and special character(s).
Let us verify it using ls command:
$ ls
Sample output:
mysecret.txt mysecret.txt.gpg
As you see in the above output, the new encrypted file has the same name, but with the extension .gpg added. The original file is left intact.
As stated earlier, when we use -c flag, we encrypt the file with a symmetric cipher using a passphrase. The default symmetric cipher used is AES-128. However, we can use different encryption method with the --cipher-algo option.
Once a file encrypted, You can't view the contents of the encrypted file without the passphrase.
Even if you try to open it, you will only see some random numbers and symbols as shown below.
� 0k~
f����R���)�2Y�Vm:x��h�'|u7bd�m�lA��E'�=R����,��1������(tz�-�d��9����,��*�By default, encrypted files are binary. Binary encrypted files are created with the suffix .gpg.
If you want to produce an ASCII text file instead, add the -a (armor) option:
$ gpg -c mysecret.txt
The ASCII encrypted files have the suffix .asc (i.e filename.asc).
Decrypt Files with GnuPG
To decrypt a file using GnuPG, just run:
$ gpg mysecret.txt.gpg
GnuPG automatically detects that the file is encrypted with a passphrase and asks for that passphrase. Just enter the correct passphrase, select Ok and hit Enter.
If the passphrase is correct, then it writes the decrypted data to a file with the same name but without the .gpg extension. Also, the encrypted file is left intact.
Let us verify it:
$ ls mysecret.txt mysecret.txt.gpg
That's it, Now you can view the decrypted file's content using any editor of your choice.
If you want the output file to be written to a different filename, use -o flag as shown below.
$ gpg -o secret.txt -d mysecret.txt.gpg
Here, -d stands for decryption and -o stands for output.
Please note that ASCII encrypted files (with the suffix .asc) can be decrypted in the same way as binary encrypted files (with the suffix .gpg).
To know more details about GnuPG, view its help section by running this command:
$ gpg -h
Or, refer gpg man pages:
$ man gpg
Conclusion
As you can see, encrypting and decrypting files using GnuPG is quite easy! You don't need to be an expert or an experienced Linux admin to encrypt/decrypt files.
Resource:
3 comments
Thanks. I want to become a ninja someday.
The command lines can be used to setup Thunar custom actions. Then, if you use the Thunar file manager, encrypting and decrypting can be as simple as right clicking in a GUI.
Yes. Thunar is my current file manager. It is fast and feature-rich file manager ever I have used.