PGP File Encryption Using GnuPG

July 19th, 2006 Da Vinci

I frequently get asked how to encrypt files using Pretty Good Privacy (PGP). There is very good documentation available on the Web, but here is my condensed version.

Public key cryptography uses a pair of keys for encryption: a public key, which encrypts data, and a corresponding private, or secret key for decryption. Your public key can be distributed to anyone and does not pose a risk. Your private key needs to be kept safe and not given to anyone. Anyone with a copy of your public key can encrypt information that only you can decrypt using your private key.

I use free software called GnuPG (http://gnupg.org/). Once you have the software installed you need to create a public/private key pair, and then you need to exchange public keys with the party with whom you wish to exchange encrypted files.

Here’s what you need to do:

1. Download and follow the instructions to install the software:
http://www.gnupg.org/(en)/download/index.html (look for the Binaries section to make your life easier)

2. Generate a public/private key pair: Go to your GnuPG install directory and type in gpg --gen-key. The defaults shown below are those of GnuPG 1.4 in 2006 (a 1024-bit DSA signing key with a 2048-bit Elgamal encryption subkey, never expiring); current GnuPG versions default to larger RSA or elliptic-curve keys, and you should accept those. The one default worth overriding is the expiry: give the key an expiry date (it can be extended later) so that a key whose private half or passphrase you lose does not stay valid forever.

C:\Program Files\GNU\GnuPG>gpg --gen-key
gpg (GnuPG) 1.4.4; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `C:/Documents and Settings/Leonard/Application Data/gnupg\secring.gpg' created
gpg: keyring `C:/Documents and Settings/Leonard/Application Data/gnupg\pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Leonard Labuschagne
Email address: leonard@davinciplanet.com
Comment: Da Vinci Planet
You selected this USER-ID:
"Leonard Labuschagne (Da Vinci Planet) <leonard@davinciplanet.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. …. [lots of text and characters while generating keys]
gpg: C:/Documents and Settings/Leonard/Application Data/gnupg\trustdb.gpg: trust db created
gpg: key 51756B80 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/51756B80 2006-07-18
Key fingerprint = 2492 ACA4 EA74 BF33 C45E 31D5 F719 9D78 5175 6B80
uid Leonard Labuschagne (Da Vinci Planet)
sub 2048g/C3BFDE51 2006-07-18

3. Export your public key so that you can give it to others. Run a command similar to this one, replacing the name in quotes with the name you chose when you generated the key pair. --armor produces plain ASCII text that survives e-mail and copy-and-paste. The name is matched as a substring of the user ID, so if more than one key could match, give the key ID or fingerprint from the gpg output instead (51756B80 in the example above):
gpg --armor --output YourCompany.asc --export "YourCompany"

C:\Program Files\GNU\GnuPG>gpg --armor --output DaVinciPlanet.asc --export "Leonard Labuschagne (Da Vinci Planet)"

4. To encrypt a file for someone else to decrypt you have to import their public key. Copy their public key file to your GnuPG install directory and run the command gpg --import other_persons_pub_key_file.asc

5. Verify and sign their public key. Before signing, check the key's fingerprint (gpg --fingerprint "their User ID" shows it) against a value they gave you over a separate channel, such as a phone call; signing an unverified key is how you end up encrypting for an impostor. Then run gpg --sign-key "their User ID" (the User ID is the name they gave their key). If you only want GnuPG to accept the key on your own machine, gpg --lsign-key "their User ID" makes a local, non-exportable signature instead.

To encrypt files, use the following format (-e encrypt, -q quiet, -r recipient, -o output file; --yes overwrites an existing output file without asking):
gpg --yes -eq -r "their User ID" -o encrypted_file.pgp file_to_encrypt

For instance, if someone wanted to send me an encrypted file, they would use the following:

gpg --yes -eq -r "Leonard Labuschagne (Da Vinci Planet) <leonard@davinciplanet.com>" -o encrypted_file.pgp file_to_encrypt

Note that this only encrypts; it does not prove who sent the file. If the recipient needs that, sign the file as well as encrypting it, which in turn requires that the recipient holds your public key.

To decrypt files, use the following format (gpg recognises that the input is encrypted, asks for your passphrase and writes the plaintext to the named file):
gpg -o decrypted_file_name file_to_decrypt.pgp
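The five steps plus the encrypt and decrypt commands, run end to end as an added example: this is a bash script written for this edit, not code from the original post. It uses GnuPG 2.x batch options in place of the interactive prompts shown above, and two throwaway keyring directories stand in for the two parties' machines. "Alice", "Bob", their addresses, the file names and the file contents are made up; the only environmental assumption is gpg 2.1 or newer on the PATH.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: the article's steps 2-5
# plus encrypt/decrypt, end to end, with GnuPG 2.x in throwaway keyrings.
# Assumptions: gpg 2.1+ on PATH. "Alice", "Bob", their addresses and the
# file names/contents are placeholders made up for this demonstration.
set -euo pipefail

WORK_ROOT=$(mktemp -d)
trap 'rm -rf "$WORK_ROOT"' EXIT

# Step 2 without prompts: a batch parameter file. %no-protection keeps the
# demo non-interactive; a real key must have a passphrase. An expiry is set
# instead of "never": it can be extended later, while a lost key stays
# valid until it expires unless you kept a revocation certificate.
gen_key() {   # gen_key <gnupghome> <real name> <email>
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
}

# Primary-key fingerprint of <email> in <gnupghome>, from colon-separated output.
fingerprint() {   # fingerprint <gnupghome> <email>
  gpg --homedir "$1" --with-colons --fingerprint --list-keys "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 when a file Bob encrypts for Alice decrypts on Alice's side to
# the original bytes, non-zero otherwise.
pgp_roundtrip() {
  local work alice bob fpr_oob fpr_seen h
  work=$(mktemp -d "$WORK_ROOT/run.XXXXXX")
  alice="$work/alice"; bob="$work/bob"       # two machines, in effect
  mkdir -m 700 "$alice" "$bob"

  gen_key "$alice" "Alice Example" alice@example.com
  gen_key "$bob"   "Bob Example"   bob@example.com

  # Step 3: Alice exports her public key, ASCII-armored, and hands it to Bob.
  gpg --homedir "$alice" --armor --output "$work/alice.asc" --export alice@example.com

  # Step 4: Bob imports it.
  gpg --homedir "$bob" --quiet --import "$work/alice.asc"

  # Step 5, with the check the article leaves out: before certifying, Bob
  # compares the imported key's fingerprint with one Alice gave him out of
  # band. Reading it from Alice's own keyring here stands in for that phone call.
  fpr_oob=$(fingerprint "$alice" alice@example.com)
  fpr_seen=$(fingerprint "$bob"   alice@example.com)
  if [ -z "$fpr_seen" ] || [ "$fpr_oob" != "$fpr_seen" ]; then
    echo "fingerprint mismatch, refusing to certify Alice's key" >&2
    return 1
  fi
  # Local (non-exportable) certification: makes the key valid on Bob's machine
  # without publishing an attestation. --quick-sign-key is the exportable form.
  gpg --homedir "$bob" --batch --yes --quiet --quick-lsign-key "$fpr_seen"

  # Encrypt for Alice; the long-option form of  gpg --yes -eq -r "<uid>" -o out.pgp in
  printf 'constructed sample: Q3 revenue up 12%%\n' > "$work/report.txt"
  gpg --homedir "$bob" --batch --yes --quiet --encrypt --recipient alice@example.com \
      --output "$work/report.txt.pgp" "$work/report.txt"

  # Decrypt on Alice's side; the explicit form of  gpg -o out in.pgp
  gpg --homedir "$alice" --batch --yes --quiet --decrypt \
      --output "$work/report.decrypted.txt" "$work/report.txt.pgp"

  # Stop the per-keyring agents before the trap deletes their directories.
  for h in "$alice" "$bob"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
  cmp -s "$work/report.txt" "$work/report.decrypted.txt"
}

if pgp_roundtrip; then echo "round trip OK"; else echo "round trip FAILED" >&2; exit 1; fi
```

Run it as-is; it prints "round trip OK". The --quick-lsign-key call is the script's version of step 5, except that it refuses to sign when the fingerprint comparison fails, and that comparison is what gives the signature any meaning.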

The GNU Privacy Guard – gnupg.org

Other Resources:
A Practical Introduction to GNU Privacy Guard in Windows – glump.net
GnuPG on WikiPedia


3 Responses to “PGP File Encryption Using GnuPG”

  1. Sana Says:

    Hi there…

    Really informative article, but I need one help: basically I want to use GPG in a shell script to encrypt flat files. Any idea about the commands, or if I can get any script for reference? It will be of great help.

    Thanks…
    Sana.

  2. Hans Says:

    If you didn't already set up PowerShell, first do the following:

    - To allow execution of self-made scripts, open a command prompt as administrator and type in "Set-ExecutionPolicy RemoteSigned" (without quotes).
    - To get a PowerShell context-menu entry, make and execute a .reg file with this content:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Directory\shell\powershell]
    @="PowerShell"

    [HKEY_CLASSES_ROOT\Directory\shell\powershell\command]
    @="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoExit -Command Set-Location -LiteralPath '%L'"

    Here's a small PowerShell script which symmetrically encrypts all files in a folder and decrypts all .gpg files:

    Param($modus)
    # --batch --yes: GnuPG 2.x only honours --passphrase together with --batch,
    # and --yes overwrites an existing output file instead of asking.
    if ($modus -eq "e")
    {
        $a = Read-Host "Password (spaces and special characters are ok)"
        # Encrypt every non-directory entry in the current folder to <name>.gpg
        Get-ChildItem | Where-Object {!$_.PsIsContainer} | ForEach-Object {gpg --batch --yes --symmetric --passphrase $a $_.Name}
    }
    elseif ($modus -eq "d")
    {
        $a = Read-Host "Password (spaces and special characters are ok)"
        # Decrypt every .gpg file to the same name without the extension
        Get-ChildItem * -include *.gpg | ForEach-Object {gpg --batch --yes --decrypt --passphrase $a --output $_.BaseName $_.Name}
    }
    else
    {
        $errorMessage = "Not a valid parameter. Valid parameters are e (encrypt) and d (decrypt)."
        Write-Error $errorMessage
        return
    }

    Save that script as gnupg.txt (or whatever name you like, but not gpg) and rename it to .ps1. Copy it to System32. Open a PowerShell through the context menu in the folder where you want to encrypt files. Type in gnupg (or the name you chose) and e (to encrypt) or d (to decrypt).

    PowerShell comes with Vista/7. On XP you need the .NET Framework. Of course you have to add the gpg program folder to your Windows environment variables. If you'd rather collect your scripts in a special folder than in System32, add that folder to the environment variables as well.

    To set encryption options like algorithms etc., make a gpg.conf or edit the gpg options in the script. Better to make a gpg.conf.
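Sana asked above for a shell-script version, and Hans's answer does the job in PowerShell. The following is an added example written for this edit, not Hans's script and not code from the original post: the same "encrypt every file in a folder, decrypt every .gpg" idea in bash, with two deliberate differences. The passphrase is handed to gpg on a file descriptor and never as a command-line argument (anything in argv is visible to every user on the machine via ps), and the options gpg 2.1 and later need in order to accept a scripted passphrase are included. It assumes gpg 2.1+ on the PATH; the directory, file names, file contents and passphrase are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Hans's script or code from the original post: symmetric
# bulk encryption/decryption of a folder, with the passphrase kept off argv.
# Assumes gpg 2.1+ on PATH. Directory, file names, contents and the
# passphrase below are placeholders made up for this demonstration.
set -euo pipefail

# --pinentry-mode loopback lets a scripted passphrase reach gpg 2.1+ instead of
# the agent's pinentry dialog; --batch/--yes suppress questions and overwrite
# prompts; --passphrase-fd 0 reads the passphrase from stdin, not from argv.
GPG_OPTS=(--batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0)

# encrypt_dir <dir>: read the passphrase from stdin (one line), then encrypt
# each regular file in <dir> with AES-256 to <name>.gpg. Existing .gpg files
# are skipped so a second run does not produce file.gpg.gpg. Returns non-zero
# if any file failed, after trying the rest.
encrypt_dir() {
  local dir=$1 pass f rc=0
  IFS= read -r pass
  for f in "$dir"/*; do
    [ -f "$f" ] || continue                      # skip directories and specials
    case "$f" in *.gpg) continue ;; esac         # skip earlier output
    printf '%s\n' "$pass" | gpg "${GPG_OPTS[@]}" --symmetric --cipher-algo AES256 \
        --output "$f.gpg" "$f" || { echo "encrypt failed: $f" >&2; rc=1; }
  done
  return "$rc"
}

# decrypt_dir <dir>: read the passphrase from stdin, then decrypt each *.gpg
# in <dir> to the name without the extension. A wrong passphrase makes gpg
# exit non-zero ("Bad session key"); that is reported, not hidden.
decrypt_dir() {
  local dir=$1 pass f rc=0
  IFS= read -r pass
  for f in "$dir"/*.gpg; do
    [ -f "$f" ] || continue                      # glob matched nothing
    printf '%s\n' "$pass" | gpg "${GPG_OPTS[@]}" --decrypt \
        --output "${f%.gpg}" "$f" || { echo "decrypt failed: $f" >&2; rc=1; }
  done
  return "$rc"
}

# Self-check on constructed data in a private GNUPGHOME. Returns 0 when both
# files survive the round trip and a wrong passphrase is rejected.
symmetric_roundtrip() {
  local work orig ok=0
  work=$(mktemp -d); orig=$(mktemp -d)
  export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
  printf 'constructed sample: customer,balance\nacme,1200\n' > "$orig/customers.csv"
  printf 'constructed sample: ledger 2006-07\n' > "$orig/ledger.txt"
  cp "$orig"/* "$work"/
  mkdir "$work/sub"                                   # a directory, to show it is skipped

  printf 'correct horse battery staple\n' | encrypt_dir "$work" || ok=1
  rm -f "$work/customers.csv" "$work/ledger.txt"      # only ciphertext remains now
  if printf 'wrong passphrase\n' | decrypt_dir "$work" 2>/dev/null; then ok=1; fi
  printf 'correct horse battery staple\n' | decrypt_dir "$work" || ok=1
  cmp -s "$orig/customers.csv" "$work/customers.csv" || ok=1
  cmp -s "$orig/ledger.txt"    "$work/ledger.txt"    || ok=1

  gpgconf --kill gpg-agent 2>/dev/null || true         # agent of the temporary home only
  unset GNUPGHOME
  rm -rf "$work" "$orig"
  return "$ok"
}

if symmetric_roundtrip; then echo "symmetric round trip OK"; else echo "FAILED" >&2; exit 1; fi
```

In use, pipe or type the passphrase into the function (printf '%s\n' "$pass" | encrypt_dir /path/to/folder) so that only the loop's child processes see it. Remember that symmetric encryption is only as strong as the passphrase, and that the same passphrase must be shared with whoever decrypts, which is exactly the problem the public-key workflow in the article avoids.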

  3. Hans Says:

    P.S.: After changing environment variables a reboot/logon may be required.
