How to Encrypt Your Files
Sun, 09 Apr 2023 15:23:41 -0500
Public key encryption has been around for a long time, but it is something that few people use. Your data is always at risk of being leaked, intercepted, sold by malicious actors, and used for other nefarious purposes. Public key encryption is one of the few safeguards we have against malicious actors and snooping corporations. We will go over how to create a GNU Privacy Guard (GPG) key pair and how to use it to encrypt files on your computer.
Generate a GPG key pair
If you run some version of GNU/Linux, setting up a GPG key pair is a fairly straightforward process. The gpg program should be installed on your system by default, but if it's not, it is in most distribution repositories as either gpg or gpg2.
After installing, begin by opening up a terminal, and enter the following command.
$ gpg --full-gen-key
This will open up a text based menu. We will go over it below step by step.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
Unless you know what you want, it is best to go with the default option (1). Next, you will be prompted to choose the length of your key. It will give you options between 1024 and 4096 bits. As of writing, the default is 3072; it is always best to make your key as long as possible, so we will choose 4096. This will make our encrypted messages harder to crack.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Next, it will ask when you want your key to expire. This is generally a good idea. In the event that your computer is compromised it is nice to know that your GPG keys will expire at some point in the future. If you don't want your keys to expire, choose 0. For our example, we will set our key to expire in 6 months.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 6m
Next, it will ask for a user ID. This can be your name, nickname, or some other identification that you want to assign to your key (just make sure it is at least 5 characters long, otherwise gpg won't accept it). This will be followed by a request for an email address, and finally a comment to help you remember the purpose of the key.
GnuPG needs to construct a user ID to identify your key.
Real name: John Doe
Email address: john@email.tld
Comment: My GPG Key
After hitting enter, the menu will show you what you entered and ask if everything is okay. If not, you can go back and edit. When you hit enter, you will be prompted to add a passphrase to your GPG key. It is a good idea to protect your GPG key with a strong passphrase in case someone ever gets hold of your secret key. It's an additional layer of security that can go a long way. Choose a good passphrase that you can remember. Don't try to get fancy and use a massive 32-character string of random symbols you won't remember.
Finally, after all this setup, the gpg program will generate your keys. While this is happening, it is a good idea to mash the keyboard, open programs, and move your mouse around. This introduces randomness into the system (called entropy in cryptography), which improves the security of your key. After this is done, you have a GPG key pair! Your key pair is stored in the ~/.gnupg directory. You can view it there.
Encrypting and decrypting text files
Let's see how we can use it to encrypt files! Suppose that I have some file called secrets.txt that contains some important information that I want to encrypt. I can run the following command using my GPG key pair to hide the file's contents.
$ gpg -r john@email.tld -e secrets.txt
Note that the -r flag indicates who the recipient of the file is, and the -e flag tells gpg to encrypt the file that follows it. After the command has executed, it will produce a file called secrets.txt.gpg. If you open this file in a text editor, you should see a mess of random characters: that means it worked! You will notice that this command does not get rid of the original file, secrets.txt. If you don't want the plain text version of the file on your system anymore, you will need to delete it. Be careful though! In most file systems, a simple delete such as rm will not destroy the data in the file. Instead, it simply removes the pointer to the file. This means that all of the data in secrets.txt is still somewhere on your hard drive in plain text. If someone had access to your drive, they could still read that information.
Instead, you can use the shred command to overwrite the file before deleting it. In fact, if you run shred with the -u flag, it will overwrite a file and delete it all in one go.
$ shred -u secrets.txt
In order to decrypt your files, all you have to do is run gpg with the -d flag for decrypt. When you run the command, you will be prompted for your passphrase. Then gpg will decrypt your file. Note that this writes the decrypted output to standard output, so if you want to save that information, it's a good idea to redirect the output into a new file. Then you can open it up in a text editor to read.
$ gpg -d secrets.txt.gpg > secrets.txt
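To check that the whole procedure above actually round-trips, here is an added example script (not part of the original post) that runs every step unattended inside a throw-away GNUPGHOME, so it never touches your real ~/.gnupg. It generates the same kind of key the menu walk-through produces (RSA/RSA, 4096 bits, expiring in 6 months), encrypts a constructed secrets.txt to it, confirms the output is an OpenPGP message, shreds the plaintext, decrypts, and compares checksums. It assumes GnuPG 2.x (gpg, gpgconf) and GNU coreutils shred are on PATH; the name, email address and passphrase are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: unattended round trip of
# key generation -> encrypt -> shred -> decrypt, entirely in a temp dir.
# Assumes GnuPG 2.x and GNU coreutils shred. All identities are samples.
set -eu

gpg_roundtrip() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Let gpg read the passphrase from a file descriptor instead of
    # opening a pinentry dialog; only sensible for a scripted demo.
    echo 'pinentry-mode loopback' > "$GNUPGHOME/gpg.conf"
    echo 'allow-loopback-pinentry' > "$GNUPGHOME/gpg-agent.conf"

    passphrase='correct horse battery staple'   # constructed sample value

    # Batch equivalent of the --full-gen-key menu: each parameter answers
    # one interactive prompt (RSA/RSA, 4096 bits, 6 months, user ID).
    cat > "$work/keyparams" <<EOF
%echo generating sample key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: John Doe
Name-Comment: My GPG Key
Name-Email: john@email.tld
Expire-Date: 6m
Passphrase: $passphrase
%commit
%echo done
EOF
    gpg --batch --quiet --generate-key "$work/keyparams"

    # Constructed plaintext standing in for secrets.txt
    printf 'account: example\npin: 0000\n' > "$work/secrets.txt"
    before=$(cksum < "$work/secrets.txt")

    # -r selects the recipient key, -e encrypts the file that follows;
    # gpg writes secrets.txt.gpg next to the input.
    gpg --batch --quiet -r john@email.tld -e "$work/secrets.txt"
    test -s "$work/secrets.txt.gpg"

    # Before destroying the plaintext, confirm the output really is an
    # OpenPGP message addressed to a public key.
    printf '%s' "$passphrase" | gpg --batch --quiet --passphrase-fd 0 \
        --list-packets "$work/secrets.txt.gpg" | grep -q 'pubkey enc packet'

    # Overwrite, then unlink, the plaintext (see the caveat below)
    shred -u "$work/secrets.txt"
    test ! -e "$work/secrets.txt"

    # Decrypt; the passphrase comes from stdin instead of a prompt
    printf '%s' "$passphrase" | gpg --batch --quiet --passphrase-fd 0 \
        -d "$work/secrets.txt.gpg" > "$work/secrets.txt"
    after=$(cksum < "$work/secrets.txt")

    # Tear down the throw-away agent, keyring and files
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    unset GNUPGHOME

    # Succeeds only if the decrypted file matches the original byte for byte
    [ "$before" = "$after" ]
}

if [ "${1:-}" = "--run" ]; then
    gpg_roundtrip && echo "round trip OK: decrypted file matches the original"
fi
```

Run it as `sh roundtrip.sh --run`. Two caveats for real use: the loopback pinentry and the passphrase in the parameter file exist only so the demo can run without a terminal; for your own key keep the normal pinentry prompt and never store the passphrase in a file. And shred's overwrite only reliably destroys data on filesystems that rewrite blocks in place; its own documentation notes it is not effective on journaled or copy-on-write filesystems and on SSDs with wear levelling, so on such systems full-disk encryption is the safeguard against the leftover plaintext the post warns about.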
That's all there is to it. Now you can encrypt and decrypt your files with ease!