There is no absolute security on the internet or through a network. Because our equipment is regularly connected to the internet and there is some communication, we need to protect the critical information we exchange. Encryption will be a welcome safeguard for whenever you, your family, or business partners need to communicate sensitive information from one side of the globe to the other. Encryption provides confidentiality although signing binds the identity of the message source to this message. It ensures data integrity, message authentication, and non-repudiation altogether.
The principles of encrypting and signing messages
Message encryption makes the whole message unreadable to anyone but the owner of the corresponding private key. When you sign a message, then it creates a fingerprint for the message just to make sure that the content hasn't been altered, but it has no effect on the message itself and the message will never be encrypted. The fingerprint can be verified against a public key. This does not make a message unreadable to anyone but can verify that the message really originated from the sender and was not altered since. Of course, this requires you to trust the public key.
The security is assured by private and public keys. Any private key has one public key and any public key has one private key it is always one to one mapping. Establishing a secure communication means that you have already exchanged public keys with people or organization you trust in. So each party has their own private key and the other user's public key.
In our scenario, there are two persons who want to communicate and they put their public keys on keyserver:
- firstname.lastname@example.org: ID_KEY BAC361F1
- email@example.com: ID_KEY B6D7943C
It means that my_name@linoxide must import the public key of reader and vice versa. So to write to firstname.lastname@example.org, email@example.com will use reader's public key and vice versa.
$ gpg --keyserver pgp.mit.edu --search-keys firstname.lastname@example.org gpg: searching for "email@example.com" from hkp server pgp.mit.edu (1) reader <firstname.lastname@example.org> 4096 bit RSA key B6D7943C, created: 2017-04-01 $ gpg --keyserver pgp.mit.edu --recv-keys B6D7943C
The sender of a message (email@example.com) can "sign" the message with his private key. The receiver (firstname.lastname@example.org) uses the public key of the sender to verify that the signature is actually being sent by the indicated user. This can prevent a third-party from "spoofing" the identity of someone. It also helps to ensure that the message was transmitted in full, without damage or file corruption.
GPG Command to Encrypt and Decrypt Files
Encryption process always creates a file with
.asc extension. So take a look by listing the content folder when terminating an encryption command. It will not delete the original file so be careful. When decrypting, if we use
--output parameter, the command will redirect the result in file specified which follows the option. Without the parameter, it will create the decrypted file with the same of the encrypted file but without .gpg extension
Encrypt with a symmetric key
This method will ask you to enter a passphrase which you will give to your receiver in order to decrypt the file
$ gpg -c file_sym
Decrypt a symmetric encryption
$ gpg --output file-content file_sym.gpg $ gpg file_sym.gpg $ gpg -d file_sym.gpg
- The first command creates a decrypted file named file-content
- the second command creates decrypted file file_sym with the result.
gpg -dprints the result on the console.
Symmetric Decryption will ask for the passphrase used to encrypt the file and will put the result of the decrypted file
Encrypt with public key for a particular user
The encryption with public key means that you already have public keys of those with whom you want to communicate. So, you will first choose the recipient by listing public keys on your keyring so that you will use a value of his
uid to encrypt file.
--armor parameter is used for ASCI armored message, useless to send file by mail
$ gpg --encrypt --armor --recipient email@example.com file_pub
Encrypt and signing with public key
When you want to sign a file to send, it means that your receiver and you have generated public keys that you have already exchanged. The sender have to know his own passphrase which gives him access to his private key that he will use to sign encrypted messages
$ gpg --sign --encrypt --armor --recipient firstname.lastname@example.org file_pub_sign You need a passphrase to unlock the secret key for user: "reader <email@example.com>"
See that reader@linoxide need his own passphrase to sign the encrypted file that he will send to firstname.lastname@example.org
Encrypt multiples files with public key
To encrypt multiples files, there two parameters that we use:
--multifile (obligatory followed by --encrypt). You can see that we don't use
--sign parameter. During my test, it seems doesn't work together.
$ gpg --encrypt-files --armor --recipient email@example.com course car
gpg --multifile --encrypt --armor --recipient firstname.lastname@example.org course car
Decrypt with private key
When you encrypt a file with the public key of your recipient, you send it to him by a communication way. To decrypt the received file, he will use the private key (referenced by his own passphrase) corresponding to his own public key that you have used to encrypt the file. To decrypt an encrypted file into digital content or not, the command is the same as you see below
$ gpg file_pub.asc You need a passphrase to unlock the secret key for user: "my_name (my-key-pair) <email@example.com>" $ gpg file_pub_sign.asc You need a passphrase to unlock the secret key for user: "my_name (my-key-pair) <firstname.lastname@example.org>" $ gpg --decrypt-files course.asc car.asc
The last command decrypts mutiple files
To encrypt and sign your email, you can write the message to a file, use gpg to encrypt and sign it with the methods that we have seen and you could send it by the normal way. Your receiver must have your public key in order to decrypt your message.
You can also install enigmail which can be used to encrypt email from thunderbird using the public key of the recipient that you have
# apt-get install enigmail
Launch thunderbird, it will launch the setup wizard for enigmail:
- How will you like to configure enigmail: extended configuration
- create or import opengpg keys: import existing public and secret keys
- import opengpg keys: choose your public and private key file located in /home/username/.gnupg/. Choose pubring and secring files.
- key selection: select recipients who will receive the encrypted e-mail : email@example.com
Now that the setup is completed, you can write a new message to your recipient with thunderbird.
You will see that encryption will be automatically activated when you will choose the same recipient for email.
Now you know how to encrypt files and sign a document using gpg in linux. For good security, you must verify that the public key you receive exactly come from a person you know before adding it to your public keyring.