Encryption commands such as gpg can be used to secure your most sensitive files on Linux systems. Credit: Amanda Slater There are many reasons to encrypt files — even on a system that is well maintained and comparatively secure. The files may highly sensitive, contain personal information that you don’t want to share with anyone, or be backed up to some variety of online storage where you’d prefer it be extra secure. Fortunately, commands for reliably encrypting files on Linux systems are easy to come by and quite versatile. One of the most popular is gpg. gpg vs pgp and OpenPGP Used both to encrypt files in place and prepare them to be sent securely over the Internet, gpg is related to, but not the same as, pgp and OpenPGP. While gpg is based on the OpenPGP standards established by the IETF, it is — unlike pgp — open source. Here’s the rundown: OpenPGP is the IETF-approved standard that defines encryption technology that uses processes that are interoperable with PGP. pgp is Symantec’s proprietary encryption solution. gpg adheres to the OpenPGP standard and provides an interface that allows users to easily encrypt their files. Using gpg for symmetric encryption Symmetric encryption means that you use the same key to both encrypt and decrypt a file. To encrypt a file with minimal effort, you could use a command like this: $ gpg2 --symmetric myfile This command will leave you with two files — myfile and myfile.gpg. Once you verify that the encrypted version of your original file has been created, you can use the shred command to securely remove the original file in a way that prevents it from being scraped off the disk with some disk recovery tool. During the encryption process, this command will also open up a tool on your desktop to prompt you twice to enter your passphrase. So, you have to be working on the desktop. To do this kind of thing when you’re not working on the console, you can avoid having gpg trying to open up a GUI tool to prompt for your passphrase by supplying it on the command. In this case, you might use a command like this: $ gpg --pinentry-mode loopback --passphrase 88bottlesOfBeer --symmetric myfile $ ls -l myfile.* -rw-r--r-- 1 shs shs 48721 Jul 30 19:52 myfile.gpg NOTE: It’s bad practice to store your passphrase in clear text — even in your command history file, so be careful if you do this. Using public and private keys To use gpg for creating files that you want to share with other people, it’s generally best to use private/public keys. To share a file with a particular person, you encrypt it using their public key. In that case, that person is (presumably) the only one who can decrypt it. If you encrypt a file with your own public key, you’re the only one who can decrypt it. To generate your public and private key set with gpg, you would use a command like this: $ gpg --gen-key Note that this command also requires that you be working on the console (GUI), not through an ssh session. The command is going to require that you produce some activity while your keys are bring generated — such typing or as moving your mouse cursor around the screen — to provide random data to the encryption process. It will also ask you to supply some information, such as your full name and the email address to be used for the key. To encrypt a file for a particular recipient, you need to use a command that includes the –recipient argument to specify the recipient’s public key. $ gpg --encrypt --recipient myfriend@gmail.com instructions $ ls -l instructions.* -rw-rw-r-- 1 shs shs 51665 Jul 30 19:34 instructions.gpg It’s interesting to note that while the private and public keys are linked (generated in a single operation), either key could play either role. If you encrypt with the public key, you could decrypt with the private key If you encrypt with the private key, you could decrypt with a public key Convention dictates, however, that private keys are kept private. We also haven’t looked at how public keys are used for authenticating senders. Other command options The gpg command offers many other options, as well. For example, if you prefer to use other than the default AES-128 encryption algorithm, you can specify the one you want to use with a command like this: $ gpg --cipher-algo AES256 --symmetric myfile You can list your keys with this command: $ gpg --list-keys Wrap-up While gpg commands can become quite complicated, the things you’re likely to do routinely can be accomplished without a lot of effort. Related content how-to How to find files on Linux There are many options you can use to find files on Linux, including searching by file name (or partial name), age, owner, group, size, type and inode number. By Sandra Henry Stocker Jun 24, 2024 8 mins Linux opinion Linux in your car: Red Hat’s milestone collaboration with exida With contributions from Red Hat and critical collaborators, the safety and security of automotive vehicles has reached a new level of reliability. By Sandra Henry Stocker Jun 17, 2024 5 mins Linux how-to How to print from the Linux command line: double-sided, landscape and more There's a lot more to printing from the Linux command line than the lp command. Check out some of the many available options. By Sandra Henry Stocker Jun 11, 2024 6 mins Linux how-to Converting between uppercase and lowercase on the Linux command line Converting text between uppercase and lowercase can be very tedious, especially when you want to avoid inadvertent misspellings. Fortunately, Linux provides a handful of commands that can make the job very easy. By Sandra Henry Stocker Jun 07, 2024 5 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe