Encrypt Files

OpenSSL

A single file

  Encrypt and decrypt:
# openssl aes-128-cbc -salt -in file -out file.aes
# openssl aes-128-cbc -d -salt -in file.aes -out file

  Note that the file can of course be a tar archive.

tar and encrypt a whole directory

# tar -cf - directory | openssl aes-128-cbc -salt -out directory.tar.aes      # Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.aes | tar -x -f -            # Decrypt

tar zip and encrypt a whole directory

# tar -zcf - directory | openssl aes-128-cbc -salt -out directory.tar.gz.aes  # Encrypt
# openssl aes-128-cbc -d -salt -in directory.tar.gz.aes | tar -xz -f -        # Decrypt

    * Use -k mysecretpassword after aes-128-cbc to avoid the interactive password request.
      However, note that this is highly insecure.
    * Use aes-256-cbc instead of aes-128-cbc to get even stronger encryption. This also uses
      more CPU.
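  The tar | openssl pipeline above, as an added example that is not part of the original
  toolbox page: two small functions plus a self-checking round trip on constructed data. It
  reads the passphrase with -pass file: instead of -k, which keeps it out of the process list
  and the shell history, and uses -pbkdf2 (OpenSSL 1.1.1 or later is assumed) instead of the
  legacy key derivation. The directory layout, file names and passphrase are all constructed.

```shell
#!/bin/sh
# Added example, not part of the original toolbox page: the tar | openssl
# pipeline from above wrapped in two functions, plus a self-checking round
# trip on constructed data. Assumes OpenSSL 1.1.1 or later (for -pbkdf2).
set -eu

# Encrypt directory $1 into file $2, reading the passphrase from file $3.
# -pass file: keeps the passphrase out of `ps` output and shell history,
# which is exactly the problem with -k on the command line.
# -pbkdf2 -iter replaces the legacy single-round key derivation.
encrypt_dir() {
    tar -cf - -C "$(dirname "$1")" "$(basename "$1")" |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
            -pass "file:$3" -out "$2"
}

# Decrypt archive $1 into existing directory $2 with passphrase file $3.
# Cipher, -pbkdf2 and -iter must match what was used to encrypt.
decrypt_dir() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -pass "file:$3" -in "$1" |
        tar -xf - -C "$2"
}

# Build a small constructed tree, encrypt it, decrypt it elsewhere and
# compare. Prints "ok" and returns 0 only if every file came back identical.
roundtrip_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/sub" "$work/dst"
    printf 'hello\n' > "$work/src/a.txt"                 # constructed data
    head -c 4096 /dev/urandom > "$work/src/sub/b.bin"    # constructed data
    # Passphrase file created mode 0600; constructed passphrase for the demo.
    (umask 077; printf 'correct horse battery staple\n' > "$work/pass")

    encrypt_dir "$work/src" "$work/src.tar.aes" "$work/pass"
    decrypt_dir "$work/src.tar.aes" "$work/dst" "$work/pass"

    status=0
    # Files written with -salt start with the 8-byte magic "Salted__".
    [ "$(head -c 8 "$work/src.tar.aes")" = "Salted__" ] || status=1
    cmp -s "$work/src/a.txt" "$work/dst/src/a.txt" || status=1
    cmp -s "$work/src/sub/b.bin" "$work/dst/src/sub/b.bin" || status=1
    rm -rf "$work"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

roundtrip_demo
```

  Two things to keep in mind when decrypting files made with the plain commands above:
  OpenSSL 1.1.0 changed the default digest of the legacy key derivation from MD5 to SHA-256,
  so a file encrypted by an older release needs -md md5 to decrypt on a newer one, and
  aes-*-cbc carries no authentication tag, so a wrong passphrase or a corrupted file is only
  caught indirectly (usually as "bad decrypt" from the padding check, or by tar refusing the
  output).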

GPG

  GnuPG is well known for encrypting and signing emails or any other data, and it also
  provides an advanced key management system. This section only covers file encryption, not
  email usage, signing or the Web-Of-Trust.
  The simplest encryption is with a symmetric cipher. In this case the file is encrypted with
  a password and anyone who knows the password can decrypt it, so no keys are needed.
  Gpg adds the extension ".gpg" to the encrypted file names.
# gpg -c file                        # Encrypt file with password
# gpg file.gpg                       # Decrypt file (optionally -o otherfile)

Using keys

  For more details see GPG Quick Start (http://www.madboa.com/geek/gpg-quickstart), GPG/PGP
  Basics (http://aplawrence.com/Basics/gpg.html) and the gnupg documentation
  (http://gnupg.org/documentation) among others.
  The private and public keys are the heart of asymmetric cryptography. What is important to
  remember:
    * Your public key is used by others to encrypt files that only you as the receiver can
      decrypt (not even the one who encrypted the file can decrypt it). The public key is
      thus meant to be distributed.
    * Your private key is encrypted with your passphrase and is used to decrypt files which
      were encrypted with your public key. The private key must be kept secure. Also if the
      key or passphrase is lost, so are all the files encrypted with your public key.
    * The key files are called keyrings as they can contain more than one key.

  First generate a key pair. The defaults are fine, however you will have to enter at least
  your full name and email and optionally a comment. The comment is useful to create more
  than one key with the same name and email. Also you should use a "passphrase", not a simple
  password.
# gpg --gen-key                      # This can take a long time

  The keys are stored in ~/.gnupg/ on Unix, on Windows they are typically stored in
  C:/Documents and Settings/%USERNAME%/Application Data/gnupg/.
~/.gnupg/pubring.gpg                 # Contains your public keys and all others imported
~/.gnupg/secring.gpg                 # Can contain more than one private key

  Short reminder on most used options:
    * -e encrypt data
    * -d decrypt data
    * -r NAME encrypt for recipient NAME (or 'Full Name' or 'email@domain')
    * -a create ascii armored output of a key
    * -o use as output file

  The examples use 'Your Name' and 'Alice' as the keys are referred to by the email or full
  name or partial name. For example I can use 'Colin' or '[email protected]' for my key [Colin Barschel
  (cb.vu) <[email protected]>].

Encrypt for personal use only

  No need to export/import any key for this. You have both already.
# gpg -e -r 'Your Name' file                  # Encrypt with your public key
# gpg -o file -d file.gpg                     # Decrypt. Use -o or it goes to stdout

Encrypt - Decrypt with keys

  First you need to export your public key for someone else to use it, and you need to import
  the public key of, say, Alice to encrypt a file for her. You can either handle the keys in
  simple ascii files or use a public key server.
  For example Alice exports her public key and you import it; you can then encrypt a file for
  her. That is, only Alice will be able to decrypt it.
# gpg -a -o alicekey.asc --export 'Alice'     # Alice exported her key in ascii file.
# gpg --send-keys --keyserver subkeys.pgp.net KEYID   # Alice put her key on a server.
# gpg --import alicekey.asc                   # You import her key into your pubring.
# gpg --search-keys --keyserver subkeys.pgp.net 'Alice' # or get her key from a server.

  Once the keys are imported it is very easy to encrypt or decrypt a file:
# gpg -e -r 'Alice' file                      # Encrypt the file for Alice.
# gpg -d file.gpg -o file                     # Decrypt a file encrypted by Alice for you.
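  The symmetric gpg -c / gpg -d round trip from above and the export / import /
  encrypt-for-Alice workflow of this section, as an added example that is not part of the
  original toolbox page. It runs everything between throw-away keyrings selected with
  GNUPGHOME so it is repeatable offline, and assumes GnuPG 2.1 or later. "Alice", "Bob", their
  addresses, the sample files and the passphrase are constructed; the demo keys are generated
  with %no-protection (no passphrase), which is acceptable only because they are thrown away.

```shell
#!/bin/sh
# Added example, not part of the original toolbox page: the symmetric (gpg -c)
# and the export / import / encrypt-for-recipient workflows above, run between
# throw-away keyrings (GNUPGHOME) so the whole thing is repeatable offline.
# Assumes GnuPG 2.1 or later. "Alice", "Bob" and their addresses are constructed.
set -eu

# Generate an RSA key pair in keyring dir $1 for "$2 <$3>" without any prompt.
# %no-protection leaves the secret key unencrypted: acceptable for a demo key,
# never for a real one, which should get the passphrase discussed above.
gen_key() {
    GNUPGHOME=$1 gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

# Stop the gpg-agent started for keyring $1 and remove the directory.
cleanup() {
    GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# gpg -c / gpg -d round trip with the passphrase read from a 0600 file rather
# than typed at the prompt. Prints "ok" when the plaintext comes back intact.
symmetric_demo() {
    home=$(mktemp -d)
    printf 'quarterly numbers\n' > "$home/file"              # constructed data
    (umask 077; printf 'constructed passphrase\n' > "$home/pass")
    GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$home/pass" -c "$home/file"
    GNUPGHOME=$home gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-file "$home/pass" -o "$home/out" -d "$home/file.gpg"
    cmp -s "$home/file" "$home/out" && echo ok
    cleanup "$home"
}

# Alice exports her public key, Bob imports it and encrypts a file for her.
# Prints "alice-ok bob-cannot": Alice can decrypt, Bob (the sender) cannot.
asymmetric_demo() {
    alice=$(mktemp -d); bob=$(mktemp -d)
    gen_key "$alice" Alice alice@example.com
    gen_key "$bob"   Bob   bob@example.com

    # Alice: ascii-armored export of her public key (gpg -a -o ... --export).
    GNUPGHOME=$alice gpg --batch --quiet -a -o "$bob/alicekey.asc" --export 'Alice'
    # Bob: import it into his public keyring.
    GNUPGHOME=$bob gpg --batch --quiet --import "$bob/alicekey.asc"

    printf 'for alice only\n' > "$bob/file"                  # constructed data
    # Bob encrypts for Alice. --trust-model always bypasses the Web-of-Trust
    # check on the freshly imported key; outside a demo, compare the key's
    # fingerprint (gpg --fingerprint) with Alice through another channel.
    GNUPGHOME=$bob gpg --batch --quiet --trust-model always -e -r 'Alice' "$bob/file"

    result=""
    # Alice decrypts with her secret key and gets the original back.
    if GNUPGHOME=$alice gpg --batch --quiet -o "$alice/out" -d "$bob/file.gpg" 2>/dev/null &&
       cmp -s "$bob/file" "$alice/out"; then
        result="alice-ok"
    fi
    # Bob produced the ciphertext but holds no secret key for it: must fail.
    if ! GNUPGHOME=$bob gpg --batch --quiet -o "$bob/out" -d "$bob/file.gpg" 2>/dev/null; then
        result="$result bob-cannot"
    fi
    cleanup "$alice"; cleanup "$bob"
    echo "$result"
}

symmetric_demo
asymmetric_demo
```

  The second check is the practical meaning of "not even the one who encrypted the file can
  decrypt it": Bob holds only Alice's public key, so his own gpg -d fails with "No secret
  key". Note also that on GnuPG 2.1 and later the keyring files differ from the ones listed
  above: secret keys live in private-keys-v1.d/ and a fresh public keyring is pubring.kbx;
  the pubring.gpg / secring.gpg names are from GnuPG 1.x and 2.0.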

Key administration

# gpg --list-keys                             # list public keys and see the KEYIDS
  The KEYID follows the '/', e.g. for: pub   1024D/D12B77CE the KEYID is D12B77CE
# gpg --gen-revoke 'Your Name'                # generate revocation certificate
# gpg --list-secret-keys                      # list private keys
# gpg --delete-keys NAME                      # delete a public key from local key ring
# gpg --delete-secret-key NAME                # delete a secret key from local key ring
# gpg --fingerprint KEYID                     # Show the fingerprint of the key
# gpg --edit-key KEYID                        # Edit key (e.g sign or add/del email)