Gpg: Difference between revisions
From charlesreid1
(Created page with "GPG (Gnu Privacy Gard) is a security program that can be used to do many different things; sign files, hash files, encrypt and decrypt files, etc. =Installation= ==Configuring=...") |
No edit summary |
||
| Line 104: | Line 104: | ||
GPG Documentation: CAST5 (used in symmetric encryption): | GPG Documentation: CAST5 (used in symmetric encryption): | ||
* http://www.gnu.org/software/gnu-crypto/manual/api/gnu/crypto/cipher/Cast5.html | * http://www.gnu.org/software/gnu-crypto/manual/api/gnu/crypto/cipher/Cast5.html | ||
GPG at the "Security Viewpoints" blog: | |||
* http://advosys.ca/viewpoints/tag/gpg/ | |||
Revision as of 10:08, 16 March 2011
GPG (Gnu Privacy Gard) is a security program that can be used to do many different things; sign files, hash files, encrypt and decrypt files, etc.
Installation
Configuring
To configure GPG:
# configure
# make
# make install
./configure \
--prefix=$HOME/pkg/gpg/x.x.x
Some Security Theory
Public/Private Keys
Public and private keys are used to encrypt and decrypt information in a protected way, so that only the intended recipient can decrypt the file.
Let's consider the scenario where Alice is sending a file to Bob, with a middleman eavesdropper Eve.
Alice must combine her private key with Bob's public key to obtain a special combo-key. She then uses this combo-key to encrypt the file, and then she sends it to Bob.
Bob can then decrypt the file by combining his private key with Alice's public key, which creates a complimentary combo-key, and allows Bob to decrypt the file. In this way, Alice never knows Bob's private key, and Bob never knows Alice's private key, but they can still create complimentary combo-keys to encrypt/decrypt the file.
Eve can also download the file sent from Alice to Bob, but because she does not have either Alice's private key, or Bob's private key, she cannot reconstruct the same combo-key to decrypt the file.
Performing Tasks
Encrypting/Decrypting Files
This is a method for encrypting and decrypting files using GPG. This is a handy trick if you want to store all of your usernames and passwords in a file, and want to protect it via encryption.
Encrypting With Keys
If you are paranoid, or want very strong security, you can encrypt a file so that only someone else can open it. To do this, you must create a GPG private key and a GPG public key (see #References, and GPG Quick Start).
Encrypting Without Keys
Sometimes dealing with public and private keys to encrypt a file is just a big hassle. Perhaps the other person has not created a public key; or perhaps they shared it with you, but you can't entirely trust their public key because a man in the middle could have changed it to their own key (thus allowing them to decrypt files that you think can only be decrypted by the intended recipient).
It may be advantageous, in these cases, to have a method of encrypting files that does not use public keys. This is where a handy feature called "symmetric encryption" can be used.
Symmetric encryption uses a strong cipher, called CAST5 (see #References), to encrypt a file using a passphrase, rather than a public/private key pair. As with any passphrase-protected encryption, the passphrase is the weakest link in the process, and only a very strong passphrase can give you the confidence of a strongly-encrypted file.
Keep in mind that this is not as ideal as encryption using keys, but is more convenient (security and convenience are on opposite sides of the same scale).
This can be done in gpg using the -c or --symmetric command line options:
$ gpg -c filename
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
The result of this command is a binary file, filename.gpg.
To make an armored ascii output file, use the --armor option:
$ gpg --symmetric --armor filename
Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>
The result of this command is an ascii file filename.asc.
To decrypt the gpg file:
$ gpg filename.gpg
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
WARNING: This will print the contents of your file to standard output. You definitely don't want that to happen. Instead, use the -o or --output flags to dump the decrypted contents to a file:
$ gpg filename.gpg --output decrypted_filename.txt
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
Similarly, for the armored ascii file, use the -d or --decrypt command-line option:
$ gpg -d filename.asc --output decrypted_filename.txt
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>
References
GPG Quick Start:
GPG Documentation: CAST5 (used in symmetric encryption):
GPG at the "Security Viewpoints" blog: