Ubuntu - Encrypting Files With GPG

But I already Encrypt My Drives...

The latest Ubuntu 14 release makes it very easy to encrypt your hard drives at installation. However, encrypting a drive only protects your data if your computer is turned off. It will not protect your data whilst your computer is running, which for me is 90% of the time. We need a solution whereby our files remain encrypted, and we only decrypt them as and when we need them. This also protects your data, should you decide to transfer it to a friend or host it "in the cloud". For this, we are going to use the GPG (GNU Privacy Guard) tool to encrypt and decrypt our files.

Encryption Method 1 - Passphrase File

In this first method, we are going to write our passphrase to a file, and use that to encrypt/decrypt our files. The great thing about this is that it should not show your passphrase in the process list, which would be an issue if it is a multi-user system.

Make sure other users cannot read this file!

    Create a passphrase for which you are going to encrypt your files with:

    echo "my awesomely amazing passphrase goes here" > $HOME/passphrase.txt
    If you used a command like above to write your passhprase to a file, rather than using a file editor like vim or nano, then you will need to remove your history history so nobody ever sees your passphrase there! 
    history -c
rm ~/.bash_history

    Now encrypt your files using the passphrase. 

    gpg \
--cipher-algo AES256 \
--no-use-agent \
--passphrase-file "$HOME/passphrase.txt" \
--symmetric \
[filename here]
    The encrypted file will appear with the same name, except the
    .gpg
    extension will be added to the end, letting you know that it is an encrypted file.

Encryption Method 2 - Enter Passphrase Interactively

In my opinion, this is the simplest/recommended solution, and it removes the possibility of forgetting to delete the passphrase file which somebody else might find at a later date. It also does not require you to clear your history.

    Encrypt your file and enter the passphrase when prompted: 

    gpg \
--cipher-algo AES256 \
--no-use-agent \
--symmetric \
[filename here]
    The encrypted file will appear with the same name, except the
    .gpg
    extension will be added to the end, letting you know that it is an encrypted file.

Encryption Method 3 - Specify Passphrase In Command

This method is useful for scripts whereby you cannot interactively enter the encryption password. However, this is unsafe to use on machines with multi-user access as the passphrase will appear in the currently executing process list.

Do not use this method on a multi-user server!

    Encrypt your file and enter the passphrase when prompted: 

    gpg \
--cipher-algo AES256 \
--no-use-agent \
--symmetric \
--passphrase "my passphrase here" \
[filename here]
    The encrypted file will appear with the same name, except the
    .gpg
    extension will be added to the end, letting you know that it is an encrypted file.

Decryption Method 1 - Passphrase File

Here is how to decrypt files using a passphrase file.

gpg -d \
--no-use-agent \
--passphrase-file $HOME/passphrase.txt \
secret-file.txt.gpg > secret-file.txt
You may want to remove the passphrase file afterwards!

Decryption Method 2 - Enter Passphrase

Decrypt without 

gpg -d \
--no-use-agent \
secret-file.txt.gpg > secret-file.txt

Decryption Method 3 - Specify Passphrase In Command

    gpg -d \
--no-use-agent \
--passphrase "my passphrase here" \
secret-file.txt.gpg > secret-file.txt
    Clear your history history so nobody ever sees your passphrase there! 
    history -c
rm ~/.bash_history

References

updated:
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments ( Atom )