This is the next post in our series of GPG guides. Here, we cover asymmetric encryption and decryption of data using the gpg command.
If you don't know what asymmetric encryption or gpg are, or have not yet generated a gpg key pair, or don't you know how to obtain someone else's public key, then please take a look at part 1 of our GPG Guide.
As a quick refresher, asymmetric encryption involves using a public/private key pair. The public key is distributed to people who want to send you encrypted data.
You then use your private key (which nobody else has access to) to decrypt that data.
Firstly, ensure that you have the public key for the person you want to encrypt data for.
You can double check this by using the command:
If you have the public key, then you can proceed with the encryption commands, otherwise you'll need to obtain the public key first.
To encrypt a file you can use the -e (or --encrypt) option along with the -r (or --recipient) option, as shown below:
gpg -e -r key-id|name filename
So if someone wanted to encrypt a file called file.txt for us here at Tutonics, they could use the user name "Tutonics":
gpg -e -r Tutonics file.txt
or use the key-id "EE74D48D",
gpg -e -r EE74D48D file.txt
This will produce an ecnrypted file called file.txt.gpg that only the recipient Tutonics can decrypt. If you need to change the name of the resulting encrypted file use the -o (or --output) option, e.g. to call it file.gpg, you could use:
gpg -o file.gpg -e -r Tutonics file.txt
Note that if you had not verified the Tutonics public key yet (see GPG Guide Part 1 to find out how), you'll get a warning message to that effect when you try to encrypt data using that public key (this warning is shown in the screenshot below and won't happen if the key is properly verified by you).
For the recipient to decrypt the encrypted data created in the steps above, they need to specify the output file using -o and also use the -d (or --decrypt) option. So to decrypt file.txt.gpg from above, the recipient (and owner of the private key) would execute this command:
gpg -o file.txt -d file.txt.gpg
The recipient will be prompted to enter the passphrase for their private key. If the correct passphrase is used, the decryption algorithm will proceed and the original data will be stored in file.txt. It's quite important to note that if no output file is specified, the decrypted ciphertext i.e. the plaintext (the original data) gets sent to standard out. So unless you pipe it to a file or another program, it will be displayed in your terminal and not stored to file.
In the next part of the GPG Guide, we'll show you how the encrypting party can use the gpg command to digitally sign data and how the recipient can verify this signature.
Thanks to everyone who worked on GNU Privacy Guard (the GNU Projects implementation of the OpenPGP standard)