GNU Privacy Guard Tutorial

Introduction

GnuPG, the GNU Privacy Guard, is a suite of data encryption utilities based on the OpenPGP standard.  This document discusses installation and basic usage of GnuPG in a Linux/UNIX command line environment, and provides simple scripts to automate routine encryption and decryption tasks.

Installation

GnuPG is distributed as source code, so unless your distribution already packages it, it must be compiled before installation.  Before building, verify the release signature that is published alongside the tarball (gpg --verify) against the GnuPG release signing key; an unverified tarball is exactly the kind of artifact a supply-chain attacker would tamper with.  Version 1.0.7 is the release current when this tutorial was written; substitute the release you downloaded.  The following steps will guide you through the installation:

$ tar zxf gnupg-1.0.7.tar.gz
$ cd gnupg-1.0.7
$ ./configure && make && make install


Key Management

Key Generation

Execute gpg --gen-key, then follow the prompts.  The default options should be fine, but be sure to identify yourself correctly (the name and e-mail address become the key's user ID) and choose a strong passphrase, since it is all that protects the private key on disk.  gpg --list-keys will display the public half of the new keypair, and gpg --list-secret-keys confirms the private key is present, if you'd like to verify it.

Exporting Public Keys

Execute gpg --armor --export --output filename.asc <userID> to export your public key.  This lets you exchange keys with others, which is necessary for them to send you encrypted documents.  <userID> is any string that uniquely identifies the key (a name, an e-mail address, or a key ID); enclose it in quotes if it contains spaces.  The --armor parameter is optional: it produces ASCII-armored output that can be pasted into e-mail, a web page, etc., for easier distribution.  Without it, GnuPG writes the key in binary OpenPGP format, which is smaller but cannot be pasted into text.  Neither form is encrypted, and neither needs to be: a public key is meant to be distributed.

Importing and Signing Public Keys

Execute gpg --import <filename> to add someone else's public key to your keyring.  This is necessary to send encrypted documents to that person.  Before relying on an imported key, confirm its fingerprint (gpg --fingerprint <userID>) with the owner over a channel an attacker cannot tamper with, such as in person or by phone; anyone can generate a key bearing someone else's name.  Once verified, sign it with gpg --sign-key <userID> (or gpg --lsign-key <userID> for a local signature that is never exported).  Signing records that you have verified the key.  Until a key is signed or otherwise trusted, gpg warns that it may not belong to the named user and, in --batch mode, refuses to encrypt to it.

Key Information

As mentioned above, gpg --list-keys will display a list of all keys on your keyring.  If you'd like more information about a particular key, use gpg --list-sigs <userID>, which also shows the signatures on it, or gpg --fingerprint <userID> to print the fingerprint you compare with the key's owner.

Editing Keys

Execute gpg --edit-key <userID> to edit a key.  This command opens an interactive Command> prompt where you enter subcommands for specific operations; entering help (or ?) will display all of them.  Useful ones include check (verify the signatures on the key), sign, delkey (delete a subkey), delsig and deluid (delete signatures or user IDs), trust (set the owner-trust level of the key), and save to write the changes back to the keyring before quitting.


Data Encryption

Encrypting Files

Execute gpg --encrypt --recipient <userID> <filename>.  This will create a new, encrypted copy of the file with the .gpg extension appended to the filename; the original is left untouched.  If you'd like to change the filename or extension, add --output <filename> after --encrypt.  Remember that only the recipients named with --recipient will be able to decrypt the file.  In particular, you cannot decrypt it yourself unless you also list your own key (--recipient <your userID>), so add yourself as a recipient or keep the plaintext before deleting the original.

Encrypting and Signing

If you'd like to sign as well as encrypt a document, execute gpg --encrypt --sign --recipient <userID> <filename>.  Encryption alone hides the contents but does not prove who produced the file; the signature lets the recipient verify that it came from your key and was not altered in transit.  gpg will ask for your passphrase to use your private signing key.

Decrypting Files

Execute gpg --decrypt <filename> to decrypt a document.  By default the plaintext is written to standard output; add --output <filename> to write it to a file instead.  The file must have been encrypted to a key on your secret keyring, and you'll be asked for that key's passphrase to unlock the private key.  If the file was also signed, gpg verifies the signature in the same step and reports whether it is good and which key made it.
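The key-management steps above (generate, export, import, check the fingerprint, sign) and the encryption steps (sign and encrypt, then decrypt and verify) can be run end to end between two throw-away keyrings.  The script below is an added example, not part of the original tutorial: it creates keyrings for "Alice" and "Bob" under a scratch directory so nothing touches your real ~/.gnupg, then carries a constructed message from Alice to Bob.  It assumes GnuPG 2.1 or later (for the %no-protection directive and Ed25519 keys in the unattended key-generation format) and a writable /tmp; the names, e-mail addresses and message are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the key-management and
# encryption steps of the tutorial, run end to end between two throw-away
# keyrings so nothing touches your real ~/.gnupg.  Assumes GnuPG 2.1 or later
# and a writable /tmp; the people, addresses and message are constructed.

# Generate a key pair without prompts from a batch parameter file.  Ed25519
# keys are used so generation is instant; %no-protection leaves the key with
# no passphrase so the rest of the script never needs a pinentry.  Never do
# that for a key you intend to keep.
gen_key() {  # gen_key <homedir> <real name> <email>
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: Curve25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

# Export, import, verify and sign keys, then sign+encrypt a file from Alice
# to Bob and decrypt it as Bob.  Returns 0 on success, 77 if gpg is absent.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || return 77
    work=$(mktemp -d /tmp/gpgtut.XXXXXX) || return 1
    (
        # Abort the subshell on the first failing step.
        must() { "$@" || exit 1; }
        export LC_ALL=C
        alice="$work/alice"; bob="$work/bob"
        must mkdir -m 700 "$alice" "$bob"
        must gen_key "$alice" "Alice Example" "alice@example.com"
        must gen_key "$bob"   "Bob Example"   "bob@example.com"

        # Key exchange: each side exports an ASCII-armored public key and the
        # other side imports it.
        must gpg --homedir "$bob"   --armor --export --output "$work/bob.asc"   bob@example.com
        must gpg --homedir "$alice" --armor --export --output "$work/alice.asc" alice@example.com
        must gpg --homedir "$alice" --quiet --import "$work/bob.asc"
        must gpg --homedir "$bob"   --quiet --import "$work/alice.asc"

        # Show the imported key's fingerprint (in real use, compare it with the
        # owner out of band), then certify it.  Without a signature or explicit
        # trust, gpg --batch refuses to encrypt to the key.
        must gpg --homedir "$alice" --fingerprint bob@example.com
        must gpg --homedir "$alice" --batch --yes --sign-key bob@example.com
        must gpg --homedir "$bob"   --batch --yes --sign-key alice@example.com

        # Alice signs and encrypts a constructed message to Bob.
        must printf 'meet at noon\n' > "$work/msg.txt"
        must gpg --homedir "$alice" --batch --encrypt --sign --recipient bob@example.com \
            --output "$work/msg.txt.gpg" "$work/msg.txt"

        # Bob decrypts.  The signature is verified in the same step; reading the
        # verdict from the status fd is locale-independent, unlike stderr text.
        must gpg --homedir "$bob" --batch --status-fd 1 --output "$work/out.txt" \
            --decrypt "$work/msg.txt.gpg" > "$work/status.log"
        must cmp -s "$work/msg.txt" "$work/out.txt"
        must grep -q '^\[GNUPG:\] GOODSIG ' "$work/status.log"
    )
    rc=$?
    # GnuPG 2.1+ starts one gpg-agent per homedir; stop them before cleaning up.
    for d in "$work/alice" "$work/bob"; do
        gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return $rc
}

if gpg_roundtrip; then
    echo "sign/encrypt/decrypt round trip OK"
else
    echo "round trip failed or gpg not installed (exit status $?)" >&2
fi
```

The decrypt step uses --status-fd rather than grepping for "Good signature" because the human-readable messages are translated according to the locale while the [GNUPG:] GOODSIG line is not; any script that automates verification should key off the status lines.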


Automation

Many routine GnuPG tasks can be automated through scripting.  Two sample scripts for common tasks follow.  The decryption script needs your private-key passphrase, which is embedded in the script itself, so take appropriate precautions: restrict the file's permissions (mode 0600), keep it off shared storage, and consider using a dedicated key for the automated task rather than your personal one, or gpg-agent on GnuPG 2.1 and later.  Note also that GnuPG 2.0 and later ignore --passphrase and --passphrase-fd unless --batch is given, and GnuPG 2.1 and later additionally require --pinentry-mode loopback.

This first script will decrypt all files in a directory, assuming all were encrypted to the same key.  After decryption it asks whether or not you would like to delete the encrypted files.

#!/bin/sh
# The passphrase is embedded here, so keep this file mode 0600 and off shared
# storage.  It is fed to gpg on fd 0 rather than with --passphrase, which
# would expose it to every user on the machine via the process list.
PASSPHRASE='<passphrase>'
# GnuPG 2.1 and later also need --pinentry-mode loopback on this command line
# for --passphrase-fd to be honoured.
if printf '%s\n' "$PASSPHRASE" | gpg --batch --passphrase-fd 0 --decrypt-files *.gpg
then
   printf 'Would you like to delete the encrypted files (y/n)? '
   read temp
   case "$temp" in
   [yY]) rm -f *.gpg
      echo ""
      echo "Encrypted files deleted."
      echo ""
   ;;
   *) echo ""
      echo "Encrypted files not deleted."
      echo ""
   ;;
   esac
else
   # A failure (wrong passphrase, a file not encrypted to this key) leaves
   # the encrypted files alone rather than offering to delete them.
   echo "Decryption failed; encrypted files left in place." >&2
   exit 1
fi

The next script will encrypt all regular files in a directory (except for those that are already encrypted), assuming all are intended for the same recipient, and optionally delete the original documents.  As before, it asks for confirmation before deleting any files.  Note that rm only unlinks the names; it does not overwrite the data on disk, so it is not a secure wipe.

#!/bin/sh
# The recipient's key must be signed or otherwise trusted (see "Importing
# and Signing Public Keys"), or gpg --batch will refuse to encrypt to it.
RECIPIENT='<UserID>'
echo "Would you like to delete the unencrypted files after encryption"
printf '(y/n)? '
read temp
status=0
# Iterate over the directory entries rather than parsing ls, so file names
# containing spaces survive; skip directories, this script itself, and files
# that are already encrypted.
for f in *; do
   [ -f "$f" ] || continue
   case "$f" in *.gpg) continue ;; esac
   [ "$f" = "$(basename -- "$0")" ] && continue
   if gpg --encrypt --batch -q --recipient "$RECIPIENT" "$f"; then
      # Only remove an original whose encrypted copy was actually written.
      case "$temp" in
      [yY]) rm -f "$f" ;;
      esac
   else
      echo "Encryption of $f failed; original kept." >&2
      status=1
   fi
done
echo ""
case "$temp" in
[yY]) echo "Unencrypted files deleted." ;;
*)    echo "Unencrypted files not deleted." ;;
esac
echo ""
exit $status
