Sign, Encrypt and Decrypt a File

gpg can sign and encrypt a file in one step, producing an output that contains the original file compressed, signed and encrypted (add --armor for ASCII-armoured text output instead of binary). This is useful for sending encrypted files.

To sign and encrypt a file called archive.zip for the recipient RECIPIENT (a key ID or e-mail address), issue:

gpg --output archive.zip.gpg --sign --encrypt --recipient RECIPIENT archive.zip

To decrypt and verify the signature, issue:

gpg --output archive.zip --decrypt archive.zip.gpg

Detach-Sign and Verify a File

A detached signature just creates a separate signature file that can be used to check the validity of the original file, which itself is left unchanged.

To use gpg to detach-sign a file, issue:

gpg --output MD5SUM.sig --detach-sig MD5SUM

To verify the signature, issue:

gpg --verify MD5SUM.sig MD5SUM

Clear-Sign a Document

Clear-signing a document will modify that document to include the message along with the signature for that message.

gpg --clearsign list.txt

Getting a List of Available Ciphers

Issue on the command-line:

gpg --version

which should list all the available ciphers, for example:

Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

Encrypting and Decrypting a File using Symmetric Encryption

To encrypt a file using symmetric encryption, issue:

gpg --symmetric --cipher-algo CIPHER SOURCE -o DESTINATION

where:

  • SOURCE is the file to encrypt in the current path,
  • CIPHER is one of the ciphers listed by gpg --version and
  • DESTINATION is the destination file.

To decrypt the resulting file DESTINATION back into SOURCE, reverse the process:

gpg -o SOURCE -d DESTINATION

In order to get printable (ASCII-armoured) output, use the --armor option when encrypting a file:

gpg --armor --symmetric --cipher-algo CIPHER SOURCE -o DESTINATION

Changing the Default Cipher

The default algorithm used by GPG is CAST5 with a block size of 64 bits. In order to change the default algorithm, edit ~/.gnupg/gpg.conf and add the line:

cipher-algo CIPHER

where CIPHER can be obtained by previously issuing:

gpg --version

Preventing Message Modification Attacks

You will notice this problem when GPG issues a warning:

gpg: WARNING: message was not integrity protected

For 64-bit block-size ciphers such as the default CAST5 and 3DES, the --force-mdc option should be used while encrypting so that the ciphertext carries a modification detection code (MDC). This is the default for other ciphers with larger block sizes. force-mdc can also be added to ~/.gnupg/gpg.conf as a default.
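The following is an added example, not part of the original page: a small Python check that parses the Cipher line of gpg --version output and a gpg.conf, then reports a cipher-algo that is not available or a 64-bit block cipher (CAST5, 3DES, BLOWFISH, IDEA) configured without force-mdc. The version output and configuration text are constructed samples; the page's stated default of CAST5 is assumed when cipher-algo is not set.

```python
# Constructed sample of `gpg --version` output (the Cipher line matches the page).
GPG_VERSION_OUTPUT = """\
gpg (GnuPG) 2.0.22
Supported algorithms:
Pubkey: RSA, RSA, RSA, ELG, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
"""

# Ciphers with a 64-bit block, for which the page says --force-mdc is needed.
BLOCK64 = {"3DES", "CAST5", "BLOWFISH", "IDEA"}


def available_ciphers(version_output):
    """Return the cipher names listed on the 'Cipher:' line of `gpg --version`."""
    for line in version_output.splitlines():
        if line.startswith("Cipher:"):
            return [c.strip() for c in line[len("Cipher:"):].split(",")]
    return []


def parse_conf(conf_text):
    """Return {option: value} for gpg.conf lines, skipping comments and blanks.
    Options given without a value (e.g. force-mdc) map to None."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else None
    return opts


def check_conf(conf_text, version_output=GPG_VERSION_OUTPUT, default_cipher="CAST5"):
    """List problems: an unknown cipher-algo, or a 64-bit block cipher without force-mdc.
    default_cipher is assumed to be what gpg uses when cipher-algo is absent."""
    opts = parse_conf(conf_text)
    cipher = (opts.get("cipher-algo") or default_cipher).upper()
    problems = []
    if cipher not in available_ciphers(version_output):
        problems.append(f"cipher-algo {cipher} is not listed by gpg --version")
    if cipher in BLOCK64 and "force-mdc" not in opts:
        problems.append(f"{cipher} has a 64-bit block; add force-mdc to gpg.conf")
    return problems


if __name__ == "__main__":
    print(check_conf("cipher-algo cast5\n"))  # → ['CAST5 has a 64-bit block; add force-mdc to gpg.conf']
```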

Conceal Message Destination

In order to encrypt a message so that the ciphertext cannot be inspected to see who it is encrypted to, add the --throw-keyid parameter when encrypting:

gpg -v -e -a --throw-keyid -r 887245BA message.txt

where:

  • -v means verbose output.
  • -e means encrypt.
  • -a means create ASCII-armoured output.
  • --throw-keyid means do not put the recipient's key IDs into the encrypted message.
  • -r 887245BA means encrypt to the recipient 887245BA

and message.txt is a file that contains the message to encrypt.

Fixing Issues Related to Broken Terminals

In the event that:

gpg: signing failed: Inappropriate ioctl for device

appears when attempting an operation with gpg, the most likely cause is that gpg is trying to prompt for the passphrase to unlock the secret key but the terminal is not properly set.

To resolve the issue, run:

export GPG_TTY=$(tty)

fuss/gpg.txt · Last modified: 2017/10/04 15:27 by office
