Encrypting and Decrypting Files

The basic encryption and decryption procedure in GPG looks like this: the sender determines the recipient of a file, acquires that recipient’s public key (if he hasn’t already done so), and then runs the plaintext through GPG along with this key to obtain the ciphertext. When the recipient wants to decrypt the file, he applies his private key to the ciphertext to obtain the plaintext.

In other words:

plaintext + recipient’s public key → ciphertext
and
ciphertext + recipient's private key → plaintext

In fact, the sender and recipient are not necessarily different people. One important use of GPG is to encrypt your own data, storing the ciphertext and decrypting it into plaintext when you need it. This is an excellent defense against physical attacks on your computer or your local file server.

Using the GPG Encrypt Command

Choose a file you want to encrypt. For example, let’s assume you have a diary, where each month is a new file, and you’re done with February 2003, which is called diary 2003-02.txt. Suppose you want to encrypt this file and then put it away in an archive folder or on a CD-R disc. At the command prompt, type (all on one line):

gpg --recipient "YOUR-NAME" --output "diary 2003-02.txt.gpg" --encrypt "diary 2003-02.txt"

Don’t forget to fill in YOUR-NAME with the actual name you attached to your key. Always remember the “--output” option when you use an encryption command in GPG; if you omit this option, the output will be dumped to the command prompt window instead of to a file. Finally, notice that the command (usually an action verb) always goes in the last position on the GPG command line, after any options. Now diary 2003-02.txt.gpg will contain a seemingly random string of bytes. You can have a look at it with Notepad if you like.

There is a similar command, “--encrypt-files,” which will automatically choose and name an output file for you. But the filename it chooses will be missing the extension of the plaintext filename (.txt, .jpg, .zip, etc.).

Using the GPG Decrypt-Files Command

Now, suppose a year from now you’re feeling nostalgic and you want to read February 2003’s diary. You would copy the ciphertext back to your workspace on your computer, and type the following at the command prompt:

gpg --decrypt-files "diary 2003-02.txt.gpg"

GPG will look up your private key and prompt you for the passphrase. Provided your private key is still installed on your computer, and you still remember your passphrase (you didn’t write it on a Post-It and stick it on your monitor, did you?) you will get back the original plaintext exactly as it was before you encrypted it. If you want to decrypt a short file and display it immediately in the console, you can use the “--decrypt” command instead of the “--decrypt-files” command.
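
The two steps above can be combined into a check that the archived ciphertext really decrypts to the original bytes before you put the plaintext away. The script below is an added example, not part of the original page; it assumes a POSIX shell (for instance Git Bash or WSL on Windows), and the function name encrypt_and_verify and its return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): encrypt a file to your own key,
# then prove the ciphertext decrypts to identical bytes before archiving it.
# Usage after sourcing: encrypt_and_verify "YOUR-NAME" "diary 2003-02.txt"
# Return codes (chosen for this example): 0 ok, 2 bad input, 3 output exists,
# 4 encryption failed, 5 round-trip check failed.

encrypt_and_verify() {
    recipient=$1
    plain=$2
    cipher="$plain.gpg"

    # An empty or missing plaintext is rejected: a failed decryption also
    # produces no bytes, so an empty file could not be verified below.
    if [ ! -f "$plain" ] || [ ! -s "$plain" ]; then
        echo "not a non-empty regular file: $plain" >&2
        return 2
    fi
    # Never clobber an existing archive copy.
    if [ -e "$cipher" ]; then
        echo "refusing to overwrite: $cipher" >&2
        return 3
    fi

    # Same command as on the page; --batch makes gpg fail instead of asking.
    gpg --batch --recipient "$recipient" --output "$cipher" \
        --encrypt "$plain" || return 4

    # Decrypt to a pipe (the plaintext is not written to disk a second time)
    # and compare byte-for-byte with the original. cmp reads stdin via "-".
    if gpg --quiet --decrypt "$cipher" | cmp -s - "$plain"; then
        echo "verified: $cipher"
        return 0
    fi
    rm -f "$cipher"
    echo "round-trip check failed, removed $cipher" >&2
    return 5
}
```

The decryption step prompts for your passphrase exactly as “--decrypt” does on its own, so a successful run also confirms that the private key and passphrase still work.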