By Bri Hatch.
Summary: Encrypting and decrypting is as easy as pie, assuming you still remember your passphrase.
Last time we'd created our PGP key. Let's jump in with some encryption and decryption examples.
We'll continue by using GnuPG, the Gnu Privacy Guard, from the command line. There are certainly GUI front ends for GPG, both as standalone applications and as parts of larger suites such as those integrated into email clients like Evolution. Hopefully by walking you through things on the command line you'll get a better appreciation of how it all actually works, which will make things a cinch should you turn to the dark side^W^W^W a GUI in the future.
In most cases we'd want to send files or messages to other parties. For now, however, we'll just be encrypting and decrypting to our own keys. Next time we'll cover how to get other people's keys and properly verify them.
So, say we have a file in which we keep all of our passwords. Not an uncommon situation - you certainly do use separate passwords for the various machines you access, and all the websites you frequent. Remembering them is a pain, but keeping them in your email inbox unencrypted is a bad idea. So let's fire up our editor and put them all in one place.
$ umask 077
$ mkdir passwords
$ cd passwords
$ $EDITOR mypasswordfile
(create the file, exit when done.)
$ ls -l
-rw-------  1 xahria  gpg  209 Jan 21 11:52 mypasswordfile
So, having created the file, we're ready to encrypt it.
$ gpg --sign --encrypt --text --armor mypasswordfile

You need a passphrase to unlock the secret key for
user: "John Doe (My First PGP Key) <firstname.lastname@example.org>"
1024-bit DSA key, ID 26F8D783, created 2003-12-14

Enter passphrase: (Enter passphrase here)

You did not specify a user ID. (you may use "-r")

Enter the user ID.  End with an empty line: John Doe
Added 1024g/26F8D783 2003-12-14 "John Doe (My First PGP Key) <email@example.com>"

Enter the user ID.  End with an empty line: (enter)

$ ls -la
-rw-------  1 xahria  gpg   209 Jan 21 11:52 mypasswordfile
-rw-------  1 xahria  gpg  3094 Jan 21 11:54 mypasswordfile.asc
GPG asked for the list of recipients: it needs that to know which public keys to encrypt the file to. Since we didn't specify any on the command line, it prompted. (A name or email address given as a recipient is matched as a substring against the user IDs on your keyring, so when more than one key could match, the key ID is the unambiguous form.) If you want to avoid the prompt, for instance in a script, you can name the recipient on the command line in any of the following ways:
$ gpg -seat --recipient 26F8D783 mypasswordfile
$ gpg -seat --recipient "John Doe" mypasswordfile
$ gpg -seat --recipient firstname.lastname@example.org mypasswordfile
In the first example, we explicitly listed the KeyID (
Also, note that I used the shorthand versions of sign/encrypt/armor/text by bundling their one-letter command-line counterparts into
The shorthand version of
So, having encrypted our password file, how can we view it?
# Decrypt mypasswordfile.asc, save the unencrypted version
# in 'mypasswordfile'
$ gpg mypasswordfile.asc

# Decrypt mypasswordfile.asc, save the unencrypted version
# in 'unencrypted'
$ gpg -o unencrypted mypasswordfile.asc

# Decrypt mypasswordfile.asc, send the unencrypted version
# to standard output, pipe it to the pager 'less'
$ gpg -o - mypasswordfile.asc | less

# Same as above
$ gpg --decrypt mypasswordfile.asc | less
# Decrypt to stdout
$ gpg --decrypt mypasswordfile.asc | grep my_isp.net

You need a passphrase to unlock the secret key for
user: "John Doe (My First PGP Key) <email@example.com>"
1024-bit ELG-E key, ID D5D3BDA6, created 2003-12-14 (main key ID D5D3BDA6)

Enter passphrase: (passphrase)

my_isp.net user="lainee" password="i8aX_1rR" access="ssh"
gpg: Signature made Mon Feb  9 10:22:09 2004 PST using DSA key ID D5D3BDA6
gpg: Good signature from "John Doe (My First PGP Key) <firstname.lastname@example.org>"
Note the order of events. GPG first asked for the passphrase, this time to unlock the ELG-E encryption subkey (the earlier prompt unlocked the DSA signing key). It then wrote the actual file contents to standard output, which is what grep searched. Finally it reported that the file had been signed by John Doe and that the signature was good, in other words that nothing in the file had changed since he signed it. The passphrase prompt and the signature lines go to standard error, which is why they still appear on your terminal even though standard output was piped into grep; if you are checking signatures from a script, test gpg's exit status or its --status-fd output rather than grepping for the words "Good signature". Keep in mind what a good signature does and does not prove: it proves the data was signed by whoever holds that secret key. Whether that key really belongs to John Doe is a key-verification question, and that is next time's topic.
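The whole cycle above, as an added example that is not code from the original article: it generates a throwaway key in a temporary GNUPGHOME (so it never touches your real keyring), signs and encrypts a file with ASCII armor the way the article's -seat does, decrypts it and checks the signature, and then goes one step further than the article by flipping a character inside the armored message and showing that gpg refuses to produce any plaintext from it. It assumes GnuPG 2.x with gpg and gpgconf on PATH; the user ID, passphrase, file contents and the gpg_* function names are all made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original article: the article's sign+encrypt
# and decrypt+verify cycle run non-interactively against a throwaway key in a
# temporary GNUPGHOME, so it never touches your real keyring.
# Assumes GnuPG 2.x (gpg and gpgconf on PATH). The user ID, passphrase and
# file contents below are made up for the example.
set -eu

# Create a private keyring directory and generate a throwaway key in it.
# $1 = user ID, $2 = passphrase. Prints the new GNUPGHOME.
gpg_setup() {
    home=$(mktemp -d)
    chmod 700 "$home"                       # same idea as the article's umask 077
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$2" \
        --quick-generate-key "$1" default default never 2>/dev/null
    echo "$home"
}

# Sign and encrypt $2 to the key matching $1, unlocking the signing key with
# passphrase $3; writes ASCII armor to $2.asc (the article's -seat).
# --trust-model always is acceptable only because we made this key ourselves.
gpg_encrypt_signed() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$3" \
        --trust-model always --sign --encrypt --armor \
        --recipient "$1" --output "$2.asc" "$2"
}

# Decrypt $1 into $2 with passphrase $3 and print one word:
#   good / bad / unsigned, taken from GnuPG's machine-readable status lines
#   (parse those, not the human "Good signature" text), or
#   failed, when gpg refuses to produce any plaintext at all.
gpg_decrypt_verify() {
    status=$(mktemp)
    if gpg --batch --quiet --pinentry-mode loopback --passphrase "$3" \
           --status-fd 2 --output "$2" --decrypt "$1" 2>"$status"; then
        if grep -q '^\[GNUPG:\] GOODSIG ' "$status"; then echo good
        elif grep -q '^\[GNUPG:\] BADSIG ' "$status"; then echo bad
        else echo unsigned
        fi
    else
        echo failed
    fi
    rm -f "$status"
}

# Flip one character inside the armored body of $1 and write the result to $2.
# Line 4 is base64 payload in both the "Version:"-header and headerless armor
# layouts, so the change lands in the binary message, not in a header line.
gpg_tamper() {
    awk 'NR == 4 { c = substr($0, 5, 1); $0 = substr($0, 1, 4) (c == "A" ? "B" : "A") substr($0, 6) }
         { print }' "$1" > "$2"
}

# End-to-end run. Prints three words: the signature verdict, whether the
# decrypted file matches the original, and the verdict for the tampered copy.
gpg_demo() {
    uid="John Doe (throwaway example key) <john.doe@example.org>"  # assumed
    pass="correct horse battery staple"                            # assumed
    GNUPGHOME=$(gpg_setup "$uid" "$pass")
    export GNUPGHOME
    work="$GNUPGHOME/passwords"
    mkdir "$work"
    # Constructed stand-in for the article's password file.
    printf 'my_isp.net user="lainee" password="i8aX_1rR" access="ssh"\n' \
        > "$work/mypasswordfile"

    gpg_encrypt_signed john.doe@example.org "$work/mypasswordfile" "$pass"
    verdict=$(gpg_decrypt_verify "$work/mypasswordfile.asc" "$work/decrypted" "$pass")
    if cmp -s "$work/mypasswordfile" "$work/decrypted"; then same=match; else same=differ; fi

    gpg_tamper "$work/mypasswordfile.asc" "$work/tampered.asc"
    tampered=$(gpg_decrypt_verify "$work/tampered.asc" "$work/tampered.out" "$pass")

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    echo "$verdict $same $tampered"
}
```

Save it as, say, gpg_demo.sh and run `. ./gpg_demo.sh && gpg_demo`; it prints `good match failed`: the signature verified, the decrypted file is byte-for-byte the original, and the tampered copy was rejected outright (the integrity check on the ciphertext fails before any plaintext, let alone a signature verdict, is released). Two design points worth copying into your own scripts: never take the verdict from the human-readable "Good signature" line, use the exit status and the GOODSIG/BADSIG status lines instead; and do not carry --trust-model always over to real recipients, because with other people's keys the trust check it switches off is exactly the one you want gpg to perform.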
If you want less output when decrypting, you can supply the
Next time we'll show you how key management works for PGP so you can know to whom you are talking, or encrypt to other parties.
And I think I've achieved a new personal record for time between articles...
Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. His twins have been born! Xahria Rhealyn and Lainee Alandra were born on Jan 21, 2004, at 36 weeks. Both are doing well, and we're slowly adjusting to being awake 24 hours a day feeding hungry mouths and cleaning up ... well ... you probably don't want to know all the messy details. Condolences and lasagna can be sent to our address, which can be easily found via whois. Bri can be reached at email@example.com.
Copyright Bri Hatch, 2004
This is the February 19, 2004 issue of the Linux Security: Tips, Tricks, and Hackery newsletter. If you wish to subscribe, visit http://lists.onsight.com/ or send email to Linux_Securityfirstname.lastname@example.org.