Encrypting using a passphrase (symmetric encryption)
Encrypting data using a passphrase, and later using this same passphrase to decrypt the encrypted information, is called symmetric encryption because the same shared secret (the passphrase) is used in the same way for both the encryption and the decryption process.
With GnuPG, a file can be encrypted using a symmetric cipher with the help of the option --symmetric (or the short option -c) of the gpg command.
This command will by default display a graphical dialog window to request the input of the passphrase. You will have to type the chosen passphrase twice without seeing it echoed, and the program will warn you if it is not strong enough (a passphrase is strong if guessing it by repeated tries would require more time and computing resources than are realistically available with current hardware).
If everything goes well, the command will not display anything on the terminal, and the encrypted data will be written to a file with the same name as the input file, completed with the suffix .gpg (in the example above, the encrypted file therefore gets the input file name followed by .gpg).
If no input file is provided, the data to encrypt will be read from the standard input of the command. The output is then written to the standard output, unless a filename is provided using the option -o (its short version). Thus, to encrypt the output of a command, you would run something like the following:
Which is equivalent to:
Should you prefer not to use a graphical dialog to input the chosen passphrase, you would need to install the pinentry-tty command (provided on Debian systems by the package of the same name) and request gpg-agent (the program responsible for the secure entry of passphrases on behalf of gpg) to use it, by adding the following line to its configuration file (create it if it does not exist):
Then use the following command to stop any running gpg-agent. The program will automatically be started again on demand by gpg and will use the updated configuration.
Other pinentry programs exist that offer slightly different ways to input the passphrase: pinentry-gnome3, pinentry-gtk, pinentry-qt, pinentry-curses, etc.
Encrypting using a public key (asymmetric encryption)
Encrypting data using a public key and decrypting the encrypted information using a secret key is called asymmetric encryption, as opposed to the symmetric encryption described above, because neither the same secret nor the same method is used to encrypt and then decrypt the information.
To use asymmetric encryption with GnuPG, we first need to import into our keyring the public key of the recipient of the data we want to encrypt.
This key can be imported from a file using the --import option, or downloaded from a keyserver using either the option --receive-keys, to download a key designated by its identifier, or --search-keys, to search for and optionally download the key based on either its identifier or the associated user ID. Read the article “How to import or download a key with GnuPG” for more details on how to import this key.
Once the public key is present in our primary public keyring, a file can be encrypted using asymmetric encryption with the help of the short option -e (or its long form) of the gpg command:
~$ gpg -e test.txt
You did not specify a user ID. (you may use "-r")
Enter the user ID. End with an empty line: email@example.com
rsa3072/65A4BB8A032EC005 2023-11-17 "Herschel Krustofski <firstname.lastname@example.org>"
Enter the user ID. End with an empty line:
As you can see, the program asks for the user ID of the recipient to determine which public key it will use for the encryption. Only the secret key of the specified recipient (the one corresponding to the public key in your keyring) will be able to decrypt the file.
Multiple recipients can be provided. As shown by the output below, the user ID of the recipient can also be specified directly as an argument to the gpg command using the option --recipient (or the short option -r). The command won't display anything when used with this option:
~$ gpg -e -r "Herschel Krustofski" test.txt
If you are new to asymmetric encryption, you may be surprised that no passphrase is requested during this encryption process.
Remember that the recipient of the encrypted file is the only one who possesses the secret key required to decrypt the file you have just encrypted with the corresponding public key. Thus, nobody else can read the encrypted information, and there is no need to choose a secret passphrase (that kind of shared secret is only required in symmetric encryption).
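The following script, added here as an example and not taken from the original article, runs the symmetric (-c) and asymmetric (-e -r) flows described in the two sections above without any pinentry dialog, the way you would from a script. It assumes GnuPG 2.1 or later on the PATH and relies on the gpg options --batch, --pinentry-mode loopback, --passphrase-fd, --quick-generate-key and --trust-model always, which the article does not cover; the user ID 'Example Recipient <recipient@example.invalid>' is a constructed test identity.

```shell
#!/bin/sh
# Added example, not from the original article: scripted, non-interactive
# versions of the gpg commands above. Assumes GnuPG 2.1+ on PATH; a throwaway
# GNUPGHOME keeps the test keyring and agent away from your real ~/.gnupg.
set -e
export GNUPGHOME="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT
GPG="gpg --batch --quiet --pinentry-mode loopback"
RCPT='Example Recipient <recipient@example.invalid>'   # constructed test user ID
# Symmetric (-c): --passphrase-fd 3 reads the passphrase from file descriptor 3
# instead of opening a pinentry dialog. Data flows stdin -> stdout.
sym_encrypt() { $GPG --passphrase-fd 3 --symmetric 3< "$1"; }
sym_decrypt() { $GPG --passphrase-fd 3 --decrypt   3< "$1"; }

# Encrypt string $2 with passphrase $1 and decrypt it again; prints plaintext.
sym_roundtrip() {
  pf="$GNUPGHOME/pass.txt"; printf '%s\n' "$1" > "$pf"
  printf '%s' "$2" | sym_encrypt "$pf" | sym_decrypt "$pf"
}

# A wrong passphrase must make gpg fail rather than emit garbage (returns 0).
sym_wrong_passphrase_rejected() {
  printf 'right one\n' > "$GNUPGHOME/good"; printf 'wrong one\n' > "$GNUPGHOME/bad"
  if printf 'secret' | sym_encrypt "$GNUPGHOME/good" \
                     | sym_decrypt "$GNUPGHOME/bad" >/dev/null 2>&1
  then return 1; else return 0; fi
}

# Asymmetric (-e -r): create an unprotected test key pair once, encrypt to its
# user ID (no passphrase is requested) and decrypt with the matching secret key.
make_test_key() {
  $GPG --list-secret-keys "$RCPT" >/dev/null 2>&1 ||
    $GPG --passphrase '' --quick-generate-key "$RCPT" default default never 2>/dev/null
}
asym_encrypt() { $GPG --trust-model always --encrypt --recipient "$RCPT"; }
asym_roundtrip() { make_test_key; printf '%s' "$1" | asym_encrypt | $GPG --decrypt; }

# Without the recipient's secret key the same ciphertext stays unreadable:
# decryption in an empty keyring must fail (returns 0 when it does).
asym_needs_secret_key() {
  make_test_key; ct="$GNUPGHOME/ct.gpg"; empty="$(mktemp -d)"
  printf 'for the recipient only' | asym_encrypt > "$ct"
  if GNUPGHOME="$empty" $GPG --decrypt "$ct" >/dev/null 2>&1
  then rc=1; else rc=0; fi
  GNUPGHOME="$empty" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$empty"; return "$rc"
}
sym_roundtrip 'correct horse battery staple' 'hello from stdin'; echo
asym_roundtrip 'no passphrase was asked'; echo
```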