A compilation of documentation   { en , fr }

How to encrypt a file with GnuPG

Created on:
Xavier Béguin

Encrypting using a passphrase (symmetric encryption)

Encrypting data using a passphrase, and using this same passphrase later to decrypt the encrypted information is called symmetric encryption because the same shared secret (the passphrase) is used the same way both for the encryption and decryption processes.

With GnuPG, a file can be encrypted using a symmetric cipher with the help of the option --symmetric (or the short option -c) of the command gpg:

gpg --symmetric importantfile.txt

This command will by default display a graphical dialog window to request the input of the passphrase. You will have to blindly type the chosen passphrase twice, and the program will warn you if it is not strong enough (a passphrase is strong if guessing it by repeated tries would require a time and technical means too important with currently available computer devices).

If everything goes well, the command will not display anything on the terminal and the encrypted file will be written to a file using the same name as the input file completed with the suffix .gpg (in the example above, the encrypted file will therefore be importantfile.txt.gpg).

If no input file is provided, the data to encrypt will be read from the standard input of the command. The output would then be redirected to the standard output, unless a filename is provided using the option --output (or -o in its short version). Thus, to encrypt the output of a command, you would run something like this:

echo "The answer is 42" | gpg --symmetric > important.gpg

Which is equivalent to:

echo "The answer is 42" | gpg --symmetric --output important.gpg

Should you want not to use a graphical dialog to input the chosen passphrase, you would need to install the pinentry-tty command (provided on Debian systems by the package of the same name) and request gpg-agent (which is the program responsible for secure entry of passphrases on behalf of gpg) to use it by adding the following line to the file $HOME/.gnupg/gpg-agent.conf (create it if it didn't exist):

pinentry-program /usr/bin/pinentry-tty

Then use the following command to stop any running gpg-agent. The program will automatically be started again on demand by gpg and use the updated configuration:

gpgconf --kill gpg-agent

Other pinentry programs exist to use slightly different ways to input the passphrase: pinentry-gnome3, pinentry-gtk, pinentry-qt, pinentry-curses, etc.

Encrypting using a public key (asymmetric encryption)

Encrypting data using a public key and decrypting the encrypted information using a secret key is called symmetric encryption by opposition to symmetric encryption described above, because we don't use the same secret nor the same method to encrypt and then decrypt the information.

To use asymmetric encryption with GnuPG, we first need to import into our keyring the public key of the recipient of the data we want to encrypt.

This key can be imported from a file using the --import option or downloaded from a keyserver using either the option --receive-keys to download a key designated using its identifier or --search-keys to search and optionally download the key based either on its identifier or the associated user ID. Read the article “How to import or download a key with GnuPG” for more details on how to import this key.

Once the public key is present in our primary public keyring, a file can be encrypted using asymmetric encryption with the help of the option --encrypt (or the short option -e) of the gpg command:

~$ gpg -e test.txt
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: krusty@example.org

Current recipients:
rsa3072/65A4BB8A032EC005 2023-11-17 "Herschel Krustofski <krusty@example.org>"

Enter the user ID.  End with an empty line:

As you can see, the program asks for the user id of the recipient to determine which public key it will use for the encryption. Only the secret key of the specified recipient (that corresponds to the public key in your keyring) will be able to decrypt the file.

Multiple recipient can be provided. As shown by the output of the use of gpg below, the user id of the recipient can also be directly specified as an argument to the command gpg using the option --recipient (or the short option -r). The command won't display anything when used with this option:

~$ gpg -e -r "Herschel Krustofski" test.txt

If you are new to asymmetric encryption, you could be surprised that no passphrase is requested in this encryption process.

Remember that the recipient of the encrypted file is the only one to possess the secret key that is required to decrypt the file you have just encrypted using the corresponding public key. Thus, nobody else can read the encrypted information and there is no need to choose a secret passphrase (this kind of shared secret is only required in symmetric encryption).