Although GPG and GPG Tools are well known for Email encryption, the same tool-chain can be used to encrypt files. We deep dive into the command line, but everything should work with any other UI client as well.
Password encryption with AES
# encrypt file gpg --cipher-algo AES256 -c test.txt # decrypt file gpg -d test.txt.gpg
Enforce message integrity check
Although default with AES, it makes sense to force the message integrity check and can be useful if you switch to other ciphers. Especially if you receive a message like
gpg: WARNING: message was not integrity protected
you should enable the integrity check. The full encryption and decryption works as before:
gpg --cipher-algo AES256 --force-mdc -c test.txt gpg -d test.txt.gpg
Since you are using the same keychain for signing and encrypting as for your emails, its very easy to sign a message. Be aware that signed messages are not encrypted.
# encrypt and sign message, you will be prompted for your password if required $ gpg --sign test.txt # if you have multiple accounts, you may select it with the -u parameter $ gpg -u ABBFDCA9 --sign test.txt You need a passphrase to unlock the secret key for user: "Christoph Hartmann <email@example.com>" 4096-bit RSA key, ID ABBFDCA9, created 2014-04-29 # you can verify which person encrypted the $ gpg --verify test.txt.gpg gpg: Signature made So 14 Sep 22:28:04 2014 CEST using RSA key ID ABBFDCA9 gpg: Good signature from "Christoph Hartmann <firstname.lastname@example.org>"
Encrypt files for specific persons
Now we are going to encrypt files for
email@example.com by using his public key.
$ gpg --cipher-algo AES256 -e --sign --recipient firstname.lastname@example.org test.txt
With this approach we are able to store files in any cloud storage. Only the recipient is able to decrypt the content. In this specific case only John is able to decrypt the content with his private key. We do not have to ship any shared password to John and everything works out of the box. By reusing the GPG infrastructure, sharing encrypted content is much simpler.
If you are not using GPG/PGP already for your email, please do.