Some files need to be protected, and we can use encryption to do this in a few ways. In this video, explore encrypting and decrypting individual files.
- [Instructor] Some files need to be protected, and to protect files from being read, we can use encryption. When we encrypt a file, we run it through an encryption algorithm that makes the contents unreadable without a particular piece of information, a key or password. On a Linux system, we can do this with the GPG tool. First, let's take a look at encrypting a file with a passphrase. This is symmetric encryption. The same piece of information used to encrypt the file is used to decrypt it. Using a passphrase is convenient because you can remember a passphrase or share it with other people you want to be able to decrypt the file.
To start out, let's create a file. I'll echo "this is secret text" to a file called secretfile. Now, I can use gpg -c and the name of the file to encrypt that file. I'm asked to enter a passphrase. So I'll do that, and I'll confirm it.
If you're using a remote console, you'll see this prompt in the console. Now, I have a file called secretfile.gpg. Let's take a look at that. That's all scrambled up, and I can't read the text that it represents. I could store this file, or send it to someone else, without worrying that it could be read by others. And then to decrypt it, I or someone else could use gpg -d and the name of the GPG file.
My system stored this passphrase, but if yours hasn't stored the passphrase, or if you're on a different computer, you'll be prompted for the passphrase that was set earlier. I'd need to redirect this to a file if I wanted to get a decrypted copy of the file, so I'll do that. I'll redirect this to newfile.txt. And there's the secret text. By default, this uses the AES-256 cipher, and you can choose to use a different one with various options. Take a look at the manpages to learn more about that.
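The passphrase round trip described above, scripted so that it runs without prompts. This is an added example, not part of the video; the function names, the sample passphrase and the throwaway GNUPGHOME directory are constructed for illustration, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: the passphrase (symmetric) round trip, run non-interactively.

# Encrypt file $1 to $2. The passphrase arrives on stdin, so it never appears
# in the process list or in shell history.
sym_encrypt() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      --cipher-algo AES256 -o "$2" -c "$1"
}

# Decrypt $1 to $2; -o takes the place of the shell redirect.
sym_decrypt() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
      -o "$2" -d "$1"
}

# Print the OpenPGP cipher number recorded in $1 (9 means AES-256).
sym_cipher_id() {
  gpg --batch --pinentry-mode loopback --passphrase-fd 0 --list-packets "$1" \
      2>/dev/null | sed -n 's/.*symkey enc packet:.*cipher \([0-9][0-9]*\).*/\1/p'
}

# Full round trip in a throwaway directory; prints a one-line summary.
demo_symmetric() (
  work=$(mktemp -d) || exit 1
  GNUPGHOME="$work/gnupg"; export GNUPGHOME   # leave the real keyring untouched
  mkdir -m 700 "$GNUPGHOME"
  pass='constructed-demo-passphrase'          # sample value, not a real secret
  printf 'this is secret text\n' > "$work/secretfile"

  printf '%s\n' "$pass" | sym_encrypt "$work/secretfile" "$work/secretfile.gpg" || exit 1
  printf '%s\n' "$pass" | sym_decrypt "$work/secretfile.gpg" "$work/newfile.txt" || exit 1
  cmp -s "$work/secretfile" "$work/newfile.txt" && roundtrip=ok || roundtrip=FAILED

  # A wrong passphrase must make gpg exit non-zero.
  if printf 'wrong\n' | sym_decrypt "$work/secretfile.gpg" "$work/bad.txt" 2>/dev/null
  then wrong=accepted; else wrong=rejected; fi

  cipher=$(printf '%s\n' "$pass" | sym_cipher_id "$work/secretfile.gpg")
  rm -rf "$work"
  echo "roundtrip=$roundtrip wrong_passphrase=$wrong cipher=$cipher"
)

demo_symmetric || echo "demo failed (is gpg installed?)"
```

Because the passphrase is supplied on a file descriptor, gpg does not consult the agent's cache, which is why the wrong passphrase is rejected here even right after encrypting.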
We can also use a key to encrypt the file, either symmetrically with a private key or asymmetrically if we have a public key, and then the file would only be able to be decrypted with the corresponding private key. In order to use a key, first we need to have a key, and to generate a key, we need entropy, or randomness, for the system to use to create the key. On a desktop system, this isn't too much of a problem. We can give the system entropy by moving the mouse around. But on a remote server where there's no mouse, we need to generate entropy in some other way.
We can see what entropy the system has with cat /proc/sys/kernel/random/entropy_avail. Right now, I have 3,543 bytes. Depending on how strong of a key we want to generate, we might need more. To do that here, I'll install the RNG Tools package, which includes random number generation software.
And then I'll run rngd -fr /dev/urandom, and I'll let that run for a few seconds. I'll end that with Control + C. I'll recall my command to check the entropy, and now I have more entropy available. To generate a key, I'll run gpg --gen-key, and I'll follow the prompts here. I'll give it a name and an email address.
Then I'll verify this. And I'm prompted for a passphrase for my key. Again, if you're using a remote terminal, you'll see this prompt in the text dialog. And there we go. This sets up a private and public key in my key ring, which is stored in the .gnupg folder in my home folder. I can take a look at the keys that I have with gpg --list-keys. Now I have a key pair that I can use to encrypt a file.
I'll encrypt my text file using this key, with gpg -e secretfile. Now I'm asked for whom to encrypt the file. I'm asked which key to use from my key ring. I'll pick my key here, with the email address associated with it. That's the only person I want to be able to decrypt this file, so I'll end with an empty line. And we'll create the file.
That's created a GPG file encrypted with my public key, which I'll be able to decrypt with my private key, also from my key ring. I'll write gpg -d secretfile.gpg. Then I'm prompted for the password for my private key. I'll provide that, and I'm able to read the text. Using this public and private key combination means that I can send my public key to someone who wants to encrypt a file for my eyes only, and I can also import other people's public keys in order to encrypt files intended for them.
To export my key, I'll write gpg --export --armor and provide my email address, and redirect that to a file. I'll call mine s_pubkey. And this creates a text file that I can send or copy and paste to someone else. The armor option makes the key into text, and without it, I get a binary copy of the key, which is fine for using, but to email or otherwise send to someone, text is a lot easier.
I just so happen to have another exported key here from someone else that I can import and then use to encrypt files for them. It's called msmithkey, and I'll import it into my key ring with gpg --import msmithkey, and I'll clear the screen. Now if I look at my key ring, I can see that I have two keys. Now, when I encrypt a file, I can use this public key.
I won't be able to decrypt this file, and the other user will be able to decrypt it with their private key once I send it to them. That's the basics of encrypting a file from the command line. Take a look at the manpage for GPG for some more information. There's information there about managing the key rings, and about signing as well. But for now, have fun sending encrypted files to your friends, and keep your private keys safe.
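The export, import and encrypt steps above, run with the sender and the recipient in two separate key rings so it is visible who can decrypt. This is an added example, not part of the video; the msmith@example.com address and the function names are constructed, the demo key is created without a passphrase only so that no prompt appears, and --trust-model always stands in for checking the key's fingerprint with its owner.

```shell
#!/bin/sh
# Added example: public-key encryption with sender and recipient kept in
# separate key rings.
RCPT='msmith@example.com'   # constructed address for the recipient

# Run gpg against the key ring directory given as $1.
g() { home=$1; shift; gpg --homedir "$home" --batch --yes --quiet "$@"; }

demo_public_key() (
  work=$(mktemp -d) || exit 1
  mkdir -m 700 "$work/recipient" "$work/sender"
  printf 'this is secret text\n' > "$work/secretfile"

  # Recipient: create a key pair (unprotected, demo only) and export the
  # public half as text.
  g "$work/recipient" --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "M Smith <$RCPT>" 2>/dev/null || exit 1
  g "$work/recipient" --export --armor "$RCPT" > "$work/msmithkey"
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/msmithkey" && armored=yes || armored=no

  # Sender: import the key. A freshly imported key has no established
  # validity, so in batch mode gpg refuses to encrypt to it...
  g "$work/sender" --import "$work/msmithkey" 2>/dev/null
  if g "$work/sender" -r "$RCPT" -o "$work/x.gpg" -e "$work/secretfile" 2>/dev/null
  then untrusted=used; else untrusted=refused; fi
  # ...until the sender vouches for it (here: --trust-model always).
  g "$work/sender" --trust-model always -r "$RCPT" \
      -o "$work/secretfile.gpg" -e "$work/secretfile" || exit 1

  # The sender holds no private key, so decryption fails on that side.
  if g "$work/sender" -o "$work/leak.txt" -d "$work/secretfile.gpg" 2>/dev/null
  then sender=can_decrypt; else sender=cannot_decrypt; fi

  # The recipient's private key decrypts it.
  g "$work/recipient" -o "$work/newfile.txt" -d "$work/secretfile.gpg" 2>/dev/null
  cmp -s "$work/secretfile" "$work/newfile.txt" && rcpt=ok || rcpt=FAILED

  for h in recipient sender; do
    GNUPGHOME="$work/$h" gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$work"
  echo "armored=$armored untrusted_key=$untrusted sender=$sender recipient=$rcpt"
)

demo_public_key || echo "demo failed (is gpg installed?)"
```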