Somacon.com: Articles on websites & etc.


Notes for using GPG to encrypt and decrypt backup files


GPG allows you to use public-private key encryption to encrypt
and decrypt files on Windows and Linux.  The benefit of public-private
key encryption is that you can keep your public key out in
the open, and use it from anywhere to encrypt files.  Once
encrypted with the public key, those files can only be decrypted
with the private key.  The idea is to keep the private key 
someplace safe, like on a CDROM in a bank vault, and then you can
keep the encrypted backup files and public key just about anywhere.
Better yet, you can send the encrypted backup files over easy-to-use,
unencrypted network protocols, like FTP and HTTP.

In a simple, scheduled Perl script, I can create a backup of my websites, 
encrypt them, and then transfer them by anonymous FTP to my home computer.
Similarly, I can encrypt important files on my home computer and store
them safely on third-party servers.  The notes below outline the commands
that are needed to perform the necessary operations.

GPG requires a home directory to store its keys.
	On Linux, it uses $HOME/.gnupg.
	On Windows, it uses the directory named in the GnuPG registry keys,
	which by default is c:\GnuPG.

Keys are stored in files called "key rings".
	The secring.gpg file is the key ring that stores secret keys.
	The pubring.gpg file is the key ring that stores public keys.

Keys in the key rings are referred to by the name, or partial name.
	e.g. to refer to the key of "Shailesh N. Humbad", 
		you can use "Shailesh" as the name.

To create a new public/private key pair, run:
	gpg --gen-key
and follow the prompts.

To list public keys, run:
	gpg --list-keys

To list private or secret keys, run:
	gpg --list-secret-keys

To export a public key to an ASCII-armored text file (-a), run:
	gpg -a --export NAME > yourpublickey.gpg

To export a private (or secret) key to an ASCII-armored text file, run:
	gpg -a --export-secret-keys NAME > yourprivatekey.gpg

To delete a public key from the local key ring:
	gpg --delete-keys NAME

To delete a secret key from the local key ring:
	gpg --delete-secret-key NAME

To encrypt a file, use:
	gpg -r NAME --output OUTFILE.gpg --encrypt INFILE

To decrypt a file, use:
	gpg -r NAME --output OUTFILE --decrypt INFILE.gpg

If you leave out the "-r" option, it will prompt you for the
	name of the user whose key should be used.
Decrypting a file requires that you have the secret key in the local
	key ring, and it will prompt you for the passphrase to access the secret key.

To make a backup of a key, copy the key to an ASCII file as shown above.
These can be imported into another key ring on another computer, but
they can't be directly used during a gpg command.

You may want to keep your secret key ONLY on external media (recommended), 
but be able to decrypt files using that key with a single command.

In this case, you need to create a key ring file containing your secret
key.  To do this, first make sure the desired key exists in the local key
ring file by using the list commands.  Then copy the secring.gpg file
to the external media.  To use the external key ring, pass the
--secret-keyring option on the command line.

(You can make sure only selected keys exist in the key ring file by 
making a backup copy of the original, importing the selected keys, 
copying the new key ring, and then restoring the original.)

To decrypt a file with an external key ring, run:
	gpg --secret-keyring KEYRING -o OUTFILE --decrypt INFILE

To import a key, run:
	gpg --import KEYFILE

When importing a public key onto another machine, you may have to configure gpg to
trust the key.  Otherwise, when you use the key for encryption, you may
see a prompt like this:

	It is NOT certain that the key belongs to the person named
	in the user ID.  If you *really* know what you are doing,
	you may answer the next question with yes.

	Use this key anyway? (y/N) 

To trust the key, run:
	gpg --edit-key NAME

GPG will output some information, and show a line like:
	trust: undefined     validity: unknown

You will be at a console, and you have to type "trust":
	Command> trust 
	Please decide how far you trust this user to correctly verify other users' keys
	(by looking at passports, checking fingerprints from different sources, etc.)

	  1 = I don't know or won't say
	  2 = I do NOT trust
	  3 = I trust marginally
	  4 = I trust fully
	  5 = I trust ultimately
	  m = back to the main menu

	Your decision? 5
	Do you really want to set this key to ultimate trust? (y/N) y
                                                             
Type "quit" to quit.  If you run gpg --edit-key NAME again, you will
see a line like the one below, which means the key is now trusted:
	trust: ultimate      validity: ultimate
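The trust menu above is interactive, which does not suit a server that is provisioned by script. The following added example (my own code, not from this page or from GnuPG) does the same job with GnuPG's ownertrust file format: gpg --export-ownertrust prints one FINGERPRINT:CODE: record per key, and gpg --import-ownertrust reads the same records from stdin. The codes are 2 = undefined, 3 = never, 4 = marginal, 5 = full, 6 = ultimate, so the menu choices 1 to 5 shown above map to 2 to 6, and "5 = ultimate" becomes code 6. It assumes gpg is on PATH; the fingerprint used is a constructed placeholder, and the real one comes from gpg --fingerprint NAME.

```python
"""Owner trust without the interactive --edit-key menu (added example)."""
import os
import re
import shutil
import subprocess
import sys
from typing import Dict, Iterable, Optional

# Menu wording from the page -> numeric code used in the ownertrust file.
TRUST_LEVELS: Dict[str, int] = {
    "undefined": 2, "never": 3, "marginal": 4, "full": 5, "ultimate": 6,
}
_FPR_RE = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(fingerprint: str) -> str:
    """Strip the spaces that gpg --fingerprint prints and upper-case the hex."""
    return fingerprint.replace(" ", "").upper()


def is_fingerprint(fingerprint: str) -> bool:
    """A v4 OpenPGP key fingerprint is exactly 40 hex digits."""
    return bool(_FPR_RE.match(normalize_fingerprint(fingerprint)))


def ownertrust_line(fingerprint: str, level: str) -> str:
    """Build one ownertrust record; reject bad fingerprints and unknown levels."""
    if not is_fingerprint(fingerprint):
        raise ValueError("fingerprint must be 40 hex digits (see gpg --fingerprint NAME)")
    if level not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level {level!r}; choose from {sorted(TRUST_LEVELS)}")
    return f"{normalize_fingerprint(fingerprint)}:{TRUST_LEVELS[level]}:"


def parse_ownertrust(text: str) -> Dict[str, str]:
    """Parse gpg --export-ownertrust output into {fingerprint: level name}.

    Comment lines (starting with '#') and blank lines are skipped, so a
    script can feed the export verbatim and verify that the trust "stuck".
    """
    names = {code: name for name, code in TRUST_LEVELS.items()}
    assignments: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fpr, code, _rest = line.split(":", 2)
        assignments[fpr] = names.get(int(code), f"code{code}")
    return assignments


def apply_ownertrust(records: Iterable[str], gnupg_home: Optional[str] = None) -> int:
    """Pipe records into gpg --import-ownertrust; returns gpg's exit code."""
    env = dict(os.environ)
    if gnupg_home:  # the key-ring directory, as with the page's GNUPGHOME note
        env["GNUPGHOME"] = gnupg_home
    payload = "".join(r + "\n" for r in records).encode()
    result = subprocess.run(["gpg", "--batch", "--import-ownertrust"],
                            input=payload, env=env, capture_output=True, check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed placeholder; pass a real fingerprint as argv[1] to apply it.
    fpr = sys.argv[1] if len(sys.argv) > 1 else "0123456789ABCDEF0123456789ABCDEF01234567"
    record = ownertrust_line(fpr, "ultimate")
    print("record:", record)
    if len(sys.argv) > 1 and shutil.which("gpg"):
        print("gpg exit code:", apply_ownertrust([record]))
    # Constructed sample of what --export-ownertrust prints afterwards:
    print(parse_ownertrust("# assigned trust values\n" + record + "\n"))
```

Ultimate trust is what the page selects; it is the level GnuPG reserves for keys you own, and it makes the key valid on its own. For a key you merely imported, the alternative that avoids the "It is NOT certain" prompt without granting ultimate trust is to sign it locally with gpg --lsign-key NAME after checking its fingerprint out of band.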

To bypass the passphrase prompt in background or server-side automated processes,
you must disable the agent program and pass the passphrase via STDIN. In the
examples below, the passphrase is stored in the file p.txt.

Here is the Windows GPG4Win decrypt command using no special configuration options:

type p.txt | gpg --passphrase-fd 0 --batch --agent-program NUL -r NAME --output OUTFILE --decrypt INFILE

On Linux, the command would be something like:

cat p.txt | gpg --passphrase-fd 0 --batch --agent-program /dev/null -r NAME --output OUTFILE --decrypt INFILE

If the key cannot be found, remember that the gnupg home directory
may be different for each user running the gpg command.
Therefore, under IIS, you may need to set the GNUPGHOME environment variable to the gnupg
home directory that contains secring.gpg, pubring.gpg, and trustdb.gpg.

VB.Net/IIS example of setting the home directory environment variable for a background process,
assuming the .gpg files are copied to the AppPoolIdentity user's home directory:

Imports System.Diagnostics

' UseShellExecute must be False; otherwise EnvironmentVariables is not
' passed to the child and Process.Start throws an InvalidOperationException.
Dim psi As ProcessStartInfo = New ProcessStartInfo("gpg")
psi.UseShellExecute = False
psi.EnvironmentVariables.Add("GNUPGHOME", "C:\Users\AppPoolIdentity\AppData\Roaming\gnupg")
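The backup workflow described at the top of the page (archive, encrypt to a public key, decrypt later without a prompt) and the GNUPGHOME setting just shown, combined into one script. This is an added example written for these notes, not the author's Perl script and not GnuPG's own code. It assumes gpg is on PATH, that the recipient key is already imported and trusted as described above (so --batch fails cleanly instead of prompting), and that the passphrase file (the page's p.txt) is readable only by the service account. The passphrase is written to gpg's stdin (--passphrase-fd 0) rather than put on the command line, where any local user could read it from the process list. On GnuPG 2.1 and later the agent cannot be disabled with --agent-program, so --pinentry-mode loopback is used instead; that flag is the one part of the command line not taken from the page.

```python
"""Unattended backup encryption/decryption with GnuPG (added example)."""
import os
import shutil
import stat
import subprocess
import tarfile
from pathlib import Path
from typing import List, Optional


def gpg_env(gnupg_home: Optional[str] = None) -> dict:
    """Child-process environment; GNUPGHOME selects the key-ring directory.

    Service accounts (IIS app pools, cron jobs) have a different home
    directory from the interactive user who imported the keys, which is
    the "key not found" failure the page describes.
    """
    env = dict(os.environ)
    if gnupg_home:
        env["GNUPGHOME"] = gnupg_home
    return env


def encrypt_argv(recipient: str, infile: str, outfile: str) -> List[str]:
    """gpg arguments for public-key encryption to RECIPIENT (no passphrase needed)."""
    return ["gpg", "--batch", "--yes", "-r", recipient,
            "--output", outfile, "--encrypt", infile]


def decrypt_argv(infile: str, outfile: str) -> List[str]:
    """gpg arguments for unattended decryption with the passphrase read from fd 0."""
    return ["gpg", "--batch", "--yes", "--pinentry-mode", "loopback",
            "--passphrase-fd", "0", "--output", outfile, "--decrypt", infile]


def mode_is_private(mode: int) -> bool:
    """True if a POSIX file mode grants no group/other permission bits."""
    return stat.S_IMODE(mode) & 0o077 == 0


def read_passphrase(path: str) -> bytes:
    """Load the passphrase file, refusing group/world-readable files on POSIX."""
    p = Path(path)
    if os.name == "posix" and not mode_is_private(p.stat().st_mode):
        raise PermissionError(f"{path} must be readable only by its owner (chmod 600)")
    return p.read_bytes()  # gpg reads the first line from fd 0 as the passphrase


def run_gpg(argv: List[str], stdin_data: Optional[bytes] = None,
            gnupg_home: Optional[str] = None) -> subprocess.CompletedProcess:
    """Run gpg with optional stdin payload; never raises on non-zero exit."""
    return subprocess.run(argv, input=stdin_data, env=gpg_env(gnupg_home),
                          capture_output=True, check=False)


def backup_and_encrypt(src_dir: str, recipient: str, out_gpg: str,
                       gnupg_home: Optional[str] = None) -> int:
    """Tar SRC_DIR, encrypt the archive to RECIPIENT, delete the plaintext archive."""
    archive = str(out_gpg) + ".plain.tar"  # hypothetical intermediate path
    with tarfile.open(archive, "w") as tar:
        tar.add(src_dir, arcname=Path(src_dir).name)
    try:
        result = run_gpg(encrypt_argv(recipient, archive, str(out_gpg)), gnupg_home=gnupg_home)
    finally:
        os.remove(archive)  # only the ciphertext is left on disk
    return result.returncode


def decrypt_backup(in_gpg: str, out_path: str, passphrase_file: str,
                   gnupg_home: Optional[str] = None) -> int:
    """Decrypt IN_GPG to OUT_PATH using the passphrase file; returns gpg's exit code."""
    result = run_gpg(decrypt_argv(str(in_gpg), str(out_path)),
                     stdin_data=read_passphrase(passphrase_file), gnupg_home=gnupg_home)
    return result.returncode


if __name__ == "__main__":
    if shutil.which("gpg") is None:
        print("gpg not found on PATH")
    else:
        # Placeholder key ID and paths; substitute your own.
        rc = backup_and_encrypt("/var/www/mysite", "backup-key@example.invalid", "site.tar.gpg")
        print("encrypt exit code:", rc)
```

Because --batch is set, an untrusted or missing key makes gpg exit non-zero instead of hanging on the "Use this key anyway?" prompt, which is what a scheduled job needs. The permission check only protects against other local accounts reading p.txt; anyone who can read both the passphrase file and secring.gpg can decrypt every backup, so the page's advice to keep the private key off the server that produces the backups still applies.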

For more information, see the GnuPG Site. Look for the FAQ and the GPG Manual.


Created 2004-10-11, Last Modified 2015-01-16, © Shailesh N. Humbad
Disclaimer: This content is provided as-is. The information may be incorrect.