Articles on websites & etc.

§ Home > Index > General Interest

Notes for using GPG to encrypt and decrypt backup files

GPG allows you to use public-private key encryption to encrypt
and decrypt files on Windows and Linux.  The benefit of public-private
key encryption is that you can keep your public key out in
the open, and use it from anywhere to encrypt files.  Once
encrypted with the public key, those files can only be decrypted
with the private key.  The idea is to keep the private key 
someplace safe, like on a CDROM in a bank vault, and then you can
keep the encrypted backup files and public key just about anywhere.
Better yet, you can send the encrypted backup files over easy-to-use,
unencrypted network protocols, like FTP and HTTP.

In a simple, scheduled Perl script, I can create a backup of my websites, 
encrypt them, and then transfer them by anonymous FTP to my home computer.
Similarly, I can encrypt important files on my home computer and store
them safely on third-party servers.  The notes below outline the commands
that are needed to perform the necessary operations.

GPG requires a home directory to store its keys.
In Linux, it uses HOME/.gnupg
In Windows, it uses what you specify in the registry keys,
	which by default is c:\GnuPG

Keys are stored in files called "key rings".
	The secring.gpg file is the key ring that stores secret keys.
	The pubring.gpg file is the key ring that stores public keys.

Keys in the key rings are referred to by the name, or partial name.
	e.g. to refer to the key of "Shailesh N. Humbad", 
		you can use "Shailesh" as the name.

To create a new public/private key pair, run:
	gpg --gen-key
and follow the prompts.

To list public keys, run:
	gpg --list-keys

To list private or secret keys, run:
	gpg --list-secret-keys

To export a public key to an ascii text file, run:
	gpg -a --export NAME > yourpublickey.gpg

To export a private (or secret) key to an ascii text file, run:
	gpg -a --export-secret-keys NAME > yourprivatekey.gpg

To delete a public key from the local key ring:
	gpg --delete-keys NAME

To delete a secret key from the local key ring:
	gpg --delete-secret-key NAME

To encrypt a file, use:
	gpg -r NAME --output OUTFILE.gpg --encrypt INFILE

To decrypt a file, use:
	gpg -r NAME --output OUTFILE --decrypt INFILE.gpg

If you leave out the "-r" option, it will prompt you for the
	 name of the user whose key should be used.
Decrypting a file requires that you have the secret key in the local
 key ring, and it will prompt you for the passphrase to access the secret key.

To make a backup of a key, copy the key to an ASCII file as shown above.
These can be imported into another key ring on another computer, but
they can't be directly used during a gpg command.

You may want to keep your secret key ONLY on external media (recommended), 
but be able to decrypt files using that key with a single command.

In this case, you need to create a key ring file containing your secret
key.  To do this, first make sure the desired key exists in the local key
ring file by using the list commands.  Then copy the ring.gpg file
to the external media.  To use the external key ring store, use the
--secret-keyring option in the command line.

(You can make sure only selected keys exist in the key ring file by 
making a backup copy of the original, importing the selected keys, 
copying the new key ring, and then restoring the original.)

To decrypt a file with an external key ring, run:
	gpg --secret-keyring KEYRING -o OUTFILE --decrypt INFILE

To import a key, run:
	gpg --import KEYFILE

When importing a public key onto another machine, you may have configure gpg to
trust the key.  Otherwise, when you use the key to do encryption, you may
see a prompt like this:

	It is NOT certain that the key belongs to the person named
	in the user ID.  If you *really* know what you are doing,
	you may answer the next question with yes.

	Use this key anyway? (y/N) 

To trust the key, run:
	gpg --edit-key NAME

GPG will output some information, and show a line like:
	trust: undefined     validity: unknown

You will be at a console, and you have to type "trust":
	Command> trust 
	Please decide how far you trust this user to correctly verify other users' keys
	(by looking at passports, checking fingerprints from different sources, etc.)

	  1 = I don't know or won't say
	  2 = I do NOT trust
	  3 = I trust marginally
	  4 = I trust fully
	  5 = I trust ultimately
	  m = back to the main menu

	Your decision? 5
	Do you really want to set this key to ultimate trust? (y/N) y
Type "quit" to quit.  If you run gpg --edit-key NAME again, you will 
see a line as below, which means the key is now trusted.
	trust: ultimate      validity: ultimate

To bypass the passphrase prompt in background or server-side automated processes,
you must disable the agent program and pass the passphrase via STDIN. In the
examples below, the password is saved in the p.txt file.

Here is the Windows GPG4Win decrypt command using no special configuration options:

type p.txt | gpg --passphrase-fd 0 --batch --agent-program NUL -r NAME --output OUTFILE --decrypt INFILE

On Linux, the command would be something like:

cat p.txt | gpg --passphrase-fd 0 --batch --agent-program /dev/null -r NAME --output OUTFILE --decrypt INFILE

If the key can not be found, remember that the gnupg home directory
may be different for each user running the gpg command.
Therefore, in IIS, you may need to set the GNUPGHOME environment variable to the gnupg
home directory that contains the secring.gpg, pubring.gpg, and trustdb.gpg.

VB.Net/IIS example of setting home directory environment variable for a background process,
assuming the .gpg files are copied to the AppPoolIdentity user's home directory:

Dim psi As ProcessStartInfo = New ProcessStartInfo()
psi.EnvironmentVariables.Add("GNUPGHOME", "C:\Users\AppPoolIdentity\AppData\Roaming\gnupg")

For more information, see the GnuPG Site. Look for the FAQ and the GPG Manual.

Have you heard of the new, free Automated Feeds offered by Google Merchant Center? Learn more in Aten Software's latest blog post comparing them to traditional data feed files.
Created 2004-10-11, Last Modified 2015-01-16, © Shailesh N. Humbad
Disclaimer: This content is provided as-is. The information may be incorrect.