Encrypt a File Using GPG

Hands-On Lab

Kenny Armstrong

Linux Training Architect II in Content

Length

01:00:00

Difficulty

Beginner

With the prevalence of cloud servers in use today, security should be at the forefront of their deployments. Just as important is the security of important local files and documents. We can use the GNU Privacy Guard, or GPG, toolset to encrypt files, and by exchanging public keys with other users we can exchange encrypted and signed files with them. In this hands-on lab, we will walk through creating a new GPG key, signing and encrypting a file, and sending that file to another user who holds our public key.


Log In to the Lab Environment

Use the credentials and server IP in the hands-on lab overview page to log into the lab server.

Create a GPG Key for cloud_user

Generate a new GPG key:

[cloud_user@host]$ gpg --gen-key

Accept the defaults for each prompt. For the user ID, enter cloud_user, and use cloud_user@localhost for the email address. We can leave the comment field blank by just pressing Enter, and press o at the end for OK.

We'll use password321 when we're prompted for a passphrase, and when we're prompted to confirm it.

Now that the key has been created, we need to export it so that Gordon Freeman can decrypt files he gets from us. We'll do that like this:

[cloud_user@host]$ gpg -a -o gfreeman.key --export <KEY_ID>

In that command, use the key ID from the output of the key generation. It will be a string of hexadecimal characters, and the line it's sitting on (in the key generation output) looks like this:

gpg: key XXXXXXXX marked as ultimately trusted

Now, we'll use the mail command to send an email to Gordon Freeman containing the cloud_user public key as an attachment:

[cloud_user@host]$ mail -s "here is your key" -a gfreeman.key gfreeman@localhost
Don't lose this!  I'll call you with the passphrase.
.

Include that final period (on the line by itself) and then press Enter to send the message.

Configure GPG for Gordon

Now we've got to set up the GPG environment for Gordon Freeman. Rather than just su -, we'll actually log in to our host as gfreeman with SSH. The password for gfreeman is the same as it is for the cloud_user account:

[cloud_user@host]$ ssh gfreeman@localhost

Just as we did with the cloud_user account, we'll generate a GPG key for Mr. Freeman, accepting the defaults for each prompt. The only difference will be having a user ID of gfreeman and an email address of gfreeman@localhost:

[gfreeman@host]$ gpg --gen-key

Once we've created the key for Mr. Freeman, we can open up the mutt email client, and save the public key sent over by the cloud_user account:

[gfreeman@host]$ mutt

Arrow up and down to highlight the cloud_user message, then press Enter. Press v to view the attachment, and press s to save it to Mr. Freeman's home directory. Finally, press q to quit Mutt.

Now, to import the public key from cloud_user into Mr. Freeman's keyring, run the following command:

[gfreeman@host]$ gpg --import gfreeman.key

We can run this to view the contents of Mr. Freeman's keyring:

[gfreeman@host]$ gpg --list-keys

Let's log out of gfreeman's account:

[gfreeman@host]$ exit

Generate a Signed Document and Send It to Gordon

When we digitally sign a file, we are using our private GPG key to guarantee that this file came from us. The user that receives the file will use their copy of the public key from us to verify that we signed the file. Let's generate a test document:

[cloud_user@host]$ echo "Just need you to verify this file." > note.txt

Now we'll use cloud_user's private key to sign the file:

[cloud_user@host]$ gpg --clearsign note.txt

Remember that we need to use the passphrase we created earlier (password321).

There should now be a note.txt.asc file in cloud_user's home directory. We can run a quick ls to make sure.

Now that we've made the file, let's email it to gfreeman@localhost:

[cloud_user@host]$ mail -s "check this out" -a note.txt.asc gfreeman@localhost
Could you verify this file for me?
.

Verify the Signature of the Emailed Document

Log in to localhost again, as gfreeman:

[cloud_user@host]$ ssh gfreeman@localhost

Use the mutt email client, and just as before, view and save the new email message's attachment.

Now, verify the note.txt.asc file that was emailed:

[gfreeman@host]$ gpg --verify note.txt.asc

We'll get a warning that the key is not certified with a trusted signature (no third party has vouched for it in Mr. Freeman's keyring), and that's ok for this lab. What is important is the following line from the output:

gpg: Good signature from "cloud_user <cloud_user@localhost>"

This is the line a successfully verified signature produces.
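Reading "Good signature" off the screen is fine for a lab, but a script that checks signatures should use gpg's machine-readable status output and pin the expected signer's fingerprint. The following is an added example, not part of the lab; the status lines, key ID and fingerprint are constructed placeholders, and the accepted trust levels are an assumed policy.

```python
"""Decide whether a gpg --verify run succeeded from its --status-fd lines.

Run gpg as:  gpg --status-fd 1 --verify note.txt.asc
and feed the captured output to signature_ok(). The signer's fingerprint is
pinned instead of trusting the human-readable "Good signature from ..." text.
"""
import re

# Status keywords that mean the signature must be rejected.
REJECT = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "EXPSIG", "NO_PUBKEY"}
# Ownertrust levels this example accepts (assumed policy; the lab never
# sets ownertrust on the imported key, hence the warning gpg prints).
ACCEPT_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}

# Constructed sample fingerprint standing in for cloud_user's real key.
CLOUD_USER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

def parse_status(text):
    """Return (keyword, args) pairs from '[GNUPG:] ...' lines; ignore the rest."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\[GNUPG:\]\s+(\S+)\s*(.*)", line)
        if m:
            pairs.append((m.group(1), m.group(2).strip()))
    return pairs

def signature_ok(status_text, expected_fpr, require_trust=True):
    """True only if GOODSIG is present, no reject keyword appears, a VALIDSIG
    line carries the pinned fingerprint, and (if require_trust) the reported
    ownertrust is full or ultimate."""
    pairs = parse_status(status_text)
    keywords = {k for k, _ in pairs}
    if keywords & REJECT or "GOODSIG" not in keywords:
        return False
    fprs = {a.split()[0].upper() for k, a in pairs if k == "VALIDSIG" and a}
    if expected_fpr.upper() not in fprs:
        return False
    return bool(keywords & ACCEPT_TRUST) or not require_trust

# Constructed status output resembling the lab's verify step: the signature
# is good, but cloud_user's key has no ownertrust in gfreeman's keyring.
LAB_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF cloud_user <cloud_user@localhost>\n"
    f"[GNUPG:] VALIDSIG {CLOUD_USER_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {CLOUD_USER_FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
TRUSTED_STATUS = LAB_STATUS.replace("TRUST_UNDEFINED", "TRUST_ULTIMATE")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF cloud_user <cloud_user@localhost>\n"
```

With require_trust=False the check accepts exactly what the lab accepts (good signature, untrusted key); with the default it only passes once the key has been marked trusted in the verifying keyring.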

Next, encrypt a copy of the /etc/fstab file like this:

[gfreeman@host]$ cp /etc/fstab ~
[gfreeman@host]$ gpg -a -r cloud_user -e ~/fstab

You will see a general warning displayed about the key possibly not belonging to the named person. We already know that this key is from cloud_user, so just press y at the prompt.

Verify that there is a file called fstab.asc in the gfreeman home directory (by running ls). Create a new email to cloud_user and attach this file:

[gfreeman@host]$ mail -s "looks good" -a fstab.asc cloud_user@localhost
Can you decrypt this?
.

Log out of Mr. Freeman's account:

[gfreeman@host]$ exit

Decrypt the Attached File

Now, as cloud_user, open up the mutt email client and save the fstab.asc attachment from the new email.

Decrypt the saved fstab.asc file with the gpg command, and enter the passphrase for cloud_user's key when prompted:

[cloud_user@host]$ gpg fstab.asc

Now let's verify that we can read the contents of the decrypted file:

[cloud_user@host]$ cat fstab

Conclusion

Being able to encrypt and decrypt files that you share with others will come in handy. We've got the process down now, and this will help down the road. Congratulations!