File Encryption with GPG on Mac

GNU Privacy Guard is Open Source encryption software. It is an implementation of the OpenPGP standard. GnuPG enables you to encrypt and sign your data and communication, features a versatile key managment system as well as access modules for all kind of public key directories.

GnuPG HOWTOs

To begin, GnuPG must first be installed onto your machine.

• Download the latest version of MacGPG2 and install it onto your machine. NOTE that this requires Mac OSX 10.4.x or higher.
• Once the program is installed, logout, then back in again to ensure all components are ready for use.

The simplest encryption is with a symmetric cipher. A file can be encrypted with a passphrase and anyone who knows the passphrase can decrypt it, thus keys are not needed. You will note, after encrypting sensitivefile the original file remains untouched. A new, encrypted file is created with a '.gpg' suffix.

> gpg -c sensitivefile               # Encrypt a sensitivefile with password
> gpg sensitivefile.gpg              # Decrypt sensitivefile 

Public and private keys are the heart of asymmetric cryptography. Key points to remember:

• Your public key is used by others to encrypt files that only you as the receiver can decrypt. The sender cannot even decrypt the file unless they are also a receiver. The public key is thus meant to be distributed.

• Your private key is encrypted with your passphrase and is used to decrypt files which were encrypted with your public key. The private key must be kept secure. If the key or passphrase is lost, so are all the files encrypted with your public key.

The first step is to generate a key pair. You will be asked a series of questions. The defaults are reasonable, however you will have to enter at least your full name and email and optionally a comment. Depending on your need, you may also want to select a more appropriate key lifetime than non expiring. The comment is useful to create more than one key with the same name and email. Also you should use a “passphrase”, not a simple password.

$ gpg --gen-key
gpg (GnuPG/MacGPG2) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits   
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Sat Feb  6 10:47:57 2010 EST
Is this correct? (y/N) y
                        
GnuPG needs to construct a user ID to identify your key.

Real name: Physics Computer Network
Email address: staff@physics.purdue.edu
Comment: Example Key, 1 day life       
You selected this USER-ID:      
    "Physics Computer Network (Example Key, 1 day life) <staff@physics.purdue.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.    

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 2275F891 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2010-02-06
pub   2048D/2275F891 2010-02-05 [expires: 2010-02-06]
      Key fingerprint = 8C3E 5263 E6A4 6B0C 9B32  CFEC F52B D641 2275 F891
uid                  Physics Computer Network (Example Key, 1 day life) <staff@physics.purdue.edu>
sub   2048g/32295B57 2010-02-05 [expires: 2010-02-06]

Summary of commonly used options:

• -s sign data
• -e encrypt data
• -d decrypt data
• -r NAME encrypt for recipient NAME (or 'Full Name' or 'email@domain')
• -a create ascii armored output of a key
• -o use as output file

The examples use 'Your Name' and 'Alice' as the keys are referred to by the email or full name or partial name.

No need to import or export any key for this. You have the necessary keys already if you have run gpg –gen-key.

> gpg -s -e -r 'Your Name' file               # Sign and encrypt with your public key
> gpg -o file -d file.gpg                     # Decrypt. Use -o or it goes to stdout

First you need to export your public key for someone else to use it. And you need to import the public key from Alice to encrypt a file for her. You can either handle the keys in simple ascii files or use a public key server.

For example, Alice exports her public key and you import it, you can then encrypt a file for her. Only Alice will be able to decrypt it.

> gpg -a -o alicekey.asc --export 'Alice'     # Alice exports her key in ascii format
> gpg --send-keys --keyserver cryptonomicon.mit.edu KEYID   # She then puts her key on a  key server.
> gpg --import alicekey.asc                   # You import her key into your key ring, from the alicekey.asc file.
> gpg --search-keys --keyserver cryptonomicon.mit.edu 'Alice' # or get her key from a server.

Once the keys are imported it is trivial to encrypt or decrypt a file:

> gpg -s -e -r 'Alice' file                      # Sign and encrypt a file for Alice.
> gpg -d file.gpg -o file                     # Decrypt a file encrypted by Alice for you.

> gpg --list-keys                             # list public keys and see the KEYIDS
    The KEYID follows the '/' e.g. for: pub   1024D/F520101A  the KEYID is F520101A
> gpg --fingerprint KEYID                     # Show the fingerprint of a key
> gpg --gen-revoke 'Your Name'                # generate revocation certificate
> gpg --list-secret-keys                      # list private keys
> gpg --delete-keys NAME                      # delete a public key from local key ring
> gpg --edit-key KEYID                        # Edit key (e.g sign, trust, etc.)