In this Linux quick tip we will discuss password protecting a file in Linux using the OpenPGP encryption and signing tool (GnuPG / gpg). This tool provides digital encryption and signing services using the OpenPGP standard.

PSA: It is imperative that you use a strong user account password and passphrase to protect your key. It is also recommended that you protect your ~/.gnupg directory.

Encrypting a File with a Passphrase

Let's jump right in and explain how to simply password protect a file. We will be using the gpg command with the -c (encrypt with symmetric cipher using a passphrase) option.

$ gpg -c personal.txt

Once you enter the above command, you will be prompted for a passphrase. Make this passphrase as secure as possible, but easy to remember. If you lose the passphrase, you will not be able to recover your data.

The command creates a new file named personal.txt.gpg. The original unencrypted file still exists in the directory.

$ ls -l
total 8
-rw-r--r-- 1 savona savona 96 Feb 12 21:28 personal.txt
-rw-r--r-- 1 savona savona 166 Feb 12 21:28 personal.txt.gpg

You can now delete the original file using the rm command.

$ rm personal.txt

The default output file name is the name of the input file with .gpg added to the end. You can specify the output filename and name it whatever you like.

$ gpg -o personaltexts.gpg -c personal.txt

gpg has no native option to delete the original file, but you can append another command to shred it once encryption succeeds.
(Be careful here)

$ gpg -o personaltexts.gpg -c personal.txt && shred -u personal.txt

Take it one step further and obscure the output file by making it hidden (dot file).

$ gpg -o .personaltexts.gpg -c personal.txt && shred -u personal.txt

Confirming Encryption & Cipher

We can now confirm that the data has been encrypted and check which cipher was used. The file command gives you the necessary information.

$ file personal.txt.gpg 
personal.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)

We can see that the file is symmetrically encrypted using the AES256 cipher.

Alternatively, you can get a lot more information using the --list-packets option verbosely.

$ gpg --list-packets -vvv personal.txt.gpg
gpg: using character set 'utf-8'
off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 2
salt DEB8B0DB0636F056, count 65011712 (255)
gpg: AES256 encrypted data
off=15 ctb=d2 tag=18 hlen=2 plen=148 new-ctb
:encrypted data packet:
length: 148
mdc_method: 2
gpg: encrypted with 1 passphrase
off=36 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=1
off=38 ctb=ac tag=11 hlen=2 plen=114
:literal data packet:
mode b (62), created 1550025754, name="personal.txt",
raw data: 96 bytes
gpg: decryption okay
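
The fields of the symkey enc packet shown above can be read directly from the first 15 bytes of the file. The following Python sketch is an added example, not part of the original article: the function names are hypothetical, and the sample bytes are constructed from the values in the output above.

```python
# Algorithm IDs from RFC 4880, sections 9.2 (ciphers) and 9.4 (hashes).
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
HASHES = {1: "MD5", 2: "SHA1", 8: "SHA256", 10: "SHA512"}

def parse_symkey_packet(data: bytes) -> dict:
    """Parse a version 4 symkey enc packet (tag 3) at the start of a .gpg file."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    ctb = data[0]
    if ctb & 0x40:                       # new-format header: tag in low 6 bits
        tag, one_byte_len = ctb & 0x3F, data[1] < 192
    else:                                # old-format header: tag in bits 5..2
        tag, one_byte_len = (ctb & 0x3C) >> 2, (ctb & 0x03) == 0
    if tag != 3:
        raise ValueError(f"first packet has tag {tag}, expected 3")
    if not one_byte_len:
        raise ValueError("only one-byte packet lengths are handled here")
    body = data[2:2 + data[1]]
    if len(body) != data[1] or len(body) < 4:
        raise ValueError("truncated packet")
    version, cipher, s2k, hash_id = body[:4]
    if version != 4:
        raise ValueError(f"unsupported packet version {version}")
    need = {0: 4, 1: 12, 3: 13}.get(s2k)  # minimum body length per S2K mode
    if need is None or len(body) < need:
        raise ValueError("unknown S2K mode or truncated S2K specifier")
    info = {"cipher": CIPHERS.get(cipher, f"id {cipher}"),
            "hash": HASHES.get(hash_id, f"id {hash_id}"),
            "s2k": s2k, "salt": None, "count": None}
    if s2k in (1, 3):                    # salted modes carry an 8-byte salt
        info["salt"] = body[4:12].hex().upper()
    if s2k == 3:                         # iterated+salted: decode the coded count
        c = body[12]
        info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info

def findings(info: dict) -> list:
    """Flag settings that differ from the AES256 / s2k 3 values shown above."""
    out = []
    if info["cipher"] != "AES256":
        out.append(f"cipher is {info['cipher']}, not AES256")
    if info["s2k"] != 3:
        out.append("passphrase is not run through an iterated and salted S2K")
    return out

# Constructed sample: the 15 header bytes implied by the --list-packets output.
SAMPLE = bytes.fromhex("8c0d04090302" "DEB8B0DB0636F056" "ff")

if __name__ == "__main__":
    parsed = parse_symkey_packet(SAMPLE)
    print(parsed, findings(parsed))
```

To check a real file, pass its first bytes, for example `parse_symkey_packet(open("personal.txt.gpg", "rb").read(64))`.
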

Decrypting a File with Passphrase

When you are ready to decrypt the file, you can use the -d option and specify the gpg encrypted filename.

$ gpg -d personal.txt.gpg

The above will print the file to stdout (standard output).

If you want to send it to a file, you can simply redirect the output.

$ gpg -d personal.txt.gpg > output_file.txt

Or you can specify the output file within the gpg command.

$ gpg -o output.txt -d personal.txt.gpg

NOTE: Remember to clean up (delete) these unencrypted versions of the file.

Specifying Cipher to Use

Ubuntu used AES256 by default, which would be my choice (Good Ubuntu). Fedora uses an unspecified AES cipher. I would recommend specifying AES256 as the cipher to use.

$ gpg --cipher-algo AES256 -c personal.txt

You can specify any cipher from the supported ciphers list. More on that in the next section.

Get List of Supported Ciphers

Using the --version argument will give you a list of supported ciphers, hashes, etc.

[Screenshot: output of the gpg --version command, showing the list of supported ciphers]

Specify Default Cipher in Config File

You can specify which cipher you would like used by creating or editing the ~/.gnupg/gpg.conf file. Add the following line to set AES256 as your default cipher.

personal-cipher-preferences AES256

Conclusion

With the Linux gpg command you can easily password protect and encrypt files on the command line. This command is powerful and we only scratched the surface of its options.

If you found this interesting or helpful consider sharing it. If you have anything you would like to add or if I need to be corrected please leave a comment.
