
Sunday, June 21, 2009

A GPG primer - Part II - Encrypting files

In Part I, I showed you how to configure your Solaris box to run GPG. Now, it's time to use it!

GPG lets you encrypt a file to a public key so that only the owner of the matching secret key can decrypt it. I warn you once more: as you can see, storing your secret key in a secure place is extremely important. If you think your key might have been compromised, revoke it and create another one.

Encrypting a file

Let's suppose you don't want anybody but you to be able to read a file. As you know, you could store your file in a safe place, but safe is never good enough, and there are use cases for which you'd better have your file encrypted. Imagine you're copying important files to a FAT32 USB drive: the FAT32 filesystem was not built with security in mind! If you encrypt the file(s) with your own key, only you will be able to decrypt them. To encrypt such files, the only command you need is one of the following (the two syntaxes are equivalent):

$ gpg --encrypt --recipient 'your-id' filename
$ gpg -er 'your-id' filename

In both cases the encrypted file will be named filename.gpg. If you prefer to specify the output file name, --output is your friend:
$ gpg -er 'your-id' --output outfile filename
The same applies if you're encrypting a file for a friend of yours: just use their key ID or their e-mail address as the recipient.

Searching a key in a keyserver

Well, there might be times when you don't have your friend's key and it may be out there, stored on a key server. You can have GPG search the keyserver with just one command:
$ gpg --search-keys 'recipient-id' --keyserver keyserver-address
The --keyserver option is optional; if you omit it, gpg will use its default keyserver.

Decrypting a file
Now you've stored or received a file encrypted to your key. Decrypting it is just as easy:
$ gpg --decrypt encrypted-file
You don't need to name your key here: gpg reads the recipient key ID from the encrypted file and picks the matching secret key from your keyring (-d is the short form of --decrypt). You'll be asked for your passphrase and then the decrypted content will be written to standard output. As in the case of file encryption, you can specify an output file with the --output option.
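The encrypt and decrypt steps of this post run end to end in the script below, which is an added example rather than the post's own commands. It assumes GnuPG 2.1 or later and uses a throwaway key with a constructed user ID in a temporary GNUPGHOME, so your real keyring is never touched.

```shell
#!/bin/sh
# Added example (not from the original post): an isolated encrypt/decrypt
# round trip with a throwaway key, so nothing touches your real ~/.gnupg.
# Assumes GnuPG 2.1 or later (for --quick-gen-key and --pinentry-mode).
set -eu

# Prints the decrypted plaintext of a message encrypted to a fresh test key.
gpg_roundtrip() {
    plaintext="$1"
    uid='Test Key <test@example.invalid>'     # constructed user ID

    home="$(mktemp -d)"
    export GNUPGHOME="$home"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$home"' EXIT

    # Empty passphrase so the example runs without a pinentry prompt;
    # a real key gets a strong passphrase, as Part I says.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" default default never

    printf '%s' "$plaintext" > "$home/secret.txt"

    # Same command as in the post: -e encrypt, -r recipient, --output file.
    gpg --batch --quiet --yes -er "$uid" \
        --output "$home/secret.txt.gpg" "$home/secret.txt"

    # The ciphertext names the recipient key ID in the clear; that is how
    # gpg picks the right secret key on decryption without being told.
    gpg --list-packets "$home/secret.txt.gpg" | grep -i 'keyid' >&2 || true

    # No --recipient needed for decryption; the plaintext goes to stdout.
    gpg --batch --quiet --decrypt "$home/secret.txt.gpg"
}

if [ "${1-}" = "--demo" ]; then
    gpg_roundtrip 'hello from FAT32 land'
    echo
fi
```

Run it with `--demo` to see the recipient key ID on stderr and the recovered plaintext on stdout.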

Wednesday, June 17, 2009

A GPG primer - Part I - Setting up Solaris, creating and distributing a key

I think this is due. I've been a GPG user for a long time and still today there are people asking me what those strange characters out there are, or why I'm doing this.

A GPG key pair may be used to sign and encrypt communication from and to its owner. The key owner, the only one who holds the secret key and its passphrase, can sign messages and decrypt messages encrypted to that key. Another person who wanted to send me encrypted information could use my public key to encrypt a message, and I, and only I, would be able to decrypt it. That's just the basics; if you're interested, you can read the GPG User Guide to dig into this subject.

There is also software that can ease your life with these keys:
  • Some desktop systems come with an integrated key manager that lets you create, sign, encrypt and decrypt files and mail with a bunch of clicks.
  • Some mail clients come with similar functionality built in (such as Evolution) or via plugins (such as the Enigmail plugin for Thunderbird).
There are so many that I'm not even trying to enumerate them. I'll just focus on man's best friend: the good ole command line.

Setting up Solaris

Depending on the Solaris version you're running, you may need some extra steps to set up GPG:
  • Solaris up to version 10: GPG is neither bundled with the OS nor available in the Companion Software. To install GPG, follow Blastwave's instructions to set up your system and, optionally, follow my instructions to set up a special Blastwave zone. During the recommended Blastwave configuration you'll install GPG (CSWgnupg), too.
  • Solaris Express Community Edition and OpenSolaris-based distros: GPG is (should be) bundled with the OS.

Creating your key

As we said, the first thing you need is a key. You can make one with gpg:
$ gpg --gen-key
and after answering a bunch of questions you'll get your shiny little key.

Distribute your key

Unless you're going to encrypt files for yourself, the next thing you've got to do to use your key at full power is distributing it (only the public part of it) to whoever may be interested in:
  • Reading something you signed.
  • Sending you encrypted information.
There are plenty of ways to distribute it but the most effective will be publishing it into a public keyserver:
$ gpg --send-keys key-id --keyserver hkp://subkeys.pgp.net/
Please note the following:
  • Instead of your key-id you could use your name, which you provided to GPG during the key creation phase. If you want to know your key-id, you can ask gpg with the --list-keys option.
  • There are many keyservers out there; use the one you like most!
Now, you're ready to tell the world and begin to use your key.