Public-key cryptography provides a quick and easy way to safeguard e-mail messages and sensitive files. Public-key cryptography involves two big numbers: a public key and a private key. When you create a key pair, you keep the private key to yourself and share the public key with anyone you wish.

The numbers in a key pair are related in a really clever way: Data that you encrypt with the public key can be decrypted only with the private key, and data encrypted with the private key can be decrypted only with the public key (private decrypts public, public decrypts private).

If you encrypt a message with your friend’s public key, only your friend can decrypt it (because your friend has never shared his private key with anyone, even with you). Encrypt a message with your private key and send it to your friend: If he uses your public key to decrypt the message (and the result looks meaningful), he’ll know the message came from you. (Nobody else could have sent the message because it’s encrypted with your private key, and no one else knows your private key.)

You can combine these techniques to encrypt and sign a message. In this article, we'll show you how to use gpg (the GNU Privacy Guard) at the command line for those cases where you need security but don’t have access to a desktop environment. You can use gpg to encrypt, decrypt, and sign e-mail messages. gpg can also encrypt documents that you don’t intend to share with others, so snoops won’t be able to read anything you need to keep private. Encrypt the original document, delete the unencrypted version, and only you can decrypt it again to read it.

Encrypting Documents with gpg at the Command Line

Encrypting documents with gpg is an easy and quick way to keep information out of the hands of people who shouldn’t have it. If you’re using SSH or working on a system without a desktop environment, you can use gpg encryption from the command line to keep your private files private.

Sharing a secret file

To encrypt a private document for your friend’s eyes only, you need his public key. When you’ve received his public key (by e-mail or on disk), save it to a directory. To import a public key into your key ring, open your terminal window, move to the directory containing the public key, and use the following command:

gpg --import keyname.gpg

Now you can encrypt your file with your friend’s key by using the following command:

gpg --encrypt --armor -r keyname filename

Share the file as you normally would — you can send it by e-mail or hand your friend a CD. Unless someone has your friend’s private key, that person won’t be able to read the document. To open the file, your friend uses his private key with the following command:

gpg --decrypt filename

Creating a key pair and receiving encrypted documents

To receive encrypted documents, your friend needs your public key. Follow these steps to generate a public/private key pair with gpg at the command line:

  1. Open a terminal window and enter the following command:

gpg --gen-key

A slightly awkward, but functional menu opens, prompting you to select the kind of key you want.

  2. Type 1 and press Enter. You’re prompted to enter the key size.

  3. Type 1024 and press Enter. gpg asks for an expiration date.

  4. Type 0 to create a nonexpiring key and press Enter. gpg notifies you that the key does not expire and asks you to verify that you want to generate a permanent key.

  5. Type y and press Enter.

  6. gpg asks for your real name. Type it in and press Enter. This is used to identify your key in your friend’s key ring.

  7. When gpg prompts you for a comment, type one in if you wish. The comment is optional. Remember, if you enter one, the public will see it.

  8. gpg prompts you for your e-mail address. Type your e-mail address and press Enter. gpg displays your name, comment, and e-mail address.

  9. Verify that the information is correct (or select the appropriate item to change). When the information is correct, enter O (the letter, not the number) to verify that the information is okay and then press Enter.

You’re prompted for a passphrase.

  10. Type a passphrase and press Enter. You’re asked to repeat the passphrase.

  11. Type the passphrase again and press Enter. That’s all there is to it — you’ve created a key.

To exchange your key with others so that you can send and receive encrypted files, you need to do a little more upfront work:

  1. Write your public key to a file by using the following command:

gpg --armor --export e-mailaddress > filename

The --armor option tells gpg to write your public key in an e-mail–friendly form by using only printable characters.

  2. Send the key file to your friends or post it on your Web site.

  3. Your friends need to import your public key with the key file (using the gpg --import command as described at the beginning of this section) before they can decrypt your messages.

Now people can send you encrypted files that only you can read with your private key.

To open a message encrypted with your public key, use the following command:

gpg --decrypt filename
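The key generation, export, import, encrypt and decrypt steps above, together with the sign-and-encrypt combination from the introduction, run end to end in the following added example. The script is not from the original article: "Alice Example", "Bob Example", their e-mail addresses, the message text and the file names are made up for the demo, and each party's keyring lives in a throw-away GNUPGHOME so your own ~/.gnupg is untouched. It answers the gpg --gen-key prompts from a parameter file (gpg's --batch mode) with 3072-bit RSA, gpg's current default, rather than the 1024 bits in the walk-through, which is no longer considered adequate. The demo keys are created without a passphrase so no pinentry is needed, and --trust-model always stands in for the fingerprint check you would do with your friend in person or by phone before trusting an imported key.

```shell
#!/bin/sh
# Added example, not from the original article: the complete two-party
# exchange the text describes, run unattended against two throw-away
# keyrings. Names, addresses, message and file names are made up.
set -eu

# Answer the "gpg --gen-key" prompts from a parameter file instead of the
# menu: key type, key length, no expiry, real name, e-mail. %no-protection
# leaves the demo key without a passphrase; real keys should keep the
# passphrase the interactive walk-through asks for.
gen_key() {   # gen_key <gnupghome> <real name> <e-mail>
    GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%no-protection
%commit
EOF
}

run_exchange() {
    work=$(mktemp -d)                  # created with mode 700, as gpg requires
    mkdir -m 700 "$work/alice" "$work/bob"

    gen_key "$work/alice" "Alice Example" alice@example.com
    gen_key "$work/bob"   "Bob Example"   bob@example.com

    # Each side writes its public key in ASCII armor and imports the other
    # side's file, exactly as the "Sharing a secret file" steps describe.
    GNUPGHOME="$work/alice" gpg --batch --armor --export alice@example.com > "$work/alice.pub"
    GNUPGHOME="$work/bob"   gpg --batch --armor --export bob@example.com   > "$work/bob.pub"
    GNUPGHOME="$work/bob"   gpg --batch --quiet --import "$work/alice.pub"
    GNUPGHOME="$work/alice" gpg --batch --quiet --import "$work/bob.pub"

    # Bob encrypts AND signs a message for Alice with one command.
    # --trust-model always replaces the out-of-band fingerprint check a
    # person would do before relying on a freshly imported key.
    printf 'lunch on Friday?\n' > "$work/msg.txt"
    GNUPGHOME="$work/bob" gpg --batch --quiet --trust-model always --armor \
        --sign --encrypt --recipient alice@example.com \
        --output "$work/msg.asc" "$work/msg.txt"

    # Alice decrypts with her private key. --status-fd emits machine-readable
    # lines; GOODSIG means the signature verified against Bob's public key.
    GNUPGHOME="$work/alice" gpg --batch --quiet --status-fd 2 \
        --decrypt "$work/msg.asc" > "$work/msg.out" 2> "$work/status.txt"
    if [ "$(cat "$work/msg.out")" = "$(cat "$work/msg.txt")" ]; then content=ok; else content=mismatch; fi
    if grep -q '^\[GNUPG:\] GOODSIG' "$work/status.txt"; then sig=good; else sig=bad; fi

    # Bob holds only Alice's PUBLIC key, so even the sender cannot read what
    # he encrypted for her: "private decrypts public".
    if GNUPGHOME="$work/bob" gpg --batch --quiet --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        sender=readable
    else
        sender=denied
    fi

    # Stop the per-keyring agents and remove the demo keyrings.
    GNUPGHOME="$work/alice" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$work/bob"   gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "content=$content signature=$sig sender-decrypt=$sender"
}

if command -v gpg >/dev/null 2>&1; then
    run_exchange
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

Run it as `sh exchange.sh`; it prints `content=ok signature=good sender-decrypt=denied`. The last check is the point made in the introduction: Bob never had Alice's private key, so the file he encrypted for her is unreadable to him too, while the GOODSIG line shows Alice could confirm the message came from Bob because it verifies with his public key.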

Encrypting documents on your home system

You can use the same key pair that you created to exchange with others (see the preceding section) to encrypt documents for your own use. Encrypt the document and delete the unencrypted version, and only those users that know your passphrase can decrypt and read the document.

Follow these steps to encrypt a document:

  1. Open your terminal window and move into the directory containing the file to be encrypted.

  2. Enter the following command:

gpg --encrypt --armor -r keyname filename

Replace keyname with the real name you used when you created the key pair, and filename with the name of the file you want to encrypt. You’re prompted for the passphrase you entered when you created your key pair.

  3. Enter the passphrase and press Enter. The new, encrypted file appears in your directory as filename.asc.

You can now delete the unencrypted document with this command:

rm filename

When you need to use your document again, follow these steps:

  1. Open your terminal window and move to the directory containing the encrypted file.

  2. Enter the following command:

gpg --decrypt filename.asc > newfile

You’re prompted to enter your passphrase.

  3. Enter your passphrase and press Enter. The file is decrypted and written to the filename specified in the command as newfile.

That’s all there is to it. Encryption is a quick, easy way to keep personal documents private — only people with your passphrase can read encrypted files. If you do a good job keeping that passphrase private, no one other than you can access the files you want to keep to yourself.
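The home-system procedure above, as an added example that is not part of the original article: it encrypts a file to your own key, deletes the plaintext, restores it, and checks that a wrong passphrase is refused. "Me Example", the e-mail address, the passphrase and the file contents are made up, and the keyring lives in a throw-away GNUPGHOME. Two details differ from the interactive steps so the script can run unattended: the key is created with gpg's --quick-gen-key (gpg 2.1 or later), and the passphrase is passed on the command line, which exposes it in the process list and is acceptable only for a demo. The script also switches off gpg-agent's passphrase cache, because otherwise a wrong passphrase offered right after a correct one would appear to work. One point worth knowing: encrypting to your own public key does not touch the private key, so gpg needs the passphrase when the file is decrypted (or when you sign), not when it is encrypted.

```shell
#!/bin/sh
# Added example, not from the original article: encrypt a file to your own
# key, remove the plaintext, and show that the private key's passphrase is
# what gates decryption. Name, address, passphrase and contents are made up.
set -eu

run_self_encryption() {
    home=$(mktemp -d)                       # mode 700, as gpg requires
    pass='correct horse battery staple'     # demo passphrase only

    # gpg-agent normally remembers a passphrase after first use; disable that
    # so the wrong-passphrase attempt below is really checked against the key.
    printf 'default-cache-ttl 0\nmax-cache-ttl 0\n' > "$home/gpg-agent.conf"

    # One-command equivalent of the interactive key creation: default
    # algorithm and usage, never expires. --pinentry-mode loopback lets the
    # passphrase come from the command line instead of a prompt.
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-gen-key 'Me Example <me@example.com>' default default never

    # Encrypt to yourself. Only the public key is used here, so no passphrase
    # is involved until the private key is needed to decrypt.
    printf 'private notes\n' > "$home/notes.txt"
    GNUPGHOME="$home" gpg --batch --quiet --armor --encrypt --recipient me@example.com \
        --output "$home/notes.txt.asc" "$home/notes.txt"
    rm "$home/notes.txt"                    # keep only the encrypted copy

    # A wrong passphrase cannot unlock the private key, so decryption fails.
    if GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase 'wrong' \
           --decrypt "$home/notes.txt.asc" >/dev/null 2>&1; then
        wrong=readable
    else
        wrong=denied
    fi

    # The right passphrase unlocks it; write the plaintext to a new file,
    # like "gpg --decrypt filename.asc > newfile" in the steps above.
    GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --decrypt --output "$home/notes.restored" "$home/notes.txt.asc" 2>/dev/null
    if [ "$(cat "$home/notes.restored")" = 'private notes' ]; then right=ok; else right=mismatch; fi

    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    echo "wrong-passphrase=$wrong right-passphrase=$right"
}

if command -v gpg >/dev/null 2>&1; then
    run_self_encryption
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

Run it as `sh selfencrypt.sh`; it prints `wrong-passphrase=denied right-passphrase=ok`. Outside a demo, leave out --passphrase and --pinentry-mode loopback and let gpg prompt, as the numbered steps do; the passphrase then never appears in a shell history or process listing.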