Notes for using GPG to encrypt and decrypt backup files
GPG allows you to use public-private key encryption to encrypt
and decrypt files on Windows and Linux. The benefit of public-private
key encryption is that you can keep your public key out in
the open, and use it from anywhere to encrypt files. Once
encrypted with the public key, those files can only be decrypted
with the private key. The idea is to keep the private key
someplace safe, like on a CDROM in a bank vault, and then you can
keep the encrypted backup files and public key just about anywhere.
Better yet, you can send the encrypted backup files over easy-to-use,
unencrypted network protocols, like FTP and HTTP.
In a simple, scheduled Perl script, I can create a backup of my websites,
encrypt them, and then transfer them by anonymous FTP to my home computer.
Similarly, I can encrypt important files on my home computer and store
them safely on third-party servers. The notes below outline the commands
that are needed to perform the necessary operations.
GPG requires a home directory to store its keys.
In Linux, it uses HOME/.gnupg
In Windows, it uses what you specify in the registry keys,
which by default is c:\GnuPG
Keys are stored in files called "key rings".
The secring.gpg file is the key ring that stores secret keys.
The pubring.gpg file is the key ring that stores public keys.
Keys in the key rings are referred to by the name, or partial name.
e.g. to refer to the key of "Shailesh N. Humbad",
you can use "Shailesh" as the name.
To create a new public/private key pair, run:
and follow the prompts.
To list public keys, run:
To list private or secret keys, run:
To export a public key to an ascii text file, run:
gpg -a --export NAME > yourpublickey.gpg
To export a private (or secret) key to an ascii text file, run:
gpg -a --export-secret-keys NAME > yourprivatekey.gpg
To delete a public key from the local key ring:
gpg --delete-keys NAME
To delete a secret key from the local key ring:
gpg --delete-secret-key NAME
To encrypt a file, use:
gpg -r NAME --output OUTFILE.gpg --encrypt INFILE
To decrypt a file, use:
gpg -r NAME --output OUTFILE --decrypt INFILE.gpg
If you leave out the "-r" option, it will prompt you for the
name of the user whose key should be used.
Decrypting a file requires that you have the secret key in the local
key ring, and it will prompt you for the passphrase to access the secret key.
To make a backup of a key, copy the key to an ASCII file as shown above.
These can be imported into another key ring on another computer, but
they can't be directly used during a gpg command.
You may want to keep your secret key ONLY on external media (recommended),
but be able to decrypt files using that key with a single command.
In this case, you need to create a key ring file containing your secret
key. To do this, first make sure the desired key exists in the local key
ring file by using the list commands. Then copy the ring.gpg file
to the external media. To use the external key ring store, use the
--secret-keyring option in the command line.
(You can make sure only selected keys exist in the key ring file by
making a backup copy of the original, importing the selected keys,
copying the new key ring, and then restoring the original.)
To decrypt a file with an external key ring, run:
gpg --secret-keyring KEYRING -o OUTFILE --decrypt INFILE
To import a key, run:
gpg --import KEYFILE
When importing a public key onto another machine, you may have configure gpg to
trust the key. Otherwise, when you use the key to do encryption, you may
see a prompt like this:
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
To trust the key, run:
gpg --edit-key NAME
GPG will output some information, and show a line like:
trust: undefined validity: unknown
You will be at a console, and you have to type "trust":
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Type "quit" to quit. If you run gpg --edit-key NAME again, you will
see a line as below, which means the key is now trusted.
trust: ultimate validity: ultimate
For more information, see the GPG FAQ and the GPG Manual.
Link to this page: Notes for using GPG to encrypt and decrypt backup files