On this page
Getting started with commandline encryption tools on Linux
Encryption is the process of encoding messages or information in such a way that only authorized parties can read them. With almost no privacy in this digital generation of our's, encryption of our data is one of the most required tools. Most of the applications like gmail encrypt our data, but the data on your system is still unsecured and there are hackers or unauthorised users waiting to access them. One way to minimize the risk of data theft is to encrypt the data that is present even on our local system.
This tutorial demonstrates several methods of encrypting the data on Linux systems using commandline tools.
2 Encryption using GPG
2.1 GPG Introduction
GPG stands for GNU Private Guard which is a commandline utility that is used to encrypt and decrypt data files or folders using either symmetric or public key encryption. GPG is a GPL Licensed alternative to the PGP cryptographic software suite. GPG is used by OpenPGP-compilant systems as well.
2.2 Encryption using Symmetric Key
Here I have a file named "test.txt" that I will encrypt and then decrypt with a symmetric key and print the decrypted text into another file called "output.txt".
Run the following command to encrypt the file test.txt using a symmetric key. The option "-c" indicated the GPG to use symmetric keys.
gpg -c test.txt
The result of this will look like the image below. The first time when GPG is run, a .gnupg folder is created. It contains the files that are necessary for the encryption process. It then asks you to enter a passphrase twice. Please make sure that you enter a strong passphrase and that you remember it as you need this in future to decrypt your files.
So, once the passphrase is entered correctly, a file called "test.txt.gpg" is created. This is the encrypted file. The following image shows the file before and after encryption.You can see that the encrypted text is in an unreadable format.
Use the following command to decrypt the encrypted file
gpg -o output.txt test.txt.gpg
You will be prompted to enter the passphrase used to encrypt. Once you enter that correctly, "output.txt" file will be created with the same contents as that of "test.txt". The output of decryption might look similar to the image below:
2.3 Public Key Encryption
Here we will encrypt a set of files using the public / private key encryption mechanism of GPG. It involves creation of a private key which should never be shared with anyone and a public key that has to be shared with the people who want to send you encrypted data.
First, we will have to pack the files into a compressed folder. Here I have a directory called "enctest"with three files test1.txt to test3.txt .We will compress this directory tar.gz file. I wll use the following command to create the compressed tar.gz archive:
tar czf files.tar.gz ~/enctest
This creates a file "files.tar.gz" . We now have to generate the public/private key pair. Run the following command to generate the key:
Remember, this has to be done only once and any number of files and folders can be encrypted with this key. Once you type this command, various set of questions will be asked. The questions will be:
- What kind of encryption to use? I selected 1 which is RSA and RSA.
- What should be the key size? I chose 2048, you can choose any size in the range of 1024 and 4096.
- When should the Key expire? I selected 0 , which means that the key never expires. But can provide days, weeks or years if you want it to expire in a particular time.
Other things like passphrase will be asked, you will be prompted to enter it twice. Make sure you use a strong one and that you remember the passphrase. Also your credentials will be used. The credentials that I have used here (provided below) are just for testing. It is recommended that you use your genuine credentials like name, email ID and provide some comment.
The following content shows my answer and how the output will be:
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire
= key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: John Doe Email address: firstname.lastname@example.org Comment: tis is key generation You selected this USER-ID: "John Doe (tis is key generation) <email@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key.
Once you enter the passphrase, it begins to generate the key. It will ask you to do some work. It is recommended to move the mouse or type something or use the drives to open some files. It will use this work to generate random bits. You may have to do this multiple times. The output for me is shown below:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 187 more bytes) +++++ ...+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 92 more bytes) .....+++++ Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 114 more bytes) +++++
Once done, the key has been generated. It will look similar to the content below:
gpg: /home/akshay/.gnupg/trustdb.gpg: trustdb created gpg: key FA2314B6 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/FA2314B6 2015-04-02 Key fingerprint = 5A02 5D77 3E0A 8B69 8086 3032 DE51 6EA5 FA23 14B6 uid John Doe (tis is key generation) <firstname.lastname@example.org> sub 2048R/6F78E642 2015-04-02
There are two important things here: provide a strong passphrase and make sure to remember your passphrase
Now that the keys are generated, we will now have to export the public key file for importing it on other systems or to send it by email. To start the export, use the following command:
gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
Replace 'John Doe' with the name you used while generating the key.
It is also recommended to take a backup of the private key. We can use gpg to do that. To take the backup, use the following command:
gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
Here the file "file-enc-privkey.asc" will hold the backup of the private key safely. Once exporting and key backup is complete, we can now encrypt and decrypt the .tar.gz file. Use the following command to encrypt:
gpg --encrypt --recipient 'John Doe' files.tar.gz
Remember to change 'John Doe' in the above command to the name given by you during key generation, else the encryption will fail. When the command runs successfully, an encrypted file called "files.tar.gz.gpg" will be created.
Now we can decrypt the tar.gz archive using the following command. It will use the private key along with the passphrase to decrypt and provide the decrypted folder. Use the following command to decrypt:
gpg --output output.tar.gz --decrypt files.tar.gz.gpg
The above command will ask for the passphrase and then decrypt the encrypted file and create a compressed file named "output.tar.gz" which can then be extracted to folder with tar to get back the files. The following image shows the output of encrypting and decrypting commands:
2.4 Why GPG?
GPG supports both: public key encryption and symmetric encryption and this provides a good amount of flexibility and can be used for a wide range of applications. There isn't a need to provide any kind of sensitive information and also gpg can have any number of encryptors by using the public key. Choice is given to the user to select from multiple encryption algorithms. These reasons make it a very useful security tool to for encryption of files and folders or data.
3 Encryption using OpenSSL
3.1 Introduction to OpenSSL
The OpenSSL project is a collaborative effort to develop a robust, commercial-grade, full-featured and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS) protocols as well as a full-strength general purpose cryptographic library. OpenSSL is available for most Unix-like operating systems and it is based on SSLeay. OpenSSL supports also many SSH, SFTP, and SCP applications. Here we use OpenSSL to encrypt data by making use the asymmetric encryption and the AES cipher. Symmetric encryption can be used for encrypting bigger files or data.
3.2 Generating the Public and Private keys
The first thing we have to do is generate the public and private keys.We first generate the private key. To do so, use the following command:
openssl genrsa -out private_key.pem 1024
The above command instructs OpenSSL to use RSA to generate a private key with a size of 1024 bytes. The key is then stored securely within a file called "private_key.pem". The output of this command will look similar to the image below:
Once the private (the secret) key is generated, we can use that to generate the public key so that they form a pair. Use the following command to generate the public key:
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
It will look like the image below:
3.3 Encrypting data
We can now use the public key to encrypt data. Here we will encrypt the file "test.txt" and store the encrypted text in the file encrypt.dat. Execute the following command:
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
The following images show the text file before and after encryption:
3.4 Decrypting data
Here we use the private key to decrypt the file. Run the following command:
openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
The file decrypt.txt will contain the decrypted data. The execution of the above command and also the file content is shown in the image below:
The methods shown above are highly secure when used carefully and allow multiple ciphers and security levels to suit different security levels. Thus any of these can be used is various scenarios for encrypting files/folders and raw data.