Symmetric and asymmetric - key encryption with gpg and gpg-zip

Created:29 Jun 2018 19:38:09 , in  Security

We have stored more and more data, sometimes logins, passwords and whole databases, by popular cloud storage services today. On one hand, keeping files with them seems like a good idea. You get access to your files on demand, on any device you connect to service with, from anywhere in the world and at any time you see fit. Pure convenience.

On the other hand, though, there are small issues of trusting strangers on their integrity with regards to their methods of handling your data, and also intended snooping by them to think through before signing up.

Owners of cloud storage service will tell you, that your data will be transferred securely and kept encrypted at all times while with them. The trouble is, who can encrypt, can also decrypt your files.

Last but not least, even if your company is trustworthy, it can get hacked one day. There is no month a big brand with presence on the internet is exposed.

To avoid upsetting surprises my approach to storing data in the cloud is rather cautious. I encrypt everything I want to keep on someone's else servers and I use strong algorithms to do so. All data gets encrypted with GnuPG.

This article aims at explaining how to effectively encrypt single files and whole directories of them using symmetric and asymmetric - key encryption algorithms available through Gnu Privacy Guard (gpg).

Symmetric - key cryptography

Symmetric encryption algorithms rely on the same key to encrypt plaintext data and decrypt ciphertext. One of the most secure and widely used ciphers for symmetric - key cryptography is called Advanced Encryption Standard (AES). AES is a subset of Rijndael block ciphers ( block ciphers work on fixed-size blocks of data and change them according to a transformation given by unvarying symmetric key).

Three varying lengths of symmetric key have been chosen for AES. They are: 128 (AES-128), 192 (AES-192) and 256 (AES-256) bits. The longer the key, the more secure and difficult to recover it is. On the other hand, encrypting plaintext with longer keys takes more time.

For modern computers breaking AES with key length of at least 128 bits is considered too complex in terms of time and data outlay to be feasible.

Symmetric - key algorithms are relatively simple and fast, so they are widely used to encrypt bulk of data today.

Asymmetric - key cryptography

Asymmetric key cryptography is based upon the notion of two different but mathematically related keys. One is called "public" the other "private". Public key serves as a means of encrypting plaintext. Decryption is done with private key.

Private key should be known only to the owner and kept secure. Even though both keys are related, guessing private key from the public one is computationally infeasible. For this reason, it is entirely safe to give public key to anyone who wishes to send the proprietor of related private key an encrypted message.

Asymmetric encryption algorithms, due to the length of public key, usauly are slower and computationally more expensive than symmetric algorithms, so for majority of cases they are used to encrypt small amounts of data only.

There exist encryption systems which leverage both symmetric and a asymmetric - key cryptography algorithms. They are called hybrid-encryption systems. One such systems is part of GNU Project and called GnuPG (or gpg).

Gpg encryption algorithms

GnuPG comes equipped with a fair number of quality implementations of symmetric (ciphers) and asymmetric - key algorithms (pubkeys). To obtain their short names type:

.

gpg --version

Here is what I get on my Debian Stretch box:

Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256

As hinted earlier in this text, I'm interested in AES (AES192, alternatively AES 256) for symmetric - key encryption and RSA for public key encryption.

Obtaining key for asymmetric - key encryption

To check what public keys you have in the keyring type:

gpg --list-keys

If nothing has been found, you can generate a pair of keys with a public key ready to use as follows:

gpg --gen-key

Key generation has two stages. In the first of them, among other questions, you will be asked for user ID for key.

It could be something like: USER@HOST.DOMAIN (substitute USER,HOST and DOMAIN for your own values).

Gpg, once given all the answers and obtaining enough entropy, will generate and add to your keyring a brand new RSA key with length of 2048 bits. Key of this length is long enough to be secure but also still usable for encryption.

Now you can find your key typing:

gpg --list-public-keys USER@HOST.DOMAIN

Encrypting using public key

To encrypt file FILE for recipient RECIPIENT using public key generated in the previous step and save output in file OUTPUT_FILE type:

gpg --output OUTPUT_FILE --encrypt --recipient RECIPIENT FILE

In order to decrypt OUTPUT_FILE you'll need private key that matches the public key:

gpg --output FILE --decrypt OUTPUT_FILE

Encrypting using symmetric key

To encrypt file FILE using AES128 cipher type:

gpg --symmetric FILE

Cipher and output file name can be configured using --cipher-algo and --output options respectively.

gpg --output OUTPUT_FILE --cipher-algo AES256 --symmetric FILE              

To decrypt file using symmetric key type:

gpg --decrypt OUTPUT_FILE

Making encrypted data portable

One frequently useful option for making encrypted data portable is --armor. It instructs gpg to output data in ASCII armored format rather than in binary one:

gpg --armor --output OUTPUT_FILE --cipher-algo AES256 --symmetric FILE

Encrypting directories with gpg-zip

Gpg has --multiline option which enables you to pass a list of files to encrypt to it. Each name on the list must be separated by a new line character for it to work with no errors. If you can't ensure this you might want to take a look at gpg-zip program.

Gpg-zip is tar and gpg in one, a program which encrypts whole directories of files effortlessly. It does it, depending on your needs, using either symmetric - key or asymmetric - key encryption algorithms:

 
gpg-zip --encrypt --recipient RECIPIENT DIRECTORY > OUTPUT_FILE

The line of code above encrypts all files in directory DIRECTORY using public key for recipient RECIPIENT and saves it in file OUTPUT_FILE .

Here is another version of the same thing but with --ouput option rather than output redirection.

gpg-zip --output OUTPUT_FILE --encrypt --recipient RECIPIENT DIRECTORY

Symmetric - key encryption of a directory of files can be realized with gpg-zip as follows:

gpg-zip --symmetric --output OUTPUT_FILE --cipher-algo AES256 --recipient RECIPIENT --encrypt DIRECTORY

To decrypt file with gpg-zip you would do the following:

gpg-zip --output FILE --decrypt OUTPUT_FILE 

Encrypting data from standard input stream

Like many other command line programs, gpg can accept stream of data from standard input. To indicate this, you ad "-" (hyphen) in the place you would normally put in a file name to encrypt. Here is a short example of this:

  
mysqldump DATABASE | gpg --output OUTPUT_FILE --encrypt --recipient RECIPIENT -

What happens above is, database DATABASE gets dumped by mysqldump and passed to gpg which encrypts it. Output of the operation gets saved in OUTPUT_FILE (You need to add user and password in mysql client configuration file ~/.my.cnf file for this example to work ).

Final thoughts

Gpg and gpg-zip make both symmetric and asymmetric encryption readily available to anyone who needs it, or more importantly to anyone who does not want to or simply cannot trust third parties with regards to security of their data.

I hope, this article gives both enough examples and answers the most common question on how to encrypt quickly and effectively. To deal successfully with advanced encryption cases you might need to accustom yourself with gpg manual.

Gpg is frequently used to encrypt archives. For how to create them you might want to look at building and compressing archives with tar and process substitution article.

If you liked the article, please share it.

This post was updated on 30 Jun 2018 10:36:04

Tags:  encryption