Security

How-To

Encrypting and decrypting files

Rando

The following is a description of how to encrypt files on your computer, using only free, open-source software.

Encryption is the act of locking something up so someone else may not view it without a password.

You have a file you want to encrypt on a Windows computer. You right-click on the file, and it is encrypted into a new file. When you want to access the file, you decrypt it by right-clicking on it again. The program asks for a password. When you supply it, it produces an unencrypted duplicate of the file you encrypted.

Any kind of file can be encrypted with this approach.

In future installments, I'll delve into how to do this from the Linux command line and how to share encrypted files across multiple computers, as well as sharing encrypted files with others.

To set up a free encryption environment on Windows, you'll need two programs. One does all the behind-the-scenes work of encrypting and decrypting, as well as generating and managing keys. The second program acts as the front-end, which will allow you to apply these tools in an easy-to-use way.

For the first task, I'll use a collection of tools called the GNU Privacy Guard (GnuPG). (Here is the How-To). It is an open-source free application and encryption library from the Free Software Foundation. Yay! FSF.

Specifically, I downloaded a version of GnuPG for Windows here. I clicked on the program and it ran me through the installation process. By default it installed all its command-line driven programs into the C:\Program Files\GNU\GnuPG\ folder. If the installer works correctly, all of GnuPG's functions should be accessible from the command line.

Once this program is in place, you need to generate a key. GnuPG uses public-key cryptography. A key is a series of digits, used (in this instance) in much the same way a password is.

For the purposes of this project, all you need to understand is that you need a key for unlocking your files once they are encrypted. To do this, you open the Windows Command Prompt (Go Start-->All Programs-->Accessories-->Command Prompt) and type in "gpg --gen-key" at the command line. Pick the encryption method and run through the other options. For personal encryption, the defaults are a safe bet. I picked DSA, 2048 bits, and a key that does not expire. Follow the instructions attentively.

In this key-generating process, the software asks you for a password. THIS IS THE PASSWORD YOU WILL USE TO UNENCRYPT YOUR FILES. Do not lose or forget this password, or you WILL be unable to access anything you've encrypted. That is a fact, Jack. Also, do not put it in a plain-text file on the computer where the encrypted files are stored. Duh!

Once you've generated a key, you then need to find a program that works within the Microsoft Windows graphical interface and uses this key to encrypt and decrypt a file. Please note, though, that you could encrypt and decrypt from the command line using GnuPG. A nice graphical program does speed things along though.

The GnuPG site has links to a number of front-ends. For this example I'll use the free GPGee. Again, download and follow the installation instructions.

You don't start GPGee like a typical program. Instead, it integrates itself within the Windows Explorer file browser. Once installation is complete, all you need to do is open the file browser (Start-->All programs-->Accessories-->Windows Explorer) and right-click once on a file. You will see an option for the GPGee menu. There you will have an option to encrypt or decrypt a file (either by PK or Symmetric; for this example, we'll use PK).

Should the GPGee program work correctly, after you right-click on the file and choose the PK encrypt option, a small box will pop up with a list of your keys. (GnuPG provided you with the KeyID when it was finished generating the key, but if this is new for you, there should only be one key available in GPGee anyway).

Check the one you just created and click O.K. Now, search in the same folder for a file with the same name as the file you just encrypted, but with a .gpg extension, i.e. the encrypted version of "test.doc" is named "test.doc.gpg" -- see?

That .gpg file is the encrypted file. If it was a WordPad file, for instance, when you open it you will see only gibberish. That is because it is encrypted.

Please keep in mind that this process does not destroy the original file. It still remains in place. If you want the encrypted file to be the only copy, you'll need to erase the original unencrypted file.

Unencrypting a file in this set-up is just as easy. Again, find the file in Windows Explorer, right click on the file, choose the GPGee mini-menu, choose verify/decrypt. It will then ask you for your password.

Fill that in, and it decrypts the file, giving the result the name of the original file.

Encrypting Files in Linux

In a previous post, I explained how to encrypt files on a Windows system, using Gnu Privacy Guard (GnuPG). This entry will fill in the details for how I used GnuPG from the Linux command-line. I won't recap the general procedures of encrypting and decrypting--it essentially works the same as in Windows.

Here is the How-to on GnuPG, if'n you get lost below.

The Ubuntu server comes with the GnuPG program installed. To check if you have a copy running, run the Advanced Packaging Tool (apt) on the command-line:

#apt-get install gnupg

If the version you have is the current one, it will let you know. If not, it will (presumably) update it. (For those wishing to install by hand, go here).

O.K., with GnuPG up and running, the next step is to generate a key. Do this with the following command:

#gpg --gen-key

Follow the instructions. The defaults are safe bets if you're not sure which options to take. The passphrase you enter is YOUR PRIVATE KEY--do NOT share it with others.

To find out what keys you already have, use this command:

#gpg --list-keys

If there is more than one key, you can tell yours by the comments you added in. When you get a list of keys, each key will have its public key number on the first line. It's the number on the right of the slash, directly after the number of bits used to encrypt (1024/2048, etc.). This is the Unique Number (UID). The next line is the secret key number.

To encrypt, you use this command:

#gpg -e [FileToEncrypt]

GPG will ask for the "recipient." For our purposes, it is asking for the UID of the encryption key you wish to use. To decrypt a file, you would do this:

#gpg -d [Name of file to decrypt]

You will be asked for a password. The program will just copy the contents onto the screen. To stream the contents into a file, use this command:

#gpg -do [Name of the resulting file] [Name of file to decrypt]

Encryption and Decryption Across Multiple Files

Say you want to encrypt or decrypt your material on other computers. Or, you'd like other users to encrypt material to send to you, that only you could unlock. In either case, success in this endeavor could come from the use of the Public Key!!

I'm assuming that you already know how to encrypt and decrypt files in Windows and/or Linux. If not, please study the afore-linked pages.

For this post, I'll just go over the general methods and leave the specifics to you. I'll be using the free, open-source cross-platform software program Gnu Privacy Guard (GnuPG).

First thing is that you would need to "export" your key. This means the program generates a public key that other computers (including those run by other people) can use to encrypt their data that they want to send to you.

In GnuPG, this is done at the command-line, thusly:

#gpg -ao [nameoffileyouwantpublickeyin] --export [UID]

The "-o" option tells the program to send the output to a file, rather than just to the screen. You type in the name of a new file that will contain your public key. The -a option tells the program to copy the results into the file using ASCII, rather than in a binary format, which could be hard to read.

Say you want to read that document from another computer. With the same Linux or Windows setup, you download the public key file from where it was generated (or, if from another person, from their public key file). Then, on your computer, you would import a key, thusly:

#gpg --import [nameoffileholdingkey]
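
The key listing and the import step above can both be checked by script rather than by eye. This is an added example, not part of the original post: it reads gpg's machine-readable --with-colons listing to find the key ID to pass to "gpg -e -r", and compares a received public key's fingerprint with one obtained separately from its owner before importing. The function names and the sample listing are constructed for illustration; --show-keys assumes a recent GnuPG 2.x.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys --with-colons --fingerprint` output.
# Not a real key. Public-key algorithm 17 is DSA, 16 is Elgamal.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:2048:17:0123456789ABCDEF:1700000000:::u:::scESC:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User (laptop key) <user@example.org>:
sub:u:2048:16:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::111122223333444455556666FEDCBA9876543210:'

# key_id_for PATTERN (hypothetical helper): read a colon listing on stdin and
# print the long key ID (field 5 of the pub record) of every key whose user ID
# contains PATTERN. GnuPG 1.4 keeps the primary user ID in field 10 of the
# pub record; 2.x uses separate uid records, so both are checked.
key_id_for() {
    awk -F: -v pat="$1" '
        $1 == "pub" { id = $5 }
        ($1 == "pub" || $1 == "uid") && index($10, pat) { print id }' | sort -u
}

# primary_fprs (hypothetical helper): print the fingerprint (field 10 of the
# fpr record) that directly follows each pub record. Subkey fingerprints are
# skipped on purpose: only the primary key identifies its owner.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0 }
        $1 == "fpr" && want { print $10; want = 0 }'
}

# fpr_matches EXPECTED (hypothetical helper): succeed only if the listing on
# stdin contains a primary key whose fingerprint equals EXPECTED. Spaces and
# letter case are ignored; an empty EXPECTED never matches.
fpr_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 1
    primary_fprs | grep -qxF "$want"
}

# Demo on the sample. With a real keyring, pipe gpg's output in instead:
#   gpg --list-keys --with-colons --fingerprint | key_id_for 'laptop key'
#   gpg -e -r 0123456789ABCDEF [FileToEncrypt]
#   gpg --show-keys --with-colons [nameoffileholdingkey] | fpr_matches "$FPR" \
#       && gpg --import [nameoffileholdingkey]
printf '%s\n' "$SAMPLE_LISTING" | key_id_for 'laptop key'
```

Passing the key ID with -r skips the interactive "recipient" prompt, which makes the encrypt step usable in scripts.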
