If you store private information on your Linux system and you want to prevent other people who use the system from viewing your private files, you need to password protect these files.
The first step is to choose a good, strong, secure password. We have previously written about two good options for generating strong, secure passwords in our post, Two Free Methods for Generating Strong, Secure Passwords.
For the example in this post, we went to https://www.grc.com/passwords.htm and took the first 12 characters of the 63 random alpha-numeric characters (a-z, A-Z, 0-9) password generated, SAbussGgJnu5.
Check if GNU Privacy Guard is Installed
Once you have generated your password, check to see if the gpg (GnuPG or GNU Privacy Guard) package is installed on your computer. To do this, select Accessories | Terminal to open a Terminal window.
Enter the following line at the command prompt:
$ whereis gpg
If gpg is installed, you should see a line similar to the one in the following image. In our installation of Ubuntu 10.04, gpg was installed by default.
If you do not have gpg installed, type the following command in the Terminal window to install it:
$ sudo apt-get install gnupg
Encrypt a File
As an example, we created a .zip file, called my_backup.zip, containing some text files. To apply a passphrase to a file, navigate to the directory that contains the desired file in the Terminal window. Our file is in our home directory, which is the default directory when the Terminal window opens.
Type the following line, replacing the filename with the name of your file, and press Enter:
$ gpg -c my_backup.zip
You are asked to enter your passphrase for the first time. Type your desired passphrase, which in our case is SAbussGgJnu5, and press Enter.
NOTE: You may see the following message display above the Enter passphrase line:
gpg: gpg-agent is not available in this session
The gpg-agent is an application that can run as a daemon and temporarily and securely remembers your passphrase for you. You do not have to install it to use gpg to encrypt a file. However, if you encrypt and decrypt files often, it would make it easier if your passphrase can be securely and temporarily stored so you don’t have to enter it as often. We cover the installation of gpg-agent later in this post.
After you have entered your passphrase the first time, you are asked to repeat your passphrase. Enter your passphrase again and press Enter.
The passphrase is applied and you are returned to a prompt.
gpg creates a new file with the extension .gpg in the same directory as the original file. In our case, the file is called my_backup.zip.gpg. This is the encrypted and password protected copy of the original file. You can store this file on your hard drive, put it on a USB flash drive to take with you, or copy it to an external hard drive as a backup. You do not need to keep the original file.
Decrypt a File
To decrypt a file encrypted with gpg, open a Terminal window again, if you closed it earlier. Enter the following line, replacing the filename with your filename, and press Enter. Remember to add the .gpg extension to the end of your original filename.
$ gpg my_backup.zip.gpg
If you did not delete the original file, and it is still in the same directory as the encrypted file, gpg asks you if you want to overwrite the existing file. Type ‘y’ and press Enter.
A decrypted version of the file (your original file) is placed in the same directory as the encrypted file.
Install the GNU Privacy Guard Agent
Now, we will show you how to install gpg-agent so you don’t have to always enter your passphrase when encrypting and decrypting files. To begin, select Administration | Synaptic Package Manager from the System menu.
The Synaptic Package Manager dialog box displays. In the Quick search edit box, enter gpg-agent. The results of the search start displaying as you type the term. Select the gnupg-agent item from the list.
Click the check box to the left of the gnupg-agent item and select Mark for Installation from the popup menu.
The Synaptic Package Manager automatically determines if any other packages are required to install the selected package. In this case, a package called pinentry-gtk2 is required in addition to gnupg-agent. This package provides for the dialog box that initially displays asking for your passphrase. Click Mark to continue with the installation.
To apply the changes, click the Apply button.
A Summary dialog box displays the packages to be installed, providing you a last chance to make any changes or to cancel the installation. Click Apply to continue.
Once the required files are downloaded, a dialog box displays the progress of the installation.
When the installation is finished, a dialog box displays the status of the installation. Click Close.
Select Quit from the File menu to close the Synaptic Package Manager.
Set Up the GNU Privacy Guard Agent
Now, we will set up gpg-agent. First, we need to tell gpg to use the agent. To do this, open the Nautilus File Manager by selecting Home Folder from the Places menu.
The configuration file we need to edit is in a hidden directory, so we need to see the hidden files and directories in the File Browser. To do this, select Show Hidden Files from the View menu.
Navigate to the .gnupg directory in your Home directory. Right-click on the gpg.conf file and select Open with gedit from the popup menu.
At the end of the gpg.conf file, add the following line and click Save.
use-agent
NOTE: If this line already exists in the file preceded by a “#” (meaning the line is commented out), remove the “#” from the beginning of the line.
Now, click the Create a new document button on the toolbar in gedit to create a new file.
Enter the following lines into the new file and click Save:
pinentry-program /usr/bin/pinentry-gtk-2
no-grab
default-cache-ttl 1800
NOTE: By default, the pinentry-gtk-2 dialog box was installed for entering the passphrase, so that’s what we enter on the first line as the executable to use to open the dialog box for entering your passphrase. The image below displays the executable file used to display the dialog box for entering your passphrase.
Enter “gpg-agent.conf” (without the quotes) in the Name edit box for the name of the file and navigate to the .gnupg directory in your Home directory where the gpg.conf file is located. Click Save.
Close gedit by selecting Quit from the File menu.
Test the GNU Privacy Guard Agent
To test the gpg-agent, open a Terminal window again by selecting Accessories | Terminal from the Applications menu. Enter the following line and press Enter.
$ eval "$(gpg-agent --daemon)"
This line sets some environment variables. You can now try to encrypt or decrypt a file with a passphrase and the gpg-agent handles the passphrase request.
The gpg-agent handles the request for a passphrase by displaying a dialog box asking for your passphrase. Enter your passphrase and click OK.
You will notice that there is no request for a passphrase in the Terminal window.
Set the GNU Privacy Guard Agent to Run at Startup
The best way to use the gpg-agent is to configure it to start when you log in to Ubuntu so it is valid for any Terminal windows you run on your desktop. We will edit the modules file, adding the command we used earlier to set up the environment variables for gpg-agent. To do this, open a Terminal window again, if there is none open, and enter the following lines at the prompt:
$ cd /etc/
$ sudo gedit modules
NOTE: You must use “sudo” when editing the modules file, because you must have root access to make changes to that file.
Add the following line at the end of the list in the modules file:
eval "$(gpg-agent --daemon)"
To close gedit, select Quit from the File menu.
Close the Terminal window by typing “exit” (without the quotes) and pressing Enter.
The gpg-agent should now be ready for use each time you log in to Ubuntu.
Note that using gpg for encryption only works for files and not for folders. You should create a .zip or .tar archive of the files you want to secure and then use gpg to add the password protected encryption to it.
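The folder workflow described above (archive first, then encrypt with gpg -c), written as a script that reports success only after the encrypted copy decrypts back to the identical archive, so you know it is safe to remove the originals. This is an added example, not part of the original article; the function names and the optional passphrase-file argument are assumptions, and the non-interactive options require GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the original article): archive a directory,
# encrypt it with gpg -c, and keep the result only if it decrypts back
# to the identical archive. Assumes GnuPG 2.1+, GNU stat, tar, sha256sum.

# run_gpg PASSFILE ARGS...: use the passphrase file when one is given,
# otherwise let gpg prompt for the passphrase as in the article.
run_gpg() {
    pf=$1; shift
    if [ -n "$pf" ]; then
        gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pf" "$@"
    else
        gpg --yes "$@"
    fi
}

# encrypt_dir DIR [PASSFILE]: writes DIR.tar.gz.gpg next to DIR and prints
# its path. Returns 0 only after the round-trip check passes. The plaintext
# archive is always removed; the source directory is never touched.
encrypt_dir() {
    dir=${1%/}; passfile=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    if [ -n "$passfile" ]; then
        # A passphrase file that other users can read defeats the purpose.
        mode=$(stat -c %a "$passfile") || return 2
        [ "$mode" = 600 ] || [ "$mode" = 400 ] || { echo "chmod 600 $passfile" >&2; return 3; }
    fi
    archive="$dir.tar.gz"
    tar -czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    want=$(sha256sum < "$archive" | cut -d' ' -f1)
    run_gpg "$passfile" --output "$archive.gpg" -c "$archive" || { rm -f "$archive"; return 1; }
    rm -f "$archive"
    # Decrypt to stdout and hash it; no decrypted data is written to disk.
    got=$(run_gpg "$passfile" --decrypt "$archive.gpg" | sha256sum | cut -d' ' -f1)
    if [ "$want" != "$got" ]; then
        rm -f "$archive.gpg"
        echo "verification failed for $archive.gpg" >&2
        return 1
    fi
    echo "$archive.gpg"
}
```

Called with only a directory, the function prompts for the passphrase exactly as the manual steps do; the passphrase-file form is for unattended runs and refuses a file whose permissions are wider than 600.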
by Lori Kaufman




I make a lot of backups, and this is a really great article – is there a way to integrate the passphrase automatically so I can just include it in the backup script I have already made? (a way to set the passphrase for crontab creation)
Thanks!
Okay. Great advice, awesome instructions. Here's my question. Let's say I'm using Ubuntu as my server software, and Windows for the rest of the office computers. I need 4 out of 5 computers to access everything on the network, and 1 out of 5 to be restricted from one file. Will this work? If I add the encryption will it prompt me in Windows from my regular desktop, or am I s.o.l.?