How to Encrypt Files on Linux using GnuPG


Key generation needs entropy, which a headless server can be slow to gather, so you may want to add an extra entropy source first:

How to Setup Additional Entropy for Cloud Servers Using Haveged


In this Document:

Create a GPG private/public key-pair

Export the public keyfile

Export your private key for backup

Import Public Key

Encryption

Encrypt A File Manually

Trust the key

Decryption

Harden Security

Remove Private Key

Import the private key

Advantages

Related

Create a GPG private/public key-pair

You will need to create a key pair if you have not done so already.

Choose a password for your private key. This password will be required to decrypt files that have been encrypted with the public key.

If you do not need the private key on your server, you can create the key pair on a local workstation, export only the public key there, and then import that public key on the server.


~# gpg --full-generate-key
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
        0 = key does not expire
     <n>  = key expires in n days
     <n>w = key expires in n weeks
     <n>m = key expires in n months
     <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: bbserver
Email address: bbserver@example.com
Comment: bbserver gpg key
You selected this USER-ID:
   "bbserver (bbserver gpg key) <bbserver@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A7F44248C3A03D78 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/5296EB83E2DE759654EDA8E5A7F44248C3A03D78.rev'
public and secret key created and signed.

pub   rsa4096 2018-05-18 [SC]
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
uid                      bbserver (bbserver gpg key) <bbserver@example.com>
sub   rsa4096 2018-05-18 [E]

Export the public keyfile


~# gpg --armor --output bbserver-publickey.txt --export 'bbserver'


To display your public key so you can copy and paste it into your password manager:


~# cat bbserver-publickey.txt


Output:


-----BEGIN PGP PUBLIC KEY BLOCK-----
(armored key data omitted)
=dzcw
-----END PGP PUBLIC KEY BLOCK-----


To list installed public keys:


~# gpg --list-keys


Output:


~# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/root/.gnupg/pubring.kbx
------------------------
pub   dsa1024 2002-02-28 [SCA]
     1719003ACE3E5A41E2DE70DFD97A3AE911F63C51
uid           [ unknown] Jamie Cameron <jcameron@webmin.com>
sub   elg1024 2002-02-28 [E]

pub   rsa4096 2017-04-10 [SC]
     EC60F3DA9CB79ADCCF560D1F121E166DD9C821AB
uid           [ unknown] Ilia Rostovtsev <ilia@rostovtsev.ru>
sub   rsa4096 2017-04-10 [E]

pub   dsa1024 2009-08-13 [SC]
     D1EAE49036C029DEB7133233B0740C10F9232D77
uid           [ unknown] Virtualmin Script Install Updates (For signing updated Virtualmin script.pl files) <latest-scripts@virtualmin.com>
sub   elg2048 2009-08-13 [E]

pub   rsa4096 2018-05-18 [SC]
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
uid           [ultimate] bbserver (bbserver gpg key) <bbserver@example.com>
sub   rsa4096 2018-05-18 [E]


To list installed private keys:


~# gpg --list-secret-keys


Output:


root@bbserver:~# gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2018-05-18 [SC]
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
uid           [ultimate] bbserver (bbserver gpg key) <bbserver@example.com>
ssb   rsa4096 2018-05-18 [E]



It is a good idea to copy the key ID / fingerprint into your password manager as well:

5296EB83E2DE759654EDA8E5A7F44248C3A03D78


Export your private key for backup

Warning! If you are logged in to your terminal using a tool such as PuTTY, make certain you do not have session logging turned on before displaying your private key in the SSH terminal window.


~# gpg --export-secret-keys -a 5296EB83E2DE759654EDA8E5A7F44248C3A03D78 > bbserver.asc


To display your private key so you can copy and paste it into your password manager:


~# cat bbserver.asc


Output:


-----BEGIN PGP PRIVATE KEY BLOCK-----
(armored key data omitted)
=/Sm4
-----END PGP PRIVATE KEY BLOCK-----


Once you're done copying your private key into your password manager, delete the exported private key file for security reasons:


~# rm bbserver.asc


Don't forget to put the password you chose for the private key in your password manager as well.

Import Public Key

On the machine or account that you want to encrypt files with, you must import the public key into that account's keyring.

Copy the public key "bbserver-publickey.txt" into the home folder of the user you want to import the key into.

In this case the user is sammy. Log in to that account, then import the key:


sammy@bbserver:~$ gpg --import bbserver-publickey.txt
gpg: directory '/home/sammy/.gnupg' created
gpg: keybox '/home/sammy/.gnupg/pubring.kbx' created
gpg: /home/sammy/.gnupg/trustdb.gpg: trustdb created
gpg: key A7F44248C3A03D78: public key "bbserver (bbserver gpg key) <bbserver@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1


You can list the keys to see what keys are currently imported:


sammy@bbserver:~$ gpg --list-keys
/home/sammy/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2018-05-18 [SC]
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
uid           [ unknown] bbserver (bbserver gpg key) <bbserver@example.com>
sub   rsa4096 2018-05-18 [E]

Encryption

Encrypt A File Manually


sammy@bbserver:~/backups/data$ gpg --encrypt --recipient 'bbserver' sammy_wordpress.sql.bz2
gpg: 35C480BB71A4882A: There is no assurance this key belongs to the named user
sub  rsa4096/35C480BB71A4882A 2018-05-18 bbserver (bbserver gpg key) <bbserver@example.com>
Primary key fingerprint: 5296 EB83 E2DE 7596 54ED  A8E5 A7F4 4248 C3A0 3D78
     Subkey fingerprint: 77BD AC0D 16C1 8887 6B63  0EE1 35C4 80BB 71A4 882A

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
sammy@bbserver:~/backups/data$


Using ls to list our files we can see that "sammy_wordpress.sql.bz2.gpg" was created:


sammy@bbserver:~/backups/data$ ls
sammy_wordpress.sql.bz2  sammy_wordpress.sql.bz2.gpg


Trust the key

Notice above that you have to confirm you want to use this key even though its owner has not been verified. This is fine interactively, but it breaks as soon as you want to use the key in any kind of automation such as a bash script or cron job.

We can sign the key or set its trust level to get around this issue.


sammy@bbserver:~$ gpg --edit-key 'bbserver'
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  rsa4096/A7F44248C3A03D78
    created: 2018-05-18  expires: never       usage: SC
    trust: unknown       validity: unknown
sub  rsa4096/35C480BB71A4882A
    created: 2018-05-18  expires: never       usage: E
[ unknown] (1). bbserver (bbserver gpg key) <bbserver@example.com>

gpg> trust
pub  rsa4096/A7F44248C3A03D78
    created: 2018-05-18  expires: never       usage: SC
    trust: unknown       validity: unknown
sub  rsa4096/35C480BB71A4882A
    created: 2018-05-18  expires: never       usage: E
[ unknown] (1). bbserver (bbserver gpg key) <bbserver@example.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

 1 = I don't know or won't say
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu


Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  rsa4096/A7F44248C3A03D78
    created: 2018-05-18  expires: never       usage: SC
    trust: ultimate      validity: unknown
sub  rsa4096/35C480BB71A4882A
    created: 2018-05-18  expires: never       usage: E
[ unknown] (1). bbserver (bbserver gpg key) <bbserver@example.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> save
Key not changed so no update needed.


Nothing more is needed for this user (sammy) to trust the key.


Now that the key is trusted we can encrypt files without the prompt:


sammy@bbserver:~/backups/data$ gpg --encrypt --recipient 'bbserver' sammy_wordpress.sql.bz2
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
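
Setting a key to ultimate trust removes the prompt, but it also means the cron job will happily use whatever key carries the "bbserver" user ID. The script below is an added example, not part of the original tutorial: it pins the recipient's primary key fingerprint (the one gpg printed when the key was generated) and refuses to encrypt if the installed key does not match, then runs gpg with --batch so no prompt can appear. It assumes gpg 2.x is on PATH; the function and variable names are my own, and the colon-format listing embedded for the self-check is constructed to mirror the tutorial's key rather than captured from a real keyring.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Pin the recipient key's
# fingerprint before encrypting from cron, so a substituted key with the same
# user ID ("bbserver") is refused instead of silently used.
# Assumed: gpg 2.x on PATH. EXPECTED_FPR is the fingerprint the tutorial's
# key generation printed.
EXPECTED_FPR="5296EB83E2DE759654EDA8E5A7F44248C3A03D78"

# primary_fpr_from_colons: read `gpg --with-colons` output on stdin and print
# the primary key fingerprint: the first "fpr" record, whose field 10 holds it
# (the subkey's fpr record comes later and is skipped).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# normalize_fpr: drop spaces and upper-case, so a fingerprint pasted from a
# password manager ("5296 EB83 ...") compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fpr_matches EXPECTED ACTUAL: exit 0 on match, 1 otherwise.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# installed_primary_fpr KEYID_OR_NAME: query the local keyring.
installed_primary_fpr() {
    gpg --batch --with-colons --with-fingerprint --list-keys "$1" 2>/dev/null \
        | primary_fpr_from_colons
}

# encrypt_backup RECIPIENT FILE: refuse unless the recipient's fingerprint
# equals EXPECTED_FPR, then encrypt non-interactively. --trust-model always
# is what lets the key be used without the "Use this key anyway?" prompt;
# the fingerprint check above is what makes skipping that prompt safe.
encrypt_backup() {
    recipient="$1"; file="$2"
    actual="$(installed_primary_fpr "$recipient")"
    if ! fpr_matches "$EXPECTED_FPR" "$actual"; then
        echo "refusing to encrypt: key '$recipient' has fingerprint '$actual', expected $EXPECTED_FPR" >&2
        return 1
    fi
    gpg --batch --yes --trust-model always --encrypt \
        --recipient "$recipient" --output "$file.gpg" "$file"
}

# Constructed sample of `gpg --with-colons --list-keys bbserver` output,
# mirroring the tutorial's key (primary fpr first, subkey fpr second).
SAMPLE_COLONS='pub:u:4096:1:A7F44248C3A03D78:1526601600:::u:::scESC::::::23::0:
fpr:::::::::5296EB83E2DE759654EDA8E5A7F44248C3A03D78:
uid:u::::1526601600::0::bbserver (bbserver gpg key) <bbserver@example.com>::::::::::0:
sub:u:4096:1:35C480BB71A4882A:1526601600::::::e::::::23:
fpr:::::::::77BDAC0D16C188876B630EE135C480BB71A4882A:'

# selfcheck: exit 0 if the parser picks the primary (not subkey) fingerprint
# and the comparison accepts the spaced form gpg prints in its warning.
selfcheck() {
    got=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr_from_colons)
    fpr_matches "$EXPECTED_FPR" "$got" &&
    fpr_matches "$EXPECTED_FPR" "5296 EB83 E2DE 7596 54ED  A8E5 A7F4 4248 C3A0 3D78" &&
    ! fpr_matches "$EXPECTED_FPR" "77BD AC0D 16C1 8887 6B63  0EE1 35C4 80BB 71A4 882A"
}

# Usage from a cron job: ./encrypt_backup.sh --encrypt bbserver /path/to/sammy_wordpress.sql.bz2
[ "${1:-}" != "--encrypt" ] || { shift; encrypt_backup "$@"; }
```

With the fingerprint pinned in the script, the trust step in the tutorial becomes optional: --trust-model always suppresses the prompt, and a key that was re-imported or replaced under the same name fails the check and the job exits non-zero, which is what you want a backup job to do loudly rather than encrypt to the wrong key.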


Decryption

In this case we cannot decrypt the file, which was encrypted with the public key, as the "sammy" user: that user does not have the private key.

Here is the attempt to decrypt:


sammy@bbserver:~/backups/data$ gpg --output sammy_wordpress.sql.bz2 sammy_wordpress.sql.bz2.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 35C480BB71A4882A, created 2018-05-18
     "bbserver (bbserver gpg key) <bbserver@example.com>"
gpg: decryption failed: No secret key


We created this key as root, so we will have to decrypt the file as root.

You will be prompted for the password you chose when creating the key pair, as shown above.


root@bbserver:/home/sammy/backups/data# gpg --output sammy_wordpress.sql.bz2 sammy_wordpress.sql.bz2.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 4096-bit RSA key, ID 35C480BB71A4882A, created 2018-05-18
     "bbserver (bbserver gpg key) <bbserver@example.com>"


Harden Security

You can harden security by removing the private key from the server, making it impossible to decrypt on that server a file that has been encrypted with the public key. You can import the private key again whenever you need to decrypt.

Remove Private Key

Warning! Make certain you have backed up your private key, password and fingerprint safely and securely before removing the key from your server.

Delete the private key

You will be prompted several times and need to answer yes to all of them.


root@bbserver:~# gpg --delete-secret-key 'bbserver'
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  rsa4096/A7F44248C3A03D78 2018-05-18 bbserver (bbserver gpg key) <bbserver@example.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y


Note: Deleting the private key does not delete the public key from the server.
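
Since the public key stays behind, the state you want on a hardened server is "public key present, secret key absent": it can still encrypt backups but cannot decrypt them if it is compromised. The script below is an added example, not part of the original tutorial, that a backup job or monitoring check can run to confirm exactly that after --delete-secret-key. It assumes gpg 2.x on PATH; the function names are my own, and the colon-format listings embedded for the self-check are constructed to mirror the tutorial's listings before and after the secret key was deleted.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Classify a server keyring
# for one key as encrypt-only (public key only), decrypt-capable (secret key
# still present) or missing (no public key, so encryption would fail too).
# Assumed: gpg 2.x on PATH; KEYID is the tutorial's key ID.
KEYID="A7F44248C3A03D78"

# count_records TYPE: count colon-format records of TYPE ("pub", "sec", ...)
# read on stdin. Prints 0 for empty input.
count_records() {
    awk -F: -v t="$1" '$1 == t { n++ } END { print n + 0 }'
}

# classify_keyring PUB_LISTING SEC_LISTING: given the output of
# `gpg --with-colons --list-keys` and `--list-secret-keys` for one key,
# print encrypt-only, decrypt-capable or missing.
classify_keyring() {
    pubs=$(printf '%s\n' "$1" | count_records pub)
    secs=$(printf '%s\n' "$2" | count_records sec)
    if [ "$pubs" -eq 0 ]; then
        echo missing
    elif [ "$secs" -gt 0 ]; then
        echo decrypt-capable
    else
        echo encrypt-only
    fi
}

# audit_server_keyring KEYID: query gpg and exit 1 unless the keyring is
# encrypt-only, so a cron job can fail loudly if a secret key reappears.
audit_server_keyring() {
    pub=$(gpg --batch --with-colons --list-keys "$1" 2>/dev/null || true)
    sec=$(gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null || true)
    state=$(classify_keyring "$pub" "$sec")
    echo "$1: $state"
    [ "$state" = encrypt-only ]
}

# Constructed samples mirroring the tutorial's listings. SAMPLE_SEC_BEFORE
# is what --list-secret-keys showed before deletion; after deletion the
# secret listing is empty.
SAMPLE_PUB='pub:u:4096:1:A7F44248C3A03D78:1526601600:::u:::scESC::::::23::0:
fpr:::::::::5296EB83E2DE759654EDA8E5A7F44248C3A03D78:
uid:u::::1526601600::0::bbserver (bbserver gpg key) <bbserver@example.com>::::::::::0:
sub:u:4096:1:35C480BB71A4882A:1526601600::::::e::::::23:'
SAMPLE_SEC_BEFORE='sec:u:4096:1:A7F44248C3A03D78:1526601600:::u:::scESC:::+::23::0:
fpr:::::::::5296EB83E2DE759654EDA8E5A7F44248C3A03D78:
uid:u::::1526601600::0::bbserver (bbserver gpg key) <bbserver@example.com>::::::::::0:
ssb:u:4096:1:35C480BB71A4882A:1526601600::::::e:::+::23:'
SAMPLE_SEC_AFTER=''

# Usage: ./audit_keyring.sh --audit A7F44248C3A03D78
[ "${1:-}" != "--audit" ] || audit_server_keyring "$2"
```

Run the audit from the same cron schedule as the backup job: "decrypt-capable" after you believed the key was removed means someone (or some restore procedure) re-imported the secret key and left it on the server, and "missing" means the backup job is about to fail because the public key is gone.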

Import the private key

Copy your private key onto your server. In my case I am using ssh to connect to the server, so I just open nano, paste in the private key and save the file.

The contents of your private key should look similar to the private key output shown above.


~# nano bbserver.asc


After the file is created / copied onto the server you need to import it into gpg:


~# gpg --import bbserver.asc


Output:


root@bbserver:~# gpg --import bbserver.asc
gpg: key A7F44248C3A03D78: "bbserver (bbserver gpg key) <bbserver@example.com>" not changed
gpg: key A7F44248C3A03D78: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1


To confirm, you can list the private keys:


~# gpg --list-secret-keys


Output:


root@bbserver:~# gpg --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec   rsa4096 2018-05-18 [SC]
     5296EB83E2DE759654EDA8E5A7F44248C3A03D78
uid           [ultimate] bbserver (bbserver gpg key) <bbserver@example.com>
ssb   rsa4096 2018-05-18 [E]



Remove the file containing the private key now that it is imported:


~# rm bbserver.asc


Advantages

  • None of the encrypting users needs to know any sensitive information: encryption is done with the public key only. (You can create the key pair on your local workstation and transfer only the public key to your servers.)
  • No passwords will appear in script files or jobs.
  • You can have as many encrypters on as many systems as you want.
  • If you keep your private key and its passphrase secret, the encrypted data is very hard to compromise.
  • You can decrypt with the private key on Unix, Windows and Linux platforms using that platform's PGP/GPG implementation.
  • No need for special privileges on encrypting and decrypting systems: no mounting, no containers, no special file systems.


Related

How to Setup Additional Entropy for Cloud Servers Using Haveged

GPG Keys Cheatsheet