The Tin Hat
Linux File Encryption Using GPG

Linux File Encryption Using GPG

Category: misc
A 5 Minute Read

Image By Nicki Mannix


Support The Tin Hat on Patreon! Just one dollar makes all the difference in helping me write more content!

Encryption is a dangerous munition, or at least it was according to US export regulations between the second world war and the twenty first century. Though ridiculous as it may sound today, strong encryption is under attack once again by the US government, with the likes of ISIS and Boko Haram as the frightening face of the new anti-encryption campaign. To be fair, the US government isn't attacking all encryption, rather they're attacking encryption that works. What they're seeking is a world in which encryption is broken in a very specific and controlled way, such that government agencies can get access to the encrypted data while still locking out other adversaries. This, of course, is fundamentally stupid.

As a response to such an absurd policy direction, I'm writing this guide to show you a reliable way to encrypt files. While the proposals of the US government aren't directed so much at file encryption as they are for encryption of messages, these are things that I've written about several times before. Thus, I thought I'd pivot slightly with this guide and focus on encrypting other kinds of data reliably. This will be the first of a two-part series on file encryption focusing on encrypting data with GPG. Later we will focus on Tomb file encryption.

GPG? Isn't That For Email?

GPG is an encryption toolset that is best known for encrypting email, and while it is magnificent in this regard (usability aside), it's also equally capable at encrypting files. Moreover, GPG is also usually associated with asymmetric encryption, that is encryption using separate public and private keys, but it also has the capability to encrypt files symmetrically using a password. Today we'll learn how to encrypt files using the symmetric side of GPG, though there are definitely legitimate use cases for each.

But why would we use GPG for file encryption?

There are several pros and cons to using GPG for file encryption. The benefits are that it is usually installed by default on just about any Linux distribution, and it's rock-solid reliable. The cons are that it doesn't hide file size, and can be (in some regard) hard to use at first for beginners. It also doesn't work on directories on its own, requiring another utility called tar, though this is also installed by default on just about every distribution.

Step 1: Preparing The Data

(If you are only encrypting one file, skip this step)

Typically when we want to encrypt data it involves more than one file, and because of this we need to first aggregate all the different files we want to encrypt into one clump. For this we use a classic tool called Tar. Tar (Tape ARchive) essentially takes multiple files and welds them together, and also provides the ability to apply compression in the process, such as GZIP and XZ, to reduce the file-size. We always want to compress our files before encrypting them, otherwise the data will be too random (as compression relies on patterns).

Here is an example that will create an archive called archive.tar.xz using three text files, with XZ compression being applied in the process.


tar -cJf archive.tar.xz file-1.txt file-2.txt file-3.txt

The -c flag is what signals tar to create an archive, the -J flag signals the use of XZ compression on the data, and the -f flag signals the file you want to create and must always be the last flag used. XZ compression will result in very small file-sizes, but can be slow. If you wish to use gzip compression instead, which will be much faster but will result in larger file-sizes, then use the -z flag instead of -J, and label your file archive.tar.gz instead of archive.tar.xz.

Step 2: GPG Encryption

Now that the data has been aggregated to only one file, we can use GPG to encrypt it. First, however, we may want to change the default encryption algorithm that GPG uses. To do this, we must edit the gpg.conf file and add a line at the end.


nano ~/.gnupg/gpg.conf

Now simply type the following in at the very end of the file, then save and exit (CTRL+X, Y, then Enter)


cipher-algo AES256

What this does is set the default algorithm to be AES-256, which is a gold-standard for symmetric encryption.

With this finally set, and with the data aggregated into a single file, we can start encrypting our files!


gpg -c archive.tar.xz

Here, the -c flag tells GPG to use symmetric encryption, which means you'll have to input a password. Make sure that the password is strong. I strongly recommend using Diceware, as it allows you to use incredibly strong passwords that are easy to remember. The file that GPG will output will be named archive.tar.xz.gpg, in other words it will be the original filename with '.gpg' tagged onto the end.

Step 3: Cleaning Up

The file ending in '.gpg' will be the encrypted file that you can send or upload online without worrying (assuming you used a strong password). If, however, you don't want any trace of the original files on your computer, you'll need to do a bit of cleanup. I've already written a quick guide on secure file deletion, so give that a read for a more in depth explanation. Nevertheless, the command you'll want to use to securely erase the unenecrypted data from your disk is the shred command.


shred -u archive.tar.xz file-1.txt file-2.txt file-3.txt

What this does is overwrites the data on the disk for all of our original, unenecrypted files. The -u flag will signal shred to then remove the files after overwriting them. If everything goes well, you now have a GPG encrypted archive of your encrypted files.

Step 4: Decryption

Decrypting the files takes about as long as encrypting them. First, you'll want to use GPG to decrypt the archive, then tar to uncompress and unpack it.


gpg -d archive.tar.xz.gpg
tar -xf archive.tar.xz

Here, the -d flag tells GPG to decrypt the data. This will leave you with the compressed archive, archive.tar.xz, which the second command will decompress and unpack, leaving you with your original data.

And You're Done

That may seem like quite a bit of work, but after getting the hang of it, which doesn't take long, it is actually a very quick process. I personally use this method for when I work with data on Tails, as it allows me to encrypt and decrypt data without having to install any other software, and without having to go online.

But what are your favourite methods for file encryption? Leave a comment down below.

Share, Follow, & Comment