Beta 42

Research and Development


Create Encrypted TAR Archive


Install GnuPG

sudo apt install gnupg

Optionally, install Nautilus extension:

sudo apt install seahorse-nautilus

Optionally, download The GNU Privacy Handbook.


Encrypt file using passphrase:

gpg -c –o filename.gpg filename

To verify the signature, type:

gpg --verify filename.gpg

Note: GnuPG will prompt for password from the terminal, to avoid logging the password in history.

Encrypting existing archive using the default symmetric cipher (using the same passphrase for encryption and decryption):

gpg -o fileToTar.tgz.gpg --symmetric fileToTar.tgz

Again, GnuPG will prompt for a passphrase.

To decrypt the file:

gpg fileToTar.tgz.gpg

GnuPG and Tar with Passphrase

Use the tar command to create an archive and pipe it to the gpg command for encryption and password protection.

Example using the AES-256 encryption algorithm:

tar czvpf - file1.txt file2.pdf file3.jpg | gpg --symmetric --cipher-algo aes256 -o myarchive.tar.gz.gpg

Again, GnuPG will prompt for a passphrase. The archive will be created as an encrypted archive, using a secure algorithm and protected by the given custom passphrase.

Extracting the encrypted archive:

gpg -d myarchive.tar.gz.gpg | tar xzvf -

Generate Encryption Keys

The --full-generate-key option generates the keys in an interactive session within the terminal window. GnuPG will prompt for a passphrase.

gpg --full-generate-key

Pick an encryption type from a menu. Unless you have a good reason not to, type 1 and press Enter.

Choose a bit-length for the encryption keys (Enter to accept the default).

Specify how long the key should last. If 1y is selected, he key will last 12 months and will need renewing after one year.

Finally, GnuPG will prompt for a passphrase.

GnuPG keeps the public keys in your key ring.

Note: The key ring is simply the public keys stored in a file, but the name sounds nice because everyone has a key ring in the real world, and these keys are keys of a sort.

To list the keys in your key ring, type:

gpg --list-keys

Backup Keys

Backup all the files stored in the ~/.gnupg folder.

Note: The private keyring is protected by a passphrase.

If needed, export an ascii armored version of the private key:

gpg --output private.pgp --armor --export-secret-key

Revoke Keys

To revoke the key, run the following command:

gpg --output revoke.asc --gen-revoke uid

The uid will be the key user id, e.g. the email address. This will generate a revocation certificate (the passphrase used to generate the certificate will be required). A revocation reason will be required, selecting from a numbered list ranging from zero to three.

The command will output the certificate to a file (in this example: revoke.asc).

Export Public Key to a File

To share files, messages and/or emails with others, share the public key by exporting it.

To export the public key to a file, open a terminal and type:

gpg --armor --export > key.asc

To export the key in a readable format (for example, as ASCII in a text file), run the following:

gpg --armor --output key.txt --export

This file can be viewed using a standard text editor.

Type the following command to get the fingerprint of a key:

gpg --fingerprint

If you think that the key fingerprint is good, you can sign the key and validate it. Here's the command you use to sign the key:

gpg --sign-key

GPG asks for confirmation and then prompts you for the passphrase. After that, GPG signs the key.

Note: Because key verification and signing are potential weak links in GPG, be careful about what keys you sign. By signing a key, you say that you trust the key to be from that person or organization.

Export Public Key to a Keyserver

Make the public key easy to share and find by registering it to a keyserver, such as the MIT repository.

First, find the key id by opening a terminal and typing:

gpg --fingerprint

Locate the key and take note of the final eight digits of the key user ID (the user ID fingerprint). For example, B852 085C.

Using the eight-digit user ID, register the key ok keyserver:

gpg --keyserver --send-key B852085C

The public key will be registered with the keyserver, where others can then find and import it. The public key is safe to share. It cannot be used to decrypt files or messages but can be used to encrypt them and sent to you, where only you can decrypt them.

Encrypting and Decrypting Files

To encrypt a file, open a terminal and run the following:

gpg --encrypt --recipient '' --output encryptedfile.txt.enc originalfile.txt

Optionally, replace the recipient email with your key fingerprint if you'd prefer. Replace the output and input file names with the files you’re encrypting, as well as your output file.

To decrypt the file, run the following command:

gpg --decrypt --output decrypted.txt encryptedfile.txt.enc

Provide your passphrase to allow access to your private key to be able to decrypt the file. It'll then output the decrypted contents as the file listed under the --output flag.

Privacy and Security Concerns

A PGP public key contains information about one's email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.

For most use cases, the secret key need not be exported and should not distributed. If the purpose is to create a backup key, use the backup option:

gpg --output backupkeys.pgp --armor --export --export-options export-backup

This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.

If this key is important to you, you may print out the key on paper using paperkey and place the paper key in a fireproof/waterproof safe.

Public Key Servers

In general, it's not advisable to post personal public keys to key servers.

There is no method of removing a key once it's posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.

It is much better to place your public key on a website that you own or control. Some recommend for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.

For the technically adept, the webkey domain level key discovery service could be an option.