Archive

Posts Tagged ‘symmetric cryptography’

Using GPG for Symmetric Cryptography

September 25, 2016 Leave a comment

GPG may be used to encrypt data and protect it from prying eyes. We may either use symmetric-ciphers or the public-key cryptography method to protect our data. In this blog, I’ll summarize the use of symmetric ciphers on OSX.

When we have more than one file to encrypt, it would be prudent to encrypt an archive of the files instead of encrypting them one by one.

% ls -la
-rw-r--r--@   1 umar  staff   916K Sep 25 01:08 file-1.pdf
-rw-r--r--@   1 umar  staff   5.3M Sep 25 01:08 file-2.pdf

% tar cfvj my-files.tar.bz2 file-*
a file-1.pdf
a file-2.pdf

Choosing a Passphrase/Password

When encrypting files, GPG would prompt for a passphrase. Please follow guidelines for a strong passphrase. See Stanford University’s guidelines for choosing a strong passphrase.

Encrypting a File

The -c or --symmetric option is used to encrypt files with a symmetric cipher.

The output files may be saved in binary or ASCII-armor format. The ASCII-armor versions, although relatively larger in size, are typically used when sharing encrypted files through email. The default option is to generate binary output (i.e., .gpg files). The --armor option generates the ASCII-armor version of the encrypted output.

GPG uses CAST5 as the default cipher. However, the 256-bit Advanced Encryption Standard (i.e., AES256) is one of the ciphers recommended by the Computer Security Resource Center at NIST. We can select the encryption algorithm with the option --cipher-algo.

% # Binary output
% gpg --output my-files.tar.bz2.gpg \
      --cipher-algo AES256 \
      --symmetric \
      my-files.tar.bz2

% # ASCII-armor output
% gpg --output my-files.tar.bz2.gpg \
      --cipher-algo AES256 \
      --armor \
      --symmetric \
      my-files.tar.bz2

% ls -la
-rw-r--r--@   1 umar  staff   916K Sep 25 01:08 file-1.pdf
-rw-r--r--@   1 umar  staff   5.3M Sep 25 01:08 file-2.pdf
-rw-r--r--    1 umar  staff   4.7M Sep 25 01:13 my-files.tar.bz2
-rw-r--r--    1 umar  staff   6.4M Sep 25 01:17 my-files.tar.bz2.asc
-rw-r--r--    1 umar  staff   4.7M Sep 25 01:16 my-files.tar.bz2.gpg

Decrypting a File

The -d or --decrypt option may be used to decrypt the encrypted files (whether .asc or .gpg)

% gpg --output decrypted-files.tar.bz2 \
      --decrypt \
      my-files.tar.bz2.asc
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase

% ls -la
-rw-r--r--    1 umar  staff   4.7M Sep 25 01:28 decrypted-files.tar.bz2
-rw-r--r--@   1 umar  staff   916K Sep 25 01:08 file-1.pdf
-rw-r--r--@   1 umar  staff   5.3M Sep 25 01:08 file-2.pdf
-rw-r--r--    1 umar  staff   4.7M Sep 25 01:13 my-files.tar.bz2
-rw-r--r--    1 umar  staff   6.4M Sep 25 01:17 my-files.tar.bz2.asc
-rw-r--r--    1 umar  staff   4.7M Sep 25 01:16 my-files.tar.bz2.gpg

We can confirm that the output after decryption is the same as the input before encryption using MD5 checksums.

% md5sum my-files.tar.bz2 decrypted-files.tar.bz2
MD5 (my-files.tar.bz2)        = cbdff2d18d943d36c4224aada805e6ce
MD5 (decrypted-files.tar.bz2) = cbdff2d18d943d36c4224aada805e6ce