Kannisto.org

Symmetric and asymmetric file encryption with GPG

– Petri Kannisto

This guide is for dummies, from a kind-of dummy. I believe that if you know too much, you start to take too many things for granted and newbies cannot understand your explanations any longer.

Introduction

GPG is a great tool for file encryption now that it comes (I believe) pre-installed with Linux Mint and likely with other distros too.

GPG enables file encryption with two methods, symmetric and asymmetric. These have drawbacks related to simplicity, the strength of encryption as well as the means to control data access.

What I say above about cracking difficulty is based on the assumption that a password cannot be as long as a key.

By the way, a respective asymmetric method is used in TLS for the so-called "secure" network connection between machines. You can find more information here.

This guide assumes that:

For background information, you can see:

Some GPG basics

The figure below illustrates some key concepts and features of GPG. The truth is more complicated, but this is what you should understand for this guide.

Asymmetric and symmetric encryption illustrated

The figure shows the following:

Tarballs for compression and file bundling

If you want to encrypt a complete folder instead of a single file, it is easiest to compress the folder first, and I recommend the tarball format. You could use whatever compression tool you want. However, the tools for the tarball are widely available for Linux and can easily be executed from the command line. This will help you in case you want to automate your encryption with a shell script.

To create a tarball from your folder, say "myfolder", you can use the command below. Curiously, supplying the folder name as ./myfolder/ would create a root dir called . in the archive. To avoid this, the command below gives the relative folder name.

$ tar -czvf myfolder.tar.gz myfolder/

To decompress the tarball, you can give the command below. Alternatively, just double-click the file in the graphical file manager in your distro.

$ tar -xvzf myfolder.tar.gz

Symmetric encryption with password

Encrypt symmetrically

To encrypt symmetrically, you can use the command below. This will ask for an arbitrary password. As usual, the longer and more complex the better.

$ gpg -c myfolder.tar.gz

I assume that the resulting file will be called myfolder.tar.gz.gpg.

Decrypt symmetrically

The decryption goes as below, but I encountered a surprise. GPG did not ask for the password if you just supplied it locally for encryption. I wonder if the password is cached only for the login session or even beyond a reboot. I'll need more experience to answer, but this might be down to the Linux distro rather than GPG.

$ gpg --output myfolder.tar.gz --decrypt myfolder.tar.gz.gpg

Asymmetric file encryption with public and private key

Generate key

To start, generate a key for asymmetric encryption. This will include both the public part for encryption and private part for decryption. Please read the notes below.

$ gpg --full-generate-key

Key size. For a good level of security in the foreseeable future, we recommend 4096 bytes. A longer key is more difficult to crack.

Key identity. Make sure to provide an identity you can use to refer to the key because GPG can hold multiple keys locally. Therefore, in asymmetric encryption, you must indicate which key to use. In this guide, we assume that the associated email address is my@mail.org.

Key password. You must give a password to protect your locally stored private key. As usual, a longer, more complex password provides more security.

Key storage location. The command stores the key internally into GPG. I assume that, physically, the key will live in the folder ~/.gnupg.

Encrypt asymmetrically

Assuming you want to encrypt a tarball again (myfolder.tar.gz), you can use the command below. For the recipient, you must indicate the identifier of your (public) key.

$ gpg --output myfolder.gpg --encrypt --recipient my@mail.org myfolder.tar.gz

As given in the command, the resulting file will be called myfolder.gpg.

Because the method is asymmetric, the public key alone is enough for encryption. That is, your friend could hand you their public key for encryption. After you have encrypted some files for your friend, they could decrypt the files with their private key.

Decrypt asymmetrically

To decrypt your tarball GPG file, use the command below. This will prompt for the password of the (private) key. Here, you give the name of the resulting file explicitly.

$ gpg --output myfolder.tar.gz --decrypt myfolder.gpg

The command will not work if the private key does not exist in the keyring. This means that you must either have created the key locally or imported it.
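The tarball, encryption and decryption steps above can be combined into one script, as the tarball section suggests. The following is an added example, not part of the original guide; the function names encrypt_folder and verify_archive are hypothetical, and it assumes the key pair for the recipient (here my@mail.org) is already in the keyring.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Assumes the key pair for the recipient is already in the local keyring.

# encrypt_folder FOLDER RECIPIENT OUTFILE
# Streams the tarball straight into gpg, so no unencrypted archive is
# written to disk.
encrypt_folder() {
    [ -d "$1" ] || { echo "not a folder: $1" >&2; return 2; }
    # -C with the bare folder name keeps "myfolder/" as the archive root
    # and avoids the "." root directory mentioned in the tarball section.
    # --batch never prompts: gpg refuses a recipient key it does not trust
    # instead of asking whether to use it anyway.
    tar -czf - -C "$(dirname "$1")" "$(basename "$1")" |
        gpg --batch --yes --output "$3" --encrypt --recipient "$2"
}

# verify_archive FOLDER ENCRYPTED
# Decrypts with the private key (gpg asks for its password unless cached)
# and compares the archive's file list with the folder. A plain sh pipeline
# reports only its last command's status, so a tar failure in
# encrypt_folder goes unnoticed there; this check catches it.
verify_archive() {
    want=$(cd "$(dirname "$1")" && find "$(basename "$1")" | sort)
    got=$(gpg --quiet --decrypt "$2" | tar -tzf - | sed 's:/$::' | sort)
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Usage: sh encrypt_folder.sh myfolder my@mail.org myfolder.gpg
if [ "$#" -eq 3 ]; then
    encrypt_folder "$1" "$2" "$3" && verify_archive "$1" "$3" &&
        echo "OK: $3 decrypts to the contents of $1"
fi
```

The verification step needs the private key, so it only works on a machine that can also decrypt the file.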

Share or back up your keys

When you encrypt backups, you should back up the keys too in case you lose the local key files for some reason. How you should store backed-up keys is out of scope for this guide, but you should preferably have two copies far from each other and in a secure place - and separated from the encrypted files!

Key export

To back up the keys, export these (public and private) into a file in the "ASCII armored format".

The command below exports the public key.

$ gpg --output public.pgp --armor --export my@mail.org

Respectively, the command to export the private key is as follows. Unlike the public key export, this will ask for the password of the key.

$ gpg --output private.pgp --armor --export-secret-key my@mail.org

Please note that you are not supposed to ever share your private key with anyone. If you expect someone to encrypt files for you, it is enough to share the public key.

Encrypt the keys. To transport or store your keys in a somewhat secure manner, it is good to encrypt even these, especially if you use an external service (such as the cloud). However, to avoid a never-ending loop of exporting public and private keys, it is better to stick with the symmetric, password-based method here. Just use a long, complex password, and think carefully about how to store or transport the exported keys to avoid risks.

Key import

The following command imports a public key (name assumed to be public.pgp).

$ gpg --import public.pgp

Respectively, the following imports a private key (called private.pgp). This will prompt for the password of the key.

$ gpg --import private.pgp

After the import, the keys should work as if they had been created locally.