File encryption with GPG

Published: 6 years ago web dev

As part of my backup strategy, I have decided to upload my backups to Backblaze (a relatively cheap cloud provider). These web backups do contain sensitive data and until now I have not encrypted them. However, that's about to change! Encrypting files on Debian isn't something I've done before, so I'm documenting my process for future reference.

The first thing to do is generate a GPG key pair:

gpg --gen-key

Choose the following options:

(1) RSA and RSA
(2) 4096 bits long
(3) 0 expiry

Then enter your real name/comment/email and enter a passphrase.

Confirm your key has been created:

gpg --list-keys

BACK UP the public and private keys! In my situation I'll have no need to leave the private key on the server so this should be removed. In reality, you should create the secret key on the machine that will be doing the decrypting so that you do not need to transfer it over the internet.

Anyway, in the commands below, replace [the key name] with part of the key identifier created previously.

gpg --armor --output backups-pubkey.asc --export '[the key name]'

gpg --armor --output backups-privkey.asc --export-secret-keys '[the key name]'

Now you can encrypt and decrypt files at will:

gpg --encrypt --recipient '[the key name]' file.tar.gz

gpg --output file.tar.gz --decrypt file.tar.gz.gpg
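The point above about keeping the private key off the server, as a runnable sketch added here (not from the original post). It assumes GnuPG 2.1 or later, a constructed key name, throwaway keyrings under a temp directory, and no passphrase on the demo key.

```shell
# Added example, not from the original post. KEY, paths and the payload are constructed.
KEY='backups-demo@example.invalid'
BITS=${BITS:-4096}   # key size from the post; lower it only to speed up a test run
# Run gpg non-interactively against one specific keyring directory.
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --no-tty "$@"; }

setup() {
  WORK=$(mktemp -d); DEC="$WORK/dec"; SRV="$WORK/srv"
  mkdir -m 700 "$DEC" "$SRV"
  # Unattended form of the interactive answers: RSA and RSA, $BITS bits, no expiry.
  # %no-protection skips the passphrase for this throwaway key only.
  g "$DEC" --gen-key <<EOF
Key-Type: RSA
Key-Length: $BITS
Subkey-Type: RSA
Subkey-Length: $BITS
Name-Real: Backups Demo
Name-Email: $KEY
Expire-Date: 0
%no-protection
%commit
EOF
  # Only the public half is copied to the backup server's keyring.
  g "$DEC" --armor --output "$WORK/backups-pubkey.asc" --export "$KEY"
  g "$SRV" --import "$WORK/backups-pubkey.asc"
  printf 'constructed backup payload\n' > "$WORK/file.tar.gz"
}

server_encrypt() {
  # An imported key carries no ownertrust, so batch encryption needs an explicit trust choice.
  g "$SRV" --trust-model always --encrypt --recipient "$KEY" \
    --output "$WORK/file.tar.gz.gpg" "$WORK/file.tar.gz"
}

# True only if the server keyring holds any secret key (it should not).
server_has_secret_key() { [ -n "$(g "$SRV" --list-secret-keys --with-colons)" ]; }

# Expected to fail: the server cannot read back what it encrypted.
server_decrypt() { g "$SRV" --output "$WORK/leak" --decrypt "$WORK/file.tar.gz.gpg" 2>/dev/null; }

decrypt_host_restore() {
  g "$DEC" --output "$WORK/restored.tar.gz" --decrypt "$WORK/file.tar.gz.gpg" 2>/dev/null &&
    cmp -s "$WORK/file.tar.gz" "$WORK/restored.tar.gz"
}

cleanup() {
  for h in "$DEC" "$SRV"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
}
```

Call setup, server_encrypt, server_decrypt, decrypt_host_restore and cleanup in that order; server_decrypt returning non-zero is the expected result.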

Additional note

If, like me, you found you created the keys for one user but then actually needed them for another user, the easiest solution is to copy ~/.gnupg to your other user. I have no idea if this is a great idea but it looks like it is at least one solution described in the docs.