
Linux: HowTo Encrypt And Decrypt Files With A Password

To encrypt and decrypt files with a password, use the gpg command. It is an encryption and signing tool for Linux and UNIX-like operating systems such as FreeBSD, Solaris and others.

gnupg

GnuPG stands for GNU Privacy Guard and is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility.

Encrypting a file in Linux

To encrypt a single file, use the gpg command as follows:
$ gpg -c filename

To encrypt myfinancial.info.txt file, type the command:
$ gpg -c myfinancial.info.txt
Sample output:

Enter passphrase:<YOUR-PASSWORD>
Repeat passphrase:<YOUR-PASSWORD>

This will create a myfinancial.info.txt.gpg file. Where,

  • -c : Encrypt with symmetric cipher using a passphrase. The default symmetric cipher used is CAST5, but may be chosen with the --cipher-algo option. This option may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase).

Please note that if you ever forget your password (passphrase), you cannot recover the data, as it uses very strong encryption.

Decrypt a file

To decrypt a file, use the gpg command as follows:
$ gpg myfinancial.info.txt.gpg
Sample outputs:

gpg myfinancial.info.txt.gpg
gpg: CAST5 encrypted data
Enter passphrase:<YOUR-PASSWORD>

To decrypt the file and write the output to the file vivek.info.txt, run the command (options go before the file name):
$ gpg -o vivek.info.txt -d myfinancial.info.txt.gpg
Also note that if the file extension is .asc, it is an ASCII encrypted file, and if the file extension is .gpg, it is a binary encrypted file.


Comments on this entry are closed.

  • Anonymous May 22, 2005, 9:10 am

    Thanks! This helped me a lot. Encryption everywhere seems to be only about e-mail. I just wanted to encrypt a password file.

  • garam May 27, 2005, 12:09 pm

    This came very handy…and is now bookmarked! Thanks.

  • David Legg July 30, 2007, 10:58 am

    This is fine as far as it goes. However, if you decrypt a file and look at it using a word processor (say), the word processor might well leave back-up copies of your sensitive file in /tmp or in a back-up directory. So when you delete your unencrypted file, you have to delete any other copies that might be lying around the filing system too. A better way around this problem might be to use whole partition encryption: http://encryptionhowto.sourceforge.net/Encryption-HOWTO-4.html
    But even then, you need to watch out for stuff that may be on a different disk/partition, e.g. in /tmp.

  • nixCraft July 30, 2007, 9:32 pm

    David,

    Good point about backup files. Thanks for sharing howto links.

    Appreciate your post!

  • Otávio January 5, 2008, 5:34 pm

    Great post.

    I need to encrypt a backup file in non-interactive mode, so I do not have a prompt to type the password, because it is an automated script.

    Do you know how I can proceed?

    Tkx in advance.

  • Maroon Ibrahim January 10, 2008, 9:39 pm

    Sirs,

    Can I encrypt squid.conf or httpd.conf that are located in the /etc/xxx folder, knowing that the squid process and the apache process need to access this file in order to read the configuration? If this is not workable in my case, is there a way to hide the .conf files from even the root users? Your help is highly appreciated…

    Greetings from Lebanon

    Regards,

  • Scream June 12, 2008, 3:10 am

    I want to encrypt/hide .conf. Your help is highly appreciated…

  • Hassan December 27, 2008, 5:18 am

    Thanks for the help. I want to decrypt rar files.

  • Cool Leecher April 29, 2009, 2:05 pm

    1) Unless the app is aware of the encryption, you cannot encrypt such .conf files.
    2) It is possible to write a script that wraps the process, i.e. squid: call gpg, decrypt the file, then call squid, re-encrypt the file, delete the .conf …
    It actually depends on how the process reads its conf files, i.e. at the beginning, in the loop …
    3) You can even recompile squid with some crypto lib and change all calls that read the file to be preceded by a decryption function.
    4) Nobody but root should have the root password; other users must be in specific groups that enable them to do some things that normally only root can do, and hence avoid giving them the root password.

  • Jay June 4, 2009, 2:09 am

    I thought, even if you encrypt a backup script, it will still run as it is.
    But it’s not.

    I just want to hide the backup script from others because it contains critical information about the files being backed up.

  • Rishabh Mishra July 15, 2009, 11:30 pm

    Jay: I think you will need to create a new backup script that decrypts and reads an encrypted file containing the critical information about the files being backed up.

    The information about the files will be protected, and the script should still run normally.

  • sureshkumar October 21, 2009, 10:15 am

    It’s very nice stuff … encryption and decryption in linux and tell me how to set password for each file and folder under linux.

  • fffrrr November 1, 2009, 3:37 pm

    A good post nixcraft, but I have a doubt: how does Linux encrypt? I mean at a native level, without using particular apps or tools… thx

  • Kris February 1, 2010, 2:01 pm

    Non interactive encrypt/decrypt:-

    Encrypt it…
    gpg --yes --passphrase [passphrase] -c [filename]

    Decrypt it…
    gpg --yes --passphrase [passphrase] [filename]

    Piece of pie…

    • Khan Hannan September 13, 2011, 4:50 pm

      This was a life saver.

    • Khan Hannan September 13, 2011, 7:23 pm

      So I thought this would help, but unfortunately it didn’t. I’m wondering why. Also, when I do a “gpg -h”, “--passphrase” doesn’t show up as one of the options. Is this like a secret option or something?

      • Cristian December 12, 2011, 5:50 pm

        Hi,
        You must use the following command:

        gpg --batch --yes --passphrase [passphrase] -c [filename]

        Bye,

  • john February 10, 2010, 3:25 am

    where would you check if the passphrase is entered correctly or not? If I want to encrypt a binary file to enter the correct password before someone can run my program, where do I implement the passphrase check? In the binary file or in my program?

  • Naresh February 15, 2010, 2:58 pm

    Thank you very much

  • Muhanad August 15, 2010, 12:30 am

    Sirs

    I need to encrypt a folder with its content, without needing to encrypt all the files inside this folder. Please help.
    Your help is highly appreciated.

    Best regards

  • Anitha August 18, 2010, 12:24 pm

    Hai,…

    I want to encrypt the squashfs.img (squashfs.img.enc) file in Fedora Live OS. It should be decrypted while booting. Does anyone know how to do this?

  • Anon December 20, 2010, 2:39 pm

    There is a nice command line tool available here for file encryption: http://code.google.com/p/kpbe/. It supports many algorithms and requires Mono.

  • Paul April 2, 2011, 1:34 am

    For Gnome, if you prefer the right click option, install “seahorse-plugins” from synaptic or apt-get install; if you’re a KDE user you can install kgpg. Both options allow key generation and management along with right click encrypt options. If you prefer the GUI option, that is.

  • abhandari May 29, 2011, 8:01 am

    hey admin!
    If I am not wrong, there is a typo on:
    ————–
    To decrypt file use gpg command:
    $ gpg myfinancial.info.gpg
    ————–which could be like this—-
    To decrypt file use gpg command:
    $ gpg --decrypt -o someoutputfile.txt myfinancial.info.gpg
    —————-

  • sandeep June 13, 2011, 6:20 am

    That’s very interesting. I like it.

  • Pavan November 16, 2011, 10:52 am

    Hi,
    I have encrypted the file on a Windows machine, but when I try to decrypt it on Linux using gpg filename it is not encrypting. The error that comes up is:

    gpg: encrypted with RSA key, ID 83994B4A
    gpg: decryption failed: secret key not available

    When I use the command gpg -d I also get the same error.

    Thanks
    pavan

  • Cristian December 12, 2011, 5:49 pm

    Hi,
    You must use the following command:

    gpg --batch --yes --passphrase [passphrase] -c [filename]

    Bye,

  • Pavan December 16, 2011, 9:53 am

    It’s not working

  • Naresh Kumar December 27, 2011, 12:06 pm

    Hi,

    Is there any difference between .gpg and .pgp files? I have a pgp encrypted file and a key. Can anyone please let me know how to decrypt it through PHP or a shell command? Thanks in advance.

    Regards,
    N Naresh Kumar

  • syamjith S February 16, 2012, 12:44 pm

    Hi
    My command is "gpg --yes --passphrase=mypassphrase myfile.pgp". It works fine in my terminal, but when I try to execute this command through PHP using
    system("gpg --yes --passphrase=mypassphrase myfile.pgp", $res);
    it returns 2, i.e. it doesn’t work. Then I tried to execute this command through Perl CGI, and it reports a compilation error at the "--" characters in the above command.

    • Shammi April 15, 2012, 9:58 pm

      Could you please tell me what the steps are if we need to do the pgp encryption using a shell script?

  • RickL June 22, 2012, 7:28 pm

    I got the following non-interactive commands to work on Oracle Enterprise Linux. I assume that contains a pretty standard version of gpg:

    To encrypt a file:

    $ echo welcome | gpg --yes --passphrase-fd 0 -c try.txt 

    Here the passphrase is “welcome” and --passphrase-fd 0 means take the passphrase from standard input

    To decrypt the same file and pipe contents to standard output:

    $ echo welcome | gpg --yes --passphrase-fd 0 -d try.txt.gpg | tee yar.txt

    The passphrase is again “welcome” and I tee the output to yar.txt

    You can get info on these -- commands which don’t show up in gpg --help by looking at the gpg man pages (man gpg)

    BTW, I’m just learning this stuff myself, so don’t expect any other pearls of wisdom from me. Needed to get this working non-interactively for work, and thought I’d share what I learned.

  • jr July 18, 2012, 12:48 pm

    Thanks – This topic helped me to extract a gpg file using PGP tool ..

  • Phicko August 29, 2012, 8:06 am

    Thanks a lot this was very helpful to me.

  • Shyam August 29, 2012, 5:27 pm

    Is there a way to decrypt if I don’t remember the passphrase?

  • sanchit matta September 14, 2012, 5:20 pm

    What can I do if I want to encrypt a folder?

  • Paul September 15, 2012, 2:23 am

    If you use kgpg then the folder will be compressed before it is encrypted, but there have been changes to seahorse and Gnome 3; it is called seahorse-nautilus now and I can’t be sure if it will compress the folder first before encrypting because it has lost a lot of useful functions in the change. If anybody is afraid of the command line, not that it is a bad thing, just a little long winded and confusing, check out EW (Encryption Wizard); it uses Java, is cross platform and can encrypt multiple files at once as well as compressing folders before encryption.

    • sanchit matta September 15, 2012, 7:12 am

      Hey Paul, I have a CentOS server. What should I do to encrypt a folder, use kgpg before using gpg?

  • Paul September 18, 2012, 4:47 am

    kgpg is a GUI front end for gpg on the KDE desktop, it allows you to create, manage and delete private and public keys as well as symmetric and asymmetric encryption. It is integrated into Dolphin which is the native KDE file manager. Once you have created the keys it’s just a matter of right click, then if my memory serves me right, actions and then encrypt file. For Gnome 3 use seahorse-nautilus and all related plugins from the repositories for the same right click function to encrypt files using gpg, seahorse and seahorse-nautilus are also a gpg GUI front end. For newer desktops such as MATE, seahorse-nautilus won’t work because MATE uses a different file manager which I think is called Caji, in this case you could use 7z and compress with a password. 7z compression uses 128 bit or 256 bit AES, not sure which it is so please forgive me on that.

  • Paul September 18, 2012, 4:53 am

    I forgot, 7z password protection isn’t available on KDE, but is for other desktop environments such as MATE and Gnome3, it’s something to do with a problem with the archive manager for KDE, although you can install file-roller and use the password protection that way if need be.

  • Paul September 18, 2012, 5:00 am

    If you want to encrypt a folder and all its contents that will stay on the drive and not be compressed or archived, maybe you could check out CryptKeeper. Cryptkeeper is also very useful for cloud synchronizing as it encrypts every file within the folder individually and renames them. For Cryptkeeper you can unlock the folders by using the icon in the system tray, then inputting your password and the folder will appear in your file manager as any other folder. Cryptkeeper works for KDE, Gnome 3 and MATE from my experience although you might have to put it in the list of start-up applications if you don’t want to manually start it every session. I hope all this is helpful to everybody here.

  • kartik November 7, 2012, 5:52 am

    Hello sir,
    I want to modify my .profile to customise my user account. Is it based on the kind of shell?
    Or can I change any profile?

  • Usep Nugraha November 14, 2012, 4:57 am

    Thanks, it helps to protect my file

  • Z.Brannigan December 29, 2012, 2:40 pm

    Thank you!

  • C.T August 20, 2013, 3:47 am

    I use Linux, and when I created my system I chose to encrypt my home folder and the hard drive, so I think that means my entire hard drive is encrypted

  • duaa December 18, 2013, 9:45 am

    Write a program that will take a text file as input, either encrypt or decipher the text using a
    keyword cipher (Vigenere cipher), and save the modified text file. The program should ask the
    user for the keyword to use in the cipher, whether the file needs to be encrypted or deciphered,
    and the name of both the input file and the output file.
    In a Vigenere cipher, each letter of the alphabet maps to a number. For our program we will use
    the assigned ASCII value of each character. To encrypt the message, a special key word is used.
    The keyword is repeated as often as necessary, and the values of the letters in the keyword are
    added to the values of the letters in the cypher text to create the encrypted message. When it is
    time to decipher the message, the value of the letters in the keyword are subtracted from the
    values of the letters in the encrypted message and the result is the original text. So, here is an
    example of how to encrypt a message using the Vigenere cipher. I’ll leave it to you to figure out
    how to decipher it.

  • duaa December 18, 2013, 9:46 am

    can you help me

    • Akash Patle June 2, 2014, 10:56 am

      What’s your problem?

  • Akash Patle June 2, 2014, 10:55 am

    kgpg is a GUI front end for gpg on the KDE desktop, it allows you to create, manage and delete private and public keys as well as symmetric and asymmetric encryption. It is integrated into Dolphin which is the native KDE file manager. Once you have created the keys it’s just a matter of right click, then if my memory serves me right, actions and then encrypt file. For Gnome 3 use seahorse-nautilus and all related plugins from the repositories for the same right click function to encrypt files using gpg, seahorse and seahorse-nautilus are also a gpg GUI front end. For newer desktops such as MATE, seahorse-nautilus won’t work because MATE uses a different file manager which I think is called Caji, in this case you could use 7z and compress with a password. 7z compression uses 128 bit or 256 bit AES, not sure which it is so please forgive me on that.

  • me December 15, 2014, 4:06 am

    Hi,

    I use Kubuntu and have gpg installed as a default program.

    First point. What is the difference between pgp and gpg?

    I have downloaded a programme from a website and the page talks of using keys to validate the program.

    Second point. Am I correct in assuming that the key must be imported into gpg before a validation can take place. Can validations be done ‘on the fly’?

    I am wondering how validations can help.

    Is it not possible to put a programme on a website, and place a key there that will fit, and the user (downloader) will note consistency on analysis? As for downloading keys, could someone not upload a key to a server that will show consistency on using gpg when the program itself may be problematic?

    Point three. Should keys be used that are published on a website, or only those available via servers?

    No doubt, I will be back

    Thanks

    PS. Is there a good forum for gpg discussions?

  • Dave March 5, 2015, 10:53 am

    Here is something we use to make cron jobs run automated encrypted backups without writing password in the script file (but writing it in a separate file … degree of security is debatable, though)

    If you don’t want to write passwords inside scripts, but keep the password in a separate file that can be read only by root then for example:

    # cat /secret/location/passwdfile | gpg -c --passphrase-fd 0 backup-file-to-encrypt.gz

    This creates the file backup-file-to-encrypt.gz.gpg with the password inside /secret/location/passwdfile.
    Permissions (400):
    r-- --- --- root root /secret/location/passwdfile

    Adjust permissions and owner according to which user you want to run the cron.

    On CentOS, if gpg is not available, then use gpg2, but you have to use the --batch option

    # cat /secret/location/passwdfile | gpg2 -c --batch --passphrase-fd 0 backup-file-to-encrypt.gz

    To decrypt,

    # cat /secret/location/passwdfile | gpg --passphrase-fd 0 backup-file-to-encrypt.gz.gpg

    Or in CentOS:

    # cat /secret/location/passwdfile | gpg2 --batch --passphrase-fd 0 backup-file-to-encrypt.gz.gpg

    --passphrase-fd means take the passphrase from a File Descriptor; 0 means STDIN, which is the output of cat piped to the gpg command
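
The passphrase-file approach discussed in the comments above (--passphrase-fd 0 fed from a root-only file), as an added example that is not part of the original article or of any commenter's post. It refuses a passphrase file that group or others can access, keeps the passphrase off the command line (where --passphrase would be visible in process listings), and adds --pinentry-mode loopback on GnuPG 2.1 and later. The function names, the AES256 choice and the use of GNU stat are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the page): function names, AES256 and GNU stat are assumptions.
GPG_BIN="${GPG_BIN:-gpg}"

# GnuPG 2.1+ hands passphrase requests to gpg-agent/pinentry unless loopback
# mode is selected; GnuPG 1.x and 2.0 do not know the option at all.
gpg_loopback_opts() {
    local ver major minor
    ver=$("$GPG_BIN" --version | head -n1 | grep -oE '[0-9]+\.[0-9]+' | head -n1)
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }; then
        echo "--pinentry-mode loopback"
    fi
}

# Refuse a passphrase file that group or others can read or write.
check_passfile() {
    local mode
    [ -f "$1" ] || { echo "missing passphrase file: $1" >&2; return 1; }
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$1 has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
}

# encrypt_file PASSFILE INPUT: writes INPUT.gpg, passphrase arrives on fd 0.
encrypt_file() {
    check_passfile "$1" || return 1
    # The option list is left unquoted on purpose so it splits into two words.
    "$GPG_BIN" --batch --yes $(gpg_loopback_opts) --passphrase-fd 0 \
        --cipher-algo AES256 -o "$2.gpg" -c "$2" < "$1"
}

# decrypt_file PASSFILE INPUT.gpg OUTPUT: options precede the file name.
decrypt_file() {
    check_passfile "$1" || return 1
    "$GPG_BIN" --batch --yes $(gpg_loopback_opts) --passphrase-fd 0 \
        -o "$3" -d "$2" < "$1"
}
```

Source the file from a cron script and call encrypt_file /secret/location/passwdfile backup-file-to-encrypt.gz; a non-zero return means either the permission check or gpg itself failed.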