WEBVTT

0
00:01.890 --> 00:06.890
In this lecture I'll show you how to encrypt a file using gpg.

1
00:06.900 --> 00:15.180
There are two types: symmetric, aka private key encryption, and asymmetric, or public key

2
00:15.180 --> 00:16.690
encryption.

3
00:16.800 --> 00:24.930
As we've seen from the output of gpg --help, GPG supports many different encryption

4
00:25.020 --> 00:26.000
algorithms.

5
00:26.670 --> 00:36.300
However, the most commonly known ones are the Advanced Encryption Standard, or AES, for symmetric encryption

6
00:36.810 --> 00:49.120
and RSA and ECDSA for asymmetric encryption. Note that ECDSA stands for Elliptic Curve Digital

7
00:49.120 --> 00:49.900
Signature Algorithm

8
00:49.900 --> 00:59.270
and is starting to replace RSA. For example, the Bitcoin cryptocurrency uses ECDSA.

9
01:00.800 --> 01:05.330
Let's see how to encrypt a file using symmetric encryption.

10
01:05.330 --> 01:12.050
Then the file can be decrypted by anyone who has the password or the passphrase.

11
01:12.050 --> 01:19.850
This can be useful just for encrypting your own sensitive files locally or to encrypt a file before

12
01:19.850 --> 01:22.570
sending it to someone else.

13
01:22.760 --> 01:30.710
If you choose to send the encrypted file to someone else over an unsecured channel like the Internet

14
01:31.070 --> 01:37.310
you'll have to make sure that you'll find a more secure channel to send him the passphrase; the exchange

15
01:37.430 --> 01:46.250
of the shared password, in a secure manner, can be problematic sometimes. There are 2 formats of output you

16
01:46.460 --> 01:57.020
can get: binary and text. The binary version will take up less space but the ASCII or text version

17
01:57.290 --> 02:04.670
is preferable when you want to transport it as text like say pasting it into an email. GPG

18
02:04.690 --> 02:07.010
can encrypt any file type

19
02:07.070 --> 02:17.200
but for this example I'll take a text file. I've already created a simple text file called secret.txt.

20
02:17.390 --> 02:31.630
These are its contents, and I'm executing: gpg -c secret.txt
and it's prompting for a passphrase.

21
02:31.840 --> 02:41.490
Use something complex: at least 12-14 random characters including digits and special characters, or

22
02:41.490 --> 02:46.140
6 random words; just for this example

23
02:46.170 --> 02:49.080
I'll use something simple to write it fast.

24
02:56.180 --> 03:00.760
And in the same directory a new file has appeared.

25
03:00.950 --> 03:04.360
This is the encrypted file in binary form.

26
03:04.520 --> 03:08.210
secret.txt.gpg

27
03:08.510 --> 03:10.570
Let's see its contents.

28
03:12.260 --> 03:22.660
It's random gibberish! By default GPG uses AES256 as the encryption algorithm.

29
03:22.660 --> 03:31.480
This is very secure, but if you want to change it for any reason you can use the --cipher-algo

30
03:31.590 --> 03:39.350
option. To check which symmetric algorithms are available, execute gpg

31
03:39.400 --> 03:39.970
--version.

32
03:42.630 --> 03:50.950
The symmetric encryption algorithms available are in the cipher section. For the next example

33
03:51.180 --> 03:57.470
let's choose Blowfish, which is, by the way, a very strong algorithm.

34
03:57.480 --> 04:07.250
I also want to specify manually the name of the output file, and I'm executing gpg -c

35
04:07.260 --> 04:11.180
--cipher-algo

36
04:12.360 --> 04:15.060
the name of the algorithm, blowfish,

37
04:17.380 --> 04:18.210
-o

38
04:18.250 --> 04:23.050
and the name of the output file for example

39
04:23.050 --> 04:30.460
secret_blowfish.txt.gpg and the file that will be encrypted

40
04:30.460 --> 04:41.410
secret.txt. It's asking for the passphrase and I'm entering the passphrase or the password.

41
04:48.750 --> 04:56.250
And the new file named secret_blowfish.txt.gpg has appeared in the current working

42
04:56.250 --> 04:56.850
directory.

43
04:58.300 --> 05:02.330
After encrypting your file, if you want to keep it for storage,

44
05:02.410 --> 05:13.560
don't forget to erase the clear text version, this file. You could use the shred command instead of rm

45
05:13.630 --> 05:22.510
because it overwrites the file to hide its contents and then deletes it. This will make it very hard

46
05:22.510 --> 05:26.280
for anyone who wants to recover the deleted file.

47
05:26.440 --> 05:34.360
Something like this: shred -vu -n 100 secret.txt

48
05:38.050 --> 05:43.480
The file was overwritten 100 times and then deleted.

49
05:43.600 --> 05:47.790
When you want to decrypt your file you execute: gpg -o

50
05:47.860 --> 05:56.230
the name of the clear text file that will be created secret.txt -d and the name of

51
05:56.290 --> 06:02.760
the encrypted file secret.txt.gpg

52
06:02.950 --> 06:10.530
There is a new file called secret.txt in the current working directory.

53
06:10.780 --> 06:16.090
It has automatically determined if it was symmetrically encrypted,

54
06:16.090 --> 06:25.270
the encryption algorithm, or if it was encrypted asymmetrically with something like RSA or ECDSA and

55
06:25.360 --> 06:27.810
it needs to look for a private key.

56
06:29.270 --> 06:34.400
Maybe you wonder why it didn't ask for any passphrase?

57
06:34.400 --> 06:40.520
The answer is that gpg by default uses a software component called gpg-agent.

58
06:43.420 --> 06:56.540
This is its man page. gpg-agent runs as a daemon and manages secret or private keys. It's running as a

59
06:56.540 --> 07:07.600
daemon in the background, so for this session the gpg-agent daemon is keeping a copy of the passphrase securely

60
07:07.630 --> 07:09.760
in the RAM.

61
07:09.930 --> 07:20.380
You can make it forget the passphrase like this: echo RELOADAGENT, in upper case letters,

62
07:20.510 --> 07:23.610
| gpg-connect-agent

63
07:26.930 --> 07:35.410
or if you want to manually terminate the currently running agent you can execute gpgconf --kill

64
07:35.410 --> 07:39.930
gpg-agent.

65
07:39.990 --> 07:49.430
Now if I try to decrypt the same file it will ask for the passphrase. Let's run the command that decrypts

66
07:49.460 --> 07:55.230
the file, this one, and it's asking for the passphrase.

67
08:01.360 --> 08:09.640
Let's move on and see how to create an ASCII format output instead of binary. As I said, it is useful

68
08:09.730 --> 08:18.820
when you want to use the encrypted message in text-based applications, like pasting it somewhere. To produce

69
08:18.910 --> 08:21.510
an encrypted ASCII format,

70
08:21.550 --> 08:28.900
all you have to do is add the -a or --armor option to the gpg command, like this:

71
08:29.050 --> 08:37.900
gpg -ca and the clear text file that will be encrypted, secret.txt

72
08:45.990 --> 08:54.540
and the resulting encrypted file is secret.txt.asc in the current working directory.

73
08:55.520 --> 09:01.890
All of the options we have seen in the previous examples are still available.

74
09:01.910 --> 09:06.640
This is a text file.

75
09:06.850 --> 09:08.500
This is the encrypted file.

76
09:09.560 --> 09:22.240
And you decrypt it as usual: gpg -d secret.txt.asc, and it was decrypted.

77
09:22.240 --> 09:24.850
This is the contents of the file.

78
09:24.850 --> 09:31.230
Remember that the gpg agent kept a copy of the passphrase in the RAM.

79
09:31.280 --> 09:36.660
Okay, that's all about the symmetric or private key encryption using gpg.

80
09:36.760 --> 09:41.990
In the next lecture we'll move to asymmetric or public key encryption.

81
09:42.010 --> 09:43.390
See you in a second!