GPG notes

Jump to navigationJump to search

symmetric key encryption with GPG

Users often want to encrypt a file with a simple password or passphrase. This is called symmetric key encryption because the same password is used for both encrypting and decrypting a file. GPG is most often used for more robust and safe public/private key pair encryption and signing. But can be more effort and trouble if you are just encrypting a file for yourself. These examples show how GPG can be used for simple symmetric key encryption.

Note that OpenSSL also supports symmetric key encryption. You are likely to find OpenSSL on more machines than GPG, so you may prefer to use that tool instead.

symmetric key encryption

This encrypts the given file, foo.plain. Each line is equivalent and shows different ways for specifying input and output (from a file or stdin/stdout). The --armor option specifies ASCII encoded output instead of binary.

cat foo_plain_in.txt | gpg --symmetric --armor > foo.enc
gpg --symmetric --armor foo_plain_in.txt > foo.enc
gpg --symmetric --armor --output foo.enc foo_plain_in.txt

=== symmetric key decryption ===

Note that the '--use-agent' option is not required. Normally the agent is used to unlock the secret key in a key pair in your keyring, but  I just use it to get the passphrase for symmetric key encryption. The GPG key agent can provide more options for how you provide the passphrase. This makes the graphical GUI popup appear to ask for a password.

The '--no-mdc-warning' is necessary to suppress the warning that the message was not protected with a SHA-1 checksum (modification detection code). The MDC is not very useful with simple symmetric encryption anyway.

cat foo.enc | gpg --decrypt --no-mdc-warning --quiet --use-agent > foo_plain_out.txt


This was a rough first attempt at a bash alias that would decrypt either GPG or OpenSSL encrypted files. If it fails on gpg then it attempts openssl.

gpg --decrypt --no-mdc-warning --quiet --use-agent foo.enc || openssl bf -d -a -salt -in foo.enc