The (Code) Den

GPG is an awesome open-source cryptographic library. One of it’s uses is data encryption. Most of us use file-hosting services like Dropbox, and some of us keep confident stuff in there like passwords, 2FA recovery keys, or CC info. I won’t argue that this is a bad idea, since it’s pretty convenient, but only if the files are properly protected.

The example below uses a folder, and since gpg can be used on a single file only, we archive the folder, and pass it to gpg. For decryption, it goes in reverse order, decrypt then extract. If you want to encrypt a single file, just remove the tar pipes.

Encryption:
tar -cz 2FA/ | gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 --s2k-cipher-algo AES256 --compression-algo BZIP2 -co encrypted_file
Decryption:
gpg -d encrypted_file | tar -zx


Explanation of options:

• Use --symmetric (-c) to encrypt a file with a passphrase. Symmetric here means the same passphrase is used for both encryption and decryption.
• Use --output (-o) to specify the output file.
• Use --compression-algo to specify the compression algorithm for the output file.
• Use --s2k-cipher-algo to specify the symmetric cipher algorithm used to actually encrypt the message.
• Use --s2k-digest-algo to specify the digest algorithm used for hashing passphrases in various operations (e.g., the symmetric passphrase specified when using -c).
• Use --s2k-mode to choose how the passphrases for symmetric encryption are mangled.
• Use --s2k-count to specify how many times the passphrases mangling for symmetric encryption is repeated.
• Use --decrypt (-d) to decrypt an encrypted file.

To get a list of supported algorithms, use gpg --version.