Exploring file encryption in Linux

This article explores file encryption in Linux using tools that readily available from the OS ISO itself.
There are numerous other command line & GUI tools that can be used to encrypt files linux.

We can use file encryption tools to indirectly encrypt directory content as well. We just need to create a tar archive of the directory & we are goof to go.

Method 1: Using gpg

GnuPG stands for GNU Privacy Guard and is GNU’s tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility.

Encrypting a file in linux:

To encrypt a single file, use command gpg as follows:

[root@centops ~]# gpg -c myfile.txt
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[39037]: directory `/root/.gnupg/private-keys-v1.d' created

-c : Encrypt with symmetric cipher using a passphrase. The default symmetric cipher used is CAST5, but may be chosen with the –cipher-algo option.

Decrypt a file:

To decrypt file use the gpg command as follows:

[root@centops ~]# gpg myfile.txt.gpg
gpg: 3DES encrypted data
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
[root@centops ~]# cat myfile.txt
this is a test to check for file encryption!!:
[root@centops ~]#

Method 2: using zip

We can use -e option to encrypt the file resulting from a zip operation. Given below is an example.

[root@centops ~]# zip -e  myfile.txt.zip myfile.txt
Enter password:
Verify password:
  adding: myfile.txt (stored 0%)
[root@centops ~]# ls -l myfile.txt.zip
-rw-r--r--. 1 root root 245 Oct 30 07:51 myfile.txt.zip
[root@centops ~]#
[root@centops ~]# unzip myfile.txt.zip
Archive:  myfile.txt.zip
[myfile.txt.zip] myfile.txt password:
 extracting: myfile.txt
[root@centops ~]# cat myfile.txt
this is a test to check for file encryption!!:
[root@centops ~]#

Method 3: Using openssl

HowTo : Encrypt a File

$ openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc


openssl OpenSSL command line tool.
enc                 Encoding with Ciphers.
-aes-256-cbc The encryption cipher to be used.
-salt Adds strength to the encryption.
-in Specifies the input file.
-out Specifies the output file.

-salt option should ALWAYS be used if the key is being derived from a password.

The reason for this is that without the salt the same password always generates the same encryption key.

When the salt is being used the first eight bytes of the encrypted data are reserved for the salt: it is generated at random when encrypting a file and read from the encrypted file when it is decrypted.

HowTo : Decrypt a File

$ openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt


-d Decrypts data.
-in Specifies the data to decrypt.
-out Specifies the file to put the decrypted data in.

Base64 Encode and Decode:

Base64 encoding is a standard method for converting 8-bit binary information into a limited subset of ASCII characters.

It is needed for safe transport through e-mail systems, and other systems that are not 8-bit safe.

By default the encrypted file is in a binary format.
If you are going to send it by email, you have to save encrypted file in Base64-encode.

To encrypt file in Base64-encode, you should add -a option :

$ openssl enc -aes-256-cbc -salt -a -in file.txt -out file.txt.enc


-a Tells OpenSSL that the encrypted data is in Base64-ensode.

Option -a should also be added during decryption :

$ openssl enc -aes-256-cbc -d -a -in file.txt.enc -out file.txt

Non interactive Encrypt / Decrypt
Since the password is visible, this form should only be used where security is not important.

By default a user is prompted to enter the password.

If you are creating a BASH script, you may want to set the password in non interactive way, using -k option.
Public key cryptography was invented just for such cases.

Encrypt a file using a supplied password :

$ openssl enc -aes-256-cbc -salt -in file.txt -out file.txt.enc -k PASSWORD

Decrypt a file using a supplied password :

$ openssl enc -aes-256-cbc -d -in file.txt.enc -out file.txt -k PASSWORD