What is GPG, and how do I use it to encrypt files on IU's research computing systems?

GNU Privacy Guard (GPG, also GnuPG) is free encryption software that's compliant with the OpenPGP (RFC4880) standard. Using GPG you can encrypt (and decrypt) files that contain sensitive data, such as protected health information (PHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. For more on GPG, see the GNU Privacy Guard website.

At Indiana University, GPG is installed as a command-line application in the default user environments on Big Red II, Karst, and Mason. To use GPG, you create a unique encryption key, and then use that key to encrypt and decrypt your files. If you need help using GPG on IU's research computing systems, contact the UITS Scientific Applications and Performance Tuning (SciAPT) team.

• Creating an encryption key
• Encrypting a file
• Decrypting a file

---

Creating an encryption key

To create a unique key for encrypting and decrypting files with GPG:

1. Make sure gpg-agent is running; on the command line, enter:

     gpg-agent -s --daemon --write-env-file --use-standard-socket

   You will see something like the following (in which username is your Network ID username and Machine is the name of the system):

     GPG_AGENT_INFO=/N/u/username/Machine/.gnupg/S.gpg-agent:22743:1; export GPG_AGENT_INFO;

2. On the command line, enter:

     gpg --gen-key

3. You will see something like the following (in which username is your Network ID username and Machine is the name of the system):

     gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
     This is free software: you are free to change and redistribute it.
     There is NO WARRANTY, to the extent permitted by law.
     
     gpg: keyring `/N/u/username/Machine/.gnupg/secring.gpg' created
     gpg: keyring `/N/u/username/Machine/.gnupg/pubring.gpg' created
     Please select what kind of key you want:
        (1) RSA and RSA (default)
        (2) DSA and Elgamal
        (3) DSA (sign only)
        (4) RSA (sign only)
     Your selection?

   Enter 1 to select the default key.

4. GPG will prompt you to choose a keysize (in bits). Enter 1024.
5. You will see:

     Requested keysize is 1024 bits
     Please specify how long the key should be valid.
              0 = key does not expire
           <n>  = key expires in n days
           <n>w = key expires in n weeks
           <n>m = key expires in n months
           <n>y = key expires in n years
     Key is valid for? (0)

   Enter a value to specify how long the key should remain valid (e.g., 2 for two days, 3w for three weeks, 10m for 10 months, or 0 for no expiration date).

6. GPG will prompt you to confirm the expiration date. If the correct date is displayed, enter y.
7. GPG will prompt for information it will use to construct a user ID to identify your key. At the prompts, enter your name, email address, and a comment.
8. GPG will prompt you to confirm or correct your information. You'll see a prompt something like this:

     You selected this USER-ID:
         "Full Name (comment) <username@iu.edu>"
   
     Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

9. If the information displayed is correct, enter o to accept the user ID. To correct errors or quit the process, enter the appropriate alternative ( n , c , e, or q ).
10. If you accept the user ID, GPG will prompt you to enter and confirm a password. Afterward, GPG will begin generating your key. You'll see:

      We need to generate a lot of random bytes. It is a good idea to
      perform some other action (type on the keyboard, move the mouse,
      utilize the disks) during the prime generation; this gives the
      random number generator a better chance to gain enough entropy.

This process may take several minutes to complete. When it's finished, you will see something like:

  gpg: key 09D2B839 marked as ultimately trusted
  public and secret key created and signed.
  
  gpg: checking the trustdb
  gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
  gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
  gpg: next trustdb check due at <expiration_date>
  pub   1024R/09D2B839 2013-06-25 [expires: <expiration_date>]
        Key fingerprint = 6AB2 7763 0378 9F7E 6242  77D5 F158 CDE5 09D2 B839
  uid                  Full Name (comment) <username@indiana.edu>
  sub   1024R/7098E4C2 2013-06-25 [expires: <expiration_date>]

You can now use the key (until it expires) to encrypt files in your account (for instructions, see the next section).

Encrypting a file

To encrypt a file using a GPG key you created, on the command line, enter (replace user_id with the email address you specified when you created the key and my_file with the name of the file to encrypt):

  gpg -e -r user_id my_file

GPG will create an encrypted version of the file you specified; the encrypted file will have a .gpg file extension (e.g., my_file.gpg). After confirming the encrypted version has been created, you can delete the original unencrypted file.

Decrypting a file

To decrypt a .gpg file (e.g., my_file.gpg), on the command line, enter:

  gpg my_file.gpg

GPG will prompt you for the password associated with the key you used to encrypt the file. When you enter the correct password, GPG will recreate the original, unencrypted version of the file (e.g., my_file). This process does not delete or alter the encrypted version of the file (my_file.gpg).