Encrypt a file with GNU Privacy Guard (GPG) using the strongest cipher and key-strengthening options offered by GPG.
The default GPG symmetric file encryption settings (CAST5 and SHA-1 on older GPG versions) are weaker choices compared to other options available.
And the command-line switches to enable the stronger GPG options are verbose, not easily-remembered, and inconvenient.
GPGit provides a single command to call GPG with its strongest file encryption options.
-
GPG installed.
-
GPGit script placed in a directory location in $PATH.
GPG is present by default on most Linux distros (whereis gpg or whereis gpg2), else it is available from the distro repos.
(GPG2 is to be preferred, if it is installed on the machine, as it is more resistant to attack. Replace gpg with gpg2 in the gpgit script.)
GPG for Windows is available from websites such as GPG4Win, or the standalone command-line executable can be extracted from a Git installation.
- gpgit
- gpgit.bat
As your preferred user:
chmod 700 gpgit sudo mv gpgit /usr/local/bin/usr/local/bin is just an example of a $PATH location.
Move gpgit.bat to a suitable directory. Ensure that directory is in the $PATH variable. If not add the directory: Windows/Super key + Break > Advanced tab > Environmental Variables button > click Path line > Edit button > Variable value - append at the end of existing line info: C:\directory path\to gpgit.bat;
gpgit <filename>GPG asks for a passphrase (and confirmation) and then creates an encrypted copy of the original file with the file extension .gpg
Decrypt the encrypted file with:
gpg <filename>.gpg gpgit <filename> -cGPG asks for two passphrases (passphrase one, confirmation; gpgit message: applying cascade encryption [...]; passphrase two, confirmation), and creates two files. The file with the double extension .gpg.gpg is the cascade-encrypted file.
Two steps of decryption will be required, e.g. for secret.txt.gpg.gpg
gpg secret.txt.gpg.gpgthen
gpg secret.txt.gpgresulting in secret.txt
The default AES256 cipher call used in GPGit can be replaced with other ciphers offered by GPG.
TWOFISH is probably the strongest cipher alternative to AES256.
gpg --version
gpg (GnuPG) 1.4.20
Copyright (C) 2015 Free Software Foundation, Inc.
pgpdump default.txt.gpg
Sym alg - AES with 128-bit key(sym 7)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA1(hash 2)
Salt - 8f c8 6b 9a b0 b8 c2 10
Count - 65536(coded count 96)
pgpdump gpgit.txt.gpg
Sym alg - AES with 256-bit key(sym 9)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA512(hash 10)
Salt - a6 60 04 ad f3 e8 09 43
Count - 65011712(coded count 255)
gpg2 --version
gpg (GnuPG) 2.1.11
libgcrypt 1.6.5
Copyright (C) 2016 Free Software Foundation, Inc.
pgpdump default2.txt.gpg
Sym alg - AES with 128-bit key(sym 7)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA1(hash 2)
Salt - 9c 2f ca 1f 9e 19 e5 eb
Count - 31457280(coded count 238)
pgpdump gpgit2.txt.gpg
Sym alg - AES with 256-bit key(sym 9)
Iterated and salted string-to-key(s2k 3):
Hash alg - SHA512(hash 10)
Salt - 31 13 57 9c 49 54 d2 f8
Count - 65011712(coded count 255)
GPGit is released under the GPL v.3.