Department of Electrical Engineering and Computer Science



Guide to File Encryption

This document gives an overview of some of the file encryption methods available for use in UT EECS Unix/Linux accounts and home areas. This is not a general overview of file encryption methods and standards. For more information, check out the following Wikipedia articles:

Additionally, the following resources will give you more information on the Gnu Privacy Guard (GPG) software used in this document:

General Overview

Encrypting your files is one method to reduce the risk of having unauthorized persons gain access to sensitive information. Be aware that you should continue to safeguard encrypted files by properly setting their file permissions and mode. Also, remember that encrypted files (cipher text) are unreadable – even to you – without turning them back into unencrypted files (plain text). If you forget or lose the encryption key, you will not be able to access the information stored in cipher text. You might want to consider keeping plain text backups for important files on off-line media (CDs, DVDs, etc.).

Symmetric Key Encryption

When most people think about encryption they think about symmetric key encryption. This is the classic method of taking plain text and a key and turning it into cipher text. The same key (or a trivially related key) is then used to turn the cipher text back into plain text. While this method is relatively easy to implement and understand, it has some significant drawbacks:

  • In most cases, symmetric encryption tends to be easier to crack, especially when simple passwords/passphrases are used.
  • The encryption key has to be pre-arranged between sender and recipient.

Asymmetric Key Encryption

In asymmetric key encryption, a user generates a key pair consisting of a private key (or secret key) and a public keywhich are mathematically related. Plain text is encrypted using the recipient's public key and can then only be decrypted (in practice) using the corresponding private key. There are many advantages to asymmetric key schemes, such as the (generally) larger size of the keys, the safety of distributing only public keys, easy support for multiple recipients, the ability to use keys for digital signatures (non-repudiation), and the simplicity of encrypting a file for the use by a third party by using a public key. Disadvantages include the difficulty of safeguarding the private key.

Picking a good password

You can use the GPG system for symmetric as well as asymmetric encryption schemes. Either method requires the use of a password or pass phrase. For a password containing uppercase and lowercase letters, digits, and special characters, 8-10 characters are sufficient for most users. This should *not* be your current CS password.

It is important if you use a 8-character password that you choose those characters randomly from the available typable characters on a standard keyboard (about 94). Assuming a cracker can brute-force check 100,000 passwords a second (doable on even a Pentium III), this is how long it would take (worst case scenario) to crack your password:

Letters available for passwordLetters used in passwordTime to crack
26 (lowercase characters) 3 263*.00001 = 0.18 seconds
  8 268*.00001 = 2,088,271 seconds = 24.17 days
52 (English characters) 3 523*.00001 = 1.4 seconds
  8 528*.00001 = 534,597,285 seconds = 17 years
94 (keyboard characters) 3 943*.00001 = 8.3 seconds
  8 948*.00001 = 6.09*1010 seconds = 1,933 years

Naturally, the above supposes that the cracker only has one Pentium III system available. Even a small cluster of Core 2 Duo systems could cut the above times by a factor of about 25-100. Also, using a random key search, the cracker has a 50:50 chance of finding the password in half the time listed. As you can see, cracking an 8-character password consisting of all English language characters suddenly becomes quite feasible, taking maybe 1-3 months using a few fast systems. Brute-forcing a truly random 8-character password with the characters chosen from a pool of 94 would require the computing power equivalent of thousands of Pentium IIIs to succeed in an appreciable time. Using a 10 character password from a 94-character space would take over 17,000 millenia on a Pentium III and is unrealistic even using a large cluster of modern systems.

Picking a good pass phrase

For the purposes of this document, a pass phrase is a password consisting of plain English words. In general, a character of English prose yields about 1 bit of “entropy” or randomness. To generate a pass phrase that is equivalent to an 8-character random password, you would need something of a length of about log2(948) = 53 characters. Adding just a few random characters can significantly increase the complexity of a pass phrase. A phrase such as: “Thi$ is my #difficult& p@ssphrase.” can be considered reasonably safe.

Safe Encryption

This section describes symmetric encryption using a password or pass phrase.

  • gpg --symmetric [--cipher-algo cipher] file → Symmetric Encryption of file to file.gpg.
    Optionally, pick the encryption cipher.
  • gpg file.gpg → Decryption of file.gpg to file.

Using GPG for Symmetric Encryption

Assuming you have a file called plain.txt you can use gpg with symmetric encryption thusly:

# gpg --symmetric plain.txt
Enter passphrase: 
Repeat passphrase:
 
# ls plain*
plain.txt  plain.txt.gpg 

# /bin/rm plain.txt

To decrypt plain.txt.gpg

# gpg plain.txt.gpg
gpg: CAST5 encrypted data
Enter passphrase: 
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

# cat plain.txt
This is plain text.

By default, GPG uses the CAST5 cipher for symmetric encryption. This cipher is generally considered a safe choice. However, if you prefer another cipher algorithm, run gpg --version to see what methods are available.

gpg (GnuPG) 1.4.1
Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512
Compression: Uncompressed, ZIP, ZLIB, BZIP2

You can use any of the ciphers listed above by adding a --cipher-algo name option to your command line, for example:

gpg --symmetric --cipher-algo AES plain.txt
Enter passphrase: 
Repeat passphrase: 

# ls plain*
plain.txt  plain.txt.gpg 

# /bin/rm plain.txt

# gpg plain.txt.gpg
gpg: AES encrypted data
Enter passphrase: 
gpg: encrypted with 1 passphrase

For more information about the various cipher algorithms, you can check their Wikipedia pages:

Safer Encryption

This section explains how to use GPG set up a public/private key pair and how to use the keys for file encryption. Once you have a key pair, you can freely distribute your public key. Files encrypted using that key can (in practice) only be decrypted using your private key. If you are interested in the mathematical reasoning, read the above-referenced Wikipedia page on Public-key cryptography as well as the pages on RSA encryption, Integer factorization, andDiscrete logarithm.

Basic public key commands in gpg:

  • gpg --gen-key → Generate a new key pair.
  • gpg --list-public-keys → Display the contents of your public key ring.
  • gpg --list-secret-keys → Display the contents of your secret key ring.
  • gpg --import keyfile.gpg → Import a key to your keyring.
  • gpg --export [--armour] key_id → Export a public key.
    Optionally, ASCII-armor the output.
  • gpg --encrypt plain.txt → Encrypt a file using public key encryption.

Creating a Key Pair

Before you use GPG for public key encryption, you will need to generate a key pair. While the default settings are probably sufficient for most users, you can tweak a large number of the individual options such as key size and algorithms.

The following is a slightly abbreviated interactive key generation session:

# gpg --gen-key
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: J. Random User
Email address: jruser(at)cs.utk.edu
Comment: 
You selected this USER-ID:
    "J. Random User "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter Passhrase:
Repeat Passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++.++++++++++++++++++++.+++++++++++++++
.+++++++++++++++.++++++++++.+++++++++++++++++++++++++++++++++++>++++++++++.
.>++++++++++.......................+++++

gpg: /home/jruser/.gnupg/trustdb.gpg: trustdb created
gpg: key F6631C4C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/F6631C4C 2007-01-18
      Key fingerprint = 45F3 A337 6785 4DA8 FDA8  BB23 A75A 0FDB F663 1C4C
uid                  J. Random User 
sub   2048g/A0C6B76F 2007-01-18

It is very important that you choose a safe password or pass phrase for the key, the same as you would for symmetric encryption. This password is used to encrypt the copy of your private key that is being kept on disk.

Managing your Keyrings

The first time you use GPG to generate a key pair or to encrypt a file using public key encryption, the software sets up two “key rings” for you. The public key ring contains your public key(s) as well as any public keys you have imported from other GPG (or PGP) users. The secret key ring contains all your personal private keys, often just one. The keys in the secret key ring are used to decrypt cipher text or to digitally sign files or email, while the keys in the public key ring are used to encrypt plain text or to verify digital signatures.

To view the contents of your keyrings use the gpg --list-public-keys and gpg --list-secret-keys commands. For example:

# gpg --list-public-keys
/home/jruser/.gnupg/pubring.gpg
----------------------------------
pub   1024D/F6631C4C 2007-01-18
uid                  J. Random User 
sub   2048g/A0C6B76F 2007-01-18

pub   1024D/D83511F6 2001-06-26
uid                  Gerald W. Carter 
sub   1024g/1FB5F197 2001-06-26

pub   2048R/DB539AED 2006-05-05 [expires: 2007-05-15]
uid                  Apple Product Security 
sub   2048R/63F2948C 2006-05-05 [expires: 2007-05-15]

# gpg --list-secret-keys 
/home/jruser/.gnupg/secring.gpg
-------------------------------
sec   1024D/F6631C4C 2007-01-18
uid                  J. Random User 
ssb   2048g/A0C6B76F 2007-01-18

In general, you will probably only ever need to import new public keys into your key ring if you want to encrypt files for other users. Many people freely publish their public keys online such as on their web pages or in email. Another way to retrieve other people's public keys is to use a key server. You can read the manual page (run man gpg) for GPG to learn how to access key servers.

A big problem in creating a Public Key Infrastructure (PKI) is to ensure that a public key really “belongs” to the person who claims to be the owner of said key. GPG addresses this problem with a “web of trust” model. This works through an idea of the transitivity of trust, i.e. if A trusts B and B trusts C then A has good reason to trust C. After you import another user's public key, you can digitally sign it, thus vouching for the legitimacy of that key. For example, if you sign J. Random User's public key and then send it back to him or upload it to a public key server, J. Random can then merge your signature with others', increasing his trustworthiness. When another GPG user examines J. Random's public key she will see your signature. If she already trusts your key (e.g. because you handed it to her in the past) she now has good reason to also trust J. Random User's public key.

To import a third-party public key, run the gpg --import command on the key file. Public keys are often distributed inASCII-armored format (more about that below) and may look similar to this (abbreviated):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (Darwin)

mQGiBDslOIMRBACZAZpDi9dK9tU+r7yHaansmBiFdNaw0LXerKzFel3NrWxJcqEQ
7bP/kigJzdoWE2r9GNWNgwZqMQ7WJ1tVOFQfWlKbDVi47qOwTXGQgxD3idjWtfoS
JImPZrGpR/5jrcWhdaSKrieuzZ27oZOWoDvFsrCrAWDsvvmdZumOdwuo5wCguxFw
V6b5S9P9Pti5TZZUXx3adwUEAIhoe/1Smg1G5U1D6HhEK6C0bK6qTdSxL436F1s1
.
.
.
-----END PGP PUBLIC KEY BLOCK-----

Importing a new public key will look similar to this:

# gpg --import publickey.gpg
gpg: key D6AC4AEB: public key "Some O. User " imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

To learn more about trust options for keys, the various trust models, how to sign keys, etc, please read the GPG Documentation.

Extracting Your Private Key

You may want to, at different times, extract your public key from your key ring (e.g. to post it on a web site, email it to other users, etc.). By handing your public key to another user, they gain the ability to encrypt files for your use. By default, GPG creates files in a binary format. This is acceptable for keys that are distributed on electronic media such as CDs or USB keys. However, if you are planning to distribute a key via the web or email, it is often useful to “ASCII-armor” the file. This simply creates a text-only representation of your key as seen in the above example. To extract your key, run gpg --export --armour userid where userid is any unique part of your key's ID (such as your email address). This dumps the key to standard output, so you can use standard shell redirection to capture the key file:

# gpg --export --armour jruser(at)cs.utk.edu > jruser_pubkey.gpg
# head -n 5 jruser_pubkey.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.1 (GNU/Linux)

mQGiBEWv0vIRBAD/OkuG1S+CJNvcA1UX8ugssu10Ts0etVcJhLgLAIbXqiWYWjJb
rKidUX/NKqEPisiF8dLnzJ5Q1RBQ5NIKaLJ80TJUkwlVARZFM8DlsAmqhelM1CgU

Encrypting Files Using Your Public Key

To encrypt a file using your public key, use the gpg –encrypt command. This will give you an interactive session asking for the recipient(s) of the encrypted file. In many cases that recipient will simply be you yourself. However, if you want others whose public keys you have in your keyring to also decrypt the file, you can specify multiple recipients.

# gpg --encrypt plain.txt
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: jruser

Current recipients:
2048g/A0C6B76F 2007-01-18 "J. Random User "

Enter the user ID.  End with an empty line: 

# ls plain*
plain.txt  plain.txt.gpg

As with extracting keys, you can add the --armour option to generate an ASCII output file. To encrypt files in a non-interactive fashion, you can specify the recipient(s) on the command-line using the --recipients id [id …] option such as:

# gpg --encrypt --recipient jruser souser plain.txt

Decrypting Files Using Your Private Key

Decrypting files that were encrypted using your public key (whether by you or by others) works the same as in symmetric key encryption by simply running gpg on the encrypted file:

# gpg plain.txt.gpg

You need a passphrase to unlock the secret key for
user: "J. Random User "
2048-bit ELG-E key, ID A0C6B76F, created 2007-01-18 (main key ID F6631C4C)

Enter passphrase:

gpg: encrypted with 2048-bit ELG-E key, ID A0C6B76F, created 2007-01-18
      "J. Random User "

Safest Encryption

There are several ways to make encryption even safer. As mentioned above, you should use a sufficiently “random” password or pass phrase. When using public key encryption, create a key with a significant key size (1kb or more). One big problem is that here at CS you are likely to keep encrypted files on the same file system as your key file. While reversing your public key encryption on a file may be close to impossible without the key, if your private key is compromised alongside with encrypted files, an attacker only has to crack the password encryption on the key file and can then crack any file encrypted with the corresponding public key.

To make this scenario virtually impossible, you can keep your key files on media separate from your encrypted files. Naturally, it is simple to copy encrypted files to a CD or a USB key but this might involve shuffling a large number of files around. It may be more convenient to keep your key files on external media and only mount that media whenever you need to encrypt or decrypt any of your files. GPG provides a relatively easy way to do this by using the --homedir option or the $GNUPGHOME environment variable.

Keeping Your Key Files On Separate Media

Note: If you are keeping your GPG keys on read-only media (CDs, DVDs, etc.), you will need to create new keys and perform any editing on your keyrings (such as importing new public keys) on writable media and then copy your key files to the read-only file system (e.g. re-burn the CD).

Assuming the media where you want to keep your keys is mounted on your system as /media/keys, you can set your $GNUPGHOME environment variable to /media/keys and then perform all GPG actions as before. If /media/keys does not contain a .gnupg directory yet, you can have GPG create one by generating a new key pair or you can copy an existing .gnupg to the media. You can have the $GNUPGHOME available at all times by adding it to your shell's initialization files. See the Dotfiles documentation for more help.

A sample session using $GNUPGHOME might look like this:

# ls -la /media/keys
drwx------  2 jruser root 4096 Jan 18 17:01 ./
drwxr-xr-x  5 root   root 4096 Jan 18 17:01 ..

# export GNUPGHOME=/media/keys/.gnupg

#  gpg --gen-key 
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/media/keys/.gnupg' created
gpg: new configuration file `/media/keys/.gnupg/gpg.conf' created
gpg: WARNING: options in `/media/keys/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/media/keys/.gnupg/secring.gpg' created
gpg: keyring `/media/keys/.gnupg/pubring.gpg' created

[omitted]

pub   1024D/FE9FE752 2007-01-18
      Key fingerprint = FDC3 9C02 B3EF F4FB 4B7F  10F0 4CD8 D4D1 FE9F E752
uid                  J. Random User 
sub   2048g/DD9296F6 2007-01-18
 
# ls -la /media/keys
drwx------  3 jruser root     4096 Jan 18 17:11 ./
drwxr-xr-x  5 root   root     4096 Jan 18 17:01 ../
drwx------  2 jruser domusers 4096 Jan 18 17:12 .gnupg/

Similarly, you could have copied an existing .gnupg directory to /media/keys and simply used all the keys, settings, etc. stored in that directory. Instead of using the $GNUPGHOME variable, you can also add a --homedir option to any gpg command line (e.g. --homedir /media/keys/.gnupg).

Advanced Topics

  • gpg --sign → Sign a file - may be combined with various encryption options.
  • gpg --verify file → Verify the signature on (plain text) file.
  • gpg --sign-key keyid → Sign the key with id keyid.

There are many more options fir signing files and keys. Please read the manual page (run man gpg) for more information.

Digital Signatures

There are many advanced topics and options available to the interested used when using public key encryption. For example, you can use your private key to digitally sign a file. This provides file authentication, integrity verification, and some measure of non-repudiation of a file's contents. What this means is that someone verifying a digital signature can be sure that a file or message was generated by the original user, that it was not tampered with in transport, and that the original signer cannot disavow authorship. Similarly, you can sign another public key to lend it your imprimatur. As only your private key can generate your signature, others can trust that you felt that the signed key was genuine.

A signature is created by running a hash function on the file's contents and then encrypting the resulting hash using the signer's private key. The recipient of a file or email message can then decrypt the hash using the user's freely available public key. Since only the signer's private key could have been used to encrypt that hash, the message is authenticated. Additionally, by computing another hash of the plain text and comparing it with the one obtained from the signature, the recipient can determine whether or not the message was tampered with in transit. If the hashes match, the message was not altered.

SIGNING A FILE

Here is an example transaction using encryption and signing. User jruser:

gpg --encrypt --recipient souser --sign plain.txt

You need a passphrase to unlock the secret key for
user: "J. Random User "
1024-bit DSA key, ID F6631C4C, created 2007-01-18

Enter passphrase:

gpg: 1D421216: There is no assurance this key belongs to the named user

pub  1024g/1D421216 2001-06-11 Some O. User 
 Primary key fingerprint: 0D2D 98CF 3EEE 71E0 6949  DE0E 54A2 7626 D6AC 4AEB
      Subkey fingerprint: 5EBC AC5D C53F 3A00 21F6  B322 F9BB A31B 1D42 1216

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y

Note that jruser was warned that there was no assurance that the key belonged to souser. Had we previously signed this key, this question would not have been asked.

User souser will now decrypt the file plain.txt.gpg. Note that GPG will automatically attempt to verify a signature if present:

# gpg --decrypt plain.txt.gpg
You need a passphrase to unlock the secret key for
user: "Some O. User "
1024-bit ELG-E key, ID 1D421216, created 2001-06-11 (main key ID D6AC4AEB)

Enter passphrase:
gpg: encrypted with 1024-bit ELG-E key, ID 1D421216, created 2001-06-11
      "Some O. User "
This is plain text.
gpg: Signature made Fri Jan 19 15:13:56 2007 EST using DSA key ID F6631C4C
gpg: Good signature from "J. Random User "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 45F3 A337 6785 4DA8 FDA8  BB23 A75A 0FDB F663 1C4C

Again, since jruser's public key was not signed by souser, GPG warned that there was no indication that the signature actually belonged to Some O. User. Also notice that GPG printed the contents of plain.txt (“This is plain text.”) to standard output. You can redirect this to a file with the --output plain.txt option.

SIGNING KEYS

To sign a key you trust, use the --sign-key keyid option:

# gpg --sign-key jruser 
pub  1024D/F6631C4C  created: 2007-01-18  expires: never       usage: CS  
                     trust: unknown       validity: unknown
sub  2048g/A0C6B76F  created: 2007-01-18  expires: never       usage: E   
[ unknown] (1). J. Random User 


pub  1024D/F6631C4C  created: 2007-01-18  expires: never       usage: CS  
                     trust: unknown       validity: unknown
 Primary key fingerprint: 45F3 A337 6785 4DA8 FDA8  BB23 A75A 0FDB F663 1C4C

     J. Random User 

Are you sure that you want to sign this key with your
key "Some O. User " (D6AC4AEB)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Some O. User "
1024-bit DSA key, ID D6AC4AEB, created 2001-06-11

Enter passphrase: 

Now decryption will no longer warn you that keys are not known to be associated with a specific person (abbreviated example):

Enter passphrase:
gpg: encrypted with 1024-bit ELG-E key, ID 1D421216, created 2001-06-11
      "Some O. User "
This is plain text.
gpg: Signature made Fri Jan 19 15:13:56 2007 EST using DSA key ID F6631C4C
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   2  signed:   0  trust: 1-, 0q, 0n, 0m, 1f, 0u
gpg: Good signature from "J. Random User "

Copying Keys to Personal Computers

Assuming you generated a public/private key pair on your UTKCS Unix/Linux account, you might want to use the same key (or keys) on your personal Linux, Windows, or Macintosh system. This section explains how to use the same keys you generated for use in your CS account on your personal computer. This becomes important, for example, if you are going to use GPG to encrypt email that is sent from an email client on your PC. Since most keys generated with GPG are compatible with PGP (Pretty Good Privacy), you can also use some of the commercially available PGP packets with the same keys.

GPG For Linux

Most Linux distributions will have a pre-compiled package of GPG available as part of their package management systems. You can also download the sources from http://www.gnupg.org/download/ and compile and install them yourself. The easiest method to set it up is simply to copy the entire ”.gnupg” folder from your UTKCS home area to your Linux home area on your PC/Laptop. Once you've copied this directory, the GPG command should now work the same on both systems.

GPG for Windows

Installing

The GPG package is also available in a command-line form for Microsoft Windows athttp://www.gnupg.org/download/#auto-ref-2 - this is an installer package, so you won't need to do any compilation. Be sure to add the “Destination Folder” used during the install process (most likely C:\Program Files\GNU\GnuPG) to your cmd.com or command.com search PATH. To do this in Windows XP, open the “System” control panel, select the “Advanced” tab and click the “Environment Variables” button. Select the PATH variable from the list of “User variables” at the top of the window and click the “Edit” button. If the “Variable value” field is empty, simply add the “Destination Folder” from the GPG install; if it already contains any entries, append a semicolon (;) and then the folder. To save, keep clicking OK until you have left the System control panel.

Copying Keys

You will need to copy the ”.gnupg” folder from your UTKCS home area into the “Application Data” folder of your Windows user account and remove the leading dot. To do this, first use your favorite SFTP or SCP program (see Remote Access) to copy your .gnupg folder to your Windows system – it's OK to have it copied to the Desktop for now. Note that you may have to select the viewing of “hidden” files in your SFTP client program to be able to see files beginning with a dot. Next, rename the ".gnupg" folder to "gnupg".

Now browse to the “Documents and Settings” folder on your main Windows installation hard drive, probably C:\. Find the folder whose name matches your user name and browse to it. (If you do not see a folder labeled “Application Data”, select “Folder Options” from the Tools menu. Then click the “View” tab, and under “Advanced Settings” find “Hidden files and folders” and select “Show hidden files and folders”. After clicking OK, you should see an “Application Data” folder.) Move the “gnupg” folder from your Desktop to this folder.

GUI Frontend

Now you can use all the same gpg commands as described above from within DOS command-line windows in Windows XP. If you prefer not to have to use the command line, there are graphical GPG front-ends available for Windows. You might want to try “WinPT”, available at: http://winpt.sourceforge.net WinPT contains a graphical key manager, graphical encryption/decryption options, etc. It also automatically associates .gpg files with itself, so you can just double-click on files to decrypt them. WinPT also contains a Windows shell extension, so you can right-click on a file and get options for encryption, signing, etc.

GPG For Mac OS X

A Mac OS X version of the Gnu Privacy Guard is available at http://macgpg.sourceforge.net/ and contains all the files you need to be up and running with GPG on the command-line (terminal). Simply install the latest version, then copy your ”.gnupg” directory from your UTKCS home area to your Mac user's home area using SCP, SFTP, rsync, or your favoriteGUI file transfer tool. If you prefer, there is a GUI front-end available at the same site called “GPGFileTool” which you can install in addition to the main GPG package.


 

The University of Tennessee, Knoxville. Big Orange. Big Ideas.

Knoxville, Tennessee 37996 | 865-974-1000
The flagship campus of the University of Tennessee System