DEV Community

Cover image for How to use GnuPG for encrypting files on MacOS
Efe Ertugrul
Efe Ertugrul

Posted on • Updated on

How to use GnuPG for encrypting files on MacOS

GnuPG is an implementation of OpenPGP standard.
People use it for public-private key encryption.
It is one of the tools that Edward Snowden used to uncover the secrets of the NSA.

GnuPG is a complex tool.
I will only show you how to use it for file encryption without using keys.
And i will show some configuration files to make commands more simple.

I assume you know how to use a Unix console and have Homebrew package manager installed.

First you should install GnuPG with Homebrew:

brew install gnupg
Enter fullscreen mode Exit fullscreen mode

This will install GnuPG version 2.2.19 (or later)

Check installation:

gpg --version
Enter fullscreen mode Exit fullscreen mode

You should be able to see something like this:

gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Enter fullscreen mode Exit fullscreen mode

Now we can use GnuPG.

I have a text file named test.txt.
It contains this text:

this is a test file
Enter fullscreen mode Exit fullscreen mode

To encrypt test.txt file i will use this command:

gpg -c --armor --cipher-algo AES256 --no-symkey-cache --output test.asc test.txt 
Enter fullscreen mode Exit fullscreen mode

This command will ask you a password and create an encrypted version of test.txt file and save as test.asc file.

Command explanation:

-c means use symmetric cipher so you will enter a password for that file.
--armor is for a readable ascii output so you can easily copy/paste it.
--cipher-algo AES256 is for using AES-256 cipher. (U.S. government using it so why not)
--no-symkey-cache means GnuPG will not remember password. If you don't enter this --decrypt command won't ask your passphrase.
--output test.asc means save encrypted file as test.asc

Now i have test.asc (encrypted test.txt).
It contains this text:

-----BEGIN PGP MESSAGE-----

jA0ECQMCFBL2lERVNBzj0kwBXxdKtTQSCu4aHyiP93EfUjqYX+Qsp6sWAF+RHUMW
rqjQiLMSlSrxnBxG0E+qfoTmN+26Qb0qd9XAY7S3OTQTfi6XyvjjrNr0yiJ9
=r3J6
-----END PGP MESSAGE-----
Enter fullscreen mode Exit fullscreen mode

As you can see it is readable but meaningless.
This is because of the --armor option we added to the command.

To decrypt test.asc file i will use this command:

gpg --decrypt --no-symkey-cache --output test1.txt test.asc
Enter fullscreen mode Exit fullscreen mode

This command will ask you the password you used and if it is correct it will create a decrypted file as test1.txt.

Now i have test1.txt.
It contains this text:

this is a test file
Enter fullscreen mode Exit fullscreen mode

Configuration Files

There are some configuration files im using.
I will show you how to create these files.
These configuration files are not neccessary but they are shortening the commands i use everyday.

GnuPG creates a folder for itself.
It is normally in your $HOME folder named .gnupg.
It contains caches, your keyrings, your configuration files.
So go there and create a file named gpg.conf.(if it doesn't exists)

Write these in gpg.conf:

armor
personal-cipher-preferences AES256
verbose
use-embedded-filename
Enter fullscreen mode Exit fullscreen mode

Save it.

Now create another configuration file named gpg-agent.conf.(gpg-agent comes with gnupg installation)

Write these in gpg-agent.conf:

default-cache-ttl 0
max-cache-ttl 0
disable-scdaemon
Enter fullscreen mode Exit fullscreen mode

default-cache-ttl 0 and max-cache-ttl 0 disables password cache. disable-scdaemon disables smart card daemon program. Smart Card program starts automatically whenever gpg-agent starts. I don't use smart cards so i'm disabling it.

Save it.

Now actually you should restart your gpg-agent program manually.

Kill it with this command:

gpgconf --kill gpg-agent
Enter fullscreen mode Exit fullscreen mode

It will launch automatically when you call gpg.
If it doesn't you can run this command to launch it:

gpgconf --launch gpg-agent
Enter fullscreen mode Exit fullscreen mode

Anyway now we don't need to add any options. We can simply run our command like this:

gpg -c test.txt
Enter fullscreen mode Exit fullscreen mode

This command will automatically create a file named test.txt.asc with cipher aes-256, also in ascii format and won't remember the password.

To decrypt it simply enter this command:

gpg -d test.txt.asc
Enter fullscreen mode Exit fullscreen mode

It will create a decrypted file as text.txt.

This is one of the ways to use GnuPG.
As i said before it does so much more.
You can look for more info here at GnuPG

Discussion (0)