{"id":9419,"date":"2022-05-13T20:00:00","date_gmt":"2022-05-13T20:00:00","guid":{"rendered":"http:\/\/ci02a1030020002661"},"modified":"2025-10-01T13:03:43","modified_gmt":"2025-10-01T18:03:43","slug":"how-to-lock-secret-files-with-gpg","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/how-to-lock-secret-files-with-gpg","title":{"rendered":"How To Lock And Protect Away Secret Files With GNU Privacy Guard"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><p>In this guide, I will explain the options at your disposal for encrypting files using open-source software on a Linux, Mac, or Windows computer. You can then transport this digital information across distance and time, to yourself or others.<\/p>\n<p>The program \u201cGNU Privacy Guard\u201d (GPG), an open-source version of PGP (Pretty Good Privacy), allows:<\/p>\n<ol>\n<li>Encryption using a password.<\/li>\n<li>Secret messaging using public\/private key cryptography.<\/li>\n<li>Message\/Data authentication (using digital signatures and verification).<\/li>\n<li>Private key authentication (used in Bitcoin).<\/li>\n<\/ol>\n<h2>Option One<\/h2>\n<p>Option one is what I\u2019ll be demonstrating below. You can encrypt a file using any password you like. Any person with the password can then unlock (decrypt) the file to view it. The problem is, how do you send the password to someone in a secure way? We\u2019re back to the original problem.<\/p>\n<h2>Option Two<\/h2>\n<p>Option two solves this dilemma (how-to here). Instead of locking the file with a password, we can lock it with someone\u2019s public key \u2014 that \u201csomeone\u201d is the intended recipient of the message. The public key comes from a corresponding private key, and the private key (which only the \u201csomeone\u201d has) is used to unlock (decrypt) the message. With this method, no sensitive (unencrypted) information is ever sent.
Very nice!<\/p>\n<p>The public key is something that can be distributed over the internet safely. Mine is <a href=\"https:\/\/armantheparman.com\/pubkey\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, for example. Public keys are usually sent to keyservers. Keyservers are like nodes that store public keys. They keep and synchronize copies of people\u2019s public keys. Here\u2019s one:<\/p>\n<p><a href=\"https:\/\/keyserver.ubuntu.com\/\" target=\"_blank\" rel=\"noopener\">Ubuntu Keyserver<\/a><\/p>\n<p>You can enter my <a href=\"https:\/\/armantheparman.com\/about-contact\/\" target=\"_blank\" rel=\"noopener\">email<\/a> and find my public key in the result. I\u2019ve also stored it <a href=\"https:\/\/armantheparman.com\/pubkey\/\" target=\"_blank\" rel=\"noopener\">here<\/a>, so you can compare it with what you found on the server.<\/p>\n<h2>Option Three<\/h2>\n<p>Option three is not about secret messages. It is about checking that a message has not been altered during its delivery. It works by having someone with a private key <em>sign<\/em> some digital data. The data can be a letter or even software. The process of signing creates a digital signature (a large number derived from the private key and the data that\u2019s getting signed). Here\u2019s what a digital signature looks like:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2025\/01\/121_image2.png\" title=\"\"><\/figure>\n<p>It\u2019s a text file that begins with a \u201cbegin\u201d signal, and ends with an \u201cend\u201d signal. In between is a bunch of text that actually encodes an enormous number.
This number is derived from the private key (a giant number) and the data (which is actually always a number also; all data is zeros and ones to a computer).<\/p>\n<p>Anyone can verify that the data has not been changed since the original author signed it by taking the:<\/p>\n<ol>\n<li>Public key<\/li>\n<li>Data<\/li>\n<li>Signature<\/li>\n<\/ol>\n<p>The output of the query will be TRUE or FALSE. TRUE means that the file you downloaded (or message) has not been modified since the developer signed it. Very cool! FALSE means that the data has changed or the wrong signature is being applied.<\/p>\n<h2>Option Four<\/h2>\n<p>Option four is like option three, except that instead of checking whether the data has been modified, a TRUE result means that the signature was produced by the private key associated with the public key offered. In other words, the person who signed has the private key to the public key that we have.<\/p>\n<p>Interestingly, this is all that Craig Wright would have to do to prove he is Satoshi Nakamoto. He doesn\u2019t have to actually spend any coins.<\/p>\n<p>We already have the addresses (similar to public keys) that are owned by Satoshi. Craig can then produce a signature with his private key to those addresses, combined with any message such as \u201cI really am Satoshi, haha!\u201d and we can then combine the message, the signature, and the address, and get a TRUE result if he is Satoshi, and a CRAIG_WRIGHT_IS_A_LIAR_AND_A_FRAUD result if he isn\u2019t.<\/p>\n<h2>Option Three And Four \u2014 The Difference.<\/h2>\n<p>It\u2019s actually a matter of what you trust.
If you trust that the sender owns the private key to the public key you have, then verification checks that the message has not changed.<\/p>\n<p>If you don\u2019t trust the private key \/ public key relationship, then verification is not about the message changing, but the key relationship.<\/p>\n<p>It\u2019s one or the other for a FALSE result.<\/p>\n<p>If you get a TRUE result, then you know that BOTH the key relationship is valid, AND the message is unaltered since the signature was produced.<\/p>\n<h2>Get GPG For Your Computer<\/h2>\n<p>GPG already comes with Linux operating systems. If you are unfortunate enough to be using a Mac, or God forbid a Windows computer, then you\u2019ll need to download software with GPG. <a href=\"https:\/\/armantheparman.com\/gpg\/\" target=\"_blank\" rel=\"noopener\">Instructions to download and how to use it on those operating systems can be found here.<\/a><\/p>\n<p>You don\u2019t need to use any of the graphical components of the software; everything can be done from the command line.<\/p>\n<h2>Encrypting Files With A Password<\/h2>\n<p>Create the secret file. This can be a simple text file, or a zip file containing many files, or an archive file (tar). Depending on how sensitive the data is, you might consider creating the file on an air-gapped computer. This can be either a desktop computer built with no WiFi components and never connected to the internet by cable, or a Raspberry Pi Zero v1.3, which you can build very cheaply, with <a href=\"https:\/\/armantheparman.com\/how-to-set-up-a-raspberry-pi-zero-air-gapped-with-electrum-desktop-wallet\/\" target=\"_blank\" rel=\"noopener\">instructions here.<\/a><\/p>\n<p>Using a terminal (Linux\/Mac) or CMD.exe (Windows), change your working directory to wherever you put the file.
If that makes no sense, search the internet and in five minutes you can learn how to navigate the file system specific to your operating system (search: \u201cYouTube navigating file system command prompt\u201d and include your operating system\u2019s name).<\/p>\n<p>From the correct directory, you can encrypt the file (\u201cfile.txt\u201d for example) like this:<\/p>\n<p>gpg -c file.txt<\/p>\n<p>That\u2019s \u201cgpg\u201d, a space, \u201c-c\u201d, a space, and then the name of the file.<\/p>\n<p>You\u2019ll then be prompted for a password. This will encrypt the new file. If you\u2019re using GPG Suite on the Mac, notice the \u201cSave in Keychain\u201d is checked by default (see below). You might want to not save this password if it\u2019s particularly sensitive.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2025\/01\/166_image1.png\" title=\"\"><\/figure>\n<p>Whichever OS you use, the password will be saved in memory for 10 minutes. You can clear it like this:<\/p>\n<p>gpg-connect-agent reloadagent \/bye<\/p>\n<p>Once your file is encrypted, the original file will remain (unencrypted), and a new file will be created. You must decide if you will delete the original or not. The new file\u2019s name will be the same as the original but there\u2019ll be a \u201c.gpg\u201d at the end. For example, \u201cfile.txt\u201d will create a new file called \u201cfile.txt.gpg\u201d. You can then rename the file if you wish, or you could have named the file by adding extra options in the command above, like this:<\/p>\n<p>gpg -c --output MySecretFile.txt file.txt<\/p>\n<p>Here, we have \u201cgpg\u201d, a space, \u201c-c\u201d, a space, \u201c--output\u201d, a space, the filename you want, a space, the name of the file you are encrypting.<\/p>\n<p>It\u2019s a good idea to practice decrypting the file.
This is one way:<\/p>\n<p>gpg file.txt.gpg<\/p>\n<p>This is just \u201cgpg\u201d, a space, and the name of the encrypted file. You don\u2019t need to add any options.<\/p>\n<p>The GPG program will guess what you mean and will attempt to decrypt the file. If you do this immediately after encrypting the file, you may not be prompted for a password because the password is still in the computer\u2019s memory (for 10 minutes). Otherwise, you\u2019ll need to enter the password (GPG calls it a passphrase).<\/p>\n<p>You will notice with the \u201cls\u201d command (Mac\/Linux) or \u201cdir\u201d command (Windows), that a new file has been created in your working directory, without the \u201c.gpg\u201d extension. You can read it from the command prompt with (Mac\/Linux):<\/p>\n<p>cat file.txt<\/p>\n<p>Another way to decrypt the file is with this command:<\/p>\n<p>gpg -d file.txt.gpg<\/p>\n<p>This is the same as before but with a \u201c-d\u201d option as well. In this case, a new file is not created, but the contents of the file are printed to the screen.<\/p>\n<p>You can also decrypt the file and specify the output file\u2019s name like this:<\/p>\n<p>gpg -d --output file.txt file.txt.gpg<\/p>\n<p>Here we have \u201cgpg\u201d, a space, \u201c-d\u201d which is not strictly required, a space, \u201c--output\u201d, a space, the name of the new file we want, a space, and finally the name of the file we are decrypting.<\/p>\n<h2>Sending The Encrypted File<\/h2>\n<p>You can now copy this file to a USB drive, or email it. It is encrypted. Nobody can read it as long as the password is good (long and complicated enough) and can\u2019t be cracked.<\/p>\n<p>You could send this message to yourself in another country by storing it in email or the cloud.<\/p>\n<p>Some silly people have stored their Bitcoin private keys to the cloud in an unencrypted state, which is ridiculously risky.
But if the file containing Bitcoin private keys is encrypted with a strong password, it\u2019s safer. This is especially true if it\u2019s not called \u201cBitcoin_Private_Keys.txt.gpg\u201d \u2013 Don\u2019t do that!<\/p>\n<p>WARNING: It\u2019s important to understand that in no way am I encouraging you to put your Bitcoin private key information on a computer (<a href=\"https:\/\/bitcoinmagazine.com\/guides\/how-to-use-a-bitcoin-hardware-wallet\">hardware wallets<\/a> were created to allow you to never need to do this). What I am explaining here is for special cases, under my guidance. My students in the <a href=\"https:\/\/armantheparman.com\/mentorship\/\" target=\"_blank\" rel=\"noopener\">mentorship program<\/a> will know what they are doing and will only use an air-gapped computer, and know all the potential risks and problems, and ways to avoid them. Please don\u2019t type seed phrases into a computer unless you are a security expert and know exactly what you are doing, and don\u2019t blame me if your bitcoin is stolen!<\/p>\n<p>The encrypted file can also be sent to another person, and the password can be sent separately, perhaps with a different communication device. This is the simpler, and less secure way, compared to option two explained at the beginning of this guide.<\/p>\n<p>There are actually all sorts of ways you can construct the delivery of a secret message across distance and time. If you know these tools and think hard and carefully about all the risks and scenarios, a good plan can be made. Or, I am available to assist.<\/p>\n<p>Good luck, and happy Bitcoining!<\/p>\n<p><em>This is a guest post by Arman The Parman.
Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc or <\/em>Bitcoin Magazine<em>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Users can take advantage of the cryptographic protection offered by GPG to secure files and data that they want to keep well under wraps.<\/p>\n","protected":false},"author":2824,"featured_media":7603,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[329,1467,422,2322,1831,2321,73,330],"class_list":{"0":"post-9419","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-cryptography","9":"tag-encryption","10":"tag-feature","11":"tag-gpg","12":"tag-martys-bent","13":"tag-pgp","14":"tag-privacy","15":"tag-security"},"author_data":{"id":2824,"name":"Arman The Parman","nicename":"arman-the-parman","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/atp2-96x96.png"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/54499d8a-5be5-458a-9d6a-529d1d6f9df2.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/9419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2824"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=9419"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/9419\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/7603"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=9419"}],"wp:term":[{"taxonomy":"c
ategory","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=9419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=9419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}