How to encrypt a file.

Posted on 2013-11-16
Last Modified: 2013-11-24
I want to simply encrypt a file using GnuPG on a Windows 7 PC:
gpg -c c:\aaa\test.txt
I get prompted for a passphrase...I enter it twice into the popup window.
File gets copied as test.txt.gpg (but the original file is sitting right beside it still, so I have to manually delete it) - so I delete it.
Now it is not very secure because someone can come along and right click the .gpg file and choose decrypt. And it does without asking for the very passphrase I applied to it.

How can I make it do the following:
encrypt the file with a passphrase and allow no way of opening it without entering the passphrase.
Question by:claghorn
LVL 35

Expert Comment

ID: 39654249
You can use zip-category software (7Zip, Winzip) to set a password on files.
Check the link below.
LVL 14

Accepted Solution

Giovanni Heward earned 500 total points
ID: 39654568
so I have to manually delete it - so I delete it.
If you did not securely delete it, then you'll need to overwrite that deleted data.  This can be done with the cipher command natively, or with the tools referenced below.

It appears that gpg-agent.exe is caching your symmetric key (password) in memory.  If you were to distribute your protected file, the symmetric key would be required to decrypt.

You can test this locally on your machine as follows:

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe
gpg -d test.gpg


Here are the switches supported by gpg-agent.exe:

Syntax: gpg-agent [options] [command [args]]
Secret key management for GnuPG


     --daemon                     run in daemon mode (background)
     --server                     run in server mode (foreground)
 -v, --verbose                    verbose
 -q, --quiet                      be somewhat more quiet
 -s, --sh                         sh-style command output
 -c, --csh                        csh-style command output
     --options FILE               read options from FILE
     --no-detach                  do not detach from the console
     --no-grab                    do not grab keyboard and mouse
     --log-file                   use a log file for the server
     --use-standard-socket        use a standard location for the socket
     --pinentry-program PGM       use PGM as the PIN-Entry program
     --scdaemon-program PGM       use PGM as the SCdaemon program
     --disable-scdaemon           do not use the SCdaemon
     --keep-tty                   ignore requests to change the TTY
     --keep-display               ignore requests to change the X display
     --default-cache-ttl N        expire cached PINs after N seconds
     --ignore-cache-for-signing   do not use the PIN cache when signing
     --no-allow-mark-trusted      disallow clients to mark keys as "trusted"
     --allow-preset-passphrase    allow presetting passphrase
     --enable-ssh-support         enable ssh support
     --enable-putty-support       enable putty support
     --write-env-file FILE        write environment settings also to FILE

Please report bugs to <>.

Use the --default-cache-ttl switch to expire your cache as desired.

Regarding automatic secure removal on the original file, it seems the included GUI, Kleopatra, provides an option to remove the unencrypted file (not certain as of yet if removal is secure, however) although it doesn't appear the GPG command provides for this same functionality.

To be on the safe side, I'd use another utility such as SDelete to accomplish the same purpose.  You can copy the stand-alone executable to the same folder as GPG4Win.

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt && sdelete -p 7 test.txt


Some other secure deletion apps are:

Pick any one which is US Department of Defense 5220.22-M compliant or uses Gutmann's algorithm (if overly paranoid).

See Secure File Deletion: Fact or Fiction?
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39655394
If you're looking to encrypt local files for your own use, rather than for secure distribution,  TrueCrypt may be a better alternative for you.

LVL 38

Expert Comment

by:Rich Rumble
ID: 39657864
Understand encryption and the product before you use them, also it's Asymmetric encryption  :)
GPG does make an encrypted version, and you do have to delete or move the original somewhere else. Also you have to be in charge of your keys so that they aren't just sitting around with the source. It's like password protecting an attachment in email and sending the password in the body.
LVL 14

Expert Comment

by:Giovanni Heward
ID: 39657909
also it's Asymmetric encryption

Actually, while PGP/GPG support both asymmetric and symmetric algorithms, the examples provided are strictly symmetric (e.g. CAST5, AES)

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt

The default GPG cipher for file encryption is CAST5 (CAST-128), a symmetric block cipher.

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally [asymmetric] public-key cryptography

Granted, a higher degree of confidentiality could be obtained by encrypting the symmetric key with an asymmetric public key, generated by a much stronger cryptosystem such as RSA/DSA/Elgamal 2048-bit.

But let's not confuse the poor lad.  :0)
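
Added example (not part of the original thread and not GnuPG's own code): a small Python parser that reads the OpenPGP packet headers at the start of a binary .gpg file and reports whether the session key is protected by a passphrase (packet tag 3, with the cipher named in it, e.g. CAST5 or AES256) or by a public key (packet tag 1). The function names and the sample bytes are constructed for illustration; ASCII-armored files are not handled.

```python
import sys

# Symmetric cipher and S2K type IDs from RFC 4880 (subset).
CIPHERS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}
# Constructed sample: passphrase packet (AES256, made-up salt) + dummy tag 18 packet.
SAMPLE = bytes.fromhex("8c0d04090302" "0011223344556677" "60" "d20301aabb")

def read_packet(data, pos):
    """Return (tag, body, next_pos) for the OpenPGP packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored file?)")
    if first & 0x40:                      # new-format header
        tag, o1 = first & 0x3F, data[pos + 1]
        if o1 < 192:
            length, start = o1, pos + 2
        elif o1 < 224:
            length, start = ((o1 - 192) << 8) + data[pos + 2] + 192, pos + 3
        elif o1 == 255:
            length, start = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        else:                             # partial body length: payload follows
            return tag, b"", len(data)
    else:                                 # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:                    # indeterminate length: runs to EOF
            return tag, data[pos + 1:], len(data)
        nbytes = 1 << ltype
        length = int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")
        start = pos + 1 + nbytes
    return tag, data[start:start + length], start + length

def describe_protection(data):
    """List how the session key of an OpenPGP message is protected."""
    found, pos = [], 0
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        if tag == 3:                      # symmetric-key ESK: passphrase + S2K
            found.append(("passphrase", CIPHERS.get(body[1], body[1]),
                          S2K_TYPES.get(body[2], body[2])))
        elif tag == 1:                    # public-key ESK: recipient key ID
            found.append(("public-key", body[1:9].hex().upper()))
        else:                             # encrypted data reached: stop
            break
    return found

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(describe_protection(blob))
```

Run it with the path to test.gpg as the only argument; with no argument it parses the constructed sample.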

Author Closing Comment

ID: 39673505
Yes, I have to kill the agent because it was caching the passphrase and using it at will.
And even when I reboot the computer the agent remains killed!
Which is good.

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe

then to decrypt I use:
gpg --output test.txt --decrypt test.gpg

and it asks for the passphrase regardless of whether it's from
some GUI or from the command line, which is good.

