How to encrypt a file.

Posted on 2013-11-16
Last Modified: 2013-11-24
I want to simply encrypt a file using GnuPG on Windows 7 PC
gpg -c c:\aaa\test.txt
I get prompted for a passphrase...I enter it twice into the popup window.
File gets copied as test.txt.gpg (but the original file is sitting right beside it still, so I have to manually delete it) - so I delete it.
Now it is not very secure because someone can come along and right click the .gpg file and choose decrypt. And it does without asking for the very passphrase I applied to it.

How can I make it do the following:
encrypt the file with a passphrase and allow no way of opening it without entering the passphrase.
Question by:claghorn
6 Comments
 
LVL 38

Expert Comment

by:Mahesh
ID: 39654249
You can use zip category software (7Zip, Winzip) to set password on files.
Check below link.
http://www.howtogeek.com/170352/
http://windows.microsoft.com/en-in/windows-vista/can-i-protect-files-or-folders-with-a-password
0
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 2000 total points
ID: 39654568
"so I have to manually delete it - so I delete it."
If you did not securely delete it, then you'll need to overwrite that deleted data.  This can be done with the cipher command natively, or with the tools referenced below.

It appears that gpg-agent.exe is caching your symmetric key (password) in memory.  If you were to distribute your protected file, the symmetric key would be required to decrypt.

You can test this locally on your machine as follows:

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe
gpg -d test.gpg

Here are the switches supported by gpg-agent.exe:

Syntax: gpg-agent [options] [command [args]]
Secret key management for GnuPG

Options:

     --daemon                     run in daemon mode (background)
     --server                     run in server mode (foreground)
 -v, --verbose                    verbose
 -q, --quiet                      be somewhat more quiet
 -s, --sh                         sh-style command output
 -c, --csh                        csh-style command output
     --options FILE               read options from FILE
     --no-detach                  do not detach from the console
     --no-grab                    do not grab keyboard and mouse
     --log-file                   use a log file for the server
     --use-standard-socket        use a standard location for the socket
     --pinentry-program PGM       use PGM as the PIN-Entry program
     --scdaemon-program PGM       use PGM as the SCdaemon program
     --disable-scdaemon           do not use the SCdaemon
     --keep-tty                   ignore requests to change the TTY
     --keep-display               ignore requests to change the X display
     --default-cache-ttl N        expire cached PINs after N seconds
     --ignore-cache-for-signing   do not use the PIN cache when signing
     --no-allow-mark-trusted      disallow clients to mark keys as "trusted"
     --allow-preset-passphrase    allow presetting passphrase
     --enable-ssh-support         enable ssh support
     --enable-putty-support       enable putty support
     --write-env-file FILE        write environment settings also to FILE

Please report bugs to <http://bugs.gnupg.org>.

Use the --default-cache-ttl switch to expire your cache as desired.

Regarding automatic secure removal on the original file, it seems the included GUI, Kleopatra, provides an option to remove the unencrypted file (not certain as of yet if removal is secure, however) although it doesn't appear the GPG command provides for this same functionality.

To be on the safe side, I'd use another utility such as SDelete to accomplish the same purpose. You can copy the stand-alone executable to the same folder as GPG4Win.

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt && sdelete -p 7 test.txt

Some other secure deletion apps are:
http://eraser.heidi.ie/
http://active-eraser.com/

Pick any one which is US Department of Defense 5220.22 M compliant or uses Gutmann's algorithm (if overly paranoid.)

See Secure File Deletion: Fact or Fiction?
http://www.sans.org/reading-room/whitepapers/incident/secure-file-deletion-fact-fiction-631
0
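The encrypt-then-wipe steps from the answer above as one PowerShell script, added here as an illustration and not part of the original post: it sets the agent's cache TTLs to 0 rather than killing the process, and wipes the plaintext only after a test decryption succeeds. It assumes gpg, gpg-connect-agent and sdelete are on PATH and that the GnuPG home is %APPDATA%\gnupg and already exists; `max-cache-ttl` and `reloadagent` are standard gpg-agent features that the post itself does not mention.

```powershell
# Added example. File locations are assumptions; adjust for your install.
param([Parameter(Mandatory = $true)][string]$Path)   # plaintext file to protect

$out       = "$Path.gpg"
$agentConf = Join-Path $env:APPDATA 'gnupg\gpg-agent.conf'   # assumed GnuPG home

# 1. Stop gpg-agent from remembering passphrases: with a TTL of 0 nothing is cached.
$wanted   = 'default-cache-ttl 0', 'max-cache-ttl 0'
$existing = if (Test-Path $agentConf) { Get-Content $agentConf } else { @() }
$missing  = $wanted | Where-Object { $existing -notcontains $_ }
if ($missing) { Add-Content -Path $agentConf -Value $missing }

# Have the agent re-read its config; a reload also flushes passphrases it holds.
& gpg-connect-agent reloadagent /bye | Out-Null

# 2. Encrypt with the command from the answer; gpg prompts for the passphrase.
& gpg --symmetric --cipher-algo aes256 -o $out $Path
if ($LASTEXITCODE -ne 0) { throw "gpg failed; '$Path' left untouched" }

# 3. Prove the ciphertext is usable before destroying the original.
#    With caching off this prompts again; a non-zero exit code means a wrong
#    passphrase or a damaged file, and the plaintext is kept.
& gpg --decrypt $out | Out-Null
if ($LASTEXITCODE -ne 0) { throw "test decryption failed; '$Path' left untouched" }

# 4. Only now overwrite and remove the plaintext (SDelete, 7 passes, as above).
& sdelete -p 7 $Path
if ($LASTEXITCODE -ne 0) { throw "sdelete failed; plaintext may still be on disk" }

Write-Output "Encrypted to $out; original wiped."
```

If the second passphrase prompt in step 3 does not appear, the agent is still serving a cached passphrase and the TTL settings have not taken effect.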
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39655394
If you're looking to encrypt local files for your own use, rather than for secure distribution,  TrueCrypt may be a better alternative for you.

See http://www.experts-exchange.com/Networking/Network_Management/Disaster_Recovery/Q_28295298.html#a39651525
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39657864
Understand encryption and the product before you use them, also it's Asymmetric encryption  :)
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
GPG does make an encrypted version, and you do have to delete or move the original somewhere else. Also you have to be in charge of your keys so that they aren't just sitting around with the source. It's like password protecting an attachment in email and sending the password in the body.
-rich
0
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39657909
"also it's Asymmetric encryption"
@richrumble

Actually, while PGP/GPG support both asymmetric and symmetric algorithms, the examples provided are strictly symmetric (e.g. CAST5, AES)

Hence...
gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt

The default GPG cipher for file encryption is CAST5 (CAST-128), a symmetric block cipher.

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally [asymmetric] public-key cryptography
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

Granted, a higher degree of confidentiality could be obtained by encrypting the symmetric key with an asymmetric public key, generated by a much stronger cryptosystem such as RSA/DSA/Elgamal 2048-bit.

But let's not confuse the poor lad.  :0)
0
 

Author Closing Comment

by:claghorn
ID: 39673505
Yes, I have to kill the agent because it was caching the passphrase and using it at will.
And even when I reboot the computer the agent remains killed!
Which is good.

so:
gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe

then to decrypt I use:
gpg --output test.txt --decrypt test.gpg

and it asks for the passphrase regardless if it's from
some gui or from the command line. which is good.

Thanks.
0
