

How to encrypt a file.

Posted on 2013-11-16
Medium Priority
Last Modified: 2013-11-24
I want to simply encrypt a file using GnuPG on a Windows 7 PC:
gpg -c c:\aaa\test.txt
I get prompted for a passphrase...I enter it twice into the popup window.
File gets copied as test.txt.gpg (but the original file is sitting right beside it still, so I have to manually delete it) - so I delete it.
Now it is not very secure because someone can come along and right click the .gpg file and choose decrypt. And it does without asking for the very passphrase I applied to it.

How can I make it do the following:
encrypt the file with a passphrase and allow no way of opening it without entering the passphrase.
Question by:claghorn
LVL 41

Expert Comment

ID: 39654249
You can use zip-category software (7Zip, Winzip) to set a password on files.
Check the link below.
LVL 15

Accepted Solution

Giovanni Heward earned 2000 total points
ID: 39654568
"so I have to manually delete it - so I delete it."
If you did not securely delete it, then you'll need to overwrite that deleted data.  This can be done with the cipher command natively, or with the tools referenced below.

It appears that gpg-agent.exe is caching your symmetric key (password) in memory.  If you were to distribute your protected file, the symmetric key would be required to decrypt.

You can test this locally on your machine as follows:

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe
gpg -d test.gpg

Here are the switches supported by gpg-agent.exe:

Syntax: gpg-agent [options] [command [args]]
Secret key management for GnuPG


     --daemon                     run in daemon mode (background)
     --server                     run in server mode (foreground)
 -v, --verbose                    verbose
 -q, --quiet                      be somewhat more quiet
 -s, --sh                         sh-style command output
 -c, --csh                        csh-style command output
     --options FILE               read options from FILE
     --no-detach                  do not detach from the console
     --no-grab                    do not grab keyboard and mouse
     --log-file                   use a log file for the server
     --use-standard-socket        use a standard location for the socket
     --pinentry-program PGM       use PGM as the PIN-Entry program
     --scdaemon-program PGM       use PGM as the SCdaemon program
     --disable-scdaemon           do not use the SCdaemon
     --keep-tty                   ignore requests to change the TTY
     --keep-display               ignore requests to change the X display
     --default-cache-ttl N        expire cached PINs after N seconds
     --ignore-cache-for-signing   do not use the PIN cache when signing
     --no-allow-mark-trusted      disallow clients to mark keys as "trusted"
     --allow-preset-passphrase    allow presetting passphrase
     --enable-ssh-support         enable ssh support
     --enable-putty-support       enable putty support
     --write-env-file FILE        write environment settings also to FILE

Please report bugs to <>.

Use the --default-cache-ttl switch to expire your cache as desired.

Regarding automatic secure removal on the original file, it seems the included GUI, Kleopatra, provides an option to remove the unencrypted file (not certain as of yet if removal is secure, however) although it doesn't appear the GPG command provides for this same functionality.

To be on the safe side, I'd use another utility such as SDelete to accomplish the same purpose.  You can copy the stand-alone executable to the same folder as GPG4Win.

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt && sdelete -p 7 test.txt

Some other secure deletion apps are:

Pick any one which is US Department of Defense 5220.22-M compliant or uses Gutmann's algorithm (if overly paranoid).

See Secure File Deletion: Fact or Fiction?
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39655394
If you're looking to encrypt local files for your own use, rather than for secure distribution,  TrueCrypt may be a better alternative for you.

LVL 38

Expert Comment

by:Rich Rumble
ID: 39657864
Understand encryption and the product before you use them, also it's Asymmetric encryption :)
GPG does make an encrypted version, and you do have to delete or move the original somewhere else. Also you have to be in charge of your keys so that they aren't just sitting around with the source. It's like password protecting an attachment in email and sending the password in the body.
LVL 15

Expert Comment

by:Giovanni Heward
ID: 39657909
"also it's Asymmetric encryption"

Actually, while PGP/GPG support both asymmetric and symmetric algorithms, the examples provided are strictly symmetric (e.g. CAST5, AES)

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt

The default GPG cipher for file encryption is CAST5 (CAST-128), a symmetric block cipher.

PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally [asymmetric] public-key cryptography

Granted, a higher degree of confidentiality could be obtained by encrypting the symmetric key with an asymmetric public key, generated by a much stronger cryptosystem such as RSA/DSA/Elgamal 2048-bit.

But let's not confuse the poor lad.  :0)

Author Closing Comment

ID: 39673505
Yes, I have to kill the agent because it was caching the passphrase and using it at will.
And even when I reboot the computer the agent remains killed!
Which is good.

gpg --symmetric --cipher-algo aes256 -o test.gpg test.txt
taskkill /f /im gpg-agent.exe

then to decrypt I use:
gpg --output test.txt --decrypt test.gpg

and it asks for the passphrase regardless of whether it's from some GUI or from the command line, which is good.
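
Added example (not part of the original thread and not code from any poster): a PowerShell wrapper for the encrypt, flush-cache and wipe sequence discussed above that wipes the plaintext only after gpg has exited successfully and produced a non-empty output file. It assumes gpg.exe, gpg-connect-agent.exe and sdelete.exe are on PATH; the function name Protect-File is hypothetical, and it uses "gpg-connect-agent reloadagent /bye" to flush the agent's cached passphrases instead of force-killing the process.

```powershell
# Added example. Assumes gpg, gpg-connect-agent and sdelete are on PATH.
# Protect-File is a hypothetical helper name, not part of GnuPG or Gpg4win.
function Protect-File {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [int] $Passes = 7
    )

    $source = (Resolve-Path -LiteralPath $Path).Path
    $target = "$source.gpg"
    if (Test-Path -LiteralPath $target) {
        throw "Refusing to overwrite existing $target"
    }

    # Symmetric AES-256 encryption; gpg asks for the passphrase via pinentry.
    & gpg --symmetric --cipher-algo aes256 -o $target $source | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "gpg failed (exit code $LASTEXITCODE); $source left untouched"
    }

    # Never wipe the plaintext unless a non-empty ciphertext really exists.
    $out = Get-Item -LiteralPath $target -ErrorAction Stop
    if ($out.Length -eq 0) {
        throw "Empty output file $target; $source left untouched"
    }

    # Flush the passphrases cached by gpg-agent without killing the process.
    & gpg-connect-agent reloadagent /bye | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not flush the gpg-agent passphrase cache"
    }

    # Overwrite the plaintext, using the same SDelete switch as the answer.
    & sdelete -p $Passes $source | Out-Host
    if ($LASTEXITCODE -ne 0) {
        throw "sdelete failed (exit code $LASTEXITCODE); plaintext may remain"
    }
    return $target
}

# The path from the question; decrypt later with:
#   gpg --output test.txt --decrypt test.txt.gpg
Protect-File -Path 'C:\aaa\test.txt'
```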

