Any file or folder within Ubuntu can be encrypted so that it can only be decrypted with the use of a passphrase. What actually happens is that an encrypted version of the file or folder is created that requires a passphrase to unlock it. The original file or folder must then be deleted by the user. Whenever you wish to edit or view the file after this, you must double-click the encrypted file to extract a decrypted copy. Then, if you update the file in any way, you must re-encrypt it again.
This isn't the most user-friendly solution for protecting files and is best used with files that you wish to archive and access occasionally. A better solution of protecting files you regularly access is described in Tip 145, on page 188.
Some setup work is necessary before the files or folders can be encrypted, and you must generate a personal key pair, as described in Tip 172, on page 209, which explains how to encrypt and sign emails (in fact, essentially the same technique and underlying technology is used here).
Files encrypted using the method outlined in this tip aren't particularly "portable", which is to say, this isn't a system designed to let you copy files to another machine and decrypt them. For that to happen you would have to export your key pair, which represents a security risk. Nevertheless, how to do this is explained later in this tip.
First we look at creating a key pair, and then look at how to encrypt/decrypt files or folders.
Follow these steps to create a key pair, which is necessary before you can encrypt/password protect any files (note that you can skip these steps if you've already created a key pair by following the instructions in Tip 172, on page 209):
1. Click Applications ^ Accessories ^ Passwords and Encryption Keys to start the Seahorse application, which is used to manage all encryption keys within Ubuntu.
2. In the program window that appears, click the New button. In the dialog box that appears, select PGP Key and click the Continue button.
3. In the dialog box that appears, fill in the Full Name and Email Address fields (you can leave the Comment field blank). To be frank, the email field is only used if you later publish the public component of the key pair for email encryption purposes. If you don't intend to do this then it doesn't matter what you type. Note that you must type both a forename and surname into the Full Name text field.
4. In the Advanced key options dropdown, you can select to choose a different type of encryption, although the default choice of DSA Elgamal and 2048 bits is considered extremely secure and also flexible enough to meet most needs. Once done, click the Create button.
5. Following this, you'll be prompted for a passphrase. Essentially, this is the password that you will need to decrypt files. It's important that you make the passphrase something hard to second-guess but also memorable enough so you don't forget it. The passphrase can include letters, numbers, symbols and space characters.
6. Following this the key will be generated. Depending on the speed of your computer, this could take up to an hour. Once it's done, quit the Seahorse application.
Encrypting/decrypting files or folders
Once the key pair has been created, encrypting a file or folder is as simple as right-clicking it and selecting Encrypt. In the dialog box that appears, put a check alongside the key you created and then click OK, as shown in Figure 3.40.
If you've selected to encrypt a folder you'll be asked if you want to encrypt each file separately, or automatically create a zip archive which will then be encrypted. The latter is the best option in most cases.
If you password protected a file, once the encrypting process is complete you should find yourself with a new version of the file that has a .pgp extension. You can then delete the old file. If you encrypted a folder, you should find two files have been created—the protected .pgp version and a zip archive of the original folder. That archive, along with the original folder itself, can then be deleted.
For security reasons, the unencrypted versions should be permanently deleted, rather than just sent to the trash. To learn how to securely erase files, see Tip 113, on page 162. Before destroying the old file, however, you might want to first test-run decrypting the file.
To do so, just double-click the .pgp file and then type your passphrase when prompted. The original file will then reappear. In the case of a folder, the zip archive will appear, and you can then double-click it to extract the contents.
As mentioned in the introduction to this tip, this isn't a system designed to create portable encrypted files. To decrypt files on another computer, you need to export your key pair and the import it on the other computer. Anybody in possession of your key pair file along with any encrypted files will be able to decrypt them, so this represents a security risk. However, there are situations where it might be necessary to decrypt files on another machine. Here are the necessary steps:
1. On the computer that created the encrypted file(s), start Seahorse (Applications ^ Accessories ^ Passwords and Encryption Keys) and then right-click your personal key (the one created in the steps above). Select Properties from the menu that appears.
2. In the dialog box that appears, click the Details tab and click the Export button alongside the Export Complete Key heading. Save the file to the desktop. You will find a new file has been created with an .asc extension. This is your key pair in text format.
3. Copy the .asc file to a USB key stick or floppy disk and take it over to the second computer. Still on the second computer, start Seahorse (Applications ^ Accessories ^ Passwords and Encryption Keys) and click the Import button. Navigate to your key file and click Open. This will import the key. Following this, close Seahorse. You can then double-click any encrypted files to decrypt them.
4. If the other computer doesn't have Seahorse installed—perhaps if it's a different version of Linux, or maybe an older version of Ubuntu—copy the key file to the desktop and then type the following into a terminal window (these instructions assume gpg is installed, which is very likely):
$ gpg --import "/home/username/Desktop/key file.asc"
Obviously, you should replace keyfile.asc with the name of the .asc file, and username with your username. Then, to decrypt a file, type the following: $ gpg filename.pgp
Again, you should replace filename.pgp with the name of the file you wish to decrypt. You'll be prompted for your passphrase, so type it. Following this the original file will be restored in the same location as the .pgp file.
Note that you must ensure the internal PC clock is set correctly and shows the current time before exporting/importing keys. For various technical reasons, Seahorse and the gpg command cannot import a key if the time on the PC appears to be before the key file appears to have been created. Of course, this means that if the computer that created the key file had the wrong time, you will have real problems importing the key. The solution is to set your PC's clock to a time and date in the future. Then import the key, and return the PC's clock to the present time.
To have your computer always know the correct time, follow the steps in Tip 26, on page 83, which explains how to synchronize Ubuntu to Internet time servers.
Was this article helpful?