Difference between revisions of "Gpg and macosx"
Revision as of 10:50, 2 July 2018
Welcome to Simone Giustetti's wiki pages.
GPG for MacOsX
Gnu Privacy Guard is a cryptographic software suite for personal use running on a wide variety of architectures, among them the Macintosh family of operating systems. Three distinct versions of GPG can run on the Mac:
- MacGPG is a port of the 1.4 development branch of GPG. Development has come to a halt and the packages are meant for old versions of OsX, providing support for legacy installations.
- GPGOsX is a port of the 2.1 stable branch of GPG. All of the new functionality of the 2.0 and recent 2.1 releases is included.
- GPGTools is an alternate port of the 2.0 stable branch of GPG. GPGTools includes many integrations with the standard software, such as the Apple Mail plug-in and a native GUI.
Both GPGOsX and GPGTools support recent OsX releases only. The minimum required version for both programs is 10.6 or 10.7. MacGPG is rather suitable for old architectures and as such is ideal for owners of PowerPC Macs, who will have to accustom themselves to the command line interface because no graphical one is provided.
Installing
The install procedures differ slightly for each program. You are invited to visit the home page of each one, where you'll find updated information and detailed instructions. Some links to web pages detailing the GPGTools installation procedure are available below:
- Step by step instructions to install GPGTools: http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever
- Another good tutorial, rich in images and details: https://www.encrypteverything.ca/index.php?title=Installing_and_configuring_GPGTools_for_Mac_to_encrypt_emails_and_files
Key Pair and Configuration
The above linked pages contain information about key pair creation. GPG uses a key pair to encrypt and decrypt files. The key pair is fundamental to GPG and encryption strength heavily depends on it. Please consult the program documentation (https://www.gnupg.org/documentation/manuals/gnupg-2.0) for more in-depth information. The basic concepts about encryption and GPG internals are summarized below:
- GPG uses asymmetric cryptography also known as public key cryptography.
- Asymmetric cryptography requires a key pair: a public key, used to encrypt information, and a private key needed to decrypt data.
- A copy of the public key should be delivered to whoever wishes to send you encrypted e-mails or files.
- The private key is secret and should never be shared with anyone.
- Information encrypted with the public key can be decrypted with the private one only.
- The private key can be protected using a passphrase. If stolen, a protected key cannot be used by unauthorized people who do not know the passphrase.
The key pair is the building block of GPG and as such should be created soon after installation so that the program can work. Key length is a sensitive matter and a frequent subject of discussion. A longer key grants stronger security in theory, but using longer keys involves some disadvantages that must be taken into account. GPG supports a maximum key length of 4096 bit, but you are still recommended to use the standard value of 2048 bit. The standard length is a good compromise between security and performance and it allows the use of external devices such as smart cards. The GPG FAQ (https://www.gnupg.org/faq/gnupg-faq.html) includes a discussion of key length where the advantages of using more than 2048 bits are weighed against the disadvantages.
The procedure for key generation is described below. Although some versions of GPG for Mac can be administered through a GUI, I'll use the command line interface because it is the only one common to all three programs.
- Start a terminal.
- Run command gpg --gen-key providing all of the requested information as in the example below:
    hostname:~ user1$ gpg --gen-key
    gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
       (1) DSA and Elgamal (default)
       (2) DSA (sign only)
       (5) RSA (sign only)
    Your selection? 1
    DSA keypair will have 1024 bits.
    ELG-E keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich heine (Der Dichter) <heinrichh@dusseldorf.de>"

    Real name: StudioSG
    Email address: studiosg@giustetti.net
    Comment: sg_test_03
    You selected this USER-ID:
        "StudioSG (sg_test_03) <studiosg@giustetti.net>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: key CE95C1E9 marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub   1024R/CE95C1E9 2016-03-22
          Key fingerprint = 4313 91CC F222 161E 3B19 54CE AC09 5248 CE95 C1E9
    uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
    sub   2048g/1C97007E 2016-03-22
The procedure requires you to provide a unique identifier and some more personal information used to distinguish keys. To get a list of saved keys use the command gpg --list-keys:
    hostname:~ user1$ gpg --list-keys
    /home/user1/.gnupg/pubring.gpg
    -----------------------------
    pub   1024D/CE95C1E9 2016-03-22
    uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
    sub   2048g/1C97007E 2016-03-22
During key creation you can provide an optional passphrase for the private key. You are encouraged to always use a passphrase, which safeguards users in case the device where the keys are saved is stolen. A passphrase that is too short or too easy could be discovered by a brute force attack. Please use a passphrase longer than 8 characters containing letters, numbers and special characters to defend against such attacks.
GPG standard behavior can be customized by setting proper values for the program options. Configuration options are saved in text files in MacOsX and can be edited with any text editor. Every configured user has his or her personal copy of the configuration files, which are located in the home directory. The standard GPG configuration file for any user is /Users/<user name>/.gnupg/gpg.conf. For example, the configuration file of a hypothetical user1 user is /Users/user1/.gnupg/gpg.conf. The dot preceding the .gnupg directory name means that the directory is a hidden one. To list a hidden directory when inspecting the content of its parent directory, use option -a of command ls:
- ls -la
To read or update your own configuration file:
- /Applications/TextEdit.app/Contents/MacOS/TextEdit /Users/<user name>/.gnupg/gpg.conf
The file is fully commented, but still refer to the program manual for a description of all the options contained therein. Standard values are suitable for almost all private or professional uses. Please set different values only when you are certain of the outcome.
GPGOsX and GPGTools users should replace command gpg with gpg2 when using the command line interface instead of the graphical one.
Key Pair Back-up
The key pair is mandatory to open encrypted files: its loss could prove to be catastrophic, as currently available processors are not powerful enough to decrypt files without it. A whole document archive could be lost for want of a key. It is a good idea to keep a safety copy of both keys stored in a safe place, different from the machine where they were created. All keys are stored inside directory /Users/<user name>/.gnupg in the form of binary files. A safe and easy way to generate a copy of the key pair consists of creating a password protected compressed archive of the directory:
- zip -er key_backup.zip /Users/<user name>/.gnupg
The zip command will ask the user to provide a password for the archive, then to confirm the provided value by retyping it. The resulting archive, key_backup.zip, can be opened only by providing the password. The zip version shipping with OsX 10.4 or earlier releases does not support cryptography. Users should remove the -e option or the program will return error "(encryption not supported)" and fail:
- zip -r key_backup.zip /Users/<user name>/.gnupg
How-to Encrypt and Decrypt Files
Commands to encrypt and decrypt files with GPG vary with the program installed on your Mac. Please refer to the documentation of the specific program. Below are some links to the GPGTools web pages:
- How to encrypt and decrypt files using GPGTools: https://gpgtools.tenderapp.com/kb/gpgservices-faq/how-to-encrypt-and-sign-text-or-files-with-gpgservices
- Some more GPGTools examples: http://sites.allegheny.edu/its/best-practices/encrypting-files-gpg-tools
The command line interface is uniform for all three programs. You can retrieve information and some examples in the GPG documentation (http://blog.ghostinthemachines.com/2015/03/01/how-to-use-gpg-command-line), where the commands and their options are explained. The base encryption command is:
- gpg --encrypt <file>
GPG will ask you to provide the unique identifier for the public key of the file recipient. The key will be used to encrypt the file as in the example below:
    hostname:~ user1$ gpg --encrypt st_test01.pdf
    You did not specify a user ID. (you may use "-r")

    Current recipients:

    Enter the user ID. End with an empty line: StudioSG

    Current recipients:
    2048g/1C97007E 2016-03-22 "StudioSG (sg_test_03) <studiosg@giustetti.net>"

    Enter the user ID. End with an empty line:
    hostname:~ user1$
The encrypted file retains the name of the original one with a different extension appended: .gpg.
You can provide a list of recipients, one per line. An empty line marks the end of the recipient list. A list of saved keys available to encrypt files can be retrieved using the --list-keys option:
    hostname:~ user1$ gpg --list-keys
    /Users/user1/.gnupg/pubring.gpg
    -----------------------------
    pub   1024D/CE95C1E9 2016-03-22
    uid                  StudioSG (sg_test_03) <studiosg@giustetti.net>
    sub   2048g/1C97007E 2016-03-22
Many files can be encrypted at once using the --multi option. You'll have to provide a recipient list for each file. This could prove to be a lot of work, so GPG provides option -r to simplify it. Using -r the recipient list can be given on the command line. In the example below three documents are encrypted using the key of recipient StudioSG:
    hostname:~ user1$ ls -la
    total 48
    drwx------   3 user1 user1 4096 Mar 18 18:50 .
    drwx------  17 root  admin 4096 Mar 18 18:37 ..
    -rw-------   1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
    -rw-------   1 user1 user1 7844 Mar 18 18:50 st_test02.pdf
    -rw-------   1 user1 user1 7932 Mar 18 18:50 st_test03.pdf
    hostname:~ user1$ gpg -r StudioSG --multi --encrypt st_test0*
    hostname:~ user1$ ls -la
    total 72
    drwx------   3 user1 user1 4096 Mar 18 18:50 .
    drwx------  17 root  admin 4096 Mar 18 18:37 ..
    -rw-------   1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
    -rw-------   1 user1 user1 7378 Mar 18 18:50 st_test01.pdf.gpg
    -rw-------   1 user1 user1 7844 Mar 18 18:50 st_test02.pdf
    -rw-------   1 user1 user1 7487 Mar 18 18:50 st_test02.pdf.gpg
    -rw-------   1 user1 user1 7932 Mar 18 18:50 st_test03.pdf
    -rw-------   1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg
A file is decrypted with the --decrypt option of the gpg command. GPG will prompt the user for the passphrase and, once it is entered, will write the "clear text" content of the encrypted file to standard output. To save a decrypted version of the file, the --output option and the name of the file to save are needed:
- gpg --output <decrypted file> --decrypt <encrypted file>
    hostname:~ user1$ gpg --output st_test01.pdf --decrypt st_test01.pdf.gpg

    You need a passphrase to unlock the secret key for
    user: "StudioSG (sg_test_03) <studiosg@giustetti.net>"
    2048-bit ELG-E key, ID 1C97007E, created 2016-03-22 (main key ID CE95C1E9)

    gpg: encrypted with 2048-bit ELG-E key, ID 1C97007E, created 2016-03-22
          "StudioSG (sg_test_03) <studiosg@giustetti.net>"
    hostname:~ user1$ ls -la
    total 56
    drwx------   3 user1 user1 4096 Mar 18 18:50 .
    drwx------  17 root  admin 4096 Mar 18 18:37 ..
    -rw-------   1 user1 user1 7737 Mar 18 18:50 st_test01.pdf
    -rw-------   1 user1 user1 7378 Mar 18 18:50 st_test01.pdf.gpg
    -rw-------   1 user1 user1 7487 Mar 18 18:50 st_test02.pdf.gpg
    -rw-------   1 user1 user1 7574 Mar 18 18:50 st_test03.pdf.gpg
GPG-AGENT
Gpg-agent is a daemon that stores all of the passphrases provided by the user in an internal cache and hands them to any program that asks for one later. You basically have to enter any passphrase only once and not each time a document is opened. The time saving is considerable for the staff of an office that needs to read and handle large amounts of documents every day.
The daemon must be up and running to store passphrases, and the environment must be properly configured in order for programs to know of the daemon's existence and to query it when needed. To start gpg-agent automatically in MacOsX you have to configure a launch agent:
- Open the terminal window.
- Move to the launch agent root directory:
- cd ~/Library/LaunchAgents
- Create a file containing the gpg-agent configuration:
- /Applications/TextEdit.app/Contents/MacOS/TextEdit org.gnupg.gpg-agent.plist
- Populate the file with the XML formatted gpg-agent configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>org.gnupg.gpg-agent</string>
<key>ProgramArguments</key>
<array>
<string>/Users/<user name>/bin/gpg_agent_start.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
- Move back to your home directory and create a sub directory named bin where to save the start script for GPG:
- mkdir /Users/<user name>/bin
- Create the start script:
- /Applications/TextEdit.app/Contents/MacOS/TextEdit gpg_agent_start.sh
#!/bin/bash
# Reuse the agent already running if ~/.gpg-agent-info exists and the PID
# recorded in it (second colon-separated field) is still alive.
if test -f $HOME/.gpg-agent-info && \
   kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
    GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
    export GPG_AGENT_INFO
else
    # Otherwise start a new daemon and write its socket path and PID to
    # ~/.gpg-agent-info, which .bash_profile sources in every new shell.
    eval `/usr/local/bin/gpg-agent --daemon --write-env-file $HOME/.gpg-agent-info`
fi
export GPG_TTY=`tty`
- Make the file executable:
- chmod 700 gpg_agent_start.sh
- Update the terminal configuration in order for all commands to know about the agent. The standard terminal uses a bash shell then the file to update is the bash configuration file:
- cd
- /Applications/TextEdit.app/Contents/MacOS/TextEdit .bash_profile
export GPG_TTY=$(tty)
if [[ -f "${HOME}/.gpg-agent-info" ]]; then
. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
fi
The configuration parameters for gpg-agent reside in the /Users/<user name>/.gnupg/gpg-agent.conf file. Some are worth mentioning. Among them is default-cache-ttl, responsible for the amount of time a passphrase is kept in the cache. When the period expires the passphrase entry is removed and the user is asked for it again when needed. The standard lifetime of a passphrase is 600 seconds, or 10 minutes. To increase the period to 1 hour change the line:
default-cache-ttl 600
to:
default-cache-ttl 3600
then restart the gpg-agent daemon.
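The following script is an added example, not part of the original article: it changes one gpg-agent.conf option in place without duplicating the line, leaves commented-out and unrelated lines alone, keeps the file owner-only readable, and asks a running GnuPG 2.x agent to reload via gpg-connect-agent instead of restarting it. The demo runs on a constructed sample file in a temporary directory, so the real ~/.gnupg/gpg-agent.conf is never touched.

```shell
#!/bin/sh
# Added example: idempotently set an option in gpg-agent.conf, e.g. raise
# default-cache-ttl from 600 to 3600 as described above.

# Print the current value of an option (empty if unset).
# Usage: get_agent_option <conf file> <option>
get_agent_option() {
  awk -v opt="$2" '$1 == opt { v = $2 } END { print v }' "$1"
}

# Set <option> to <value>: replace the active line if present, append otherwise.
# Commented-out lines such as "#default-cache-ttl 60" are left untouched.
# Usage: set_agent_option <conf file> <option> <value>
set_agent_option() {
  conf="$1"; opt="$2"; val="$3"
  # Create the file owner-readable only, as expected for anything in ~/.gnupg.
  if [ ! -f "$conf" ]; then
    (umask 077 && : > "$conf") || return 1
  fi
  tmp="${conf}.tmp.$$"
  awk -v opt="$opt" -v val="$val" '
    $1 == opt && !done { print opt " " val; done = 1; next }
    { print }
    END { if (!done) print opt " " val }
  ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp"
  mv "$tmp" "$conf"
}

# Ask a running gpg-agent to re-read its configuration (GnuPG 2.x only).
# GnuPG 1.4 has no agent; if the command is missing, restart the daemon by hand.
reload_gpg_agent() {
  if command -v gpg-connect-agent >/dev/null 2>&1; then
    gpg-connect-agent reloadagent /bye
  else
    echo "gpg-connect-agent not found; restart gpg-agent manually" >&2
    return 1
  fi
}

# Stand-alone demo on a constructed sample file (not the user's real config).
demo_cache_ttl() {
  dir=$(mktemp -d) || return 1
  conf="$dir/gpg-agent.conf"
  printf '# constructed sample\ndefault-cache-ttl 600\n' > "$conf"
  set_agent_option "$conf" default-cache-ttl 3600   # 10 minutes -> 1 hour
  set_agent_option "$conf" max-cache-ttl 7200       # absent: gets appended
  cat "$conf"
  rm -rf "$dir"
}

demo_cache_ttl
```

To apply it for real, call set_agent_option "$HOME/.gnupg/gpg-agent.conf" default-cache-ttl 3600 followed by reload_gpg_agent.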
Users of the OsX 10.4 release or earlier cannot use the gpg-agent service as it was introduced in release 2.0 of GPG.
Conclusions
This paper provides a brief description of the MacOsX optimized versions of GNU Privacy Guard. The installation and the basic operation of the program were described. For more information you are encouraged to read the manual and the many articles available on the net and on this very website. Should you be interested in our offerings or simply looking for more information, please refer to our contacts page. Thank you.
To contact me or leave me your feedback, please e-mail studiosg [at] giustetti [dot] net.
External links
- GNU Privacy Guard home page: https://www.gnupg.org/index.it.html
- GPG 1.4 for MacOsX: http://macgpg.sourceforge.net/it/index.html
- GPG version 2.0 for MacOsX: https://gpgtools.org
- Another version of GPG 2.0 for MacOsX: https://sourceforge.net/projects/gpgosx