Wednesday

Linux File Encryption Using GPG

Encryption is a dangerous munition, or at least it was according to US export regulations between the Second World War and the twenty-first century. Ridiculous as it may sound today, strong encryption is under attack once again by the US government, with the likes of ISIS and Boko Haram as the frightening face of the new anti-encryption campaign. To be fair, the US government isn't attacking all encryption, rather they're attacking encryption that works. What they're seeking is a world in which encryption is broken in a very specific and controlled way, such that government agencies can get access to the encrypted data while still locking out other adversaries. This, of course, is fundamentally stupid.
As a response to such an absurd policy direction, I'm writing this guide to show you a reliable way to encrypt files. While the proposals of the US government aren't directed so much at file encryption as they are for encryption of messages, these are things that I've written about several times before. Thus, I thought I'd pivot slightly with this guide and focus on encrypting other kinds of data reliably. This will be the first of a two-part series on file encryption focusing on encrypting data with GPG. Later we will focus on Tomb file encryption.

GPG? Isn't That For Email?

GPG is an encryption toolset that is best known for encrypting email, and while it is magnificent in this regard (usability aside), it's also equally capable at encrypting files. Moreover, GPG is also usually associated with asymmetric encryption, that is encryption using separate public and private keys, but it also has the capability to encrypt files symmetrically using a password. Today we'll learn how to encrypt files using the symmetric side of GPG, though there are definitely legitimate use cases for each.

But why would we use GPG for file encryption?

There are several pros and cons to using GPG for file encryption. The benefits are that it is usually installed by default on just about any Linux distribution, and it's rock-solid reliable. The cons are that it doesn't hide file size, and can be (in some regard) hard to use at first for beginners. It also doesn't work on directories on its own, requiring another utility called tar, though this is also installed by default on just about every distribution.

Step 1: Preparing The Data

(If you are only encrypting one file, skip this step)
Typically when we want to encrypt data it involves more than one file, and because of this we need to first aggregate all the different files we want to encrypt into one clump. For this we use a classic tool called tar. Tar (Tape ARchive) essentially takes multiple files and welds them together, and also provides the ability to apply compression in the process, such as GZIP and XZ, to reduce the file size. We always want to compress our files before encrypting them, not after: compression relies on patterns, and encrypted data looks too random to compress.
Here is an example that will create an archive called archive.tar.xz using three text files, with XZ compression being applied in the process.

tar -cJf archive.tar.xz file-1.txt file-2.txt file-3.txt
The -c flag is what signals tar to create an archive, the -J flag signals the use of XZ compression on the data, and the -f flag signals the file you want to create and must always be the last flag used, because the archive name has to follow it directly. XZ compression will result in very small file sizes, but can be slow. If you wish to use gzip compression instead, which will be much faster but will result in larger file sizes, then use the -z flag instead of -J, and label your file archive.tar.gz instead of archive.tar.xz.

Step 2: GPG Encryption

Now that the data has been aggregated to only one file, we can use GPG to encrypt it. First, however, we may want to change the default encryption algorithm that GPG uses. To do this, we must edit the gpg.conf file and add a line at the end.

nano ~/.gnupg/gpg.conf
Now simply type the following in at the very end of the file, then save and exit (CTRL+X, Y, then Enter).

cipher-algo AES256 
What this does is set the default algorithm to be AES-256, which is a gold-standard for symmetric encryption.
With this finally set, and with the data aggregated into a single file, we can start encrypting our files!

gpg -c archive.tar.xz
Here, the -c flag tells GPG to use symmetric encryption, which means you'll have to input a password. Make sure that the password is strong. I strongly recommend using Diceware, as it allows you to use incredibly strong passwords that are easy to remember. The file that GPG will output will be named archive.tar.xz.gpg, in other words it will be the original filename with '.gpg' tagged onto the end.

Step 3: Cleaning Up

The file ending in '.gpg' will be the encrypted file that you can send or upload online without worrying (assuming you used a strong password). If, however, you don't want any trace of the original files on your computer, you'll need to do a bit of cleanup. I've already written a quick guide on secure file deletion, so give that a read for a more in-depth explanation. Nevertheless, the command you'll want to use to securely erase the unencrypted data from your disk is the shred command.

shred -u archive.tar.xz file-1.txt file-2.txt file-3.txt
What this does is overwrite the data on the disk for all of our original, unencrypted files. The -u flag signals shred to then remove the files after overwriting them. If everything goes well, you now have a GPG-encrypted archive of your files.

Step 4: Decryption

Decrypting the files takes about as long as encrypting them. First, you'll want to use GPG to decrypt the archive, then tar to uncompress and unpack it.

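gpg -o archive.tar.xz -d archive.tar.xz.gpg
tar -xf archive.tar.xz
Here, the -d flag tells GPG to decrypt the data, and the -o flag names the file to write the result to; without -o, gpg -d prints the decrypted data to the terminal instead of saving it. This will leave you with the compressed archive, archive.tar.xz, which the second command will decompress and unpack, leaving you with your original data.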
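
Steps 1 to 4 can also be run as two pipelines, so the unencrypted archive.tar.xz is never written to disk and needs no shredding (the original files still do). This is an added example that goes a little beyond the guide and is not part of the original post; the function names and the PASSFILE variable are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 1-4 as two pipelines.
# PASSFILE is an assumption of this example: if set, gpg reads the passphrase
# from that file (unattended use); if unset, gpg prompts as in the article.
_gpg() {
    if [ -n "${PASSFILE:-}" ]; then
        gpg --batch --pinentry-mode loopback --passphrase-file "$PASSFILE" "$@"
    else
        gpg "$@"
    fi
}

# encrypt_files OUT.gpg FILE... : tar + xz + AES-256 without a temporary archive
encrypt_files() {
    out=$1; shift
    [ -e "$out" ] && { echo "refusing to overwrite $out" >&2; return 1; }
    st=$(mktemp) || return 1
    echo 1 > "$st"    # assume tar failed until it reports success
    # tar streams the archive to stdout (-f -); gpg -c encrypts stdin into $out.
    { tar -cJf - "$@" && echo 0 > "$st"; } |
        _gpg --cipher-algo AES256 -o "$out" -c
    gpg_rc=$?
    tar_rc=$(cat "$st"); rm -f "$st"
    # The pipeline only reports gpg's status, so tar's is checked separately
    # and an archive that may be incomplete is discarded.
    if [ "$gpg_rc" -ne 0 ] || [ "$tar_rc" -ne 0 ]; then
        rm -f "$out"
        return 1
    fi
}

# decrypt_files IN.gpg DESTDIR : gpg -d writes to stdout, tar unpacks it
decrypt_files() {
    mkdir -p "$2" || return 1
    st=$(mktemp) || return 1
    echo 1 > "$st"
    { _gpg -d "$1" && echo 0 > "$st"; } | tar -xJf - -C "$2"
    tar_rc=$?
    gpg_rc=$(cat "$st"); rm -f "$st"
    # Non-zero if gpg failed (wrong passphrase, damaged file) even when tar
    # managed to unpack something; treat DESTDIR as untrusted in that case.
    [ "$tar_rc" -eq 0 ] && [ "$gpg_rc" -eq 0 ]
}

# Stand-alone use: sh script.sh enc OUT.gpg FILE...  or  sh script.sh dec IN.gpg DIR
case "${1:-}" in
    enc) shift; encrypt_files "$@" ;;
    dec) shift; decrypt_files "$@" ;;
esac
```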

And You're Done

That may seem like quite a bit of work, but after getting the hang of it, which doesn't take long, it is actually a very quick process. I personally use this method for when I work with data on Tails, as it allows me to encrypt and decrypt data without having to install any other software, and without having to go online.
But what are your favourite methods for file encryption? Leave a comment down below.

Using Tor Browser for I2P

While I2P is a fantastic network, there is definitely one thing it lacks when compared to Tor: a purpose-built browser. While Tor users are given the gift of the Tor Browser, I2P users are forced to scavenge for a browser and add-ons that fit their security and anonymity needs. Fortunately, with just a few tweaks the Tor Browser can be configured to work with both Tor and I2P. This tutorial will cover exactly how to do just that.

Why The Tor Browser?

If you don’t already know, the Tor Browser isn’t just a standard version of Firefox. Instead, it is a custom-built browser based on Firefox ESR (Extended Support Release), the more mature and stable version of Firefox without the flashy bells and whistles. The Tor Project team makes changes to the browser that range from removing identifiers that would otherwise give the browser a unique fingerprint (you can test your browser’s fingerprint here), to ensuring that there isn’t any evidence of your browsing session left on your computer after the browser is closed. The Tor Project also adds a few add-ons to the browser that help increase privacy, security, and anonymity, such as NoScript, HTTPS-Everywhere, and the Tor Button. All in all, the same setup that makes the Tor Browser perfect for Tor makes it equally suitable for I2P.

Adding I2P Support To The Tor Browser

Assuming that you have already installed I2P, the first step to setting up this I2P browser is to download the Tor Browser, extract it, and run it (no installation is necessary). If you don’t have I2P installed yet, stop now and go to the I2P website to download and install it first.
Next, the way that we will configure the browser to work with I2P is through the use of an add-on called FoxyProxy. Using the Tor Browser, navigate to the FoxyProxy page on Mozilla’s website and install the add-on. After doing so, you will be prompted to restart the browser to complete the installation.
After restarting, download this configuration file for FoxyProxy. I’ve mirrored it here to make it accessible, but originally it was the product of KillYourTV. With that downloaded, press CTRL+SHIFT+A, and open the preferences for FoxyProxy. Go to File > Import Settings, on the Preferences panel and import the configuration file that you just downloaded.
This may cause the browser to crash, but after re-opening it FoxyProxy will have a complete rule-set for how it handles traffic such that any requests to either the clearnet (techno-jargon for the regular internet) or to Tor hidden services will travel through the Tor network, but any requests to a domain ending in .i2p will travel through the I2P network. In other words, you are ready to browse I2P.

Security Considerations

While you could start browsing right now, there is one last optional modification you may wish to make. Click the onion on the top left of the Tor Browser and select Privacy and Security Settings.... This will allow you to adjust the security slider. For the utmost security and anonymity on both Tor and I2P, set the security slider to the maximum level, which disables a number of features, such as JavaScript, in favour of security at the cost of usability. Alternatively, select whichever setting you are most comfortable with (I find Medium-High to be a good compromise).

Another quick security consideration to be aware of is that with this setup you are relying on both the anonymity of Tor and I2P. If either is broken, you are at risk of being deanonymized, which could be of little consequence, or of life-altering consequence. If your threat model is towards the latter, this configuration may not be for you. Instead, a dedicated browser that only connects to I2P (not Tor) will be the more secure choice. However, that is outside the scope of this tutorial.