Simple password based AES-256 symmetric encryption using gpg:
Try it:
# Make a file
echo 'pkgs.org is a distro search engine for packages!' > 1-toencrypt.txt
# Encrypt
gpg -cao 2-encrypted.txt --cipher-algo AES256 --no-symkey-cache 1-toencrypt.txt
# Decrypt
gpg -o 3-unencrypted.txt --no-symkey-cache 2-encrypted.txt
Result:
├─ 1-toencrypt.txt
├─ 2-encrypted.txt
└─ 3-unencrypted.txt
Break down:
# Make a file containing a secret
echo 'pkgs.org is a distro search engine for packages!' > toencrypt.txt
# Encrypt toencrypt.txt using AES256
gpg -cao encrypted.txt --cipher-algo AES256 --no-symkey-cache toencrypt.txt
# -c | --symmetric, Encrypt with a symmetric cipher using a passphrase.
# -a | --armor, use ASCII "armored" output instead of binary (useful for Email, Web POST, etc.)
# -o | --output <file>, output file (default: input file name with ".asc" appended)
# --cipher-algo <algorithm>, which algorithm to use (default: AES128)
# Bonus: See which algorithms `gpg` supports by using `gpg --version`
# --no-symkey-cache, disable gpg's default behavior of caching passwords
# Enter password at prompts
# Output encrypted file
cat encrypted.txt
-----BEGIN PGP MESSAGE-----
jA0ECQMCBXVoK9eD6ar/0nYBBz0B2EX0Z7R6UaOjjwDUNl3TublbeCy7rlJ7j6+t
Nqmvbm1wgmqsY/eY8171wMDInaa1M/VAoRFSIDRTAkx798ymbbsx/CUJakRH3Kll
kpWG1UfyDqUgWACOgpQxvjZyA4qhlruvYuI7IXeb0KEskFUEMdeQ
=33Fs
-----END PGP MESSAGE-----
# Decrypt
gpg -o unencrypted.txt --no-symkey-cache encrypted.txt
# -o | --output <file>
# --no-symkey-cache, disable gpg's default behavior of caching passwords
# Enter password at prompt
# Output unencrypted file
cat unencrypted.txt
pkgs.org is a distro search engine for packages!
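To confirm that --cipher-algo AES256 took effect, this added example (not part of the original page) decodes the first packet of the armored output and reports the cipher and the passphrase-hashing (S2K) parameters, without needing the password. The function names are hypothetical, the field layout follows RFC 4880, and `base64` and `od` are assumed to be installed.

```shell
#!/bin/sh
# Added example: read the symmetric-key ESK packet (RFC 4880, tag 3) of a `gpg -c` message.
# Sample input: the armored message printed by `cat encrypted.txt` above.
sample_armor() {
cat <<'EOF'
-----BEGIN PGP MESSAGE-----

jA0ECQMCBXVoK9eD6ar/0nYBBz0B2EX0Z7R6UaOjjwDUNl3TublbeCy7rlJ7j6+t
Nqmvbm1wgmqsY/eY8171wMDInaa1M/VAoRFSIDRTAkx798ymbbsx/CUJakRH3Kll
kpWG1UfyDqUgWACOgpQxvjZyA4qhlruvYuI7IXeb0KEskFUEMdeQ
=33Fs
-----END PGP MESSAGE-----
EOF
}

# skesk_info (hypothetical helper): armored message on stdin,
# prints "version=.. cipher=.. s2k=.. hash=.. count=.." on stdout.
skesk_info() {
    # Drop armor delimiters, "Key: value" headers, blank lines and the =CRC24
    # line; base64 never contains ':' and data lines never start with '='.
    set -- $(grep -v -e '^-----' -e ':' -e '^=' -e '^$' |
             base64 -d 2>/dev/null | od -An -v -tu1 -N15)
    # 0x8C = old-format tag 3, 0xC3 = new-format tag 3 (one-octet length follows).
    case "${1:-}" in
        140|195) ;;
        *) echo "not a symmetric-key ESK packet" >&2; return 1 ;;
    esac
    [ "$3" -eq 4 ] || { echo "unsupported SKESK version $3" >&2; return 1; }
    case "$4" in
        7) cipher=AES128 ;; 8) cipher=AES192 ;; 9) cipher=AES256 ;;
        *) cipher="id-$4" ;;
    esac
    case "$6" in
        2) hash=SHA1 ;; 8) hash=SHA256 ;; 10) hash=SHA512 ;;
        *) hash="id-$6" ;;
    esac
    count=n/a
    # S2K type 3 (iterated and salted): 8 salt bytes, then one coded count byte.
    if [ "$5" -eq 3 ] && [ $# -ge 15 ]; then
        c=${15}
        count=$(( (16 + (c & 15)) << ((c >> 4) + 6) ))
    fi
    echo "version=$3 cipher=$cipher s2k=$5 hash=$hash count=$count"
}

sample_armor | skesk_info
```

For your own file, run `skesk_info < encrypted.txt`; a cipher other than AES256 means the --cipher-algo option was not applied.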
Bonus: Clearing `gpg-agent` password cache
Without the `--no-symkey-cache` argument above, passwords are cached by the `gpg-agent`, allowing decryption of those files without a password until the user logs out.
The password manager `pass` also has `gpg-agent` cache the master password in the same way so this might be useful to `pass` users too.
To remove all cached passwords without having to log out, use the following command:
gpgconf --reload gpg-agent