Monday, February 16, 2009

From PGP to Free: Switching from PGP Desktop to The GNU Privacy Guard (GPG)

In this guide we'll examine the why and how of transitioning from a PGP-managed personal encryption solution to a GPG encryption system. This entry pertains exclusively to Mac OS X; a later blog entry will describe the process in a Windows environment.

1. Why GPG? / Why Not PGP?

PGP Desktop bills itself as a "comprehensive set of encryption applications to protect sensitive data in email and instant messages and on disk or removable media"[1], and it certainly is. However, I chose to switch from PGP to GPG for the following reasons:

  1. It is expensive: PGP Desktop Pro is currently $219.00 for a perpetual license[2].

  2. It is annoying: One does not need to purchase a license to utilize the basic file encryption capabilities of PGP Desktop. The caveat is that a conspicuous reminder is displayed every time the user logs into OS X, and additional reminders rear their ugly head as a user interacts with the software.

  3. It is overkill: A fully-licensed PGP Desktop comes with a lot of tools and utilities that stretch far beyond the scope of file encryption. For those for whom this functionality is redundant or unwanted, this is not a feature.

2. Back Up Your Keychain

Make copies of your secring.pkr and pubring.pkr keyring pair. These files are usually found in ~/Documents/PGP.

3. Uninstall PGP Desktop

To uninstall PGP Desktop, drag the PGP Desktop and PGP Shredder applications to the Trash.

4. Install GnuPG for Mac (MacGPG)

The project macpgp.sourceforge.net contains the downloadable installation binaries for MacGPG 2.0.10 (i386) and MacGPG 2.0.10 (PPC). Download the appropriate installer for your architecture and execute it to install MacGPG.

5. Install GPG Preferences

GPG Preferences allows you to set your GPG preferences, such as application path, keyring store path and backward-compatibility settings. It installs as a configuration panel under System Preferences: GPG Preferences 1.2.2

6. Install GPG Keychain Access

GPG Keychain Access is a GUI for managing your GPG keyrings. It looks and feels very much like the keyring manager in PGP Desktop. Download and run the installer for GPG Keychain Access: GPG Keychain Access 0.7.0.

7. Import Your Keychain

Next, run GPG Keychain Access from Applications. The program will state that you do not have a private or public key. Click the Import button, browse to the keyring pair you backed up previously, and import it.

8. Install GPG File Tool

GPG File Tool is a GUI for encrypting, decrypting and verifying encrypted files. It lets you decrypt or verify a file simply by opening it in the Finder, and this works both for files encrypted previously with PGP Desktop and for files encrypted from now on with GPG. Download GPG File Tool and drag it to your Applications folder: GPG File Tool 1.0.2.
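The same migration (steps 2 and 7) done from the Terminal, as an added example that is not part of the original post: it copies the PGP Desktop keyring pair into a timestamped backup directory with checksums, imports the keyrings with gpg --import (PGP keyrings are plain OpenPGP files, so GPG reads them as they are), and prints the fingerprints of what was imported so they can be compared against the fingerprints PGP Desktop showed before the old keyrings are discarded. The script name migrate_keyrings.sh, the backup location and the *.pkr/*.skr globs are assumptions.

```shell
#!/bin/sh
# migrate_keyrings.sh (added example; not from the original post)
# Back up the PGP Desktop keyring pair, import it into GnuPG, and print
# the fingerprints of the imported keys for comparison with PGP Desktop.
#   usage: migrate_keyrings.sh PGP_DIR [BACKUP_DIR]
set -e

# Copy every *.pkr / *.skr keyring found in SRC into a timestamped
# directory under DEST and record POSIX cksum values beside the copies.
# Prints the backup directory path; returns 1 if no keyring was found.
backup_keyrings() {
    src="$1"
    dest="$2"
    backup="$dest/pgp-keyrings-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$backup"
    found=0
    for f in "$src"/*.pkr "$src"/*.skr; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal; skip it
        cp -p "$f" "$backup/"
        found=1
    done
    if [ "$found" -eq 0 ]; then
        rmdir "$backup"
        return 1
    fi
    # Checksums let you confirm later that the backup is still intact.
    ( cd "$backup" && cksum ./* > CKSUMS )
    printf '%s\n' "$backup"
}

# Import the backed-up keyrings. PGP keyrings are OpenPGP packet files,
# so gpg --import reads the public ring (.pkr) and secret ring (.skr)
# without any conversion.
import_keyrings() {
    backup="$1"
    for f in "$backup"/*.pkr "$backup"/*.skr; do
        [ -f "$f" ] || continue
        gpg --import "$f"
    done
}

# Print fingerprints of all public keys and list the secret keys so
# they can be checked against the values PGP Desktop displayed.
show_fingerprints() {
    gpg --fingerprint
    gpg --list-secret-keys
}

# Only run the migration when invoked directly with a PGP directory.
if [ $# -ge 1 ]; then
    pgp_dir="$1"
    backup_dir="${2:-$HOME/Documents}"
    backup=$(backup_keyrings "$pgp_dir" "$backup_dir") ||
        { echo "No *.pkr/*.skr keyrings found in $pgp_dir" >&2; exit 1; }
    echo "Keyrings backed up to: $backup"
    import_keyrings "$backup"
    show_fingerprints
fi
```

Run it as `sh migrate_keyrings.sh ~/Documents/PGP` before uninstalling PGP Desktop; only delete the originals once the fingerprints printed at the end match the ones PGP Desktop reported.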

9. Appendix: Command-line Scripts for Managing Encrypted Files

I have included a few scripts that I find useful for automatically encrypting and decrypting files.

The script below will recursively encrypt every file in a directory, and remove the originals:

#!/bin/sh
# encrypt.sh
# gpg encrypt files and remove originals.
# $1 specifies base directory to encrypt.
set -e

# Key used both to sign (-u) and as the recipient (-r);
# replace with your own key ID or e-mail address.
KEYID="user@domain.ext"

usage() {
    echo "ERROR: $*"
    echo "usage: "
    echo " encrypt.sh DIRECTORY"
}

# Every regular file below the current directory that is not already
# encrypted (and not a Finder metadata file or PGP self-decrypting archive).
find_files() {
    find . -type f ! -name "*.pgp" ! -name .DS_Store ! -name "*.gpg" ! -name "*.sda.exe"
}

[ $# -ne 1 ] && usage "Missing required directory argument." && exit 1
[ ! -d "$1" ] && usage "$1 is not a directory." && exit 1

cd "$1"

# IFS= and -r keep leading blanks and backslashes in file names intact.
find_files | while IFS= read -r file ; do
    [ -e "$file.gpg" ] && rm -f "$file.gpg"
    echo "Encrypting: $file"
    # Sign and encrypt; because of set -e the original is only removed
    # if gpg succeeded.
    gpg -u "$KEYID" -r "$KEYID" --sign --encrypt "$file"
    echo " Created: $file.gpg"
    echo " Removing: $file"
    rm -f "$file"
done

The script below will decrypt every file in a directory:

#!/bin/sh
# decrypt.sh
# gpg decrypt all files in a given directory. Does not recurse directory.
# $1 specifies directory contents to decrypt.
set -e

usage() {
    echo "ERROR: $*"
    echo "usage: "
    echo " decrypt.sh DIRECTORY"
}

# Regular files in the directory itself ending in .pgp or .gpg.
# The -name tests are grouped so -maxdepth and -type apply to both.
find_files() {
    find . -maxdepth 1 -type f \( -name "*.pgp" -o -name "*.gpg" \)
}

[ $# -ne 1 ] && usage "Missing required directory argument." && exit 1
[ ! -d "$1" ] && usage "$1 is not a directory." && exit 1

cd "$1"

find_files | while IFS= read -r file ; do
    echo "Decrypting: $file"
    # Strip the encrypted-file suffix to get the output name (POSIX case
    # instead of the bash-only [[ =~ ]], so this runs under a real /bin/sh).
    case "$file" in
        *.pgp) decrypted_file="${file%.pgp}" ;;
        *.gpg) decrypted_file="${file%.gpg}" ;;
    esac
    echo "Decrypted file: $decrypted_file"
    gpg -o "$decrypted_file" --decrypt "$file"
done
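A verifying variant of decrypt.sh, added here as an example rather than code from the original post. encrypt.sh signs as well as encrypts, but gpg --decrypt still writes out plaintext whose signature is bad, missing, or from some other key and only complains on stderr, so a script that loops over a directory never notices. This version captures gpg's machine-readable --status-fd output and keeps the decrypted file only when it decrypted cleanly and carries a VALIDSIG from the expected fingerprint. The script name decrypt_verified.sh, the fingerprint argument, and the sample status lines in the comments are assumptions and constructed examples.

```shell
#!/bin/sh
# decrypt_verified.sh (added example; not from the original post)
# Decrypt one file and keep the output only if gpg reports that it
# decrypted cleanly and was signed by the expected key.
#   usage: decrypt_verified.sh EXPECTED_FINGERPRINT FILE.gpg
set -e

# Read gpg --status-fd lines on stdin. Constructed samples of the
# lines this looks at (real lines carry the same keywords):
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> <primary-fpr>
#   [GNUPG:] DECRYPTION_OKAY
#   [GNUPG:] BADSIG <keyid> <user id>
# Return 0 only if DECRYPTION_OKAY was seen and a VALIDSIG names the
# expected fingerprint; any BADSIG, ERRSIG or DECRYPTION_FAILED rejects.
check_status() {
    # Accept the fingerprint with or without spaces, in any letter case.
    expected=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    decrypted=0
    signed=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] DECRYPTION_OKAY"*) decrypted=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Match the fingerprint as a whole field, whether it is
                # the signing subkey or the primary key at the end.
                case " $line " in
                    *" $expected "*) signed=1 ;;
                esac ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] DECRYPTION_FAILED"*)
                return 1 ;;
        esac
    done
    [ "$decrypted" -eq 1 ] && [ "$signed" -eq 1 ]
}

# Decrypt FILE to the same name without its .gpg/.pgp suffix, keeping
# the result only if check_status accepts it. Never overwrites.
decrypt_verified() {
    expected="$1"
    file="$2"
    case "$file" in
        *.gpg) out="${file%.gpg}" ;;
        *.pgp) out="${file%.pgp}" ;;
        *)     out="$file.decrypted" ;;
    esac
    if [ -e "$out" ]; then
        echo "Refusing to overwrite existing $out" >&2
        return 1
    fi
    status=$(mktemp)
    # Status lines go to fd 3, redirected into the temp file; gpg's own
    # stdout/stderr (including the passphrase prompt) are left untouched.
    gpg --status-fd 3 --output "$out" --decrypt "$file" 3>"$status" || true
    if check_status "$expected" < "$status"; then
        rm -f "$status"
        echo "OK: $out (valid signature from $expected)"
        return 0
    fi
    # Unverified plaintext is discarded rather than left on disk.
    rm -f "$status" "$out"
    echo "REJECTED: $file (bad, missing or unexpected signature)" >&2
    return 1
}

# Only act when invoked directly with both arguments.
if [ $# -eq 2 ]; then
    decrypt_verified "$1" "$2"
fi
```

To use it in place of the loop body in decrypt.sh, call `decrypt_verified "$EXPECTED_FPR" "$file"` per file; the fingerprint to pass is the one printed by `gpg --fingerprint` for the key you signed with in encrypt.sh.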

3 comments:

Joe Genshlea said...

Hi,

I have PGP desktop on windows and need to encrypt/decrypt files from a CLI and don't have $1800 for PGP Corp's Command Line for Servers. So, I installed GnuPG and just can't figure this out.

The PGP Desktop GUI presents a window where I type in my secret key...I can't find an analogous method in the GnuPG CLI client.

I really don't want to be an expert in this, I just want to decrypt some files through the GnuPG CLI, can you help out?

elalonde said...

Hi Joe,

I'd be happy to help. On step 8 of my blog entry I describe the program to install. It's called GPG File Tool. It gives you a GUI that is very similar to the PGP Desktop GUI. With it, you can simply double click on GPG or PGP encrypted files, and the GUI will prompt you for your secret key.

Anonymous said...

I also want to use secure public key email encryption.
How do I install PGP or GPG on Thunderbird?
Any ideas?

Thanks,

Frank