This fall, we are bringing you a major refresh of our website. Visit the beta now:

Try the beta
Indiana University

What is GPG, and how do I use it to encrypt files on Quarry and Mason at IU?

GNU Privacy Guard (GPG, also GnuPG), the GNU project's free alternative to PGP, is encryption software that's compliant with the OpenPGP (RFC4880) standard. Using GPG you can encrypt (and decrypt) files that contain sensitive data, such as electronic protected health information (ePHI) regulated by the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. For more on GPG, see the GNU Privacy Guard web site.

At Indiana University, GPG is installed as a command-line application in the default user environments on the Quarry and Mason research clusters (i.e., you don't need to use Modules to add GPG to your user environment). To use GPG on Quarry or Mason, you create a unique encryption key, and then use that key to encrypt and decrypt your files. If you need help using GPG on Quarry or Mason contact the UITS Scientific Applications and Performance Tuning (SciAPT) team.

On this page:

Creating an encryption key

To create a unique key for encrypting and decrypting files on Quarry or Mason:

  1. Make sure you have a copy of gpg-agent running; on the command line, enter: gpg-agent -s --daemon --write-env-file --use-standard-socket
  2. On the command line, enter: gpg --gen-key
  3. You will see: gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?

    Enter 1, and then press Enter (or Return) to select (1) RSA and RSA (default) .

  4. You will see: RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)

    Enter 1024.

  5. You will see: Requested keysize is 1024 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)

    Enter a value to specify when your key should expire. For example, to set your key to expire in three weeks, enter 3w.

  6. You will be prompted to confirm your key's expiration date. If the correct date is displayed, enter  y .

  7. GPG will prompt you to enter your name, email address, and a comment; it will use this information to construct a user ID to identify your encryption key. When you've entered your information, you should see something like: You selected this USER-ID: "Full Name (comment) <username@indiana.edu>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

    If the information displayed is correct, enter  o to accept the user ID, or to correct errors or quit the process, enter the appropriate alternative.

  8. When you've accepted a user ID, GPG will prompt you to enter and confirm a passphrase. After you've confirmed your passphrase, GPG will begin generating your key. This process may take several minutes to complete. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
  9. When it's finished, you will see something like: gpg: key 09D2B839 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u gpg: next trustdb check due at <expiration_date> pub 1024R/09D2B839 2013-06-25 [expires: <expiration_date>] Key fingerprint = 6AB2 7763 0378 9F7E 6242 77D5 F158 CDE5 09D2 B839 uid Full Name (comment) <username@indiana.edu> sub 1024R/7098E4C2 2013-06-25 [expires: <expiration_date>]

Back to top

Encrypting a file

You can use the key you created (until it expires) to encrypt files in your Quarry or Mason account. To encrypt a file, on the command line, enter the following (replacing user_id with the email address you specified when creating the user ID associated with your key, and ephi_file with the name of the file to encrypt):

gpg -e -r user_id ephi_file

GPG will create an encrypted version of the file you specified; the encrypted file will have a .gpg file extension (e.g., ephi_file.gpg). After confirming the encrypted version has been created, you can delete the original unencrypted file (ephi_file).

Back to top

Decrypting a file

To decrypt a .gpg file (e.g., ephi_file.gpg), on the command line, enter:

gpg ephi_file.gpg

GPG will prompt you for the passphrase associated with the key used to encrypt the file. When you enter the correct passphrase, GPG will recreate the original, unencrypted version of the file (e.g., ephi_file). This process does not delete or alter the encrypted version of the file (ephi_file.gpg).

Back to top