Recipe 7.11 Encrypting Files for Others

7.11.1 Problem

You want to encrypt a file so only particular recipients can decrypt it.

7.11.2 Solution

  1. Obtain a recipient's GnuPG public key. [Recipe 7.9]

  2. Add it to your GnuPG key ring. [Recipe 7.10]

  3. Encrypt the file using your private key and the recipient's public key:

    $ gpg -e -r recipient_public_key_ID myfile

To make the file decryptable by multiple recipients, repeat the -r option:

    $ gpg -e -r key1 -r key2 -r key3 myfile

When you encrypt a file for a recipient other than yourself, you can't decrypt it! To make a file decryptable by yourself as well, include your own public key at encryption time (-r your_key_id).
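
The three steps and the warning above, run end to end in two throwaway key rings. This is an added example, not from the book; it assumes GnuPG 2.1 or later, and the names, addresses and the helper functions g, can_decrypt and demo are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the book. Key names and addresses are constructed.
# Assumes GnuPG 2.1 or later. Keys are generated without a passphrase and
# --trust-model always skips key validation: shortcuts for a throwaway demo only.

# g HOMEDIR ARGS...: run gpg non-interactively against one key ring
g() {
    h=$1; shift
    gpg --homedir "$h" --batch --quiet --yes --pinentry-mode loopback \
        --passphrase '' "$@" 2>/dev/null
}

# can_decrypt HOMEDIR FILE: prints yes if gpg can decrypt FILE with that key ring
can_decrypt() {
    if g "$1" --decrypt "$2" >/dev/null; then echo yes; else echo no; fi
}

demo() {
    d=$(mktemp -d) || return 1
    me="$d/sender"; bb="$d/barbara"
    mkdir -m 700 "$me" "$bb"
    g "$me" --quick-generate-key 'Sender Sam <sam@example.test>'
    g "$bb" --quick-generate-key 'Barbara Bitflipper <barbara@example.test>'

    # Steps 1 and 2: obtain Barbara's public key, add it to the sender's key ring
    g "$bb" -o "$d/barbara.pub" --export barbara@example.test
    g "$me" --import "$d/barbara.pub"

    # Step 3: encrypt for Barbara alone, then for Barbara plus the sender
    echo 'constructed sample text' > "$d/myfile"
    g "$me" --trust-model always -o "$d/only.gpg" -e -r barbara@example.test "$d/myfile"
    g "$me" --trust-model always -o "$d/both.gpg" -e -r barbara@example.test \
        -r sam@example.test "$d/myfile"

    echo "barbara only:   sender=$(can_decrypt "$me" "$d/only.gpg") barbara=$(can_decrypt "$bb" "$d/only.gpg")"
    echo "barbara+sender: sender=$(can_decrypt "$me" "$d/both.gpg") barbara=$(can_decrypt "$bb" "$d/both.gpg")"

    # Stop the agents started for the temporary key rings, then clean up
    for k in "$me" "$bb"; do gpgconf --homedir "$k" --kill gpg-agent 2>/dev/null; done
    rm -rf "$d"
}

RESULT=$(demo)
printf '%s\n' "$RESULT"
```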

7.11.3 Discussion

This is a classic use of GnuPG: encrypting a file to be read only by an intended recipient, say, Barbara Bitflipper. To decrypt the file, Barbara will need her private key (corresponding to the public one used for encryption) and its passphrase, both of which only Barbara has (presumably). Even if Barbara's private key gets stolen, the thief would still need Barbara's passphrase to decrypt the file.

By default, encrypted files are binary. To produce an ASCII file instead, suitable for including in a text message (email, Usenet post, etc.), add the -a (armor) option:

    $ gpg -e -r Barbara_public_key_ID -a filename

7.11.4 See Also

