18 Signing and encrypting files
You can use Gpg4win for signing and encrypting not just e-mails, but also individual files. The principle is the same:
- You sign a file using your private certificate, to ensure that the file cannot be modified unnoticed.
- Then you encrypt the file using the recipient's public certificate, to prevent unauthorized persons from reading it.
Using the application GpgEX, you can sign or encrypt files directly from Windows Explorer, with either OpenPGP or S/MIME. This chapter shows you exactly how this works.
If you send a file as an e-mail attachment, GpgOL, for example, automatically signs and encrypts the file together with your e-mail. You do not have to do anything else.
18.1 Signing and checking files
When signing a file, you are mainly concerned with making sure that it is not changed, rather than with keeping it secret (integrity).
Signing is very easy using GpgEX from the Windows Explorer context menu. Select one or more files or folders and open the context menu with the right mouse button:
You will see the Sign and encrypt menu.
In the following window, select the option Sign:
If required, you can also use the option Output as text (ASCII armor). The signature file will then receive the file ending .asc (OpenPGP) or .pem (S/MIME). These file types can be opened with any text editor; you will, however, only see the familiar jumble of numbers and letters.
If this option is not selected, the signature will be created with the ending .sig (OpenPGP) or .p7s (S/MIME). These are binary files and cannot be viewed in a text editor.
Then click on [Next].
In the following dialog, select the private (OpenPGP or S/MIME) certificate with which you want to sign the file, if it is not already selected by default.
Now confirm your selection with [Sign].
Enter your passphrase in the PIN entry dialog.
Once the signing process has completed successfully, the following window appears:
You have now successfully signed the file.
A "separate" (detached) signature is always used to sign a file. That means that the file to be signed remains unchanged and a second file containing the actual signature is created. To verify the signature later on, you will need both files.
The example below shows which new file you will receive if you sign your selected file (here <filename>.txt) using OpenPGP or S/MIME. There are four possible resulting file types:
- OpenPGP:
  <filename>.txt -> <filename>.txt.sig
  <filename>.txt -> <filename>.txt.asc (output as text/ASCII armor)
- S/MIME:
  <filename>.txt -> <filename>.txt.p7s
  <filename>.txt -> <filename>.txt.pem (output as text/ASCII armor)
Checking a signature
Now check the integrity of the file that has just been signed, i.e. verify that it is unchanged.
To check integrity and authenticity, the signature file (the file with the ending .sig, .asc, .p7s or .pem) and the signed original file must be in the same folder. Select the signature file and choose the entry Decrypt and check from the Windows Explorer context menu:
You will see the following window:
Under Input file, Kleopatra shows the full path to your selected signature file.
The option Input file is a separate signature is activated, since you have signed your original file (here: Signed file) with the input file. Kleopatra automatically finds the associated signed original file in the same folder.
The same path is also automatically selected for the Output folder. It only becomes relevant, however, once you are processing more than one file at the same time.
Confirm the operations with [Decrypt/Check].
Following a successful check of the signature, the following window appears:
The result shows that the signature is correct: you can therefore be sure that the file's integrity has been preserved, i.e. the file has not been modified.
If even a single character of the original file is added, deleted or modified, the signature will be shown as broken (Kleopatra displays the result as a red warning):
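As an added example that is not part of the Compendium, the same sign, verify and "one character changed" check on the command line with gpg, the program that GpgEX and Kleopatra drive; the throwaway key, its user ID and the sample file contract.txt are constructed here:

```shell
#!/bin/sh
# Added example, not from the Gpg4win Compendium: the detached-signature workflow
# of section 18.1 (sign, verify, detect a change) done with the gpg command line
# that GpgEX and Kleopatra drive. It uses a throwaway keyring; the key, its user
# ID and the sample file are constructed here.
set -eu
if ! command -v gpg >/dev/null 2>&1; then echo "gpg not installed, skipping"; exit 0; fi
export GNUPGHOME; GNUPGHOME=$(mktemp -d); cd "$GNUPGHOME"   # isolated from your real keyring
trap 'gpgconf --kill all 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
gpgq() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Throwaway OpenPGP key without a passphrase (fine for a demo, never for a real key).
gpgq --quick-generate-key "Demo Signer <demo@example.invalid>" default default never

# Create both detached-signature forms GpgEX offers: binary .sig and ASCII-armored .asc.
# The signed file itself is left untouched, exactly as described in the text.
sign_detached() {
    gpgq --detach-sign --output "$1.sig" "$1"
    gpgq --armor --detach-sign --output "$1.asc" "$1"
}

# Verify a detached signature ($1) against a data file ($2): both must be present.
# Returns 0 for a good signature, 1 for a bad one (Kleopatra's red warning).
verify_detached() {
    if gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; then
        echo "GOOD signature over $2"
    else
        echo "BAD signature over $2"; return 1
    fi
}

printf 'Transfer 100 EUR to account A.\n' > contract.txt     # constructed sample file
sign_detached contract.txt
head -1 contract.txt.asc                                      # -----BEGIN PGP SIGNATURE-----
verify_detached contract.txt.sig contract.txt                 # original file: GOOD
verify_detached contract.txt.asc contract.txt                 # the armored form verifies the same way

# Changing a single character ("100" -> "900") breaks the signature.
sed 's/100/900/' contract.txt > tampered.txt
verify_detached contract.txt.sig tampered.txt || true         # BAD
```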
18.2 Encrypting and decrypting files
Files can be signed and encrypted just like e-mails. You should practise this once more in the following section using GpgEX and Kleopatra.
Select one (or more) file(s) and open the context menu with the right mouse button:
Select Sign and encrypt again.
You will see the dialog already familiar from signing a file (see also section 18.1).
In the top field, select the option Encrypt:
You should only change the encryption settings if this is required:
- Output as text (ASCII armor): When you activate this option, you will obtain the encrypted file with the file ending .asc (OpenPGP) or .pem (S/MIME). These file types can be opened with any text editor, but you will only see the familiar mixture of letters and characters.
  If this option is not selected, the system creates an encrypted file with the ending .gpg (OpenPGP) or .p7m (S/MIME). These are binary files, so they cannot be viewed with a text editor.
- Delete unencrypted original: If this option is activated, the selected original file will be deleted after encryption.
Click on [Next].
Who should the file be encrypted for? Select one or more recipient certificates in the next dialog:
To make your selection, choose the required certificates in the top portion and press [Add]. All selected certificates are shown in the lower portion of the dialog for review.
Depending on the selected recipient certificates and their type (OpenPGP or S/MIME), your file is then encrypted using OpenPGP and/or S/MIME. So if you selected an OpenPGP certificate and an S/MIME certificate, you will receive two encrypted files. The possible file types for the encrypted files are listed below.
Now click on [Encrypt]: The file is encrypted.
After a successful encryption, the results window should look something like this:
That's it! You have successfully encrypted your file!
Similar to signing a file, the result depends on the selected encryption method (OpenPGP or S/MIME). Encrypting your original file (here <filename>.txt) can result in four possible file types:
- OpenPGP:
  <filename>.txt -> <filename>.txt.gpg
  <filename>.txt -> <filename>.txt.asc (for output as text/ASCII armor)
- S/MIME:
  <filename>.txt -> <filename>.txt.p7m
  <filename>.txt -> <filename>.txt.pem (for output as text/ASCII armor)
You now forward one of these four possible encrypted files to your selected recipient. In contrast to signing a file, the unencrypted original file is of course not forwarded.
Decrypting a file
Now you can decrypt the previously encrypted file for test purposes.
To this end, you should also have encrypted to your own certificate during the previous encryption process; otherwise you cannot decrypt the file with your private key (see Chapter 14).
Select the encrypted file, i.e. one that ends with .gpg, .asc, .p7m or .pem, and select the entry Decrypt and check in the Windows Explorer context menu:
If you like, you can still change the output folder in the following decryption dialog.
Click on [Decrypt/Check].
Then enter your passphrase.
The result shows that the decryption was successful:
You should now be able to read the decrypted file easily or use it with a corresponding program.
In short
You have learnt how to do the following using GpgEX:
- sign files
- check signed files
- encrypt files
- decrypt files
Simultaneous encryption and signature
You have probably already noticed this option in the corresponding dialogs. If you select it, GpgEX combines both tasks in one step.
Note that the file is signed first and only then encrypted.
The signature is therefore always encrypted together with the file. It can only be viewed and checked by those who have successfully decrypted the file.
If you want to sign and encrypt a file in one step, you can only do so with OpenPGP at this time.
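As an added example that is not part of the Compendium, the encrypt/decrypt round trip of section 18.2 and the combined sign-and-encrypt step on the command line with gpg, showing that the signature only becomes checkable once the file has been decrypted; the key, the address me@example.invalid and the file report.txt are constructed here, and the file is encrypted to our own certificate so that it can be decrypted again:

```shell
#!/bin/sh
# Added example, not from the Gpg4win Compendium: the encrypt/decrypt round trip
# of section 18.2 and the combined sign+encrypt step (OpenPGP only) from the end
# of the chapter, done with the gpg command line behind GpgEX. It uses a throwaway
# keyring; the key, its user ID and the sample file are constructed here, and the
# file is encrypted to our own certificate so that we can decrypt it afterwards.
set -eu
if ! command -v gpg >/dev/null 2>&1; then echo "gpg not installed, skipping"; exit 0; fi
export GNUPGHOME; GNUPGHOME=$(mktemp -d); cd "$GNUPGHOME"   # isolated from your real keyring
trap 'gpgconf --kill all 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
ME=me@example.invalid
gpgq() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }
gpgq --quick-generate-key "Me <$ME>" default default never    # throwaway key, no passphrase

# "Encrypt" only: binary .gpg, or .asc when "Output as text (ASCII armor)" is chosen.
encrypt_only() {
    gpgq --recipient "$ME" --encrypt --output "$1.gpg" "$1"
    gpgq --recipient "$ME" --armor --encrypt --output "$1.asc" "$1"
}
# Sign and encrypt in one step: gpg signs first, then encrypts, so the
# signature travels inside the ciphertext.
sign_and_encrypt() {
    gpgq --local-user "$ME" --recipient "$ME" --sign --encrypt --output "$1.signed.gpg" "$1"
}
# Decrypt $1 into $2 and return 0 only if gpg reported a good signature on the
# plaintext, i.e. the signature became checkable only after decryption succeeded.
decrypt_and_check_sig() {
    status=$(gpgq --status-fd 1 --decrypt --output "$2" "$1")
    case "$status" in *'[GNUPG:] GOODSIG '*) return 0 ;; *) return 1 ;; esac
}

printf 'Quarterly numbers, confidential.\n' > report.txt       # constructed sample file
encrypt_only report.txt
sign_and_encrypt report.txt
head -1 report.txt.asc                                          # -----BEGIN PGP MESSAGE-----

if decrypt_and_check_sig report.txt.gpg plain1.txt; then
    echo "unexpected: encrypt-only file carried a signature"
else
    echo "encrypt-only: decrypted, no signature to check"
fi
decrypt_and_check_sig report.txt.signed.gpg plain2.txt && echo "sign+encrypt: decrypted, signature GOOD"
cmp -s report.txt plain1.txt && cmp -s report.txt plain2.txt && echo "both plaintexts match the original"
```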
© 31 August 2010, v3.0.0-beta1 (last minor changes from 21 September 2010)
The Gpg4win Compendium is published under the GNU Free Documentation License v1.2.