'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
How to encrypt a file on Linux (and when you should)
Your security and privacy have both become critically important. Businesses are not the only entities that have to keep sensitive information from prying eyes. You might have bank account details, contracts, wills, and other files on your desktop that should be locked behind a password, so only you can access them.
Also: The best Linux laptops you can buy
But how do you do this, if Linux is your operating system of choice? Believe it or not, it's actually pretty simple. I want to show you two different methods -- one using the command line and one that makes use of the built-in file manager -- so you too can protect those important documents.
You can do this with just about any type of file (text, .docx, .odt, PDF, .jpg, or you name it). One word of warning: Both methods do require using the command line. However, the GUI method only requires that you use the command line to install the required integration for the file manager.
Also: How to create hidden files in Linux (and what not to use them for)
With that said, let's get to the processes.
The command line method of encrypting files
What you need: The only thing you need for this is a running instance of Linux and a file to encrypt. That's it.
1. Open a terminal window and generate a GPG key
The first thing to do is open the terminal window from your desktop menu. Once it's open, you'll want to generate a GPG key with the command:
gpg --gen-key
You'll be asked to enter your real name and an email address, then type "O "to Okay the information. After that, you type/verify a passphrase for the key.
2. Change into the directory housing the file
With your key created, navigate to the folder housing the file to be encrypted. Let's say the file is in ~/Documents. Change to that directory with the command:
cd ~/Documents
3. Encrypt the file
We're going to use the gpg command to encrypt the file. For example, we'll encrypt the file zdnet_test with the command:
gpg -c zdnet_test
The -c option tells gpg the zdnet_test file is to be encrypted. You will then be asked to type and verify a password for the encrypted file.
Once you've encrypted the file, you'll notice there are two files: zdnet_test and zdnet_test.gpg. The file with the .gpg extension is the encrypted file. At this point, you can remove the initial test file with the command:
rm zdnet_test
4. Configure the password cache agent
Oddly enough, the GPG tool caches passwords. Because of this, you (or anyone who has access to your system) could decrypt the file without having to type the password with the command gpg zdnet_test. That's not safe. To get around this, we have to disable password caching for the GPG agent. To do this, create a new file with the command:
nano ~/.gnupg/gpg-agent.conf
In that file, paste the following lines:
default-cache-ttl 1 max-cache-ttl 1
Next, restart the agent with the command:
echo RELOADAGENT | gpg-connect-agent
Now, when you (or anyone) types the decrypt command, gpg zdnet_test, the password prompt will appear. Until that password is successfully entered, the contents of the file will remain encrypted.
The GUI (Graphical User Interface) method of encrypting files
This method is significantly more efficient.
1. Install the required software
Before you use the GUI method, make sure to take care of Steps 1 and 4 above. You only have to do this once. After that, you'll need to install a piece of software with the command:
sudo apt-get install seahorse-nautilus -y
If you're using a distribution based on RHEL or Fedora Linux, that command would be:
sudo dnf install seahorse-nautilus -y
Once installed, restart Nautilus with the command:
nautilus -q
2. Open the Nautilus file manager
Now, open the file manager and navigate to the folder containing our zdnet_test file. Right-click the file and select the "Encrypt" option.
My GPG key is listed and ready to be used.
3. Select your encryption method
You can now either select the GPG key you created earlier or just use a passphrase for the encryption. If you opt to go the key route, make sure to select the key you created and then click "OK." You won't be prompted for a passphrase if you go this route. But if you opt to just use a passphrase, you will be prompted to type and verify a new passphrase for the encrypted file.
My GPG key is listed and ready to be used.
4. Decrypt the file
With the file encrypted, you can then decrypt it by right-clicking the encrypted file and selecting "Open With Decrypt File." After this step, you'll be asked to name the decrypted file and click "Save." Then, for the encryption, you'll be prompted to either type the passphrase for your GPG key or the passphrase you added.
Decrypting a file within Nautilus.
Whichever method you choose, I would highly recommend you test (using a test file) to make sure it works as expected before you actually encrypt an actual file you want to protect.
Once you have the process down (and it works as expected), you should then be safe to remove the unencrypted file. If you leave the unencrypted file on your drive, it can be accessed by anyone who can log into your desktop.
Also: Pop!_OS has a complicated name but it makes using Linux so easy
And that's how you encrypt and decrypt a file on the Linux operating system without having to install more complicated volume encryption tools.