How to create compressed encrypted archives with tar and gpg

There are many reasons why you may want to create compressed encrypted file archives. You may want to create an encrypted backup of your personal files. Another possible scenario is that you may want to privately share content with a friend or colleague over the web or through cloud storage. Tar.gz files, or compressed tarballs, are created using the tar command. These tarballs are pretty much the standard go-to format for archives on GNU/Linux; however, they are not encrypted. In the scenarios above, encryption is often desirable in order to secure your data. This is where gpg comes in.

gpg is a very versatile cryptographic tool which allows you to encrypt files, encrypt e-mail, and verify the integrity of signed files.

In this tutorial you will learn:

  • to create compressed archives using tar
  • to create encrypted compressed archives by using tar with gpg in a pipeline
  • to create multiple individual encrypted archives of directories
  • a quick and dirty method for copying these archives over a network by adding netcat to the pipeline

Software requirements and conventions used

Software Requirements and Linux Command Line Conventions

Category: Requirements, Conventions or Software Version Used
System: Distribution-independent
Software: tar, gpg
Other: Root privileges may be required depending on the permissions of the files and directories you want to archive
Conventions:
  # – Linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command
  $ – Linux commands to be executed as a regular non-privileged user

Create Compressed archive

Before we discuss creating encrypted archives, let’s review how to create compressed tar archives in the first place. Assuming you have a directory named folder that you want to archive, enter the following command:

$ tar -cvzf folder.tar.gz folder


The -c flag is used to create the archive, -v is used for verbose output so that we have visual feedback which lets us know this is happening, -z is used to compress the archive so that the file size is smaller, and -f specifies the name of the archive file.

In order to decompress and extract this archive later you would enter the following command.

$ tar -xvzf folder.tar.gz

The -x flag is used to extract the archive, -v is for verbose extracting, and -z is to decompress the archive.

Create an Encrypted Archive

Now that we have reviewed creating an archive with tar, let’s look at how we can create an encrypted archive by adding gpg to the mix. You may choose to use key-based encryption, password-based encryption or a combination of both. We have already looked at using key-based encryption in an article, How to Encrypt and Decrypt Individual Files With GPG, so we will look at password-based encryption here. To create an encrypted compressed archive of a directory named folder, enter the following command.

$ tar -cvzf - folder | gpg -c > folder.tar.gz.gpg

All of the tar flags are the same as in our previous example. The only difference is that instead of specifying a filename for our archive within the tar command we specify - so that we can pipe the output of the tar command into gpg. We then proceed to do just that, and gpg’s -c flag indicates that we want to encrypt the file with a symmetric cipher using a passphrase, as we indicated above. Finally, we redirect the output to a file named folder.tar.gz.gpg with >. After entering this command you will be prompted to enter the passphrase that you want to use to encrypt the data. If you don’t like this behavior and prefer to specify the passphrase within the command, you may add the --passphrase flag after -c as shown below. GnuPG 2.1 and later only honor --passphrase when --batch and --pinentry-mode loopback are also given, so those flags are included in the command.

WARNING
Specifying a passphrase on the command line using --passphrase is less secure for multiple reasons. It will save the password in your bash history (or any other shell history file). Also, if you are on a multi-user system then other users may see your password by examining running processes. Even if you are the single user of a system, any software that is capable of examining currently running processes could potentially log your passphrase.


$ tar -cvzf - folder | gpg -c --batch --pinentry-mode loopback --passphrase yourpassword > folder.tar.gz.gpg

In order to decrypt, decompress and extract this archive later you would enter the following command.

$ gpg -d folder.tar.gz.gpg | tar -xvzf -

The -d flag tells gpg that we want to decrypt the contents of the folder.tar.gz.gpg file. We then pipe that to the tar command. The -x flag is used to extract the archive that is piped in from gpg, -v is for verbose extracting, -z is to decompress the archive and -f - specifies that the file being unarchived is being piped in.

Create multiple individual encrypted archives of directories

The above examples assume that we want to create a single encrypted archive based on a single directory. What if we have a directory filled with multiple subdirectories, but we want to create a separate encrypted archive for each directory? We can use a bash for loop to help us accomplish that. Simply cd to the directory that contains the subdirectories you want to create individual archives for and enter the following command.

$ for i in * ; do tar -cvzf - "$i" | gpg -c --batch --pinentry-mode loopback --passphrase yourpassword > "$i".tar.gz.gpg; done
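
The per-directory loop above, reworked as an added example (not code from the original article) so that the passphrase from the earlier warning never appears on a command line: gpg reads it from file descriptor 3, a failing tar fails the pipeline where the shell supports pipefail, and each archive is test-decrypted before its path is printed. It assumes GnuPG 2.1 or later and GNU tar; the function names encrypt_all and verify_archive are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original article. Assumes GnuPG 2.1+ and GNU tar.
# encrypt_all and verify_archive are hypothetical names chosen for this sketch.

# Make a failing tar fail the whole pipeline where the shell supports it.
(set -o pipefail) 2>/dev/null && set -o pipefail

# gpg takes the passphrase from file descriptor 3, never from its argument list.
GPG_OPTS="--batch --yes --quiet --pinentry-mode loopback --passphrase-fd 3"

# verify_archive FILE PASSPHRASE
# Succeeds only if FILE decrypts and holds a readable gzip-compressed tar stream.
verify_archive() {
    gpg $GPG_OPTS -d "$1" 3<<EOF | tar -tzf - >/dev/null
$2
EOF
}

# encrypt_all PARENT OUTDIR PASSPHRASE
# Writes OUTDIR/NAME.tar.gz.gpg for every subdirectory NAME of PARENT and
# prints each path once the archive has passed verify_archive.
encrypt_all() (
    parent="$1"; outdir="$2"; pass="$3"
    umask 077                          # new archives readable by the owner only
    for d in "$parent"/*/; do
        # Skip an unexpanded glob and symlinks that point at directories.
        [ -d "$d" ] && [ ! -L "${d%/}" ] || continue
        name=$(basename "$d")
        out="$outdir/$name.tar.gz.gpg"
        tar -C "$parent" -czf - "./$name" | gpg $GPG_OPTS -c -o "$out" 3<<EOF || exit 1
$pass
EOF
        if verify_archive "$out" "$pass"; then
            printf '%s\n' "$out"
        else
            rm -f "$out"; exit 1       # never keep an archive that cannot be restored
        fi
    done
)

# Interactive use: sh encrypt-dirs.sh PARENT OUTDIR (prompts once, without echo).
if [ "$#" -eq 2 ] && [ -t 0 ]; then
    printf 'Passphrase: ' >&2
    stty -echo; IFS= read -r PASS; stty echo; echo >&2
    encrypt_all "$1" "$2" "$PASS"
fi
```

Plain files in the parent directory are skipped, and an archive is restored with the same decryption pipeline shown earlier.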

Encrypting netcat archive transmissions over the network

In a Tips & Tricks with Netcat command article we showed you how to use netcat to transfer directories from one computer to another over the network. In that article we noted that such a method of transferring data was not secure because it lacked encryption. gpg can be used to add a layer of encryption to the process. Let’s assume that the computer you want to copy the archive from has the hostname host1, the computer that you want to copy the data to has the hostname host2, and the directory we want to transfer is named folder.

Enter the following on host1

$ tar -cvzf - folder | gpg -c | nc -l 6666


After entering this command you will be prompted to enter the passphrase that you want to use to encrypt the data.

Now, on host2 enter the following command

$ nc host1 6666 | gpg -d | tar -xvzf -

After entering this command you will be prompted to enter the passphrase that you chose in the previous step. You should now have the folder directory in its entirety in the current working directory of host2.

The above example will get the job done if you need to copy encrypted data over the network, but using scp from the OpenSSH suite is a much better option if it is either installed on your system or you have the necessary privileges to install it. Feel free to keep this trick in your back pocket if you are ever in a situation for which that is not the case.

Conclusion

In this article we discussed how to make compressed tar archives, how to encrypt them, how to create multiple individual encrypted archives of directories and we also learned a quick and dirty method for copying encrypted archives over a network by adding netcat to the pipeline. If nothing else, it is evident that by combining these GNU/Linux tools together we achieve results that are greater than the sum of their parts.


