In today’s digital world, ensuring the confidentiality of your sensitive data is more important than ever. Whether you’re backing up documents, transferring files, or protecting personal information, encrypting your files is a critical security step. In this article, we’ll explore how to securely encrypt and decrypt any file using the Linux terminal — leveraging robust, open-source tools like gpg and openssl.
🔧 Symmetric Encryption with gpg
The simplest and most effective method for encrypting files locally is symmetric encryption, where the same password is used for both encryption and decryption.
🔒 Encrypt a File with a Password
gpg -c myfile.txt
You’ll be prompted to enter a passphrase. The resulting file will be myfile.txt.gpg.
🔓 Decrypt the File
gpg -o myfile_decrypted.txt -d myfile.txt.gpg
You’ll be prompted for the same passphrase to decrypt the file.
✅ Best For: Local file protection or sharing with someone you trust enough to share a password with.
🔐 Asymmetric Encryption (Using Key Pairs)
For secure communication or file exchange between users, asymmetric encryption is recommended. This method uses a pair of keys: a public key for encryption and a private key for decryption.
Step 1: Generate a Key Pair
gpg --full-generate-key
Choose:
Key type: RSA and RSA
Key size: 4096 bits (recommended)
Expiration: Set if desired
User information: Name and email
Step 2: List Available Keys
gpg --list-keys
Step 3: Encrypt a File for a Specific User
gpg -e -r "User Name or Email" myfile.txt
This command will create myfile.txt.gpg, encrypted with the recipient’s public key.
Step 4: Decrypt the File
gpg -d myfile.txt.gpg > myfile_decrypted.txt
The recipient’s private key must be available on the system to decrypt.
✅ Best For: Secure communication and file exchange between multiple parties.
🔧 Alternative: Using openssl
For those who prefer OpenSSL, here’s how to use AES-256 encryption:
You’ll be asked to provide the same password for decryption.
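The commands for this section are missing from the page. The following is an added example, not the original author's, of a password-based AES-256 round trip with openssl enc. The file names, the DEMO_PASS variable and the iteration count are assumptions.

```shell
#!/bin/sh
# Added example: AES-256 password-based encryption with `openssl enc`.
# -pbkdf2/-iter need OpenSSL 1.1.1 or later; without them openssl falls back
# to a weak legacy key derivation and prints a warning.
# CBC mode gives confidentiality only; it does not detect tampering.

ITER=200000   # PBKDF2 iteration count (assumed value; must match on decrypt)

# encrypt_file IN OUT - the passphrase is read from $DEMO_PASS, not from
# argv, so it does not show up in `ps` output or shell history.
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass env:DEMO_PASS
}

# decrypt_file IN OUT - same cipher and KDF settings, plus -d.
decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass env:DEMO_PASS
}

# roundtrip_ok: encrypt a constructed sample file, decrypt it, compare the
# result, and confirm the ciphertext carries the 8-byte "Salted__" header.
roundtrip_ok() {
    dir=$(mktemp -d) || return 1
    printf 'constructed sample secret\n' > "$dir/myfile.txt"
    DEMO_PASS='constructed-demo-passphrase'; export DEMO_PASS
    encrypt_file "$dir/myfile.txt" "$dir/myfile.txt.enc" &&
    decrypt_file "$dir/myfile.txt.enc" "$dir/myfile_decrypted.txt" &&
    cmp -s "$dir/myfile.txt" "$dir/myfile_decrypted.txt" &&
    [ "$(head -c 8 "$dir/myfile.txt.enc")" = "Salted__" ]
    rc=$?
    unset DEMO_PASS
    rm -rf "$dir"
    return $rc
}
```

Leave out the -pass option to be prompted for the password interactively instead.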
🛡️ Security Tips
Use strong, unique passphrases: at least 12 characters with a mix of letters, numbers, and symbols.
Avoid storing passphrases in plaintext.
When sharing files, prefer asymmetric encryption over symmetric if possible.
Back up your private keys in a secure location.
📦 Conclusion
Encrypting files via the Linux terminal is both powerful and straightforward with tools like gpg and openssl. Whether you’re an individual protecting personal data or a business sharing confidential documents, these methods help ensure your information stays safe.
Bitwarden is an open-source password manager that helps you store, manage, and share your login credentials securely. You can use it personally or as a team/organization.
To install Bitwarden on your server, follow these steps:
DKIM (DomainKeys Identified Mail) is an email authentication method designed to detect spoofing of email messages.
DKIM technology combines several existing anti-phishing and anti-spam methods to improve the classification and identification of legitimate email.
Instead of a traditional IP address, DKIM adds a digital signature associated with the organization’s domain name to identify the sender of the message. The signature is automatically verified at the recipient’s end, after which whitelists and blacklists are applied to determine the sender’s reputation.
DKIM is configured for each domain, so you will have the option to enable it when you create a domain, as shown in the figure below.
Once the domain has been created, you must now create a text (TXT) record for the domain using its DKIM public key.
Connect to the server over SSH and run the following command to get the DKIM public key:
v-list-mail-domain-dkim USER DOMAIN [FORMAT]
It takes as arguments the name of the user under which the domain was created and the domain itself, and returns the private and public keys.
The bottom part of the output will be the public key of the DKIM domain.
mail._domainkey – entered in the Host field.
"v=DKIM1; k=rsa; p=PUBLIC_KEY"
NOTE: the key must be a single line – if there are line breaks, you must copy the key into notepad and remove them to make one long line.
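The manual "remove the line breaks" step from the note above can be scripted. This is an added example, not part of the original page or of Hestia; the function name and the sample key (constructed, not a real key) are assumptions, as is the key being copied as a PEM block or as wrapped base64 lines.

```shell
#!/bin/sh
# Added example: build the one-line DKIM TXT value from a wrapped public key.

# Constructed sample input (not a real key), wrapped over several lines.
SAMPLE_KEY='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG
CONSTRUCTED01234
56789+/AB==
-----END PUBLIC KEY-----'

# dkim_txt_value: read the key on stdin and print the value for the
# mail._domainkey TXT record, with PUBLIC_KEY replaced by one long line.
dkim_txt_value() {
    # Drop PEM armor lines, then delete every space, tab, CR and newline.
    key=$(grep -v '^-----' | tr -d ' \t\r\n')
    # Whatever is left must be base64. Refuse stray characters instead of
    # publishing a record that receiving servers cannot parse.
    case $key in
        ''|*[!A-Za-z0-9+/=]*)
            echo "invalid key material" >&2
            return 1 ;;
    esac
    printf '"v=DKIM1; k=rsa; p=%s"\n' "$key"
}

# Usage: printf '%s\n' "$SAMPLE_KEY" | dkim_txt_value
```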
SPF (Sender Policy Framework) is an extension for the SMTP e-mail sending protocol.
SPF allows the owner of a domain, in a TXT record corresponding to the domain name, to specify a list of servers authorized to send e-mail messages with return addresses in that domain. Mail transfer agents that receive mail messages can query SPF information with a simple DNS query, thus verifying the sender’s server. SPF allows you to specify servers and IP addresses that are allowed to send mail from your domains. This feature is designed to block outgoing unwanted messages.
The SPF record is stored in a TXT record of the domain: add a TXT record and put the SPF policy in its value. In the SPF record, specify the IP address of the server from which messages will be sent. Instead of 111.11.11.111, write the IP address of your server:
"v=spf1 +a +mx +ip4:111.11.11.111 ~all"
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a standard that adds an additional layer of email verification and protection against phishing and spoofing.
DMARC allows a domain owner to specify, via a TXT record, the verification rules for messages and the actions that should be performed by mail systems when receiving a message on behalf of the domain. The main purpose of DMARC is to help recipient mail servers recognize fake emails and decide how to handle them.
The DMARC system defines:
Verification Policy (p parameter), which indicates what to do with emails that fail authentication (e.g., none for gathering reports, quarantine for moving to spam, or reject to deny delivery).
Addresses for Reports (rua and ruf parameters), which specify where the data on checks and failures should be sent for analysis by the sender.
DMARC works in tandem with SPF and DKIM, allowing determination of whether messages are authentic. If a message fails SPF and/or DKIM checks, the DMARC policy will decide whether to block it, mark it as spam, or simply send a report to the domain owner.
In the Hestia panel, select the domain for which you want to set up the DMARC policy and go to the DNS Records section.
_dmarc – entered in the Host field.
"v=DMARC1; p=quarantine; pct=100"
Entered in the Value field, you can leave the double quotes for convenience.
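Before publishing a DMARC value, it helps to check which policy and report settings it actually carries. This is an added example, not part of the original page or of Hestia; the function names are assumptions, and the action wording follows the p parameter description above.

```shell
#!/bin/sh
# Added example: parse a DMARC TXT value and report what receivers will do.

# dmarc_tag RECORD TAG - print the value of one tag (empty if absent).
dmarc_tag() {
    printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# dmarc_check RECORD - print a verdict; non-zero exit if the record is invalid.
dmarc_check() {
    rec=$(printf '%s' "$1" | tr -d '"')
    case $rec in
        v=DMARC1*) ;;
        *) echo "invalid: record must start with v=DMARC1"; return 1 ;;
    esac
    case $(dmarc_tag "$1" p) in
        none)       action="report only" ;;
        quarantine) action="move to spam" ;;
        reject)     action="deny delivery" ;;
        *) echo "invalid: p must be none, quarantine or reject"; return 1 ;;
    esac
    # pct defaults to 100 when the tag is not present.
    pct=$(dmarc_tag "$1" pct); : "${pct:=100}"
    # Without a rua address the domain owner receives no aggregate reports.
    if [ -n "$(dmarc_tag "$1" rua)" ]; then reports="sent"; else reports="none"; fi
    echo "policy=$action pct=$pct aggregate_reports=$reports"
}

# Usage: dmarc_check '"v=DMARC1; p=quarantine; pct=100"'
```

For the record shown above this reports aggregate_reports=none, because no rua address is set.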
The error “The repository is not updated and the previous index files will be used. GPG error: https://nginx.org/packages/mainline/debian bullseye InRelease: The following signatures were invalid” suggests that the GPG key for the Nginx repository is either missing, expired, or invalid. Here’s how to fix it on Debian GNU/Linux 11 (Bullseye):
1. Remove Old Nginx GPG Keys
Old or conflicting keys can cause issues, so remove them first:
Ensure your /etc/apt/sources.list.d/nginx.list contains the correct repository entry:
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian bullseye nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
4. Update Package Lists
Now, refresh the package lists:
sudo apt update
If the update runs without errors, you can proceed with installation:
sudo apt install nginx
To fix the error “The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid”, use these commands:
This article will show how to grow a partition on your Linux system to fill the entire disk using growpart. This is useful if you have resized a virtual machine disk, or moved to a larger disk on your desktop or laptop Linux system.
Step 1: Listing and Identifying Storage Devices
To expand the filesystem on your resized disk, you’ll first need to locate the disk using the lsblk command:
lsblk
And you will see output similar to the following listing storage devices and the partitions on them:
Above, you can see that disk sda has a size of 50 gigabytes, but that the volume containing the root partition (sda3) is only 29.5 gigabytes – there is unused space on the storage device.
There may be multiple entries in the output from lsblk – you’ll need to identify the disk you have resized by the size and utilization – it should be apparent which disk has unused space. Usually on single-disk machines, the first and only storage device will be named sda.
You will also need to know the name of the partition you wish to grow – in this case sda3 – usually identified by it having the root mount point of /.
Step 2: Installing growpart
growpart is a utility that makes it super easy to grow a partition. It’s part of the cloud-guest-utils package. Note that while this package is intended to work on cloud-hosted virtual machines, the growpart utility also works just fine on physical machines.
On Debian and Ubuntu, run:
sudo apt install cloud-guest-utils
On Arch, run:
sudo pacman -S cloud-guest-utils
On RedHat, run:
yum install cloud-utils-growpart -y
Step 3: Grow your Partition
Once growpart is available, growing a partition to use the entire remaining disk space is as simple as running:
sudo growpart /dev/sda 3
You’ll need to specify the correct device and partition number above, replacing sda 3 if necessary (note the space! The device and partition number are separated when using growpart). growpart is executed with no additional parameters – if the size parameter is not specified, it will default to the available size of the partition.
Now that the partition has been expanded, the file system must also be resized using resize2fs:
sudo resize2fs /dev/sda3
Note that the space has disappeared in the device path again.
You will see output similar to:
Confirming the change. Once this final step is done, reboot:
If using systemd-resolved as your DNS resolver (i.e. the hosts line of your /etc/nsswitch.conf file includes the word resolve and/or /etc/resolv.conf contains the line nameserver 127.0.0.53), then this command will flush its cache:
This will encode the video to H.264 video and AAC audio, using the default quality. To change the quality for the video, use a different CRF value, where lower means better, e.g. 20 or 18. For audio, 100% is the default quality. Increase the value for better quality.
For the AppleTV specifically, this is what Apple says it supports:
H.264 video up to 1080p, 30 frames per second, High or Main Profile level 4.0 or lower, Baseline profile level 3.0 or lower with AAC-LC audio up to 160 kbit/s per channel, 48 kHz, stereo audio in .m4v, .mp4, and .mov file formats
So, you could use the following command to force the 30 Hz frame rate and High profile: