Secure your sensitive data against extortion with DIY encryption

Photo by Michael Dziedzic on Unsplash

If you’re not encrypting your archived data, you’re really opening up yourself to ransomware plus extortion attacks that threaten to publish your sensitive data. With a simple but strong encryption DIY system and storing your secret passphrase separately, even if your system is compromised by hackers, they won’t be able to decrypt your files.

Gnu Privacy Guard (official side) is one of the best encryption software out there. You can even achieve symmetric and asymmetric encryption. Best of all, it often comes pre-installed in Ubuntu and even in my Windows Ubuntu (WSL). The weakest link is complexity of passphrase, but by generating and storing your passphrase using an online password manager you can easily eliminate this weakness.

Note that at first I tried openssl because it is very easy to use but it turns out that it is buggy and less secure (buggy as in decryption may fail!).

Managing secret passphrases

The simplest way for an individual is to write down the secret passphrases on paper and file it some place secure. Alternatively, use a password manager such as Lastpass and store the password there. The vault will be protected by your master password plus 2FA, and because it is encrypted locally and online there is very little chance an attacker can get at it (unless they steal your phone, computer and fingers).

Single file

Single file encryption

For (a pdf file) vim file_to_encrypt.pdf , we see that the file is nice and orderly to start with:

file_to_encypt_pdf looks very orderly before encryption

To encrypt use this :

gpg -c --output out_file_name.pdf.gpg --force-mdc --s2k-mode 3 --s2k-count 65011712 file_to_encrypt.pdf
  • --force-mdc: force the use of encryption with appended manipulation code (doc)
  • --s2k-mode n : sets how passphrases are mangled. The parameter n specifies the number of times to which a salt is added to passphrases. If n is 0 a plain passphrase will be used. One iteration is the default. (doc)
  • --s2k-count n : Specify how many times the passphrases mangling for symmetric encryption is repeated. This value may range between 1024 and 65011712 inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024–65011712 range are legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only meaningful if — s2k-mode is set to the default of 3. In other words, this option will keep salting, hashing and joining your passphrase until it reaches the specified byte count. This increases the hashing time from microseconds to fractional seconds. Why would we slow it down? So that an attacker trying to brute force your passphrase would take many orders of magnitude longer to generate the brute force tables, which makes it unfeasible for the attacker. For you, the user, the delay is unnoticeable (doc and explanation)

Using vim out_file_name.pdf.gpg to view the file, the encrypted file now looks like this, which no longer has the ordered structure but is suitably jumbled:

Single file decryption

To decrypt:

gpg --output decrypted_file_name.pdf --decrypt out_file_name.pdf.gpg
decrypted_file_name.pdf is restored to its original form

Folder Encryption

gpg only works on single files, so you need to collect the target files or folders into a single file before you can encrypt it. Note that once encrypted, you cannot see the file structure. You can either 7-zip/Winzip the files together with compression, or use Linux’s tar to collect the files/directories into a single file first. We’ll use tar here.

First, we can check the disk usage of a directory using du . Here I used a 2 GB directory called data containing a computer game’s binary files.

$ du -s data
folder “data” occupies about 2 GB

Gathering files with compression

Now we run the tar command, using a time command to monitor duration:

$ time (tar cfz data.tar data)
  • option c instructs to ‘create’ an archive
  • option f means that the next parameter is the filename to create
  • option z means to apply compression
tar with compression took 2min 4s real time.
du -s data.tar

We see that the binary data (from a computer game) that I compressed didn’t compress very well, still occupying about 1.8 GB, and this took a little over 2 minutes. You can expect better compression if you’re compressing text-heavy files.

Gathering files without compression

Without compression, it is much quicker to tar . Here, we omit the option z to prevent compression:

$ time (tar cf data.tar data)
Skipping compression saves 2 minutes

Encrypting the tar file

We can measure the speed of encryption of the compressed 1.8 GB file:

$ time (gpg -c --output data_enc.gpg --force-mdc --s2k-mode 3 --s2k-count 65011712 data.tar)
Enter passphrase:_

(Note that you’ll be prompted for the secure passphrase. Here, I used a 50-character passphrase.)

Encrypting 1.8 GB took about 37 seconds

We see how fast the encryption is! 37 seconds for 1.8 GB suggests about 20 seconds per GB (assuming sufficient RAM).

Strangely, without the extra settings to retard the hashing speed, a run on the uncompressed 2 GB file achieves about 55 secs per GB (similar results from a few runs):

$ time (gpg -c --output data_enc.gpg data.tar)
Encrypting the uncompressed 2.0 GB

Decryption of tar file

Decrypting the compressed file

We can measure the speed of decryption, again providing the correct passphrase that you used during encryption:

$ time (gpg --output data_dec.tar --decrypt data_enc.gpg)
Decrypting 1.8 GB took about 1m 15 seconds.

Decryption and untar of the uncompressed file

Decrypting the non-compressed tar file (which after tar occupied about 1.8 GB) took just over a minute, at a rate of 38 seconds per GB as follows:

$ time (gpg --output data_dec.tar --decrypt data_enc2.gpg)
Decrypting 1.87 GB took 1m 8 seconds

Untar is quick:

$ time (tar -xf data_dec.tar data)
Untar only takes 13 seconds

Not using Linux?

Trying to encrypt with gpg on Windows 10? You can just install the WSL Ubuntu shell. The Ubuntu home directory can be viewed in windows explorer from command prompt using the environment variable wsl$like this > explorer \\wsl$\Ubuntu\home.


So we see that it is fairly quick to decrypt (38s/GB) and untar (6.3s/GB) a file. But when the file size is larger, is it still as quick?

Task duration to encrypt and decrypt. Duration for larger sizes are extrapolated from the 2 GB experiment.

For scientific RAW files of about 5–10GB, you can expect a ceiling of 20 minutes to encrypt and 7 minutes to decrpyt. This is not too bad for one file, but if we are dealing with dozens of such files we can expect the process to occupy the server for a whole day. The rate limiting step will be the HDD write speed. I was getting speeds of 50-100 MB/s on my older laptop with an SSD.


DIY en/decryption is simple enough to execute with a single command and works well for smaller files. When dealing with datasets that approach terabytes of data, encryption can still be done but note that it will take 1 day to encrypt 1 TB. However, decryption is much quicker and will only take under 2 hours for 1 TB.

Encryption of your sensitive data at rest is a great way to ensure that even if the data falls into bad hands, they will not be able to decrypt and use the data against you.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


HealthTech Scientist who wants to change the world by helping everyone discover their best selves. Once accused of making people think too much.