encryption, cryptography, gnupg

gnupg - need to be able to decrypt, without being able to encrypt


What I need to do is this:

  • at my server: get a file and encrypt it
  • at many remote devices: decrypt the file (I don't need to check authenticity/signature)

I can't give the remote devices the ability to encrypt!

What I did -- Step 1 -- key preparation:

  • at my notebook:
      gpg --gen-key
      gpg --armor --export KEYNUMBER > key.pub
      gpg --armor --export-secret-key KEYNUMBER > key.priv
  • at my server:
      gpg --import < key.pub
  • at remote devices:
      gpg --import < key.priv

What I did -- Step 2 -- encrypt the file:

  • at my server:
      gpg --armor --encrypt --recipient KEYNUMBER < file.orig > file.asc
  • at remote devices:
      gpg --decrypt < file.asc > file.out

All works OK this way. As I wished.

But if I do "gpg --armor --encrypt --recipient KEYNUMBER < file.orig > file.asc" at the remote devices, this is generated successfully. I don't want the remote device to be able to encrypt. It is supposed only to decrypt.

Any hints about how to solve this?

Thanks,


Solution

  • You should ask yourself why you don't want the remote device to be able to encrypt. On the one hand you say that you don't need authentication, but OTOH you probably want to achieve some kind of authentication by ensuring that only the server is able to encrypt. So if you need authentication and integrity protection, use the mechanisms that are designed for it, namely digital signatures. If you don't need authentication, don't worry about the devices being able to encrypt messages.
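The answer's point, worked through as an added example (this script is not part of the original post and is not the asker's setup): the server gets its own signing key pair and the device its own decryption key pair, only public keys cross between them, and the device accepts a file only when it decrypts AND carries a valid signature from the server's fingerprint. It assumes GnuPG 2.1 or later is on PATH; the two keyring directories, the addresses server@example.test / device@example.test and the sample files are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.1+ on PATH.
# Key names, addresses and files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
SERVER_HOME="$WORK/server"   # stands in for the server's keyring
DEVICE_HOME="$WORK/device"   # stands in for one remote device's keyring
mkdir -p "$SERVER_HOME" "$DEVICE_HOME"
chmod 700 "$SERVER_HOME" "$DEVICE_HOME"
# Let the demo supply (empty) passphrases without a pinentry dialog.
echo allow-loopback-pinentry > "$SERVER_HOME/gpg-agent.conf"
echo allow-loopback-pinentry > "$DEVICE_HOME/gpg-agent.conf"
cleanup() {
    gpgconf --homedir "$SERVER_HOME" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$DEVICE_HOME" --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT

# Non-interactive gpg wrappers, one per keyring.
gpg_server() { gpg --homedir "$SERVER_HOME" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }
gpg_device() { gpg --homedir "$DEVICE_HOME" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

# Key preparation: each side generates its own pair; only PUBLIC keys cross the boundary.
# The device keeps its secret key (so it can decrypt) but never holds the server's.
gpg_server --quick-gen-key 'server@example.test' default default never
gpg_device --quick-gen-key 'device@example.test' default default never
gpg_server --armor --export 'server@example.test' | gpg_device --import
gpg_device --armor --export 'device@example.test' | gpg_server --import
SERVER_FPR=$(gpg_server --with-colons --list-keys 'server@example.test' | awk -F: '$1=="fpr"{print $10; exit}')

# Server side: sign with the server key, then encrypt to the device key.
send_from_server() {   # $1 plaintext, $2 output message
    gpg_server --yes --trust-model always --armor --local-user 'server@example.test' \
        --recipient 'device@example.test' --output "$2" --sign --encrypt "$1"
}

# Device side: decrypt, then keep the plaintext only if gpg reports a VALIDSIG
# made by the server's fingerprint (signing key or its primary). Returns 1 otherwise.
receive_on_device() {  # $1 message, $2 output plaintext
    status="$WORK/status.$$"
    gpg_device --yes --status-file "$status" --output "$2" --decrypt "$1" 2>/dev/null || return 1
    awk -v f="$SERVER_FPR" '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==f || $NF==f){ok=1} END{exit !ok}' \
        "$status" || { rm -f "$2"; return 1; }
}

# The question's scenario: a device holding a decryption key can still encrypt, and can
# even sign with its own key. What it cannot do is produce the server's signature.
demo() {
    printf 'hello from the server\n' > "$WORK/plain.txt"
    send_from_server "$WORK/plain.txt" "$WORK/legit.asc"
    gpg_device --trust-model always --armor --recipient 'device@example.test' \
        --output "$WORK/unsigned.asc" --encrypt "$WORK/plain.txt"
    gpg_device --trust-model always --armor --local-user 'device@example.test' \
        --recipient 'device@example.test' --output "$WORK/selfsigned.asc" --sign --encrypt "$WORK/plain.txt"
    r1=rejected; r2=rejected; r3=rejected
    receive_on_device "$WORK/legit.asc"      "$WORK/out1.txt" && r1=accepted
    receive_on_device "$WORK/unsigned.asc"   "$WORK/out2.txt" && r2=accepted
    receive_on_device "$WORK/selfsigned.asc" "$WORK/out3.txt" && r3=accepted
    echo "server-signed=$r1 unsigned=$r2 device-signed=$r3"
}
```

Running `demo` prints `server-signed=accepted unsigned=rejected device-signed=rejected`: the device can produce ciphertext all day, but nothing it makes passes the fingerprint check, which is exactly the property the asker was trying to get by withholding the encryption capability. Note that `gpg --decrypt` alone exits 0 for an unsigned message, so the check on the `VALIDSIG` status line is what turns "decrypts fine" into "comes from the server".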