GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).
With a working knowledge of GPG you can send encrypted messages over any e-mail or messaging service, and nobody but the intended recipient can read them on the way. Cool, right?
Some users are put off by command-line tools. If you would rather not type commands, graphical frontends exist for almost every operating system (a few are listed at the end of this post).
Each user needs a key pair: a public key, which others use to encrypt messages to you and to check your signatures, and a private key, which you keep secret and use to decrypt and to sign.
The easiest way to understand the process is to look at the picture below (image source: OpenPGP).
So you have to create your private and public key, then learn how to share your public key and how to encrypt and decrypt messages. It is also worth knowing how to sign messages and check the signatures of others. At the beginning it seems complicated; as soon as you get it you'll see how simple it is.
Just run:
gpg --full-generate-key
and follow the instructions on the screen (on GnuPG 1.4 and 2.0 the same dialog is started with gpg --gen-key).
Specify the kind of key you want, or press Enter to accept the default RSA and RSA (a signing primary key plus an encryption subkey).
Enter the desired key size; 4096 is the maximum offered for RSA and a sound choice for a long-lived key.
Enter how long the key should be valid. Pressing Enter (0) gives a key that never expires; setting an expiry such as 2y is the safer habit, because the date can be extended later with --edit-key, while a never-expiring key whose passphrase or revocation certificate you lose keeps looking valid forever.
Verify that your selections are correct.
Enter your user ID information (name, e-mail address and an optional comment); this is the text others see when they list your key.
Choose a strong passphrase. It protects the private key on disk: gpg asks for it whenever you decrypt or sign, while encrypting to others needs only their public key.
If key generation, import or export hangs or fails with an agent error, the usual remedy is to restart gpg-agent:
gpgconf --kill gpg-agent
List the keys for which you have both a public and a private key, showing the long (64-bit) key ID:
gpg --list-secret-keys --keyid-format LONG
Example of output:
From the list, copy the key ID you want to use: the 16 hex digits printed after the algorithm name, e.g. rsa4096/3BB5C34231531BA2. In this example the key ID is 3BB5C34231531BA2. (gpg calls the name/e-mail part of a key its user ID or UID; the key ID is this hexadecimal identifier.)
The public key is the key that you share with others so that they can encrypt the message for you. You can view and copy or export it in several ways. Try each option and compare the results to understand how each option works.
Print the public key in ASCII-armored format:
gpg --armor --export 3BB5C34231531BA2
Copy the key, beginning with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----, and share it with others.
You can also export your public key to file (binary file).
gpg --export 3BB5C34231531BA2 > /tmp/my-public-key
or to a text (ASCII-armored) file:
gpg --armor --export 3BB5C34231531BA2 > /tmp/my-public-key-text
Instead of the key ID you can also select the key by e-mail address or name. gpg then exports every key whose user ID contains that string, so when several keys could match, use the key ID or fingerprint.
gpg --export email@example.com > /tmp/my-public-key
gpg --export user > /tmp/my-public-key
Keep a backup of your private key, e.g. on an encrypted disk; exporting is also how you move the key to another device. Never share your private key with anyone. gpg asks for your passphrase on export and the exported key stays protected by it, but treat the file as secret anyway.
Export to a text (ASCII-armored) file:
gpg --armor --export-secret-keys 3BB5C34231531BA2 > /tmp/my-private-key-text
Export to a binary file:
gpg --export-secret-keys 3BB5C34231531BA2 > /tmp/my-private-key
Importing a key, whether your own private key on another device or somebody's public key, is just as easy:
gpg --import my-private-key
gpg --import any-public-key
If the key is already in your keyring, the import does not fail: gpg reports the key as not changed and merges only what is new (fresh signatures or a revocation, for example). To replace it completely, delete it first. gpg refuses to delete a public key while the matching secret key is still present, so remove the secret key first:
gpg --delete-secret-keys email@example.com
then the public key:
gpg --delete-keys firstname.lastname@example.org
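To see the whole sequence above (generate, list, export, import, delete) work together, here is an added example, not part of the original post, that runs it unattended in throwaway keyrings. It assumes GnuPG 2.1 or later is on PATH; the key owner, e-mail address, paths and helper names (g, gen_key, key_fpr, long_keyid, import_key) are made up for the demo. The batch parameter file answers the same questions as the interactive dialog (key type, size, expiry, user ID, passphrase), and the import helper reads gpg's machine-readable status output instead of its human-readable messages.

```shell
#!/bin/sh
# Added example, not part of the original post: the key lifecycle from the
# sections above (generate, list, export, import, delete) run unattended in
# two throwaway keyrings that stand in for two machines. Assumes GnuPG 2.1+
# on PATH; the person, e-mail address and paths are made up for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK="$(mktemp -d)"
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
# Stop the per-keyring daemons on exit (same remedy as gpgconf --kill above)
trap 'for h in "$ALICE" "$BOB"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# g KEYRING ARGS...: run gpg against one keyring without ever prompting
g() { _h="$1"; shift; GNUPGHOME="$_h" gpg --batch --no-tty --pinentry-mode loopback "$@"; }

# Unattended equivalent of the --full-generate-key dialog. 2048 bits keeps the
# demo fast; use Key-Length: 4096 for a real key, and replace %no-protection
# with "Passphrase: ..." (or drop it and let gpg ask for one).
gen_key() {
  g "$1" --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Alice Example
Name-Email: alice@example.com
Expire-Date: 2y
%commit
EOF
}
# Fingerprint of the first secret key (field 10 of the "fpr" record)
key_fpr() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'; }
# Long key id, as --keyid-format LONG shows it (field 5 of the "pub" record)
long_keyid() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $5; exit}'; }
# Import and report gpg's own verdict: IMPORT_OK 1 = new key, 0 = unchanged
import_key() { g "$1" --status-fd 1 --import "$2" | awk '$2=="IMPORT_OK"{print $3; exit}'; }

gen_key "$ALICE"
FPR="$(key_fpr "$ALICE")"
KEYID="$(long_keyid "$ALICE" "$FPR")"   # == last 16 hex digits of FPR

g "$ALICE" --armor --export "$FPR" > "$WORK/alice.pub.asc"              # share this
g "$ALICE" --export "$FPR"         > "$WORK/alice.pub.gpg"              # same key, binary
g "$ALICE" --armor --export-secret-keys "$FPR" > "$WORK/alice.sec.asc"  # backup only, never share
# Armor is only an encoding: dearmoring the text export gives the binary one
if g "$ALICE" --dearmor < "$WORK/alice.pub.asc" | cmp -s - "$WORK/alice.pub.gpg"
then SAME_MATERIAL=yes; else SAME_MATERIAL=no; fi

# "Bob" imports the public key, once for real and once more by mistake
FIRST="$(import_key "$BOB" "$WORK/alice.pub.asc")"   # 1: new key
AGAIN="$(import_key "$BOB" "$WORK/alice.pub.asc")"   # 0: already known, nothing changes
# What Bob must compare with Alice out of band before he relies on the key
BOB_SEES="$(g "$BOB" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')"

# Removing the key again: the secret part has to go before the public part
g "$ALICE" --yes --delete-secret-keys "$FPR"
g "$ALICE" --yes --delete-keys "$FPR"
LEFT="$(g "$ALICE" --with-colons --list-keys | grep -c '^pub' || true)"

printf 'fingerprint %s\nlong key id %s\nimport: first=%s again=%s\nbob sees    %s\nkeys left   %s\n' \
  "$FPR" "$KEYID" "$FIRST" "$AGAIN" "$BOB_SEES" "$LEFT"
```

Two things this shows that the commands alone do not: the long key ID is literally the last 16 hex digits of the fingerprint (so only the full fingerprint is worth comparing), and a repeated import is reported by gpg as unchanged (IMPORT_OK 0) rather than as an error.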
Example of publishing your public key to a keyserver (use hkps:// so the transfer goes over TLS):
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys 3BB5C34231531BA2
Retrieving a key from the server:
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys 3BB5C34231531BA2
Keyservers do not check who uploads a key, so anyone can publish a key carrying your name and e-mail address. A key fetched from a keyserver is only a candidate: compare its fingerprint with the owner before you use or sign it.
To make sure that a key really belongs to the person it claims to, compare its fingerprint with the owner over a separate channel, for example a telephone call:
gpg --fingerprint 3BB5C34231531BA2
This prints the 40-hex-digit fingerprint as ten groups of four characters. The long key ID is just its last 16 digits (and the short ID the last 8), so only the full fingerprint identifies a key reliably. After importing someone's key, display its fingerprint this way and contact the owner to compare it before you trust or sign the key.
For several reasons you may want to revoke an existing key, for instance because the secret key has been stolen or the passphrase forgotten. Create the revocation certificate while you still can, ideally right after generating the key, and keep it somewhere safe: whoever holds it can revoke your key.
Create the revocation certificate:
gpg --output /tmp/revoke_cert --gen-revoke firstname.lastname@example.org
It is an ASCII-armored block that, like an exported public key, starts like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
(GnuPG 2.1 and later already store such a certificate for every new key under ~/.gnupg/openpgp-revocs.d/.) Importing it like a normal key revokes the key it was generated for; afterwards send the revoked key to the keyservers you published it on, so that others pick up the revocation.
gpg --import /tmp/revoke_cert
Signing a key means stating that you have checked that the key really belongs to the person named in its user ID. Only sign a key when you are ABSOLUTELY SURE it is authentic, i.e. you have compared the full fingerprint with its owner!
gpg --edit-key email@example.com
This opens the interactive mode; there type
sign
and answer the questions (lsign instead of sign makes a local signature that stays in your own keyring and is never exported). You can check the result, the signatures now attached to the key, with
check
then save the changes and quit with
save
The same without the interactive mode: gpg --sign-key email@example.com.
GnuPG determines the validity of a key from the signatures on it and from the "ownertrust" you have assigned. Ownertrust is your own opinion of how carefully the owner of a key checks other people's keys before signing them, i.e. whether you accept that owner's signatures as vouching for third-party keys. Trusting a key in this sense means that you will accept signatures made by it. It is personal information: it is kept in a separate file (trustdb.gpg), not in the key, and is not exported with the key.
Setting the ownertrust:
gpg --edit-key firstname.lastname@example.org
in interactive mode type
trust
and choose a level:
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
then save the changes and quit:
save
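As an added example that is not from the original post, the following script shows what these commands change in gpg's view of a key, using their unattended equivalents: --quick-sign-key for the sign command, --import-ownertrust for the trust menu, and the revocation certificate GnuPG 2.1+ stores in openpgp-revocs.d in place of --gen-revoke. It assumes GnuPG 2.1 or later on PATH; the two people, their e-mail addresses and the helper names (g, mkkey, fpr_of, validity, ownertrust) are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: how certifying (signing) a
# key, setting ownertrust and importing a revocation certificate change what
# gpg reports, with two throwaway keyrings (Alice, Bob). Assumes GnuPG 2.1+,
# which stores a revocation certificate in openpgp-revocs.d at key creation;
# names and e-mail addresses are made up.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK="$(mktemp -d)"; ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"
trap 'for h in "$ALICE" "$BOB"; do GNUPGHOME="$h" gpgconf --kill all 2>/dev/null || GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# g KEYRING ARGS...: run gpg against one keyring without ever prompting
g() { _h="$1"; shift; GNUPGHOME="$_h" gpg --batch --no-tty --pinentry-mode loopback "$@"; }
# One-line unattended key generation (2048 bits only to keep the demo quick)
mkkey() { g "$1" --quiet --passphrase '' --quick-generate-key "$2" rsa2048 default 1y; }
fpr_of() { g "$1" --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'; }
# Validity gpg computed for a key: field 2 of the "pub" record
# ("-"/"q" unknown, "f" full, "u" ultimate, "r" revoked; see doc/DETAILS in GnuPG)
validity()   { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $2; exit}'; }
# Ownertrust you assigned to it: field 9 of the same record ("-" none, "m", "f", "u")
ownertrust() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="pub"{print $9; exit}'; }

mkkey "$ALICE" "Alice Example <alice@example.com>"
mkkey "$BOB"   "Bob Example <bob@example.com>"
AF="$(fpr_of "$ALICE")"

# Bob receives Alice's public key (mail, keyserver, ...) and imports it
g "$ALICE" --armor --export "$AF" > "$WORK/alice.asc"
g "$BOB" --import "$WORK/alice.asc" 2>/dev/null
V0="$(validity "$BOB" "$AF")"     # unknown: nobody Bob trusts has vouched for it

# Bob has compared the fingerprint with Alice over the phone, so he certifies
# the key. --quick-sign-key is the non-interactive form of "sign" in --edit-key.
g "$BOB" --quick-sign-key "$AF"
g "$BOB" --check-trustdb 2>/dev/null
V1="$(validity "$BOB" "$AF")"     # "f": a key Bob signed himself is fully valid

# Ownertrust is Bob's private opinion of Alice as an introducer (how far her
# signatures on other people's keys count). It lives in trustdb.gpg, not in
# the key, so it is set locally; 5 is "I trust fully" in the trust menu.
printf '%s:5:\n' "$AF" | g "$BOB" --import-ownertrust 2>/dev/null
OT="$(ownertrust "$BOB" "$AF")"   # "f"

# Alice's key is compromised. She imports the revocation certificate gpg wrote
# when the key was created (its BEGIN line is prefixed with ":" so the file
# cannot be imported by accident), then redistributes the revoked key.
REV="$ALICE/openpgp-revocs.d/$AF.rev"
sed -n 's/^:\(-----BEGIN\)/\1/; /^-----BEGIN PGP/,/^-----END PGP/p' "$REV" | g "$ALICE" --import 2>/dev/null
g "$ALICE" --armor --export "$AF" > "$WORK/alice-revoked.asc"
g "$BOB" --import "$WORK/alice-revoked.asc" 2>/dev/null
V2="$(validity "$BOB" "$AF")"     # "r": gpg refuses to encrypt to it from now on

printf "validity in Bob's keyring: imported=%s signed=%s revoked=%s; ownertrust=%s\n" "$V0" "$V1" "$V2" "$OT"
```

Note that the ownertrust line never leaves Bob's trustdb: Alice's exported key looks the same before and after it is set, which is the point made above about trust being personal information.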
Encrypting a text file (binary output):
gpg -r recipient --output /tmp/message.gpg --encrypt /tmp/message.txt
recipient selects the public key of the person you are writing to (key ID, fingerprint, e-mail address or name). gpg stops parsing options at the first file name, so keep the options in front of the file. Check your public key list with
gpg --list-keys
To see the signatures on the keys as well, type
gpg --list-sigs
The resulting file is ready to send to your recipient.
To get text you can copy, for example into an e-mail, add --armor (the usual extension for armored output is .asc):
gpg -r recipient --armor --output /tmp/message.asc --encrypt /tmp/message.txt
Now you can open the file or display its contents in the console. Copy the encrypted message, beginning with
-----BEGIN PGP MESSAGE----- and ending with
-----END PGP MESSAGE----- and send it by e-mail or messenger.
Decrypting the message (binary or armored, gpg detects the format):
gpg --decrypt /tmp/message.gpg
gpg asks for the passphrase of your private key and prints the decrypted message to the terminal (add --output FILE to write it to a file instead). If the sender also signed the message, gpg checks the signature at the same time and reports whether it is good.
Signing a message (the output contains the compressed message together with the signature):
gpg --armor --output /tmp/message.sig --sign /tmp/message.txt
Verifying the signature:
gpg --verify /tmp/message.sig
Verifying and extracting the original text at the same time:
gpg --decrypt /tmp/message.sig
In both cases gpg needs the signer's public key in your keyring. Verify the fingerprint of that key; otherwise a "Good signature" only tells you that whoever controls that key signed the message.
To sign in a text form that people without GPG can still read (the message stays as it is, with the signature appended):
gpg --output /tmp/message.asc --clearsign /tmp/message.txt
To sign without modifying the file, with the signature in a separate file (the usual choice for software releases and other binaries):
gpg --output /tmp/message.sig --detach-sign /tmp/message.txt
Then verify by giving both files, the signature first:
gpg --verify /tmp/message.sig /tmp/message.txt
Any change to message.txt, even a single byte, makes the verification fail with BAD signature.
You can also encrypt a file without any keys, using symmetric encryption with a passphrase that you pick for this one message:
gpg --armor --output /tmp/message-sym.asc --symmetric /tmp/message.txt
Then pass the passphrase to the recipient over a separate, secure channel, never together with the message itself; the recipient runs gpg --decrypt on the file and enters it. The encryption is only as strong as the passphrase, so use a long one.
There are several graphical interfaces for the GPG. Here are some examples.
- Windows - Gpg4win
- MacOS - GPG Suite
- Android - OpenKeychain
- Linux - Seahorse as key manager, and the Geany editor with the GeanyPG plugin.
A full list of frontends and software supporting GPG is available on the GnuPG website.