You can encrypt or sign files using private and public keys with GnuPG. Learn all needed commands with this tutorial.

Table of Contents

Introduction

GnuPG uses public-key cryptography to secure communications. In a public-key system, each user has a pair of keys consisting of a private key and a public key. The private key needs to keep secret. The public key may be given to anyone with whom the user wants to communicate.

To use GnuPG to communicate with someone securely, both will need to create a keypair. The sender of the document uses the public key of the recipient to encrypt the document. The recipient will use their private key to decrypt the file.

If you want to sign a document, you use your private key to do it. The recipient will use your public key to verify the signature.

In order to use GnuPG we use the gpg command. You can install a graphical app, like Kleopatra.

Generate a key pair

You can use one of these two commands:

gpg --gen-key
  • You only need to type a name and email for your key. Then, type a password and generate randomness by moving the mouse or by typing on the keyboard.
gpg --full-generate-key
  • You can configure more settings with this command. Set the encryption algorithm, the key size, and the key expiration date. Then, type the same info as in the previous command (name, email). You can add a comment. Type a password and generate randomness with the mouse or keyboard.

You can list your public keys with:

gpg --list-keys

List your secret (private) keys:

gpg --list-secret-keys

Export a public key

To send your public key, you need to export it.

gpg --output john.gpg --export john@example.com
  • You can use the key ID or any part of the key ID or user ID (in this case, the email) in order to identify the key.
  • Once executed, you can share the .gpg file with the recipient or recipients.
  • Add --armor after gpg to export the key as a text file.

Send public key to keyserver

gpg --send-keys <keyIDs>

Import a public or private key

You can import a public or private key to your keyring with the --import option:

gpg --import tom.gpg
  • Add the path of the key (tom.gpg)

You can also import a key from a keyserver. Run gpg --search-keys <names> to search for a public key (<names> are usually email addresses) and gpg --recv-keys <keyIDs> to import the key.

Export a private key

If you need to copy your private key to another place, run:

gpg --armor --output john_priv.gpg --export-secret-keys john@example.com
  • --armor creates a plain text file.

Encrypt a file

Now, you can encrypt a file using the recipient’s public key.

gpg --output encryptedfile.pgp --encrypt --recipient tom@example.com file.doc
  • Add a name for the encrypted file (encryptedfile.pgp), any part of the public key ID or user ID (tom@example.com) and the path of the file you want to encrypt (file.doc).

You can also encrypt files without using public-key cryptography, using a password (by default it uses the AES-128 cipher algorithm):

gpg --output encryptedfile.pgp --symmetric file.doc

To encrypt a message, use --armor:

gpg --encrypt --recipient tom@example.com --armor file.txt
  • This will create file.txt.asc, a text file with the message encrypted.

Decrypt a file

To decrypt a file that was encrypted using your public key, run:

gpg --output file.doc --decrypt encryptedfile.pgp
  • Add the name for the decrypted file (file.doc) and the path of the file you want to decrypt (encryptedfile.pgp).

You can decrypt a message the same way:

gpg --output file.txt --decrypt file.txt.asc

If --output parameter is not used, decrypted data outputs to STDOUT (and gpg processing info to STDERR).

Sign a file

You can sign a file using your private key:

gpg --output signedfile.gpg --sign file.doc
  • You can specify the private key with the -u option (-u john@example.com).
  • This will create a binary version of the file. If you don’t want to modify the original file, you have two options:
    • Clearsigned documents (it will add an ASCII-armored signature around the file content, useful for texts): 
      gpg --clearsign file.txt
    • Detach the signature: 
      gpg --output signedfile.gpg --detach-sig file.doc
  • You can encrypt and sign a file using --encrypt and --sign.

Verify (and decrypt) a signed file

In order to verify and/or decrypt a file, first you need to import the public key of the person who signed the file.

To check the signature, run:

gpg --verify signedfile.gpg
  • If you are using a detached signature, add the signature and the file (in this order).

To check the signature and decrypt the file:

gpg --output decryptedfile.doc --decrypt signedfile.gpg

Delete keys from keyring

To delete a public key:

gpg --delete-keys tom@example.com

To delete a private (secret) key:

gpg --delete-secret-keys john@example.com

If you have any suggestion, feel free to contact me via social media or email.