You can encrypt or sign files using private and public keys with GnuPG. Learn all needed commands with this tutorial.

Table of Contents


GnuPG uses public-key cryptography to secure communications. In a public-key system, each user has a pair of keys consisting of a private key and a public key. The private key needs to keep secret. The public key may be given to anyone with whom the user wants to communicate.

To use GnuPG to communicate with someone securely, both will need to create a keypair. The sender of the document uses the public key of the recipient to encrypt the document. The recipient will use their private key to decrypt the file.

If you want to sign a document, you use your private key to do it. The recipient will use your public key to verify the signature.

In order to use GnuPG we use the gpg command.

Generate a key pair

You can use one of these two commands:

gpg --gen-key
  • You only need to type a name and email for your key. Then, type a password and generate randomness by moving the mouse or by typing on the keyboard.
gpg --full-generate-key
  • You can configure more settings with this command. Set the encryption algorithm, the key size, and the key expiration date. Then, type the same info as in the previous command (name, email). You can add a comment. Type a password and generate randomness with the mouse or keyboard.

You can list your public keys with:

gpg --list-keys

Export a public key

To send your public key, you need to export it.

gpg --output john.gpg --export [email protected]
  • You can use the key ID or any part of the key ID or user ID (in this case, the email) in order to identify the key.
  • Once executed, you can share the .gpg file with the recipient or recipients.

Import a public or private key

You can import a public or private key to your keyring with the --import option:

gpg --import tom.gpg
  • Add the path of the key (tom.gpg)

Export a private key

If you need to copy your private key to another place, run:

gpg --output john_priv.gpg --export-secret-keys --armor
  • --armor creates a plain text file.

Encrypt a file

Now, you can encrypt a file using the recipient’s public key.

gpg --output encryptedfile.gpg --encrypt --recipient [email protected] file.doc
  • Add a name for the encrypted file (encryptedfile.gpg), any part of the public key ID or user ID ([email protected]) and the path of the file you want to encrypt (file.doc).

You can also encrypt files without using public-key cryptography, using a password (by default it uses the AES-128 cipher algorithm):

gpg --output encryptedfile.gpg --symmetric file.doc

Decrypt a file

To decrypt a file that was encrypted using your public key, run:

gpg --output file.doc --decrypt [email protected] encryptedfile.gpg
  • Add the name for the decrypted file (file.doc), the key ID or any part of it ([email protected]) and the path of the file you want to decrypt (encryptedfile.gpg).

To decrypt files encrypted with a password (symmetric cipher):

gpg --output file.doc --decrypt encryptedfile.gpg

Sign a file

You can sign a file using your private key:

gpg --output signedfile.gpg --sign file.doc
  • You can specify the private key with the -u option (-u [email protected]).
  • This will create a binary version of the file. If you don’t want to modify the original file, you have two options:
    • Clearsigned documents (it will add an ASCII-armored signature around the file content, useful for texts):
      gpg --clearsign file.txt
    • Detach the signature:
      gpg --output signedfile.gpg --detach-sig file.doc
  • You can encrypt and sign a file using --encrypt and --sign.

Verify (and decrypt) a signed file

In order to verify and/or decrypt a file, first you need to import the public key of the person who signed the file.

To check the signature, run:

gpg --verify signedfile.gpg
  • If you are using a detached signature, add the signature and the file.

To check the signature and decrypt the file:

gpg --output decryptedfile.doc --decrypt signedfile.gpg

Delete keys from keyring

To delete a public key:

gpg --delete-keys [email protected]

To delete a private (secret) key:

gpg --delete-secret-keys [email protected]