GPG Tutorial

While there is a great deal of material online regarding gpg, it is pretty hard to find a brief tutorial that explains in layman terms how to set up gpg, how to encrypt and decrypt files. It is important to know what goes behind the scenes and how crypto works. Luckily, the documentation is pretty good and clear. But not brief.

I have decided to write a post, so one can always come back and see what command to use to perform a particular action. Eventually, these commands will be learned. For the reader: I assume you know what cryptography is, what it is used for, and have heard of gpg, etc.


If you don’t have gpg on your system — get it here
A good guide for Mac users here Windows solution — here


To generate public/private keypair:
gpg --gen-key

Enter appropriate values when promped. Opt for 4096-bit key length. Enter 0 so key does not expire if you wish so. To list keys that you have on a system:
gpg --list-keys
gpg --list-secret-keys


Save both your public and private keys somewhere safe! I recommend writing all your ~/.gnupg/ folder to a small-size usb-drive and keep it safe.


As this tutorial recommends:
Creating a revocation key/certificate
A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.
It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box.
You can create a revocation certificate by :
gpg --output revoke.asc --gen-revoke $GPGKEY

The revocation key may be printed and/or stored as a file. Take care to safeguard your revocation key.
Anybody having access to your revocation certificate can revoke your key, rendering it useless.


If you need to create an ASCII version of your public key (to give it to a friend, for example), run this command:
gpg --output mykey.asc --export -a D8FC66D2

where “D8FC66D2” is your key-id


To upload your key to a keyserver, run:
gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2


Encrypt file with symmetric key:
gpg -c file1.txt
gpg -ca file1.txt # for ascii-looking file

You will be prompted to enter passphrase. First command creates file1.txt.gpg Second command creates file1.txt.asc Make sure you keep original unencrypted file safe!


To decrypt:
gpg -d file1.txt.asc

This will output contents to standard output, so if you want to decrypt and write it to file:
gpg -o outputfile -d file1.txt.asc

Enter passphrase. Pay attention to the warning: message was not signed.


To encrypt and sign with your private key:
gpg -csa file1.txt

Enter passphrase for symmetric encryption and passphrase for your private key when prompted. This time warning is: message was not integrity protected.


To encrypt with public key:

gpg -ear your@email.com file1.txt

-e stands for ‘encrypt’
-r is whose public key you want to use. In example above, we encrypted to our own public key, so only we (or people who have out private key :) can decrypt the file. Use your friends email if you want to encrypt with her public key.
-a stands for — armor -> use ascii-looking format.


To decrypt with you private key:
gpg -o outputfile.txt -d file1.txt.asc
# or
gpg -d file1.txt.asc > outputfile.txt

Enter passphrase for you private key.


To import your friends public key (if she posted it on her website or has given it to you):
gpg --import KEYFILE


To trust the key:
gpg --edit key NAME

Type trust


To export a public key to an ascii text file, run:
gpg -a --export NAME > yourpublickey.gpg

To export a private (or secret) key to an ascii text file, run:
gpg -a --export-secret-keys NAME > yourprivatekey.gpg

To delete a public key from the local key ring:
gpg --delete-keys NAME

To delete a secret key from the local key ring:
gpg --delete-secret-key NAME

Keys are referred to by name or partial name. I normally type in the email associated with the key and it always works.


To integrity check and validate the file — create a digital signature. This makes sure that files were not modified:
gpg --ba -u your@email.com file1.txt

Now your friend can verify your signature:
gpg --verify file1.txt.asc


~/.gnupg/gpg.conf is your configuration file.
Look here for list of all the options.
For example, you can set which key to use by default, or encrypt to your own public key by default if to recipient is specified. You can enable/disable verbose console output messages and many other things.


Some more links to good tutorials and guides on gpg:

Originally published 4.27.2014

Vitaliy