GPG (GNU Privacy Guard), also known as GnuPG, provides the ability to encrypt data with shared secrets as well as with a public/private key pair. Either method of encryption (also known as symmetric or asymmetric encryption) ensures that the encrypted files can only be decrypted by the intended recipient. The public keys are intended to be just that, public, and there are many systems that broadcast these public keys for discovery purposes.
For reference, here is a list of a few well known gpg keyservers.
- https://keys.openpgp.org/ (note that this example uses hagrid instead of SKS, which is not decentralized meaning you will have to submit directly to this keyserver if you want your key to be discoverable) see this article for more information on SKS and hagrid
Generate a GPG key pair
After installing GPG, if your OS did not come with it already installed, you will first need to generate your own key pair. While not necessary if only encrypting a file for another user, it will be necessary to receive encrypted data or to sign data. To generate a key pair, run the following command:
After running the command, you will be given a few options to select from shown in the screenshot below.
The first question is: Please select what kind of key you want:
- RSA and RSA (default)
- DSA and Elgamal
- DSA (sign only)
- RSA (sign only)
Unless you have a narrowly focused use case, for all intensive purposes go with the default option, RSA and RSA for both signing and encryption.
The second question is: What keysize do you want?
2048, 3072 (the default), and 4096 are all safe options. Some modern systems prefer 4096 and some older hardware devices require 2048, so it really depends on your situation. For this example we will go with the default of 3072. Note that 1024 is no longer considered secure.
The third question is: Key is valid for?
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
It is always a best practice to not have key material laying around forgotten about or unprotected, so use wisdom in selecting an expiration for you key. Many times the pragmatic choice is to not have an expiration and to just revoke the key later if it will not be used any longer.
You will then be prompted to provide identity data including a name, email address, and any comments.
Key generation will proceed using entropy requiring the use of the keyboard or mouse in order to gain enough entropy. In addition to the key being generated, a revocation certificate will be generated along with your public and private key.
Note that the revocation certificate and private key MUST be kept secure.
You may specify a keyserver with an email address to discover a key. There are many different keyservers, and this example will use the commonly used MIT public key server located at pgp.mit.edu. Here is an example of searching the keyserver:
gpg --keyserver pgp.mit.edu --search-keys email@example.com
After discovering the keys, a list will be shown allowing you to select which key to import for later usage.
GPG refresh keys
Occasionally your local database of gpg keys may be out of date and need to be refreshed with a keyserver. You can ask gpg to update your copy. To do so, run the following command:
gpg --keyserver pgp.mit.edu --refresh-keys
gpg export public key
In addition to importing a key from a keyserver, you can also export your newly generated public key to the keyserver for discovery by other users. To export a gpg key, run the following command:
gpg --armor --output public.key --export firstname.lastname@example.org
The ascii public key is as follows:
-----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBGEcA6gBDAC2CArfuZT2nScOUGHwHmp27YlX5MO5039GJ3Z6uWW1S7z3/apA eX5ZznFNuXxixvn0BC2DVjoT9XYzXYJOTtLl+s2ZOLrh2Uw3uvIlYAXl9yFbSRGZ 9YwvU5TAgFN2FHoGFSV3QMjaL5vUlQCpTQ3JekrcES3O3bNUo2i6oZjPUPTFb1Yg kYbJVs0wmY0tccq+BVky85hrfOHjjMoKuO05fMr1Oh8cuwN53NYk0Vu79wAUsdzh cs7c836OR7HqQTc6k/e9Uk3Pfb1s00rrm/DoqQec9iMUOaAJ/LqsqR31hlYXReXu cezATcWlGQ5Hb1b1MXnYzaCB65Fvv1z0bKJZIPLqYBPgALmqP4CDQiJL01ZGBgB1 ZmnoFQf91PDifs2oqf7TUu41Vv5fmusvgPCAI3J3c/onxxlB7J+2Y4V5bkLb38S4 MyNiR1i/bvcJKyLvUDfbnQtSBcK4xTMx+CTH1l3hvOE08ANlhmJ6c8SLC+ENOzKf zM78KCn4mZm8d0UAEQEAAbQfTWlzdGVyIFBLSSA8aW5mb0BtaXN0ZXJwa2kuY29t PokBzgQTAQoAOBYhBCkuhfQyJ+ya5JCSrJNC/vx7F4zgBQJhHAOoAhsDBQsJCAcC BhUKCQgLAgQWAgMBAh4BAheAAAoJEJNC/vx7F4zghoQL/2e3qgYNhy2uMTwVL/gr j20LyMr10qYz1a38dAUjwbtCZZMHsqYzx06uhzldUA1ifbsdCevHLEZ7YnLDLKUU T2dE1txjJPoRp7pPbwqB8op49HmQPC/4ohDFLn11uZqmebVKS12o7J1zW7IQdvrF psrke39mJLrqpxfhAtLfowCUvpuXdwk6eQhhZ2tm8ynoNXUDmOwG0ZR1/h8ScvQj oyEUOA4l8WmjvTcIZA31ysfUuPUUUE3rOPNeO/p4BBD6sFtlYcTRH4srrt/h/4Wh oRVicwtXAlAcsZ3vJdZV0ab5+zsT0qa2cvrMS+rzlRJ8TRTlY6FLglsTede1VHkT tfr2K1Nc/dJqvsUyTsaVXXxu1P4V7paoDTOM7qfbQIOt8JmfhtumWbXW5FVmw1vV i0joLx0T8j3Cz5jdaehLQy7rs/eTOVKzdwA+/M2Ojs8dBfZ/TTfyfDTrUnuIJJBw 6k/mide9qzjEqUvSh9hsqS9XUVCA/DnnxY9MaClfumN70rkBjQRhHAOoAQwAwwnS A04Qoxvlbpj3OWir0Q7Vbi1gNq3LbmnlzSRCeyvnBsGwarNuc2meCajdZR/BS5dN Kp48luhRL1C4rB6KGNJbrtS5K1ExxrGwAEzra7J34pYJZnZn0XDsby4kbGScgu0e H2nk3J+jlhfnF4y+5yIyM4ji6/BFxA9nt9NXN86xSjkGHq2uQ4UrACkxCKIDtz1S uZGflFxekvaCYPsnO0+KRKSsfqUDxw6APrBOwTWHAeYLlnsR3lcQqiHLXcNhbogl QNRuWYkImSY64qh+RmfDd4cUdotwyPgmOcBQoJfcsK9itPXIV0EFIt+vFt1Md+O+ Q28GRUxTlxkIO71GC0/VjP1/cH1EjQPvw3/vkjCi9d7P2BBoaJfPTit5WMHt9GkK jtEzRlJxfj8DVTvHy4IR0CHYikm64N8l3jxgUg/60Ef73GFPzlZO8sqhjOdl57ne odzShPW6f0bRfLJZsKFvGubq7s3JIJLUoDf5Hn/yZ8ZwYmnGB35q5iz0exXjABEB AAGJAbYEGAEKACAWIQQpLoX0MifsmuSQkqyTQv78exeM4AUCYRwDqAIbDAAKCRCT Qv78exeM4ImrC/4pMcpMUeI2heIP8hy8Nsvw3JyIJLM5wnQ0jjmbG9vSbor8rE1M Ark0igTynGRB1YJhc5P39BnMYumlH2dvxYSpaYS4/Sguqwt92gvlT5uoutCkOaly yPwqyN4PKwdnFev1vhG8w6qRo3LssmDuHdwQ6LmsYPzRIRGdzbf3YTlSzTZsf0S9 uB0Dp6KazJJkexH2vY5Y4ExMVFB2mEYpKUJjhOCSP6MhevzfxT/DrivIwwNs6uvC WBlwoXucfhO7k66woakIxRvALEZB5zCUjJWDBSXI4NEYqR+LyHXwD0Wkf8HdXy1i 0WQEBQwM2UMLLij716HWfsUQ1/py7rSOUDyFb9Qh+vUzNO79A3rH0fNGJwTrHo5v N2XFxEeM2ojUSZoKgW3OeW8U/+36OlW+WeClyv51eY1tWF0Iy+XrD9Yg6vsTkVyq lVHLYHW055fquK6suBwv+V25ChOqVu+tz1XWxt34zaVcPaeG89+qEnP00jUohUwe dfj2H8xKeU+SNMQ= =8buc -----END PGP PUBLIC KEY BLOCK-----
Note that if
--armor is not included, the output will be in binary.
Feel free to test gpg encryption with this public key from the key block here or from importing from the keyserver.
After exporting, it’s necessary to upload the key to the keyserver. If using the MIT keyserver, go to pgp.mit.edu and upload your public key using their form. Note that –armor must be used for an ascii representation of your file. Else it will be binary and not usable for text upload.
Alternatively, you may send your keys to the keyserver with the following command (providing the fingerprint as the identifier at the end)
gpg --send-keys --keyserver pgp.mit.edu key_fingerprint
GPG signing a recipient’s public key
This is a difference between gpg encryption and other methods of encryption. GPG has a built in method for signing trusted keys. Once you know a public key being used for encryption belongs to the person you think it does, you may sign it with the following command:
gpg --sign-key email@example.com
Before signing the key though, how do you know it can be trusted? If the intended recipient sent you the key directly, you can be sure, provided they are a trusted party. Else, you may ask the intended recipient to send you the fingerprint of the key. This can be retrieved by running the following command:
gpg --fingerprint firstname.lastname@example.org
Once you’ve determined the key is trusted and signed it, you will no longer be asked if you are sure you want to continue with encryption. If the key is not signed, you may still use it but will be prompted each time to ensure you do indeed want to encrypt data with that key. Signatures on a public key are generally a sign that the key is trusted and that you can also trust it, but beware that many SKS keyserver implementations have been abused with signatures that are essentially spam. Always reach out to the person to verify the fingerprint of their key before trusting it.
GPG import public key
Let us begin with an example of gpg encryption using the intended recipient’s public key. If you have the key file, simply use the –import option with the key file. For example:
gpg --import intended-recipient.key
After the key is imported, the key’s metadata will be shown to you including the email address, name, and key id.
If you do not have a copy of the recipient’s public key, you can get it from a keyserver documented above. If they have not uploaded their key to a keyserver, then they will have to make a way for you to get their public key.
After the key is imported, it is available to be used for encryption.
gpg encrypt file with public key
After importing keys, you are ready to encrypt. For this example, we will encrypt a file to be sent to the intended recipient. Here is an example of encrypting a file named message.txt:
gpg --encrypt -r email@example.com message.txt
-r is shorthand for
--recipient. The encrypted file will be named message.txt.gpg and is ready to be sent via email or some alternative means of communication securely. The only person that can decrypt the file will be the holder of the private key of firstname.lastname@example.org.
Note that the recipient may be an email or a specific key id. gpg will recognize which is which, and the case of multiple keys, just specifying the key id instead of the email may be most convenient. Note that this is true for all options and not just the encrypt option.
gpg encrypt file with shared secret or password
If it’s more convenient and you have a secure way to share a password, you may also simply gpg encrypt a file with the shared secret or password. You may also just be encrypting the file at rest and only you need to know the password. To encrypt a file with just a password, run the following command:
gpg --output message.gpg --symmetric message
gpg encrypt plain text
If you simply have a secret you want to encrypt without having to first create a file to copy it into, you can pipe the secret into your gpg command. Run the following command to encrypt plain text:
echo "secret text" | gpg --encrypt --armor -r email@example.com
Where “secret text” is the text to be encrypted.
These examples will demonstrate how to recover encrypted data by using the gpg decrypt commands.
gpg file decryption with shared secret or password
To decrypt a file encrypted with a password, run the following command:
gpg --decrypt message.txt.gpg
As you can see, the file was automatically recognized as being AES256 encrypted data being encrypted by a passphrase.ls
gpg file decryption with private key
The gpg encrypted file can now only be decrypted by the holder of the private key. To gpg decrypt the file with the private key, run the following command:
gpg --decrypt message.txt.gpg > message.txt
The message.txt file should now be plain text and hold the secret message sent by the person that encrypted it.
gpg on windows
GPG comes pre installed on many linux installations. If it isn’t already installed on your system, use you OS package manager to find the gpg package and install.
To install on Windows, you may use a graphical tool known as gpg4win that pairs closely with Kleopatra.
As you can see in the image above, the menu options are nearly one to one with the command line examples we covered previously in this article.
Sign/Encrypt: Click this option to sign or encrypt a file. Before continuing you must either have or know the location of the intended recipient’s public key being used for encryption.
Decrypt/Verify: Click this option to decrypt an encrypted file or verify a signature.
Import: Import a gpg public key from a file.
Export: Export your generated gpg keys.
Lookup on Server: Discover a gpg key on known keyservers.
As you can see, there is a multitude of use cases and examples for using gpg encryption. Shared keys or passwords are supported as well as a public/private key pair. If you would like to see more examples or have any questions please leave us a comment.