DEV Community

Cover image for Extensive Guide to Gnu Privacy Guard (GPG)
Emmanuella Sule
Emmanuella Sule

Posted on

Extensive Guide to Gnu Privacy Guard (GPG)

In this write-up, I'll take you on a tour of what a Gnu Privacy Guard is, what it is used for, how to get it installed, and explore some of its features. This is a detailed guide, so I encourage you to use the table of contents to navigate to the information you need easily.

Table of Content

  • What is GPG
  • Use Case
  • How it Works
  • Installing GPG
  • Getting your GPG key pair
    • Updating/Renewing a key Expiration date
    • Changing a key Passphrase
  • Exporting and Importing a key
    • Exporting your public key
    • Importing other's public key
    • Uploading your key to a key server
    • Searching/Retrieving a key from a key server
    • Exporting a private key
  • Encrypting messages
  • Decrypting messages
  • Deleting a key
  • Conclusion

What is GPG

Gnu Privacy Guard(GnuPG or GPG) is an Open Source version of the Pretty Good Privacy(PGP) Cryptographic software suite that is used for file encryption. GPG is based on the OpenPGP encryption standard which makes it compatible with PGP tools.

Use Case

One common use case of GPG is to encrypt files and email messages. GPG converts plain text into complex code of unreadable characters called ciphertext to ensure the secure transmission of information. GPG is also used to sign documents, and Git commits through digital signatures so that the authenticity of messages can be verified.

How It Works

GPG combines symmetric-key cryptography (Secret key) and asymmetric cryptography(Public + Private key) to provide high data protection.

A public and a private key make up a GPG key pair. The private key, which is to be kept secret, is used to decrypt files and sign messages. The public key can be made available to anyone and is used to verify signed messages(signature) or to encrypt messages.

Let's understand how GPG works with the following example:

Say Ammy and John want to share a secret message. Firstly, both of them have to generate their GPG key pair. Then they share their public key either by a key server so that each has the other public key in their Keyring ( a special file that stores a group of public keys used by a certificate authority). Ammy creates the message, encrypts it with John's public key, signs the message using her private key, and then sends it over to John. John receives the encrypted message, decrypts it using his private key, and then uses Ammy's public key to verify that the message is truly from Ammy.

Note that you can only decrypt a message which was encrypted using your public key.

Installing GPG

First, you have to install the GPG command line utility.

To verify if you have GPG, run the following command on your terminal:

gpg --version

If not, follow through the steps to get GPG on your specific OS.

GPG is installed by default on most distributions. If that's not the case, you can install it using your package manager.

for Debian/Ubuntu:

sudo apt install gnupg

The easiest way to install GPG on Mac is to use Mac Homebrew.

brew install gnupg

If you are a Windows user by now, you already know that Windows always tends to complicate things, doesn't it?

If you have GIT BASH installed, then you already have access to GPG. Launch GIT BASH and run the following command to get the version of gpg installed:

gpg --version

If you don't have GIT BASH installed, you can install Gpg4win (GNU Privacy Guard for Windows)

When installing Gpg4win, you can uncheck the other plugins/components if you intend to use the command line interface. Here is a video I find helpful.

Generate GPG Key Pair

To generate your GPG key pair, run the following command:

gpg --full-generate-key

This will start up an interactive question section that will be used to configure your key:

  1. Please select what kind of key you want: go with the default option(1)
  2. What keysize do you want? Choose 4096. choosing a higher bit reduces the risk of the key being compromised by hackers
  3. Key is valid for?: 1y ( means it expires after 1 year). It's a good idea to set one as it can be renewed easily. If your key gets compromised or your laptop gets stolen, you won’t have to worry much because the key will just expire on its own. You can also revoke your key as an option if this should happen
  4. Is this correct? y
  5. Real name: input your real name
  6. Email address:
  7. Comment: Optional comment that will be visible in your signature(you can skip this)
  8. Change (N)ame, ©omment, (E)mail or (O)kay/(Q)uit?: verify all information are correct and enter "O"
  9. Enter passphrase: Enter a secure Passphrase. Write this down somewhere, or use a password manager to save it.

At this point, gpg will generate your key using entropy. Entropy refers to the degree of unpredictability and randomness present within a system. To enhance the randomness of the generating key, gpg encourages you to perform some actions like moving your mouse, typing on the keyboard, etc.

Once your key is generated, you can view it by running the following command. If you have more than one key in your keyring, it will be shown:

gpg --list-keys

gpg list keys

From the preceding image, the pub section indicates the primary key. The primary key is the top-level key, and the certificate is identified by the Key ID of the primary key. The sub section indicates a subkey. A subkey is a key that is stored as a sub-component of another key.

6A303B4CA0B8AE457715DA82F3FAFC9F22F2713E is called the fingerprint.

Key ID, which is a shorthand method for referring to a particular key, is of two types, and both are derived from the fingerprint. The 'short' keyid is the low 32 bits, or last 8 hex digits, of the fingerprint and thus is 22F2713E. The 'long' keyid is the low 64 bits, or last 16 hex digits, of the fingerprint and thus is F3FAFC9F22F2713E.

You can also run the following command to get the short and long keyid:

gpg --list-keys --keyid-format=short
gpg --list-keys --keyid-format=long

Updating/Renewing a Key Expiration date

Take the following command if you wish to update your key expiration date:

gpg --edit-key key-id

This will start up an interactive question section:

  1. key 0: to choose which key to edit
  2. expire
  3. key is valid for (0): 2y
  4. Is this correct?: Y
  5. enter your passphrase.
  6. save

Repeat the preceding process to update the subkey expiration date, but this time, enter key 1.

Changing Key Passphrase

The following steps update your key Passphrase:

  • Run gpg --passwd F3FAFC9F22F2713E
  • Enter the current passphrase.
  • Enter a new passphrase.

Exporting and Importing a Key

GPG will be useless if we can't share our key with the people we wish to communicate with. Up next, we will look at how to export, import, and share GPG keys.

Exporting your Public Key

To export your public key from your keyring, run the following command:

gpg --export -armor key-id

The -amor or -a command-line option outputs the public key in ASCII format.

To export the public key to a file named public_key.asc, run the following:

gpg --export -a F3FAFC9F22F2713E > public_key.asc

If you call the ls -a statement, you will see the file in your current directory. Run cat public_key.asc to view the file. You can then share this file with a correspondent via email or another appropriate method so they can import it into their keyring.

Importing Other User's Public Key

To import a correspondent public key obtained as a text file, named jonh_publickey.asc to your keyring, run the following command:

gpg --import jonh_publickey.asc

Uploading your Key to a Key Server

Key servers are a good place to upload your public key and share it with others. These key servers are used to house people’s public keys from all over the world. There are many public key servers like Ubuntu, GnuPG, OpenPGP, and MIT key servers.

To send your public key to a certain key server from within GPG, run the following command:

gpg --keyserver <key-server> --send-keys <key-id>
gpg --keyserver --send-keys F3FAFC9F22F2713E

Searching / Retrieving a Key from a Key Server

You can search for people by name or email from a public key server, then import the keys that you find to your keyring.

To get a correspondent public key from a key server, you first search for their public key by name or email and then retrieve the public to your keyring:

gpg --keyserver <key-server> --search-keys <search_parameter>
gpg --keyserver --search-keys

If the search returns more than one key, you can specify the number(s) to indicate which key would be imported.

If you know the key ID of a correspondent, you can retrieve its public key from a certain key server:

gpg --keyserver <key-server> --recv-keys <digit-key-id>
gpg --keyserver --recv-keys F3FAFC9F22F2713E

Exporting a Private Key

If you want to use the same GPG key across different machines, you should export your private key as well as your public key. To do this, run the following command:

gpg --export-secrete-key -a > private_key.asc

You will need to enter a passphrase to export the private key. This passphrase will also be used while importing the private key.

Encrypting messages

If you have a message written in a file named message.txt you may want to encrypt it and send it to a correspondent. To encrypt a file, run the following command:

gpg -r F3FAFC9F22F2713E -a -e message.txt

The -e or --encrypt command option encrypts the file. The -r or --recipient option specifies the recipient key ID and the -a option outputs the file in ASCII format.

The file is encrypted with the public key of key ID F3FAFC9F22F2713E and will need the corresponding private key to decrypt the message. The output of the command is stored in a file named message.txt.asc. Again, use the ls -a statement to view this.

To encrypt a message for more than one person, run the following command:
gpg -r<key-id-1>-r<key-id-2> -a -efile.txt

Decrypting Messages

To decrypt a message in a file named reply.txt.asc, the -d or --decrypt command option is used. GPG will automatically select the appropriate private key to decrypt the message. You will also need the passphrase of the associated private key.

gpg -d reply.txt.asc

To decrypt and write the output to a file named reply.txt run the following command:

gpg -d reply.txt.asc > reply.txt

Signing and Verifying a File

As one of the uses of the GPG key pair, you can sign a message to approve it or verify a signature to check its authenticity. To sign a file and not necessarily encrypt it, use the --sign option. The output of the following command would be in a .gpg (binary) format:

gpg --sign message.text

To convert the output of a signature file to an ASCII format, use the --clearsign command option.

gpg --clearsign message.txt

To verify a signature, use the --verify option or --decrypt option( even though the file is not encrypted):

gpg --verify message.txt.asc
gpg --decrypt message.txt.asc

If you want to encrypt and also sign a file, run the following command:
gpg --sign -r F3FAFC9F22F2713E -a -e message.txt

Detached Signing
Until now, we have only encountered signatures that are embedded into the file along with the message. However, it is also possible to have a detached signature file that is separate from the message file. This type of signature is called a detached signature.

They're most common for verifying software to ensure that nobody has tampered with the application other than the actual developer(s) who've signed it.

To create a detached signature, the --detach-sign or -b command option is used
gpg --detach-sign message.txt


There are two ways to verify a detached signature:

1) When the original file(message file) has the same name as the signature file; If the signature file has the same filename as the message file but ends in either .asc (ASCII Armoured) or .gpg (raw binary), then you can simply pass the signature's name to gpg, and it will auto-detect the message filename.

gpg --verify message.txt.asc

2) When the signature file and the message file have different names or are located in different directories, it is important to provide gpg with the names of both files. Place the signature's file name after --verify, and then the original filename after that. 

gpg --verify message.txt.asc message.txt

Deleting a Key

If you wish to remove a correspondent public key or private key from your keyring, run the following commands:

To remove the private key:

gpg --delete-secrete-key key-id

To remove a public key:

gpg --delete-key key-id

Revoking a GPG Key

If your GPG key pair gets compromised or you lose access to your secret key, you would want to revoke or nullify the key.

From GPG 2.1 and above, a revocation certificate is created by default when you create a GPG key pair. For every key pair created using this version, an ASCII armored revocation certificate is generated and saved in a file located in the openpgp-revocs.d directory. This directory can be found within the GnuPG home directory. Each certificate is named after the fingerprint of the corresponding key.

To revoke your key, import the revocation certificate
gpg --import revoke-certificate-name.rev

It is advisable to back up this revocation certificate in a secure and separate location in case your computer gets stolen.

Before I conclude, I just want to point out that there are various different ways to specify a correspondent ID to GPG. The following are some various ways to do so:

  • Using the Key ID in its short format.
  • Using the key ID in its long format.
  • Using the Fingerprint.
  • Using the user's email address.


Wow! You now have the knowledge and skills needed to successfully generate your GPG key pair and start using it. Note that this is not an exhaustive guide to GPG features. Instead, it offers a concise introduction to some of the fundamental aspects of the tool. I encourage you to explore the GPG [manpage].(

If you find this article helpful, please Like/share so it reaches others.
Connect with me on:

Reference Links

Cover image from  Infosec Images

Top comments (0)