Linux terminal window on a laptop
Fatmawati Achmad Zaenuri/

Protect your privacy with the Linux gpg command. Use world-class encryption to keep your secrets safe. We’ll show you how to use gpg to work with keys, encrypt files, and decrypt them.

GnuPrivacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them. Specifically, GPG complies with the OpenPGP standard. It is modeled on a program called Pretty Good Privacy (PGP). PGP was written in 1991 by Phil Zimmerman.

GPG relies on the idea of two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that was encrypted using the private key.

To send a file securely, you encrypt it with your private key and the recipient’s public key. To decrypt the file, they need their private key and your public key.

You’ll see from this that public keys must be shared. You need to have the public key of the recipient in order to encrypt the file, and the recipient needs your public key to decrypt it. There is no danger in making your public keys just that—public. In fact, there are Public Key Servers for that very purpose, as we shall see. Private keys must be kept private. If your public key is in the public domain, then your private key must be kept secret and secure.

There are more steps involved in setting up GPG than there are in using it. Thankfully, you usually need only set it up once.

Generating Your Keys

The gpg command was installed on all of the Linux distributions that were checked, including Ubuntu, Fedora, and Manjaro.

You don’t have to use GPG with email. You can encrypt files and make them available for download, or pass them physically to the recipient. You do need to associate an email address with the keys you generate, however, so choose which email address you are going to use.

Here is the command to generate your keys. The --full-generate-key option generates your keys in an interactive session within your terminal window. You will also be prompted for a passphrase. Make sure you remember what the passphrase is. Three or four simple words joined together with punctuation is a good and robust model for passwords and passphrases.

gpg --full-generate-key

You will be asked to pick an encryption type from a menu. Unless you have a good reason not to, type 1 and press Enter.

You must choose a bit-length for the encryption keys. Press Enter to accept the default.

You need to specify how long the key should last. If you are testing the system, enter a short duration like 5 for five days. If you are going to keep this key, enter a longer duration like 1y for one year. The key will last 12 months and so will need renewing after one year. Confirm your choice with a Y.

You must enter your name and your email address. You can add a comment if you wish.

You will be prompted for your passphrase. You will need the passphrase whenever you work with your keys, so make sure you know what it is.

gpg passphrase window

Click the OK button when you have entered your passphrase. You’ll see this window as you work with gpg, so make sure you remember your passphrase.

The key generation will take place, and you will be returned to the command prompt.

Generating a Revocation Certificate

If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.

The --output option must be followed by the filename of the certificate you wish to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must provide the email address that you used when the keys were generated.

gpg --output ~/revocation.crt --gen-revoke

You will be asked to confirm you wish to generate a certificate. Press Y and hit Enter.  You will be asked for the reason you are generating the certificate. As we’re doing this ahead of time, we don’t know for sure. Press 1 as a plausible guess and hit Enter.

You can enter a description if you wish. Press Enter twice to end your description.

You will be asked to confirm your settings, press Y and hit Enter.

The certificate will be generated. You will see a message reinforcing the need to keep this certificate safe.

It mentions someone called Mallory. Cryptography discussions have long used Bob and Alice as the two people communicating. There are other supporting characters. Eve is an eavesdropper, Mallory is a malicious attacker. All we need to know is we must keep the certificate safe and secure.

As a minimum, let’s remove all permissions apart from ours from the certificate.

chmod 600 ~/revocation.crt

Let’s check with ls to see what the permission are now:

ls -l

That’s perfect. No one apart from the file owner—us—can do anything with the certificate.

Importing Someone Else’s Public Key

To encrypt a message so that only the recipient can decrypt it, we must have the recipient’s public key.

If you have been provided with their key in a file, you can import it with the following command. In this example, the key file is called “mary-geek.key.”

gpg --import mary-geek.key

The key is imported, and you are shown the name and email address associated with that key. Obviously, that should match the person you received it from.

There is also the possibility that the person you need a key from has uploaded their key to a public key server. These servers store people’s public keys from all over the world. The key servers synchronize with one another periodically so that keys are universally available.

The MIT public key server is a popular key server and one that is regularly synchronized, so searching there should be successful. If someone has only recently uploaded a key, it might take a few days to appear.

The --keyserver option must be followed by the name of the key server you wish to search. The --search-keys option must be followed by either the name of the person you are searching for or their email address.  We’ll use the email address:

gpg --keyserver --search-keys

Matches are listed for you and numbered. To import one, type the number and press Enter. In this case, there is a single match, so we type 1 and press Enter.

The key is imported, and we are shown the name and email address associated with that key.

Verifying and Signing a Key

If you have been handed a public key file by someone known to you, you can safely say it belongs to that person. If you’ve downloaded it from a public key server, you may feel the need to verify that the key belongs to the person it is meant to.

The --fingerprint option causes gpg to create a short sequence of ten sets of four hexadecimal characters. You can ask the person to send you the fingerprint of their key.

You can then use the --fingerprint option to generate the same fingerprint sequence of hexadecimal characters and compare them. If they match, you know that the key belongs to that person.

gpg --fingerprint

The fingerprint is generated.

When you’re satisfied that the key is genuine and is owned by the person it is supposed to be associated with, you can sign their key.

If you don’t do this, you can still use it to encrypt and decrypt messages from and to that person. But gpg will ask you every time whether you wish to proceed because the key is unsigned. We’ll use the aptly named --sign-key option and provide the email address of the person, so that gpg knows which key to sign.

gpg --sign-key

You’ll see information about the key and the person, and will be asked to verify you really want to sign the key. Press Y and hit Enter to sign the key.

How To Share Your Public Key

To share your key as a file, we need to export it from the gpg local key store. To do this, we’ll use the --export option, which must be followed by the email address that you used to generate the key. The --output option must be followed by the name fo the file you wish to have the key exported into. The --armor option tells gpg to generate ASCII armor output instead of a binary file.

gpg --output ~/dave-geek.key --armor --export

We can take a look inside the key file with less.

less dave-geek.key

The key is shown in all its glory:

You can also share your public key on a public key server. The --send-keys option sends the key to the keyserver. The --keyserver option must be followed by the web address of the public key server. To identify which key to send, the fingerprint for the key must be provided on the command line. Note there are no spaces between the sets of four characters.

(You can see the fingerprint for your key by using the --fingerprint option.)

gpg --send-keys --keyserver 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4

You’ll get confirmation that the key has been sent.

Encrypting FIles

We’re finally ready to encrypt a file and send it to Mary. The file is called Raven.txt.

The --encrypt option tells gpg to encrypt the file, and the --sign option tells it to sign the file with your details. The --armor option tells gpg to create an ASCII file. The -r (recipient) option must be followed by the email address of the person you’re sending the file to.

gpg --encrypt --sign --armor -r

The file is created with the same name as the original, but with “.asc” appended to the file name. Let’s have a look inside it.

less Raven.txt.asc

The file is completely illegible, and can only be decrypted by someone who has your public key and Mary’s private key. The only person to have both of those should be Mary.

We can now send the file to Mary confident that no one else can decrypt it.

Decrypting Files

Mary has sent a reply. It is in an encrypted file called coded.asc. We can decrypt it very easily using the --decrypt option. We are going to redirect the output into another file called plain.txt.

Note that we don’t have to tell gpg who the file is from. It can work that out from the encrypted contents of the file.

gpg --decrypt coded.asc > plain.txt

Let’s look at the plain.txt file:

less plain.txt

The file has been successfully decrypted for us.

Refreshing Your Keys

Periodically, you can ask gpg to check the keys it has against a public key server and to refresh any that have changed. You might do this every few months or when you receive a key from a new contact.

The --refresh-keys option causes gpg to perform the check. The --keyserver option must be followed by the key server of your choice. Once the keys have been synchronized between the public key servers, it shouldn’t matter which one you choose.

gpg --keyserver --refresh-keys

gpg responds by listing the keys it checks and letting you know if any have changed and been updated.

Privacy is a Hot Topic

Privacy is never far from the news these days. Whatever your reasons for wanting to keep your information secure and private, gpg provides a simple means to apply incredibly strong encryption to your files and communications.

There are other ways to use gpg. You can get a plugin for Thunderbird called Enigmail. It hooks right into your gpg configuration to allow you encrypt email messages from inside Thunderbird.

RELATED: Best Linux Laptops for Developers and Enthusiasts

Profile Photo for Dave McKay Dave McKay
Dave McKay first used computers when punched paper tape was in vogue, and he has been programming ever since. After over 30 years in the IT industry, he is now a full-time technology journalist. During his career, he has worked as a freelance programmer, manager of an international software development team, an IT services project manager, and, most recently, as a Data Protection Officer. His writing has been published by,,, and Dave is a Linux evangelist and open source advocate.
Read Full Bio »