How to Properly Use GPG

Note: Any feedback on this entry's information is appreciated.


GPG stands for GNU Privacy Guard. According to Wikipedia, it's a free-software replacement for OpenPGP.

People should care about GPG because it's used to:

GPG works by generating a keypair which is composed of:

To encrypt a message, you'll need the recipient's public key. Once the message has been encrypted, it will be decrypted only by the recipient's private key. To allow the recipient to verify it was you, not an impostor, who sent the message, you can sign the message (this is explained in Encrypt Text).

Note: This assumes you're using a terminal. If you need or prefer a GUI, you can find resources elsewhere.

Generate a Key Pair

To generate a keypair, you must run gpg --gen-key or gpg --full-gen-key. Follow the steps on the screen and keep the default options.

After you're done, run gpg -k to see a list of all the keys on your keyring. Here is an example of what you're looking at:

pub   rsa4096 DATE [SC]
uid           [trust] Your Name <>
sub   rsa4096 DATE [E]

Import Public and/or Private Keys

Before you can send someone a message, you must obtain their public key. You must either ask them for the key, download it if they link to it, or search for their keys on a keyserver. You can also import your own public and private keys if needed.

If you asked or got the recipient's public key, run the following command:

gpg --import name-pub.asc

If you want (or prefer) to search for their public key, run the following command:

gpg --search-keys

gpg: data source:
(1)     Person Name <>
4096 bit RSA key FINGERPRINT, created: DATE

If the output is what you expected, run the following command:

gpg --receive-keys FINGERPRINT

To verify that the newly imported key is in your keyring, run gpg -k.

Encrypt Text

Here is what I do to encrypt messages. This may not be the "correct" or best way to do this, but I opt for this because it's pretty easy for me to remember.

echo "My message here." | gpg --armor --encrypt --sign --user MY_FINGERPRINT --recipient RECIPIENT_FINGERPRINT | xclip

The message will automatically be inserted into your clipboard thanks to xclip. You can now simply send the content to the recipient.

Decrypt Text

If a message was encrypted using your public key, you should simply be able to run the following command:

echo "whole mess of text here lmao" | gpg --decrypt

If, however, it gives you an error, you can just specify what key to use like so:

echo "whole mess of text here lmao" | gpg --decrypt --user FINGERPRINT

Export Public and/or Private Keys

There will be some cases where you'll have or want to export keys, most commonly your own public key so others can send you encrypted messages.

To export a public key, run the following command:

gpg --export --armor FINGERPRINT

To export a private key, run the following command:

gpg --export-secret-keys --armor FINGERPRINT

Note: Exporting private keys will prompt you to input the key's password. This is expected behavior.

Delete Public and/or Private Keys

If you ever need to delete a key from your keyring, run the following commands:

# Delete public key only
gpg --delete-keys FINGERPRINT

# Delete private key only
gpg --delete-secret-keys FINGERPRINT

# Delete public and private keys
gpg --delete-secret-and-public-key FINGERPRINT



Homepage | Blog Page