What is GPG used for?

GPG stands for GNU Privacy Guard (GnuPG), a free implementation of the OpenPGP standard. It is used to encrypt files, to apply digital signatures to them, and more generally to protect data at rest and in transit. Depending on your distribution, it is installed from the gpg or gnupg2 package.

Generating keys

The first step in using GPG is to generate a pair of private and public keys, just like with SSH. GPG uses ordinary asymmetric keys: the public key is shared with everyone, and the private key stays with you. In GPG terminology the private key is called the secret key.

# gpg --gen-key

GPG asks three questions: your full name, your email address, and a passphrase (on GnuPG 2.2 and later, gpg --full-generate-key additionally lets you pick the algorithm, key size and expiry). The name and email become the user ID attached to the key, which is how you and your correspondents select it later. The passphrase is what protects the secret key on disk: every operation that uses the secret key, decrypting or signing, asks for it, so choose a strong one and do not lose it; there is no way to recover a key whose passphrase has been forgotten.

While generating keys, GPG needs entropy, and on an idle machine it may ask you to move the mouse or type for a while so the kernel can gather some. This is normal, not weird: the quality of the key depends on it. Older guides recommend running rngd -r /dev/urandom before gpg --gen-key to speed this up. Do not do that: it feeds the kernel's own pseudo-random output back into the entropy pool and merely tells the kernel it has more entropy than it really has, which makes key generation faster without making the keys any better. If generation stalls on a virtual machine, give the guest a real entropy source (for example a virtio-rng device) instead; on current Linux kernels /dev/random no longer blocks once the pool is initialized, and no workaround is needed.

After the keys are generated they are stored in a keyring under the ~/.gnupg/ directory (GnuPG 2.1 and later keep public keys in pubring.kbx and secret keys under private-keys-v1.d/). The keyring holds both your own keys and the public keys of the people you correspond with, so in SSH terms it plays the role of the whole ~/.ssh/ directory (your own key pair plus known_hosts), not of a single file.

Exporting public key

Again, the situation is similar to SSH: once we have generated a private (secret) key and a public key, both sit on our keyring. Now the public key must be shared with anyone who wants to encrypt a file for us (or verify our signatures). Below, <user-id> stands for the name, email address or key ID that selects the key, and <file> for the output file:

# gpg --export <user-id> > <file>

After this is done, you can share the file with anyone; they will be able to encrypt files for us, and we will be able to decrypt them with our private key. The output of --export is binary, and binary attachments are often mangled or rejected by mail systems and chat tools, so while sending the key to a friend you may find that it will not go through. There is no need to regenerate anything: export the same key again with the --armor option added, which produces an ASCII-armored text version that can be pasted anywhere.

Importing keys

When you receive a public key from someone, that key is what you use to encrypt files for that person (and to verify their signatures). Before it can be used it must be added to our own keyring. This is called importing, and it is done with this command:

# gpg --import <file>

Once their public key is on our keyring we can encrypt files with it. Before you do, check the key's fingerprint against one you got from its owner over a trusted channel (in person, by phone, or from a page they control): anyone can generate a key carrying someone else's name and email address, and gpg cannot tell the difference. To view the keys on our keyring (add --fingerprint to see fingerprints), use this command:

# gpg --list-keys

Encrypting and decrypting data

Someone sent us their public key, we have it on our keyring, and now we can encrypt files for them with it. You do this with this command:

# gpg --out encryptedFile --recipient <user-id> --encrypt originalFile.txt

In the example above we first give the name of the encrypted output file, then who will receive it (by name, email address or key ID), and finally which file needs to be encrypted. Only the holder of the matching private (secret) key can decrypt the result. If the recipient's key has not been marked as verified on your keyring, gpg warns that it is not certain the key belongs to that person and asks whether to use it anyway; answer yes only if you have checked the fingerprint. The recipient uses this command to decrypt the file:

# gpg --out mynewfile.txt --decrypt encryptedFile

A straightforward command: decrypt the file called encryptedFile and write the result to a file named “mynewfile.txt”.

Signing messages and verifying signatures

Encryption alone does not tell the recipient who produced a file, nor that it is the file the sender meant to send: anyone who has your public key can encrypt something to you, and a file in transit can be replaced or altered. A digital signature adds that assurance. It is made with the sender's private key, so it proves who signed the file, and it covers the file's contents (plus a creation timestamp), so it proves the content is what the sender signed. If the file is modified in any way, verification fails and gpg alerts the recipient.

To sign a file, use the --sign option. When the file is text that should remain readable, such as an email or a changelog, use --clearsign instead, which keeps the text as-is and appends an ASCII signature block; --detach-sign writes the signature to a separate file next to the original. In all cases gpg signs with your private key and asks for the passphrase that unlocks it (the passphrase protects the key, not the signature). Encrypting the file:

# gpg --out encryptedFile --recipient <user-id> --encrypt secret.txt

Then, to digitally sign it, use this command:

# gpg --out signedEncryptedFile --sign encryptedFile

When the recipient gets this encrypted and signed file, he can check the signature with gpg --verify signedEncryptedFile. Note that signing the ciphertext, as done here, proves who sent the encrypted blob but leaves the signature visible to anyone who sees the file in transit, and it says nothing about the plaintext itself. Signing first and encrypting afterwards, which gpg does in a single step with gpg --sign --encrypt, puts the signature inside the encrypted data, so it covers the plaintext and is seen by the recipient only.

Decrypting digitally signed file

Once we get the file, we must check the signature to make sure it is genuine and unmodified, then decrypt it, and finally read what is inside. First, let's check the signed and encrypted file we received, called signedEncryptedFile, and, if the signature is good, write the payload out as a new file called “encrypted.gpg”. --verify only checks a signature and never writes out the signed data; to check the signature and extract the payload in one go, use --decrypt, which on a signed-only file verifies the signature and outputs its content:

# gpg --out encrypted.gpg --decrypt signedEncryptedFile

After the file is verified, decrypt file with this command:

# gpg --out decrypted.txt --decrypt encrypted.gpg

We told gpg to take the encrypted.gpg file and decrypt it into a new file called “decrypted.txt”, which can now be read. Decrypting also reports on any signature embedded in the data, which is why the one-step --sign --encrypt on the sending side and a single --decrypt on the receiving side is the usual way to do this.

Revoking a key

If your private key has been stolen or compromised, or you have lost it, revoke your public key so that others stop using it:

  1. Generate a revocation certificate.
  2. Import the revocation certificate into your keyring.
  3. Make the revocation available to anyone who has your public key: export the now-revoked public key again and send it to your contacts, or upload it with gpg --send-keys to the keyserver you use, so that their gpg marks the key as revoked too.

Generate the certificate while the key is still in good shape, ideally right after creating it, and keep it somewhere safe and offline: once the secret key is lost or its passphrase forgotten, you can no longer make one. GnuPG 2.1 and later already write one for you at key creation, under ~/.gnupg/openpgp-revocs.d/. To generate a revocation certificate by hand (gpg asks for a reason and a confirmation), use the following command:

# gpg --out key-revocation.asc --gen-revoke <key-id>

After we have the revocation certificate called key-revocation.asc, we can import it into our keyring, after which gpg --list-keys shows the key as revoked:

# gpg --import key-revocation.asc

7 thoughts on “Understanding GPG”
