Linux: GNU GPG Usage Guide
The GNU GPG (GNU Privacy Guard) encryption tool can help protect your data from prying eyes. This guide will walk you through the basics of using GPG to create and manage encryption keys, encrypt and decrypt files, and exchange secure messages.
This guide is complemented by the following articles:
- Linux: GNU GPG Usage Guide (English) or Linux: Guia de Uso do GNU GPG (Brazilian Portuguese)
- IBM Sterling: Guide to Using PGP Native for Secure Data Exchange on IBM Sterling B2Bi
- IBM Sterling: Guide to Using PGP Native for Secure Data Exchange on IBM Sterling Filegateway
What is GNU GPG?
GNU Privacy Guard, often abbreviated as GPG, is an open source implementation of the PGP (Pretty Good Privacy) encryption standard. It offers a solid and reliable method for encrypting and digitally signing data. GPG uses a combination of public and private keys to guarantee the confidentiality and authenticity of your messages and files.
Getting Started with GPG
Creating your Key Pair
The basis of GPG is the key pair: a public key and a private key. The public key is used for encryption while the private key is used for decryption.
To create your key pair, we will use the command below, enter the values in bold
gpg --full-generate-key
gpg (GnuPG) 2.3.3; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sun 14 Sep 2025 12:39:48 PM PDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Darth Vader Email address: [email protected] Comment:
You selected this USER-ID:
"Darth Vader <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Provide a passphrase to secret key
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 2559F227B6467805 marked as ultimately trusted
gpg: directory '/home/darthvader/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/darthvader/.gnupg/openpgp-revocs.d/8E518A1F4F7E8CC13867B82F2559F227B6467805.rev'
public and secret key created and signed.
pub rsa2048 2023-09-15 [SC] [expires: 2025-09-14]
8E518A1F4F7E8CC13867B82F2559F227B6467805
uid Darth Vader <[email protected]>
sub rsa2048 2023-09-15 [E] [expires: 2025-09-14]
Listing your Public Keys
To view the keys you created or imported, use the following command:
# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-09-14
/home/darthvader/.gnupg/pubring.kbx
------------------------
pub rsa2048 2023-09-15 [SC] [expires: 2025-09-14]
8E518A1F4F7E8CC13867B82F2559F227B6467805
uid [ultimate] Darth Vader <[email protected]>
sub rsa2048 2023-09-15 [E] [expires: 2025-09-14]
Listing your Private Keys
To view the keys you created or imported, use the following command:
[root@moth1 ~]# gpg --list-secret-keys
/home/darthvader/.gnupg/pubring.kbx
------------------------
sec rsa2048 2023-09-15 [SC] [expires: 2025-09-14]
8E518A1F4F7E8CC13867B82F2559F227B6467805
uid [ultimate] Darth Vader <[email protected]>
ssb rsa2048 2023-09-15 [E] [expires: 2025-09-14]
Exporting your Public Key
You may need to share your public key with others so they can encrypt messages or files for you. To export your public key, run the following command:
gpg --armor --export [email protected] > darthvader.pubkey.asc
checking
cat darthvader.pubkey.asc -----BEGIN PGP PUBLIC KEY BLOCK----- mQENBGUEsxgBCADXsgnK555XrHYh5hEtlmc7QFsCCs6n6kVoiHiXvifiAS8ZHW5m .. -----END PGP PUBLIC KEY BLOCK-----
This command exports your public key in ASCII-armored format, which is a human-readable version of the key.
Importing a Public Key
To import another person/partner's public key, save the key in a file (e.g. key_publica_partner.asc) and use the following command:
gpg --import chave_publica_parceiro.asc
This will add their key to your keychain, allowing you to encrypt messages/files for them.
Encrypting and Decrypting Files
Encrypting a File
To encrypt a file using GPG, you will use the recipient's public key. Suppose you want to encrypt a file called meu_secreto.txt for a recipient with the email address [email protected] . Run:
gpg --encrypt --recipient [email protected] --output meu-arquivo.txt.gpg meu-arquivo.txt
This will create an encrypted file called my-file.txt.gpg.
Decrypting a File
To decrypt an encrypted file, you will need your private key and the password associated with it. Run the following command:
gpg --decrypt meu-arquivo.txt.gpg > meu-arquivo.txt
You will be asked to enter your password and upon successful entry, the decrypted file my_secret.txt will be created.