What is GPG?

GNU Privacy Guard (GPG) is one of the most widely used tools for securing emails, files, and other digital communications. In an era where privacy is constantly under threat, strong encryption is no longer optional; it is essential. Built on the OpenPGP standard, GPG offers powerful encryption capabilities while remaining free and open-source.

However, encryption is only as strong as the key management practices behind it. Poorly handled keys can lead to data leaks, unauthorised access, and even identity compromise. In this post, we’ll explore the fundamentals of GPG cryptography, how it ensures secure communication, and the best practices for managing encryption keys effectively. Whether you’re an IT professional, a security enthusiast, or just getting started with encryption, understanding GPG and key management will strengthen your digital defences.

How Does GPG Work?

GPG operates on two fundamental principles of cryptography:

  1. Public-Key Cryptography: Each user has a pair of keys: a public key that can be shared openly and a private key that must be kept secret. The public key is used to encrypt messages, while the private key decrypts them, ensuring that only the intended recipient can read the content.
  2. Symmetric Encryption: For bulk data encryption, GPG uses a symmetric key generated for each session. This symmetric key is then encrypted with the recipient’s public key, combining speed with strong security.

By leveraging these techniques, GPG enables secure communication even over potentially insecure channels.

Why Use GPG?

GPG offers several advantages:

  • Data Confidentiality: Messages and files are encrypted, making them unintelligible to unauthorised parties.
  • Authentication: Digital signatures verify the identity of the sender, ensuring the message’s authenticity.
  • Integrity: Cryptographic checks prevent tampering and ensure the content remains unchanged during transmission.

Install GPG and Generate a GPG Keypair

To begin using GPG for cryptography, you’ll need to install the GPG software and generate your keypair.

sudo apt install gpg -y
gpg --full-generate-key

After generating your keypair, you can list the long form of the GPG keys for which you have both public and private keys:

gpg --list-secret-keys --keyid-format=long

Example output:

/home/netadmin/.gpg/pubring.kbx
-------------------------------
sec 4096R/3AA5C34371567BD2 2016-03-10 [expires: 2025-04-19]
uid duke <dukemai@gmail.com>
ssb 4096R/4BB6D45482678BE3 2016-03-10

Manage Your GPG Keypair

Backup Your GPG Keys

Protect your keypair by backing it up securely:

gpg --export --armor <fingerprint> --output pubkey.asc
gpg --export-secret-keys --armor <fingerprint> --output privkey.asc

Here <fingerprint> can be the long form of the GPG key ID (e.g., 3AA5C34371567BD2 from the listing above) or the email address associated with the key (e.g., dukemai@gmail.com).

Archive your private keys:

tar zcvf private-keys.tgz privkey.asc

Encrypt the archive with a master password:

openssl aes-256-cbc -salt -pbkdf2 -in private-keys.tgz -out private-keys.tgz.enc

Note: The encrypted file private-keys.tgz.enc can be publicly shared, as it is secured by the master password. Its confidentiality then rests entirely on that password, so choose a long, unique one.

Restore the GPG Keys

If you need to restore your backup, download the encrypted archive, decrypt it, and extract the private key with the following commands:

wget -P "$HOME/.gpg" <URL-of-your-backup>/private-keys.tgz.enc &&
openssl aes-256-cbc -salt -pbkdf2 -in "$HOME/.gpg/private-keys.tgz.enc" -out "$HOME/.gpg/private-keys.tgz" -d &&
tar zxvf "$HOME/.gpg/private-keys.tgz" -C "$HOME/.gpg" &&
rm "$HOME/.gpg/private-keys.tgz"

Replace <URL-of-your-backup> with the location where you stored private-keys.tgz.enc; the -P option tells wget which directory to save the download into.

Import Your Keypairs

To import your backed-up keypair:

gpg --import pubkey.asc
gpg --allow-secret-key-import --import privkey.asc

If necessary, mark the keys as trusted in the interactive key editor (the trust command at the gpg> prompt):

gpg --edit-key <fingerprint>

GPG Cryptography

Encrypt Messages with GPG

Sign a file or message with your key and encrypt it to a recipient (the long and short option forms below are equivalent):

gpg --armor --sign --encrypt --recipient <name> path/to/file
gpg -a -s -e -r <name> path/to/file

The output file will have the same name as the input file with .asc appended (for example, file.txt becomes file.txt.asc).

Decrypt Messages with GPG

Decrypt an encrypted file:

gpg --decrypt path/to/file.asc
gpg -d path/to/file.asc

Import Another User’s GPG Key

To import another user’s key, you can retrieve it directly from a key server:

gpg --recv-keys <keyID>

Or search for their key using:

gpg --search-keys <name>