Introduction

From the official GnuPG website:

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP).

A GPG key (GNU Privacy Guard key) is a cryptographic key used for:

  1. Encrypting and decrypting data – to ensure confidentiality.
  2. Signing data and verifying signatures – to ensure authenticity and integrity.

How it works (simple breakdown)

  • You generate a GPG key pair: one public, one private.
  • You:
    • Encrypt with the recipient’s public key → only they can decrypt (with their private key).
    • Sign with your private key → others can verify it’s from you (with your public key).
    • Combined: only the recipient can decrypt the message, and they can also verify that it is from you.

Common GPG commands

Generate a new key

gpg --full-gen-key

Or, for a quick start:

gpg --gen-key

List your keys

To list keys in your public key ring:

gpg --list-keys

To list keys in your secret key ring:

gpg --list-secret-keys

Export your public key

gpg --export --armor --output public-key.asc user-id

Import someone else’s key

gpg --import public-key.asc

Encryption and decryption

Encrypt a file

gpg --encrypt --recipient recipient@example.com file.txt

Only the recipient, with his/her private key, can decrypt file.txt.

Decrypt a file

gpg --output file.txt --decrypt file.txt.gpg

Maintenance

Back up your private key

gpg --export-secret-keys --armor --output private-key.asc user-id

Import a backed-up private key

gpg --import private-key.asc

Signatures

Signatures are created using the sender’s private key and are then verified using the sender’s public key.

Sign a file

gpg --sign file.txt

The generated file.txt.sig contains both the compressed content of the original file file.txt and the signature in a binary format, but the file is not encrypted.

Clearsign a file or message

gpg --clearsign file.txt

Here both the content of the original file file.txt and the signature are stored in human-readable form in file.txt.sig.

Make a detached signature

gpg --detach-sig file.txt

Here the signature is stored in file.txt.sig, but the contents of file.txt are not stored in it.

Verify a signature

gpg --verify file.txt.sig

Where file.txt.sig is the signed file containing the signature you wish to verify.

Verify a detached signature

When verifying a detached signature, both the data file and the signature file must be present.

gpg --verify file.txt.sig

Note: file.txt must be present in the same directory.
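
A plain gpg --verify succeeds for a good signature from any key in the keyring, so a script usually also checks which key signed. The following is an added example, not part of the original page, and it goes one step beyond the commands above: it makes a detached signature in a throwaway keyring and accepts it only if the signer's fingerprint matches a pinned value. It assumes GnuPG 2.1 or later; the function names, the signer@example.com identity and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names, the
# signer@example.com identity and the sample file are constructed.

# Run gpg non-interactively against a throwaway keyring directory ($1).
gpg_tmp() {
  local home=$1; shift
  gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' "$@"
}

# Create a short-lived, passphrase-less signing key; print its fingerprint.
make_test_key() {
  gpg_tmp "$1" --quick-generate-key 'Demo Signer <signer@example.com>' \
    ed25519 sign 1d >/dev/null 2>&1 || return 1
  gpg_tmp "$1" --with-colons --with-fingerprint --list-keys signer@example.com |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_pinned HOME SIG DATA FPR: succeed only if SIG is a good detached
# signature over DATA *and* was made by the key whose fingerprint is FPR.
verify_pinned() {
  local status
  status=$(gpg_tmp "$1" --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
  # Status line: [GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>
  printf '%s\n' "$status" |
    awk -v want="$4" '$2 == "VALIDSIG" && $NF == want { ok = 1 } END { exit !ok }'
}

demo() {
  local home fpr f
  home=$(mktemp -d) || return 1          # isolated keyring, removed at the end
  f=$home/file.txt
  fpr=$(make_test_key "$home") || return 1
  printf 'release notes, build 1\n' > "$f"   # constructed sample data
  gpg_tmp "$home" --output "$f.sig" --detach-sig "$f"
  verify_pinned "$home" "$f.sig" "$f" "$fpr" && echo "pinned signer: accepted"
  verify_pinned "$home" "$f.sig" "$f" "$(printf '%040d' 0)" || echo "wrong fingerprint: rejected"
  printf 'extra line\n' >> "$f"          # change the data after signing
  verify_pinned "$home" "$f.sig" "$f" "$fpr" || echo "modified file: rejected"
  gpgconf --homedir "$home" --kill gpg-agent
  rm -rf "$home"
}

# Run the demo only when the script is invoked with the argument "demo".
if [ "${1:-}" = demo ]; then demo; fi
```

In real use the pinned fingerprint comes from a channel you trust independently of the download, not from the same place as the file and its signature.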

Tips


References