DevOps Blog

A Beginner's Guide to GnuPG: Encrypting and Signing Your Files and Emails

What is GnuPG?

GnuPG is a free and open-source implementation of the OpenPGP standard, which allows you to encrypt and sign data securely. It works on Windows, macOS, and Linux, making it a versatile tool for protecting your communications.

Installation

Before we begin, make sure you have GnuPG installed:

  • Linux (Debian/Ubuntu):
    sudo apt install gnupg
  • macOS (via Homebrew):
    brew install gnupg
  • Windows:
    Download from Gpg4win.

Once installed, verify it’s working:

gpg --version

1. Generating Your Key Pair

GnuPG uses public-key cryptography, meaning you have a private key (kept secret) and a public key (shared with others).

To generate a new key pair:

gpg --full-generate-key

Follow the prompts:

  1. Choose RSA and RSA (default).
  2. Set a key size (2048 or 4096 bits for stronger security).
  3. Set an expiration date (or leave it blank for no expiration).
  4. Enter your name and email.
  5. Set a passphrase (this protects your private key).

Once done, list your keys:

gpg --list-keys

2. Exporting and Sharing Your Public Key

To let others send you encrypted messages, they’ll need your public key. Export it with:

gpg --export --armor your-email@example.com > public_key.asc

The --armor flag writes the key as ASCII-armored text rather than raw binary, so it can be pasted into an email, a web page, or a chat message.

You can share public_key.asc or upload it to a keyserver:

gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID

3. Encrypting and Decrypting Files

Encrypt a File for a Recipient

To encrypt a file (secret.txt) for someone else (using their public key):

gpg --encrypt --recipient their-email@example.com secret.txt

This creates secret.txt.gpg.

Decrypt a File Sent to You

To decrypt a file:

gpg --decrypt secret.txt.gpg > decrypted.txt

You’ll be prompted for your passphrase.


4. Signing and Verifying Files

Sign a File (Prove Authenticity)

gpg --detach-sign --armor --output signature.asc document.txt

This creates a detached signature (signature.asc) next to the unchanged document.txt; anyone holding your public key can verify it. (A plain --sign would instead bundle the document and signature together into one output file, which is not what the two-argument --verify below expects.)

Verify a Signed File

gpg --verify signature.asc document.txt

If the signature is valid, you’ll see a confirmation.


5. Encrypting & Signing Emails

Many email clients (Thunderbird, Outlook with plugins) support GnuPG. For CLI users:

  • Encrypt + Sign an Email:
    gpg --encrypt --sign --armor --recipient friend@example.com email.txt
  • Decrypt an Email:
    gpg --decrypt encrypted_email.asc

Conclusion

GnuPG is an essential tool for securing your digital communications. With just a few commands, you can:

  • Generate and manage encryption keys
  • Encrypt and decrypt files
  • Sign and verify documents

For more advanced usage (key revocation, subkeys), check the official GnuPG docs.

Have questions? Drop them in the comments below!