GPG: A Complete Guide to Key Generation, Encryption, and Signing


Tutorial | Security · 609 words · 4 minutes

GPG (GNU Privacy Guard) is a powerful tool for creating cryptographic keys, encrypting and decrypting data, and digitally signing content. This tutorial will guide you through generating GPG keys, exporting and managing them, and using GPG to encrypt, decrypt, and sign messages.

📦 Prerequisites

  • Linux (Debian/Ubuntu)

    sudo apt update
    sudo apt install gnupg
  • MacOS

    brew install gnupg
  • Windows

    Download and install:

🔑 Generating a GPG Key

To generate a GPG key, run the following command in your terminal:

gpg --full-generate-key

You’ll be prompted to answer a few questions:

  • Key type: Choose 1 for RSA and RSA (a signing primary key plus an encryption subkey). On GnuPG 2.3 and later the menu defaults to ECC (Curve25519), which is smaller, faster and equally acceptable; pick RSA only if something you must interoperate with still requires it.
  • Key size: Type 4096. Do not create RSA keys shorter than 2048 bits.
  • Key expiration: 0 means it never expires. Prefer a finite lifetime such as 1y or 2y; you can extend it later with gpg --quick-set-expire without creating a new key, whereas a key that never expires keeps working for anyone who steals it until you manage to publish a revocation.
  • Name and email: Provide your name and email. This user ID is what correspondents search for and what keys.openpgp.org verifies, so use an address you control.
    • Can use your Git identity (git config user.name, git config user.email).
  • Passphrase: Set a strong passphrase. It encrypts the private key at rest; anyone who copies ~/.gnupg can brute-force it offline, so it must be long.

🔑 Listing your GPG Keys

To list your private keys (those you own):

gpg --list-secret-keys

To list the public keys in your keyring (your own and any you have imported):

gpg --list-keys

Show your key fingerprint (the 40-hex-digit value you read out to a correspondent over a second channel so they can confirm they have the right key):

gpg --fingerprint <your_email_address or key_id>

🔑 Exporting your GPG Key

You can export your public key to share it with others or upload it to a key server.

gpg --armor --export <your_email_address or key_id> > public.key

⚠️ Export and Backup Your Private Key (Careful!)

Only do this if you absolutely need to (e.g., for transferring to another device). The file is still protected by your passphrase, but it can be attacked offline, so treat it like a master password: store it encrypted or on offline media, and never in a repository, chat or cloud drive.

gpg --armor --export-secret-keys <your_email_address or key_id> > private-key.asc

To re-import it later:

gpg --import private-key.asc

Ownertrust is not part of the export, so on the new device mark the key as your own: run gpg --edit-key <key_id>, type trust, choose 5 (ultimate), confirm and quit. Otherwise gpg warns that the key is not certified every time you use it.

💥 Creating a Revocation Certificate (If Compromised or Lost)

Generate a revocation certificate right after creating the key, while you still have the private key and the passphrase; gpg will ask for a reason (e.g., key compromised) and an optional comment:

gpg --output revoke-cert.asc --gen-revoke <your_email_address or key_id>

GnuPG 2.1 and later also write one automatically to ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev. That file has a leading colon in front of the -----BEGIN PGP PUBLIC KEY BLOCK----- line so it cannot be imported by accident; remove the colon before using it. Keep whichever certificate you use offline and separate from the key: anyone who holds it can revoke your key.

If you lose control of your key or forget the passphrase, this file lets you revoke the key even though you can no longer use the key itself.

To apply the revocation, import the certificate into your keyring, then publish the now-revoked key to every keyserver you uploaded it to, using the same --send-keys command as in the keyserver section below; a revocation nobody else can see does nothing.

gpg --import revoke-cert.asc

Then, delete the secret key (gpg asks for confirmation):

gpg --delete-secret-key <your_email_address or key_id>

(Optional) Delete the public key as well. If you keep it, its revoked state makes gpg refuse to encrypt to it, which is usually what you want:

gpg --delete-key <your_email_address or key_id>

🔐 Encrypt and Decrypt Messages

Encrypt a file to a recipient's public key (you must have imported it first). Add --sign as well if the recipient should be able to tell the message came from you: encryption alone proves nothing about the sender.

gpg --output message.txt.asc --encrypt --armor --recipient <recipient_email_address> message.txt

Decrypt a message (gpg selects the matching private key and prompts for its passphrase):

gpg --output message.txt --decrypt message.txt.asc

✍️ Signing and Verifying Messages

Sign a File (creates an ASCII-armored file that contains both the data and the signature)

gpg --output message.txt.asc --sign --armor message.txt

Detached Signature (the signature goes to a separate file and the original is left untouched; this is the form to use for release artifacts)

gpg --output message.txt.sig --detach-sign --armor message.txt

Verify a Signed File (to also extract the original content, use gpg --output message.txt --decrypt message.txt.asc)

gpg --verify message.txt.asc

Verify a Detached Signature (signature file first, then the data it covers)

gpg --verify message.txt.sig message.txt

Clearsign a Message (the text stays readable inline, followed by the signature; clearsign output is always armored)

gpg --output message.txt.asc --clearsign message.txt

In every case, "Good signature" only means the signature matches some key in your keyring. Check that the fingerprint gpg prints is the one you expect; a signature made by an unknown or unverified key is still reported as "good".
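The key generation, encrypt/decrypt, sign/verify and revocation steps above, tied together as an added example that is not part of the original tutorial: a POSIX shell script that generates a throwaway RSA key pair unattended (the --batch equivalent of the --full-generate-key answers), encrypts and decrypts a file with it, makes and verifies a detached signature, confirms that verification fails once the signed file is edited, and finally revokes the key using the certificate GnuPG 2.1+ writes at generation time. The identity "Alice Example <alice@example.org>", the file contents and the `run` argument are constructed for the demo; it works inside a temporary GNUPGHOME so your own keyring is never touched, and it uses %no-protection only because a demo key has no reason to carry a passphrase.

```shell
#!/bin/sh
# Added example, not the tutorial's own code. Everything runs inside a temporary
# GNUPGHOME; the identity "Alice Example <alice@example.org>" is made up.
set -eu

setup_keyring() {
    # Fresh keyring so the demo never touches ~/.gnupg. gpg insists on mode 0700.
    GNUPGHOME="$(mktemp -d)"
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
}

teardown_keyring() {
    # Stop the agent gpg started for this keyring, then drop the directory.
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Unattended equivalent of the interactive answers: RSA and RSA, $3 bits
# (default 4096), one-year expiry. Prints the new primary key's fingerprint.
# %no-protection skips the passphrase; for a real key delete that line and let
# pinentry ask for one.
generate_key() {
    name="$1"; email="$2"; bits="${3:-4096}"
    gpg --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: $bits
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: $bits
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: 1y
%no-protection
%commit
EOF
    # Machine-readable listing: the first "fpr" record belongs to the primary key.
    gpg --with-colons --list-keys "$email" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a constructed message to the recipient's public key, decrypt it with
# the matching private key and print the recovered plaintext.
roundtrip_encrypt() {
    email="$1"; plaintext="$2"
    printf '%s\n' "$plaintext" > "$GNUPGHOME/message.txt"
    gpg --batch --quiet --yes --armor --recipient "$email" \
        --output "$GNUPGHOME/message.txt.asc" --encrypt "$GNUPGHOME/message.txt"
    gpg --batch --quiet --yes --output "$GNUPGHOME/decrypted.txt" \
        --decrypt "$GNUPGHOME/message.txt.asc"
    cat "$GNUPGHOME/decrypted.txt"
}

# Detached signature: the data file stays untouched, the signature goes to $1.sig.
sign_detached() {
    gpg --batch --quiet --yes --armor --local-user "$2" \
        --output "$1.sig" --detach-sign "$1"
}

# gpg --verify takes the signature first, then the data it covers. The exit
# status is the contract: 0 only for a good signature over unchanged data.
verify_detached() {
    gpg --batch --quiet --verify "$1.sig" "$1" 2>/dev/null
}

# Sign an artifact, verify it, then edit it and confirm verification now fails.
# Returns 0 only if both outcomes are as expected.
tamper_check() {
    artifact="$GNUPGHOME/artifact.txt"
    printf 'release 1.0\n' > "$artifact"
    sign_detached "$artifact" "$1"
    verify_detached "$artifact" || return 1            # untouched: must verify
    printf 'release 1.0 (modified)\n' > "$artifact"
    if verify_detached "$artifact"; then return 1; fi  # edited: must be rejected
    return 0
}

# GnuPG 2.1+ stores a revocation certificate at generation time under
# openpgp-revocs.d/<FINGERPRINT>.rev with a ':' before the BEGIN line as an
# anti-accident guard. Strip the guard, import it, and print the key's validity
# field from the colon listing: "r" means revoked.
revoke_key() {
    fpr="$1"
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" \
        > "$GNUPGHOME/revoke-cert.asc"
    gpg --batch --quiet --import "$GNUPGHOME/revoke-cert.asc"
    gpg --with-colons --list-keys "$fpr" | awk -F: '$1 == "pub" { print $2; exit }'
}

main() {
    setup_keyring
    fpr="$(generate_key 'Alice Example' 'alice@example.org')"
    echo "fingerprint:             $fpr"
    echo "decrypted:               $(roundtrip_encrypt alice@example.org 'hello, world')"
    tamper_check alice@example.org        # set -e aborts the demo if this fails
    echo "detached signature:      good before edit, rejected after"
    echo "validity after revoking: $(revoke_key "$fpr")"
    teardown_keyring
}

# Usage: sh gpg-demo.sh run
case "${1:-}" in run) main ;; esac
```

The demo key is generated locally, so gpg marks it ultimately trusted and --batch encryption just works. For a correspondent's imported key the same --encrypt call fails in batch mode with "unusable public key" until you have verified the fingerprint and certified or trusted the key (or, in an automated job where trust is established elsewhere, passed --trust-model always).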

☁️ Uploading Your Public Key to a Keyserver

Uploading your public key allows others to find it and send you encrypted messages or verify your signatures. Two things to know before you do: keys.openpgp.org only publishes your name and email after you confirm the verification mail it sends to that address (until then the key is findable by fingerprint only), and servers such as keyserver.ubuntu.com never delete anything, so the only way to "remove" a key you uploaded is to publish its revocation.

# Using keys.openpgp.org
gpg --send-keys --keyserver hkps://keys.openpgp.org <your_email_address or key_id>
# Or Ubuntu’s keyserver
gpg --send-keys --keyserver keyserver.ubuntu.com <your_email_address or key_id>

💡 Tips

  • Always back up your GPG keys securely.
  • Use a password manager to store your passphrase.
  • Upload your public key to a keyserver if you want others to find and use it:
    # Upload your key to a public keyserver
    gpg --keyserver hkps://keys.openpgp.org --send-keys <your_key_id>

📘 Resources