October 8, 2019
What is GPG
GPG (GNU Privacy Guard) is an open source implementation of the OpenPGP standard (RFC 4880), used for signing and encrypting data. OpenPGP combines public-key and symmetric cryptography: data is encrypted with a random session key, which is in turn encrypted to each recipient's public key, and signatures provide integrity and authentication of the data. The standard also covers key management and discovery.
The full documentation can be found in the GNU Privacy Handbook, which is by now some 20 years old. This page is a quick summary of the most commonly used commands.
Key management functions
Creating a keypair
An OpenPGP private/public key pair is created using the command:
$ gpg --gen-key
During the process you will need to provide:
Real name (full name),
Email address,
(optionally) a Comment, and
a Passphrase that protects your Private Key (Secret Key) on disk; it is asked for whenever the private key is used.
The public key will be stored in your OpenPGP keychain, most likely in
The private key is used to
decrypt data sent to you and to sign data, and must NOT be disclosed, while the public key can be freely distributed and is used by others to
verify the data signed by you and to
encrypt the data which needs to be securely transferred to you.
The GPG keys that are stored in the GPG keychain are listed using command:
$ gpg --list-keys
Exporting a public key
To export the public key from the keychain to an ASCII-armored file, use command:
$ gpg --armor --output <FILENAME>.asc --export <User ID>
$ gpg -a -o <FILENAME>.asc --export <User ID> as a shorthand (note that --export has no single-letter form: -e means --encrypt, not --export).
The User ID can be the email address, the name, the key ID or the fingerprint. gpg exports every key matching it, so use the fingerprint when more than one key could match.
.asc extension is used for ASCII-armored GPG data. Binary GPG data is usually stored in .gpg files.
Uploading a public key to a OpenPGP key server
The public key can be uploaded to an OpenPGP keyserver for easier discovery and sharing:
$ gpg --keyserver <KEYSERVER> --send-keys <KEY HEX FINGERPRINT>
$ gpg --keyserver keyserver.ubuntu.com --send-keys 0x01CECB1C27D919EEC25DDAA56948635145E59E24
Keyservers do not check who uploads a key, so anyone can publish a key carrying your name and email address. A key found on a keyserver must therefore be checked against a fingerprint obtained from its owner over another channel before it is used.
Retrieving and importing a public key
To import the public key from the file to the keychain use command:
$ gpg --import <FILENAME>.asc
To find and import a public key from a keyserver interactively, use command:
$ gpg --keyserver <KEYSERVER> --search-keys <KEY FINGERPRINT or USER ID>
$ gpg --keyserver keyserver.ubuntu.com --search-keys 0x01CECB1C27D919EEC25DDAA56948635145E59E24 or
$ gpg --keyserver keyserver.ubuntu.com --search-keys firstname.lastname@example.org
When you already know the fingerprint, fetch the key directly without the interactive search:
$ gpg --keyserver <KEYSERVER> --recv-keys <KEY FINGERPRINT>
Backing-up the private key
The list of private keys can be retrieved by the command:
$ gpg --list-secret-keys
The sec line shows the algorithm and key size, the creation and expiration dates, and the key ID; the fpr line below it shows the full fingerprint.
The following command exports the ASCII-armored private key (secret key) with the id
<KEY ID> to the file
$ gpg --armor --output <FILENAME>.asc --export-secret-keys <KEY ID>
$ gpg -ao <FILENAME>.asc --export-secret-keys <KEY ID> as a shorthand.
The exported key is still protected by its passphrase, but the file should nevertheless be kept on encrypted, offline storage. It can then be imported on another machine via the aforementioned key import command:
$ gpg --import <FILENAME>.asc
Data encryption and decryption
To encrypt the file, use the following command:
$ gpg --encrypt --recipient <RECIPIENT USER ID> <FILENAME>
gpg -e -r <RECIPIENT USER ID> <FILENAME> as a shorthand.
This will encrypt the
<FILENAME> file using the key of a user with a
<RECIPIENT USER ID>. The recipient's public key needs to be imported to the keychain beforehand. The USER ID is usually the user's email. If the recipient's key is not signed (trusted) in your keychain, gpg asks whether you really want to use it; this is where the fingerprint check mentioned above pays off.
<FILENAME>.gpg will be created with the encrypted data. The
--output <FILENAME> option can be used to override the file name. The
--armor option can be used to create the ASCII-armored version of the file. In such case the default file extension will be .asc. Adding --sign encrypts and signs in one step, so the recipient can also check who sent the data.
The encrypted file is decrypted by the owner of the private key using the following command:
$ gpg --output <DECRYPTED OUTPUT FILE NAME> --decrypt <ENCRYPTED FILE NAME>
$ gpg -o <DECRYPTED OUTPUT FILE NAME> -d <ENCRYPTED FILE NAME> as a shorthand.
You will be asked to provide the Passphrase of your private key to decrypt the file. If the data was signed, gpg also verifies the signature during decryption.
Signing and verifying data
An ASCII-armored signed copy of the file
<FILENAME> is generated using a command:
$ gpg --sign --armor <FILENAME>
$ gpg -sa <FILENAME> as a shorthand.
This will generate a file <FILENAME>.asc that contains both the (compressed) data and the signature, not a separate signature. To produce a separate signature file next to the original, use --detach-sign instead (the output is <FILENAME>.sig, or <FILENAME>.asc with --armor); for a text file that should stay readable, --clearsign wraps the text in a signature block.
A signed file is verified using a command:
$ gpg --verify <SIGNED FILE>
A detached signature needs both the signature and the file it covers:
$ gpg --verify <SIGNATURE FILE> <FILENAME>
Verification requires the signer's public key in your keychain. A "Good signature" from a key you have not verified is still printed with a warning, so check the fingerprint of the signing key, not just the verdict.
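The following script walks through the whole page in one run: key generation, public key export and import with a fingerprint check, secret key backup and restore, sign-and-encrypt followed by decryption, and a detached signature that is verified against both the original and a tampered file. It is an example added here, not code from the original post. It assumes gpg 2.1 or later on PATH; the two keyrings live in temporary GNUPGHOME directories, and the names, addresses and file names are made up for the demo.

```shell
#!/bin/sh
# Added example: end-to-end walk-through of the commands on this page with two
# throw-away keyrings (Alice and Bob) in temporary GNUPGHOME directories.
# Assumes gpg 2.1 or later; names, addresses and file names are made up.
set -eu

new_home() {                  # fresh keyring directory with owner-only permissions
  d=$(mktemp -d /tmp/gpgdemo.XXXXXX)
  chmod 700 "$d"
  printf '%s\n' "$d"
}

gen_key() {                   # $1 = GNUPGHOME, $2 = real name, $3 = e-mail
  # Unattended equivalent of `gpg --gen-key`. %no-protection skips the
  # passphrase: fine for a throw-away key, never for one you intend to keep.
  GNUPGHOME="$1" gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

fingerprint() {               # $1 = GNUPGHOME, $2 = user ID; prints the primary key fingerprint
  GNUPGHOME="$1" gpg --batch --with-colons --fingerprint "$2" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

cleanup() {                   # stop each home's gpg-agent, then delete the directory
  for h in "$@"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
}

steps() {                     # uses $alice, $bob, $restore, $work set by demo()
  gen_key "$alice" Alice alice@example.org || return 1
  gen_key "$bob" Bob bob@example.org || return 1

  # Exchange public keys: --export to an ASCII-armored file, --import on the other side.
  GNUPGHOME="$alice" gpg --batch --yes --armor --output "$work/alice.asc" --export alice@example.org || return 1
  GNUPGHOME="$bob" gpg --batch --yes --armor --output "$work/bob.asc" --export bob@example.org || return 1
  GNUPGHOME="$alice" gpg --batch --quiet --import "$work/bob.asc" || return 1
  GNUPGHOME="$bob" gpg --batch --quiet --import "$work/alice.asc" || return 1

  # A key received over any channel is only as good as its fingerprint check:
  # compare what Alice imported with what Bob reads from his own keyring.
  [ "$(fingerprint "$alice" bob@example.org)" = "$(fingerprint "$bob" bob@example.org)" ] || return 1

  # Sign-and-encrypt to Bob. --trust-model always stands in for the local key
  # signing (gpg --lsign-key) you would do after the fingerprint check.
  printf 'meet at noon\n' > "$work/msg.txt"
  GNUPGHOME="$alice" gpg --batch --yes --quiet --trust-model always --armor \
    --sign --encrypt --recipient bob@example.org --output "$work/msg.asc" "$work/msg.txt" || return 1
  GNUPGHOME="$bob" gpg --batch --yes --quiet --output "$work/msg.dec" --decrypt "$work/msg.asc" || return 1
  cmp -s "$work/msg.txt" "$work/msg.dec" || return 1

  # Detached signature: verification needs the signature and the file it covers,
  # and must fail once the file is altered.
  GNUPGHOME="$alice" gpg --batch --yes --quiet --armor --detach-sign --output "$work/msg.sig" "$work/msg.txt" || return 1
  GNUPGHOME="$bob" gpg --batch --quiet --verify "$work/msg.sig" "$work/msg.txt" || return 1
  printf 'meet at one\n' > "$work/tampered.txt"
  if GNUPGHOME="$bob" gpg --batch --quiet --verify "$work/msg.sig" "$work/tampered.txt" 2>/dev/null; then
    return 1
  fi

  # Back up Alice's secret key and restore it into a fresh keyring.
  GNUPGHOME="$alice" gpg --batch --yes --armor --output "$work/alice-secret.asc" --export-secret-keys alice@example.org || return 1
  GNUPGHOME="$restore" gpg --batch --quiet --import "$work/alice-secret.asc" || return 1
  [ "$(fingerprint "$restore" alice@example.org)" = "$(fingerprint "$alice" alice@example.org)" ] || return 1
}

demo() {                      # returns 0 only when every check in steps() passed
  alice=$(new_home) bob=$(new_home) restore=$(new_home) work=$(new_home)
  ok=0
  steps && ok=1
  cleanup "$alice" "$bob" "$restore" "$work"
  [ "$ok" -eq 1 ]
}

if command -v gpg >/dev/null 2>&1; then
  demo && echo "all checks passed"
else
  echo "gpg not found on PATH" >&2
fi
```

Every gpg call runs with --batch so nothing prompts; in real use you would drop %no-protection, enter the passphrase when asked, and replace --trust-model always with a local signature on the recipient's key once its fingerprint has been confirmed out of band.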