GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.
Private keys are the first half of a GPG key which is used to decrypt messages that are encrypted using the public key, as well as signing messages - a technique used to prove that you own the key. As the name implies, this part of the key should never be shared.
Public keys are the second half of a key which is used to encrypt messages for the owner of the private key. As the name implies, this part of the key is safe to give out to the public, as it can only be used to encrypt messages or data for the private key owner.
You can download GnuPG (including graphical versions for those uncomfortable with command line) for various platforms, including Windows and macOS / OSX from the GnuPG Website.
On most Linux distributions, GnuPG is included by default as the command line utility
gpg, or is available in your package manager.
For our usage examples, we only cover the command line version of GPG. If you're using a GUI version, you should be able to find guides online on how to use them.
To use GPG to send and receive messages securely, first you must generate a key pair.
After creating a key pair, you'll want to export the public key to share with others.
# List the keys you own (have the private key for) $ gpg -K --fingerprint sec rsa4096 2019-03-02 [SC] [expires: 2021-03-01] 9ECF 1199 8AD7 A743 7353 BC57 0E66 E4DE A98A 4921 uid [ultimate] John Doe <email@example.com> ssb rsa4096 2019-03-02 [E] [expires: 2021-03-01] # Take the last 8 characters of that string of random letters and numbers and remove the space $ gpg -a --export A98A4921 > john_doe.asc
In the above example, the public key was exported to
john_doe.asc, you should open the file in a text editor such as Notepad, and make sure the first line shows:
-----BEGIN PGP PUBLIC KEY BLOCK-----
This is to make sure you haven't accidentally exported your private key.
Next, you'll want to import the public key of the person/organization you want to send and encrypted message to.
The below example imports the Privex Support key (key ID 2E83 3D27 B0E0 1433) from a key server.
gpg --recv-keys 2E833D27B0E01433
DISCLAIMER: The Privex Support key is occasionally rotated. For the latest key fingerprint, you should check the Contact Us page
Now, write your message in a plain text editor such as Notepad (Windows) or Textedit (Mac). You may want to put your public key at the end of the message if you want it to be sent encrypted, otherwise you'll have to send your public key as an attachment or unencrypted text in the message.
Let's assume you saved your message as
message.txt. Now let's encrypt it for Privex Support.
gpg -a -r 2E833D27B0E01433 -e message.txt
The above command should've encrypted the file
message.txt for the public key with the ID 2E833D27B0E01433 (Privex Support), and outputted the encrypted version as
Now just open up the .asc file, you should see it starts with
-----BEGIN PGP MESSAGE-----
Simply copy and paste the contents of this file (including the BEGIN and END lines) into an email or other form of message, and make sure you've included your public key in some form - either in the encrypted message, or sent in plain text with the message (e.g. pasted at the end, or attached to an email). Finally, send the message.
To decrypt a message sent to you, assuming it's saved as
reply.txt.asc, simply run the following command, gpg will automatically select the correct private key to decrypt the message and output it to the terminal.
$ gpg -d reply.txt.asc gpg: encrypted with 4096-bit RSA key, ID 0E66E4DEA98A4921, created 2019-03-02 "John Doe <firstname.lastname@example.org>" hello world
If you want to save the message / data instead of outputting it to the terminal, use shell redirection. The below example outputs the message to
$ gpg -d reply.txt.asc > reply.txt gpg: encrypted with 4096-bit RSA key, ID 0E66E4DEA98A4921, created 2019-03-02 "John Doe <email@example.com>" $ cat reply.txt hello world