What is GPG / PGP and how do I use it?

What is GPG / PGP

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.

Understanding public vs. private keys

The private key is the first half of a GPG key pair. It is used to decrypt messages that were encrypted with the matching public key, and to sign messages, which proves that the signer holds that key. As the name implies, this half of the key should never be shared.

The public key is the second half of the pair and is used to encrypt messages for the owner of the private key. As the name implies, this half of the key is safe to give out to the public, as it can only be used to encrypt messages or data for the private key owner.

You can download GnuPG (including graphical versions for those uncomfortable with the command line) for various platforms, including Windows and macOS / OS X, from the GnuPG website.

On most Linux distributions, GnuPG is included by default as the command line utility gpg, or is available in your package manager.

For our usage examples, we only cover the command line version of GPG. If you're using a GUI version, you should be able to find guides online on how to use them.

Generating a key pair and exporting the public key

To use GPG to send and receive messages securely, first you must generate a key pair.

gpg --generate-key

After creating a key pair, you'll want to export the public key to share with others.

# List the keys you own (have the private key for)
$ gpg -K --fingerprint
sec   rsa4096 2019-03-02 [SC] [expires: 2021-03-01]
    9ECF 1199 8AD7 A743 7353  BC57 0E66 E4DE A98A 4921
uid           [ultimate] John Doe <johnd@example.com>
ssb   rsa4096 2019-03-02 [E] [expires: 2021-03-01]

# Take the last 8 characters of the fingerprint shown above (the short key ID) and remove the space
$ gpg -a --export A98A4921 > john_doe.asc

In the above example, the public key was exported to john_doe.asc. You should open the file in a text editor such as Notepad and make sure the first line shows:

-----BEGIN PGP PUBLIC KEY BLOCK-----

This is to make sure you haven't accidentally exported your private key.
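The two steps above can be checked by a script rather than by eye. The following is an added example, not part of the original page: it pulls the fingerprint out of a 'gpg -K --fingerprint' listing (the constructed sample is the John Doe listing shown above), derives the long (16-digit) and short (8-digit) key IDs from it, and confirms that an exported .asc file starts with a PUBLIC key block and contains no PRIVATE key block. The sample export files it writes are constructed placeholders with headers only, not real key material.

```sh
#!/bin/sh
# Added example (not from the original page): checks around the export step.
#  1. Extract the fingerprint from a 'gpg -K --fingerprint' listing and derive
#     the key IDs gpg accepts (long = last 16 hex digits, short = last 8).
#  2. Confirm an exported .asc file really is a PUBLIC key block and not the
#     private key, which is the mistake the page tells you to check for.

# Constructed sample: the listing shown on the page.
SAMPLE_LISTING='sec   rsa4096 2019-03-02 [SC] [expires: 2021-03-01]
      9ECF 1199 8AD7 A743 7353  BC57 0E66 E4DE A98A 4921
uid           [ultimate] John Doe <johnd@example.com>
ssb   rsa4096 2019-03-02 [E] [expires: 2021-03-01]'

# Print each 40-hex-digit fingerprint in a listing, spaces removed.
fingerprints_from_listing() {
  printf '%s\n' "$1" \
    | grep -E '^[[:space:]]*([0-9A-F]{4}[[:space:]]*){10}$' \
    | tr -d ' \t'
}

# Long key ID: the last 16 hex digits (what 'gpg -d' reports as "ID ...").
long_key_id() {
  printf '%s\n' "$1" | tr -d ' \t' | sed -E 's/^.*(.{16})$/\1/'
}

# Short key ID: the last 8 hex digits (what the page passes to --export).
short_key_id() {
  printf '%s\n' "$1" | tr -d ' \t' | sed -E 's/^.*(.{8})$/\1/'
}

# Classify an exported armor file.
# Exit 0: public key block. 1: a private key block is present. 2: neither.
check_public_key_export() {
  if grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then
    return 1
  fi
  case "$(head -n 1 "$1")" in
    '-----BEGIN PGP PUBLIC KEY BLOCK-----') return 0 ;;
    *) return 2 ;;
  esac
}

# Demo on constructed files (headers only, no real key material).
demo() {
  tmp=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '(placeholder)' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$tmp/pub.asc"
  printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '(placeholder)' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$tmp/priv.asc"
  fpr=$(fingerprints_from_listing "$SAMPLE_LISTING")
  echo "fingerprint: $fpr"
  echo "long ID:     $(long_key_id "$fpr")"
  echo "short ID:    $(short_key_id "$fpr")"
  for f in pub.asc priv.asc; do
    check_public_key_export "$tmp/$f" && status=0 || status=$?
    case $status in
      0) echo "$f: OK, public key block" ;;
      1) echo "$f: contains a PRIVATE key block, do not send this" ;;
      *) echo "$f: not a PGP public key block" ;;
    esac
  done
  rm -rf "$tmp"
}
demo
```

Short 8-digit key IDs are convenient to type but easy to collide; when you name a key on the command line, prefer the full fingerprint or at least the 16-digit long ID, and compare it against a fingerprint you obtained from the key's owner through another channel.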

Importing a public key from a key server

Next, you'll want to import the public key of the person or organization you want to send an encrypted message to.

The below example imports the Privex Support key (key ID 2E83 3D27 B0E0 1433) from a key server.

gpg --recv-keys 2E833D27B0E01433

DISCLAIMER: The Privex Support key is occasionally rotated. For the latest key fingerprint, you should check the Contact Us page.

Encrypting and sending your message

Now, write your message in a plain text editor such as Notepad (Windows) or TextEdit (Mac). You may want to put your public key at the end of the message if you want it to be sent encrypted; otherwise you'll have to send your public key as an attachment or as unencrypted text in the message.

Let's assume you saved your message as message.txt. Now let's encrypt it for Privex Support.

gpg -a -r 2E833D27B0E01433 -e message.txt

The above command encrypts the file message.txt for the public key with the ID 2E833D27B0E01433 (Privex Support) and writes the encrypted version to message.txt.asc.

Now open the .asc file; it should start with:

-----BEGIN PGP MESSAGE-----

Simply copy and paste the contents of this file (including the BEGIN and END lines) into an email or other form of message, and make sure you've included your public key in some form - either in the encrypted message, or sent in plain text with the message (e.g. pasted at the end, or attached to an email). Finally, send the message.

Decrypting an encrypted message sent to you

To decrypt a message sent to you, assuming it's saved as reply.txt.asc, run the following command. gpg automatically selects the correct private key, decrypts the message and prints it to the terminal.

$ gpg -d reply.txt.asc

gpg: encrypted with 4096-bit RSA key, ID 0E66E4DEA98A4921, created 2019-03-02
      "John Doe <johnd@example.com>"
hello world

If you want to save the message / data instead of outputting it to the terminal, use shell redirection. The below example outputs the message to reply.txt:

$ gpg -d reply.txt.asc > reply.txt

gpg: encrypted with 4096-bit RSA key, ID 0E66E4DEA98A4921, created 2019-03-02
      "John Doe <johnd@example.com>"

$ cat reply.txt

hello world