GnuPG (GNU Privacy Guard) is a tool for encrypting and signing data. It is a completely free implementation of the OpenPGP standard (defined by RFC4880), which is also known as GPG. I myself prefer the command line over any GUI for GnuPG, because it is typically faster to execute stuff without having to move the mouse. This post contains a brief overview of the most important commands you probably have to use when working with GnuPG.

Generating GPG Keys

$ gpg --gen-key

You will be asked what kind of key you want, simply proceed with the instructions that are given to you.


Listing GPG Keys

Listing public keys:

$ gpg --list-keys

Listing private keys:

$ gpg --list-secret-keys

Exporting GPG Keys

To export a public key into a file called public.asc:

$ gpg --export -a "User Name" > public.asc

To export a private key into a file called private.asc:

$ gpg --export-secret-key -a "User Name" > private.asc

Back ’em up!

Importing GPG Keys

To import a public key from a file called public.asc:

$ gpg --import public.asc

To import a private key from a file called private.asc:

$ gpg --allow-secret-key-import --import private.asc

Trusting GPG Keys

Once you have imported the person’s public key, you must now set the trust level of the key. This also prevents GPG from warning you every time you encrypt something with the recently imported public key.

Respectively specify the other person’s name or email in the command and proceed with the instructions that are given to you:

$ gpg --edit-key joe

Deleting GPG Keys

To delete a public key:

$ gpg --delete-key "Real Name"

To delete private key:

$ gpg --delete-secret-key "Real Name"

Generating Fingerprint

$ gpg --fingerprint

Encrypting Data

To encrypt a file named file.txt for a single individual, specify that individual as a recipient.

$ gpg --encrypt --recipient joe file.txt

The encrypted file is going to have the .gpg extension. In this case file.txt.gpg will be created after executing the command, which you can send to the receiver.

To encrypt a file so that only you yourself can decrypt it, then specify yourself as the recipient.

$ gpg --encrypt --recipient 'My Name' file.txt

To encrypt a file so that both you and the other person can decrypt the file, specify both you and the other person as recipients.

$ gpg --encrypt --recipient joe --recipient 'My Name' file.txt

To encrypt a file for a group of individuals, define the group in your GPG configuration file (see below), and then specify the group as a recipient.

$ gpg --encrypt --recipient journalists filename.txt

There’s a shorter version to accomplish the things we have done above:

$ gpg -e -r journalists file.txt

Decrypting Data

$ gpg --decrypt file.txt.gpg

A new decrypted file without the .gpg extension will be created, in this case file.txt. Additionally omit --decrypt if you are working with a binary.

Groups for GPG

You can summarize individuals to single groups by editing your GPG configuration (e.g. in ~/.gnupg/gpg.conf). To get back to the example above, we create a group called journalists containing several individuals:

group journalists = joe tom donald

Add this line to your GPG configuration file.