Simple GPG Tutorial
A simple guide to using GPG for encryption
Create a new key pair
gpg --full-generate-key

It will ask you for:
- Key type → choose RSA and RSA (option 1)
- Size → 4096 bits (recommended)
- Expiration → 0 for no expiration, or 1y for 1 year
- Name, email and passphrase
Export your public key (to share)
# List your keys
gpg --list-keys
# Export in ASCII format (armored)
gpg --armor --export you@email.com > my_public_key.asc

Share the my_public_key.asc file with whoever you want.
Export your private key (to move to another PC)
# Export private key
gpg --armor --export-secret-keys you@email.com > my_private_key.asc
# On the other PC, import it:
gpg --import my_private_key.asc

Keep this file very safe. Never share it.
Encrypt a message with another user's public key
First import their public key:
gpg --import other_persons_public_key.asc

Then encrypt:
# Encrypt a file
gpg --armor --encrypt --recipient other@example.com file.txt
# Result: file.txt.asc (only they can read it)

To encrypt plain text directly:
echo "Secret message" | gpg --armor --encrypt --recipient other@example.com

Decrypt a message (encrypted with your public key)
# Decrypt a file
gpg --decrypt file.txt.asc
# Or save the result
gpg --decrypt file.txt.asc > decrypted_file.txt

It will ask for your passphrase. GPG will automatically use your private key.
Sign a file with your private key (digital signature)
There are three ways to sign, depending on your use case:
Method 1 — Clearsign (readable text + signature at the end)
gpg --clearsign document.txt
# Result: document.txt.asc

The content remains fully readable without GPG. The signature is appended at the bottom, like FreeBSD security advisories. Best for: announcements, documents, text files.
Method 2 — Detached signature (signature in a separate file)
gpg --detach-sign document.pdf
# Result: document.pdf + document.pdf.sig (two separate files)
# With --armor the signature is ASCII-armored and written to document.pdf.asc instead.

The original file is untouched. Best for: binaries, PDFs, ISOs, or any file where you can't modify the content.
Method 3 — Binary sign (signature embedded, not human-readable)
gpg --sign document.txt
# Result: document.txt.gpg (single blob, not readable directly)

Everything is packed into one file. Best for: when readability doesn't matter and you want a single output file.
Encrypt AND sign at the same time
gpg --armor --encrypt --sign \
--recipient other@example.com \
--local-user you@email.com \
file.txt

Verify any signature
# Verify a clearsign file
gpg --verify document.txt.asc
# Verify a detached signature
gpg --verify document.pdf.sig document.pdf

Signing method comparison
| Method | Command | Output | Best for |
|---|---|---|---|
| Clearsign | gpg --clearsign file.txt | file.txt.asc | Text docs, announcements |
| Detached | gpg --detach-sign file.txt | file.txt + file.txt.sig | Binaries, PDFs, ISOs |
| Binary sign | gpg --sign file.txt | file.txt.gpg | Single blob, no readability needed |
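
The detached-signature flow from Method 2 and "Verify any signature", as an added example that is not part of the original tutorial: it signs a file in a throwaway keyring, then checks both the signature and the signer's fingerprint, and shows verification failing once the file changes. The user ID signer@example.test, the file release.bin and the demo_* function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): detached-signature round trip.
# signer@example.test and release.bin are constructed names for this demo.

demo_setup() {   # isolated keyring, so ~/.gnupg is never touched
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Throwaway key: no passphrase, default algorithm, expires in 1 day.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <signer@example.test>' default default 1d
}

demo_fingerprint() {   # print the primary key fingerprint for user ID $1
    gpg --batch --with-colons --fingerprint "$1" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

demo_sign() {   # write a binary detached signature to $1.sig
    gpg --batch --yes --quiet --local-user signer@example.test --detach-sign "$1"
}

# Succeed only if $1.sig is a good signature over $1 AND was made by the
# key whose primary fingerprint is $2 (checked on the VALIDSIG status line).
demo_verify() {
    out=$(gpg --batch --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q "^\[GNUPG:\] VALIDSIG .* $2\$"
}

demo_cleanup() {
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
}

demo_main() {   # returns 0 if the good file verifies and the tampered one does not
    demo_setup || return 1
    f="$GNUPGHOME/release.bin"
    printf 'constructed release payload\n' > "$f"
    fpr=$(demo_fingerprint signer@example.test)
    demo_sign "$f" && demo_verify "$f" "$fpr" || { demo_cleanup; return 1; }
    printf 'tampered\n' >> "$f"
    if demo_verify "$f" "$fpr"; then demo_cleanup; return 1; fi
    demo_cleanup
}
```

Run demo_main to execute the whole round trip. Checking the fingerprint matters because gpg --verify alone succeeds for a good signature from any key in the keyring, not only the key you expect.
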
Additional useful commands
| Command | Description |
|---|---|
| gpg --list-keys | List stored public keys |
| gpg --list-secret-keys | List private keys |
| gpg --delete-key EMAIL | Delete a public key |
| gpg --fingerprint EMAIL | Show a key's fingerprint |
| gpg --send-keys --keyserver keyserver.ubuntu.com KEYID | Publish key to a keyserver |
Typical flow summary
[You]                           [Other user]
│                                    │
├─── Export your public key ────────►│
│                                    ├─── Sends you their public key
│◄── Import their public key ────────┘
│
├─── gpg --encrypt (with their public key) ──► [encrypted message]
│◄── gpg --decrypt (with your private key) ─── [encrypted message]
│
├─── gpg --clearsign   → readable text + signature at the bottom
├─── gpg --detach-sign → original file untouched + separate .sig file
└─── gpg --sign        → single signed blob (not encrypted)
     └─► Receiver verifies with your public key