GnuPG (gpg) — Encrypt, Sign, and Manage Keys
Practical guide to GnuPG — generate and manage keys, encrypt and decrypt files, sign and verify data, and use the OpenPGP web of trust.
GnuPG (gpg for short) is the free OpenPGP implementation and the standard tool for encryption and digital signatures on Linux, macOS and Windows. With a single key pair you encrypt files and email for specific recipients, sign releases or Git commits, and verify the authenticity of other people's data through the web of trust. This guide takes you from key generation through export, import and keyservers all the way to everyday encryption and decryption. Always protect your private key with a strong passphrase — it is the master key to everything you encrypt.
Key Generation
gpg --full-generate-key — Generate a new key pair with full options; pick a modern algorithm such as ECC (Ed25519) or RSA with at least 3072 bits.
gpg --full-generate-key
gpg --generate-key — Generate a key pair with defaults (quick).
gpg --generate-key
gpg --quick-generate-key '<uid>' — Quick key generation with a User ID.
gpg --quick-generate-key 'John Doe <john@example.com>'
Key Management
gpg --list-keys — List all public keys in the keyring.
gpg --list-keys
gpg --list-secret-keys — List all private keys.
gpg --list-secret-keys --keyid-format long
gpg --fingerprint <key-id> — Show the fingerprint of a key.
gpg --fingerprint john@example.com
gpg --delete-key <key-id> — Delete a public key.
gpg --delete-key john@example.com
gpg --delete-secret-key <key-id> — Delete a private key — irreversible, so make a backup first.
gpg --delete-secret-key john@example.com
gpg --edit-key <key-id> — Edit key properties (trust, expire, etc.).
gpg --edit-key john@example.com
Export & Import
gpg --export -a <key-id> > <file> — Export a public key in ASCII armor format.
gpg --export -a john@example.com > john-public.asc
gpg --export-secret-keys -a <key-id> > <file> — Export a private key (for backup) — never share it and store it only in a safe, encrypted place.
gpg --export-secret-keys -a john@example.com > john-private.asc
gpg --import <file> — Import a key from a file.
gpg --import colleague-public.asc
gpg --keyserver <server> --send-keys <key-id> — Upload a public key to a keyserver.
gpg --keyserver keys.openpgp.org --send-keys ABCD1234
gpg --keyserver <server> --recv-keys <key-id> — Download a key from a keyserver.
gpg --keyserver keys.openpgp.org --recv-keys ABCD1234
gpg --search-keys '<query>' — Search for keys on a keyserver.
gpg --keyserver keys.openpgp.org --search-keys 'john@example.com'
Encrypt & Decrypt
gpg -e -r <recipient> <file> — Encrypt a file for a recipient.
gpg -e -r john@example.com secret.txt
gpg -e -r <recipient> -a <file> — Encrypt with ASCII armor output (text-safe).
gpg -e -r john@example.com -a secret.txt
gpg -e -r <r1> -r <r2> <file> — Encrypt for multiple recipients.
gpg -e -r john@example.com -r jane@example.com secret.txt
gpg -d <file> — Decrypt a file.
gpg -d secret.txt.gpg > secret.txt
gpg -c <file> — Symmetric encryption (password-based, no keys needed).
gpg -c backup.tar.gz
gpg -d <file>.gpg — Decrypt a symmetrically encrypted file.
gpg -d backup.tar.gz.gpg > backup.tar.gz
Sign & Verify
gpg -s <file> — Create a signed (binary) file.
gpg -s document.pdf
gpg --detach-sign <file> — Create a detached signature file.
gpg --detach-sign release.tar.gz
gpg --clearsign <file> — Create a clear-text signature (readable + signed).
gpg --clearsign message.txt
gpg -se -r <recipient> <file> — Sign and encrypt a file.
gpg -se -r john@example.com secret.txt
gpg --verify <signature> <file> — Verify a detached signature.
gpg --verify release.tar.gz.sig release.tar.gz
gpg --verify <file> — Verify a signed file.
gpg --verify message.txt.asc
Common Patterns
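Pinned-signer verification, as an added example that is not part of the original guide: gpg --verify succeeds for a good signature from any key in the keyring, so a release check should also compare the signer's fingerprint against the one you expect. The script parses GnuPG's machine-readable --status-fd output; the function names, the sample fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only from one pinned key.
# Function names and all sample values below are constructed.

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint (as signing key or as its primary key) and no
# status line reports a bad, expired or revoked signature or key.
status_matches_fpr() {
    # Normalise the spaced form printed by `gpg --fingerprint`.
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # $3 = fingerprint of the signing key, $12 = fingerprint of its primary key
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_pinned <fingerprint> <signature> <file>
verify_pinned() {
    # Status lines go to stdout (fd 1); the human-readable report is dropped.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_matches_fpr "$1"
}

# Constructed status output for a good signature by the sample key.
SAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 John Doe <john@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Usage: verify_pinned "$SAMPLE_FPR" release.tar.gz.sig release.tar.gz
```

Take the pinned fingerprint from a channel you trust independently of the download itself, and compare the full fingerprint rather than a short key ID.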
echo '<text>' | gpg -e -r <recipient> -a — Encrypt text from stdin.
echo 'secret password' | gpg -e -r john@example.com -a
gpg --list-keys --keyid-format long — List keys with long key IDs (for Git signing).
gpg --list-keys --keyid-format long
tar czf - <dir> | gpg -c -o <file> — Create an encrypted archive.
tar czf - secrets/ | gpg -c -o secrets.tar.gz.gpg
gpg -d <file>.gpg | tar xzf - — Decrypt and extract an encrypted archive.
gpg -d secrets.tar.gz.gpg | tar xzf -
Conclusion
GnuPG has been the backbone of OpenPGP for decades and is the default wherever confidentiality and provable authenticity matter — from signed software releases to encrypted backups. The command line feels rough at first, but the handful of core commands for generating, encrypting and signing become second nature quickly. Secure your private key with a backup and a revocation certificate, and the same key pair will serve you for years.
Further Reading
- GnuPG — official documentation — manuals and howtos
- GNU Privacy Guard – Wikipedia