Using GPG to Encrypt and Decrypt Files on Linux [Hands-on for Beginners]

GnuPG, popularly known as GPG, is an extremely versatile tool, being widely used as the industry standard for encryption of things like emails, messages, files, or just anything you need to send to someone securely.

It’s easy to get started with GPG, and you can be on your way with using it in a matter of minutes.

In this tutorial, I’ll show you how to encrypt and decrypt files with GPG. This is a simple tutorial and you may try all of it to practice on your Linux system as well. This will help you practice the GPG commands and understand it when you are absolutely new to it.

Read the entire tutorial first and then start doing it on your own.

How does GPG work for encryption?

gpg encryption explained
GPG encryption

To start using GPG, you’ll first need to have a GPG key.

A GPG key is what you’ll use to encrypt (or decrypt) files later in the tutorial. It’s also what is used to identity you, with things like your name and email being tied to the key as well.

GPG keys work by using two files, a private key and a public key. These two keys are tied to each other, and are both needed to use all of GPG’s functionality, notably encrypting and decrypting files.

When you encrypt a file with GPG, it uses the private key. The new, encrypted file can then only be decrypted with the paired public key.

The private key is meant to be stored in a fashion stated directly in its name – privately, and not given out to anyone.

The public key on the other hand is meant to be given to others, or anyone you want to be able to decrypt your files.

This is where GPG’s main approach for encryption comes into play. It allows you to encrypt files locally and then allow others to be ensured that the files they received were actually sent from you. As the only way they’ll be able to decrypt the file is with your public key, which would only work if the file was encrypted using your private key in the first place.

This also works in the opposite direction! Other people can encrypt files using your public key, and the only way it’ll be able to be decrypted is with your private key. Thus allowing others to publicly post files without worry of people besides you being able to read them.

In other words, if a file was encrypted with a private key, it can only be decrypted with the corresponding public key. And if a file was encrypted with a public key, it can only be decrypted with the corresponding private key.

You are already using GPG without realizing

One of the most common example of using GPG is in Linux package manager, specially the external repositories. You add the public key of the developer into your system’s trusted keys. The developer signs the packages (generates a signature) with his/her private key. Since your Linux system has the public file, it understands that the package is actually coming from the trusted developer.

A number of encrypted services use some sort of GPG implementation underneath without you realizing it. But it’s better to not go in to those details right now.

Now that you are a bit familiar with the concept, let’s see how you can use GPG for encrypting a file and then use it to decrypt.

Encrypting and decrypting files with GPG

gpg encryption basic

This is a very simplistic scenario. I presume that you have just one system and you want to see how GPG works. You are not sending the files to other system. You encrypt the file and then decrypt it on the same system.

Of course, this is not a practical use case but that’s also not the purpose of this tutorial. My aim is to get you acquainted with GPG commands and functioning. After that, you can use this knowledge in a real-world situation (if need be). And for that, I’ll show you how you can share your public key with others.

Step 1: Installing GPG

GPG can be found in most distribution’s repositories out of the box.

On Debian and Ubuntu-based systems, install the gpg package:

sudo apt install gpg

If you use Arch based distributions, install the gnupg package with the pacman command:

sudo pacman -S gnupg

Step 2: Generating a GPG key

Generating a GPG key on your system is a simple one-command procedure.

Just run the following command, and your key will be generated (you can use the defaults for most questions as shown in the underlined sections below):

gpg --full-generate-key
gpg key generation
Generating GPG keys

Checking the GPG Key

You can then see that the private key and public key are both tied to each other by that ID shown under pub by using the –list-secret-keys and –list-public-keys commands respectively:

gpg list keys 1
Listing GPG keys

Step 3: Encrypting a file with GPG

Now that you’ve set up our GPG keys, you can start encrypting our files!

Use the following command to encrypt files:

gpg --encrypt --output file.gpg --recipient [email protected] file

Let’s go over what that command does real quick:

First you specified the –encrypt option. This simply tells GPG that we’ll be encrypting a file.

Next, you specified –output file.gpg. This can be anything, though it’s typically the name of the file you’re encrypting plus a .gpg extension (so message.txt would become message.txt.gpg).

Next, you type –recipient [email protected]. This specifies the email for a corresponding GPG key that actually doesn’t exist quite yet on this system.

Still confused?

The way this works is that the email you specify here must be tied to a public key on your local system.

Typically, this is going to be from the public GPG key of a different person, which is what you’re going to encrypt your file with. After such, the file will only be able to be decrypted with that user’s private key.

I’ll be using my previous GPG key with the [email protected] in this example. Thus, the logic would be that I am encrypting the file with the public key of h[email protected], which is then only going to be able to be decrypted with the private key of [email protected].

You’d only have the public key if you were encrypting a file for someone else, but since you’re encrypting the file for yourself, you have both keys on your system.

Lastly, you simply specify the file you’re going to encrypt. For this example, let’s use a file named message.txt with the following content:

We're encrypting with GPG!
gpg example message
Sample text file

Likewise, if the email was [email protected], the new GPG command would be as follows:

gpg --encrypt --output message.txt.gpg --recipient [email protected] message.txt
gpg example message encrypted
Encrypting file with GPG

If you then try to read the file, you’ll see that it looks like gibberish. That is expected because the file is encrypted now:

gpg example message encrypted gibberish
Reading the encrypted file generates gibberish text

Let’s now delete the unencrypted message.txt file so that you can see that the message.txt.gpg file actually decrypts just fine without the original file:

gpg message original deleted

Step 4: Decrypting the encrypted file with GPG

Lastly, let’s actually decrypt the encrypted message. You can do such using the following command:

gpg --decrypt --output file file.gpg

Going through the argument here, we first specify –decrypt, which tells GPG that you’re going to be decrypting a file.

Next, you enter –output file, which simply tells GPG what file you’ll be saving the encrypted form of our file to after you decrypt it.

Lastly, you enter file.gpg, which is just the path to your encrypted file.

Following the example, the command I’d use would be as follows:

gpg --decrypt --output message.txt message.txt.gpg
gpg message decrypt
Decrypting file with GPG

And voila, you’re done! That’s all there is to it when you want to encrypt and decrypt files with GPG.

The only other thing you may want to know is how to share your public keys with others so they can encrypt files before sending them to you.

Sending and receiving GPG Keys

To send someone a GPG key, you’ll first need to export it from your keychain, which is what contains all of your public and private keys.

To export a key, simply find the key ID in your keychain, and then run the following command, replacing id with the key’s ID and key.gpg with the name of the file you want to save to:

gpg --output key.gpg --export id
gpg key export
Export GPG public key

To import a key, simply give the output file (from the previous command) to the other user and then have them run the following command:

gpg --import key.gpg
gpg key import

To use the key normally though, you’ll need to verify the key so GPG properly trusts it.

This can be done by running the –edit-key command on the other user’s system, following by signing the key:

First run gpg --edit-key id:

gpg edit key prompt
GPG edit key

Next, run the fpr command, which will show the fingerprint for the key. The output of this command should be validated against the output on your own machine, which can be found by running the same –edit-key command on your system:

gpg edit key fingerprint 1
Fingerprint of GPG key

If everything matches up, just run the sign command and everything will be ready to go:

gpg edit key sign
Sign GPG key

That’s it! The other user can now start encrypting files with your public key just as you did earlier, ensuring they’ll only be readable by you when you decrypt them with your private key.

And that’s all the basics to GPG!

Wrapping Up

You’ve now gone over everything you need to start using GPG, including encrypting files for yourself and for others. As I mentioned earlier, this is just for understanding how GPG encryption and decryption process works. The basic GPG knowledge you just acquired can be taken to the next level when applied in real-world scenarios.

Need some help figuring out something still, or something just not working right? Feel free to leave any of it in the comments below.

About the author
Hunter Wittenborn

Hunter Wittenborn

Sole Linux user with Ubuntu running my desktops and servers. I do some music stuff in my free time, mainly with piano.

Become a Better Linux User

With the FOSS Weekly Newsletter, you learn useful Linux tips, discover applications, explore new distros and stay updated with the latest from Linux world

It's FOSS

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to It's FOSS.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.