Use GPG to Encrypt and Sign Messages


GNU Privacy Guard (GnuPG or GPG) is a free software replacement for Symantec's PGP cryptographic software suite. GnuPG is compliant with RFC 4880, which is the IETF standards track specification of OpenPGP. Modern versions of PGP and Veridis' Filecrypt are interoperable with GnuPG and other OpenPGP-compliant systems.

GnuPG is part of the GNU project, and has received major funding from the German government.

We can use GPG to Encrypt and Sign messages.


Install from source code.

$ ./configure
$ make
$ make install

Install via system package control

# Debian / Ubuntu
$ sudo apt-get install gnupg
# Fedora / CentOS / RedHat
$ yum install gnupg

Install on OS X via Homebrew

$ brew install gnupg

Install GPG Tool application.

After install, get help information to run gpg --help command.

Generate a Key Pair

$ gpg --gen-key

This will take you through a few questions that will configure your keys.

  • Please select what kind of key you want: (1) RSA and RSA (default)
  • What keysize do you want? 4096
  • Key is valid for? 0
  • Is this correct? y
  • Real name: your real name here
  • Email address: [email protected]
  • Comment: Optional comment that will be visible in your signature
  • Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  • Enter passphrase: Enter a secure passphrase here (upper & lower case, digits, symbols)

Create a Revocation Certificate

You need to have a way of invalidating your key pair in case there is a security breach, or in case you lose your secret key. There is an easy way of doing this with the GPG software.

This should be done as soon as you make the key pair, not when you need it. This revocation key must be generated ahead of time and kept in a secure, separate location in case your computer is compromised or inoperable. Type:

$ gpg --gen-revoke [UserID]

List the keys with gpg --list-keys command, and delete keys with gpg --delete-key [UserID] command.

Export Your Public Key

$ gpg --armor --output public-key.txt --export [UserID]

Export Your Private Key

$ gpg --armor --output private-key.txt --export-secret-keys

Upload Your Public Key

$ gpg --send-keys [UserID] --keyserver hkp://

How To Verify and Sign Keys

While you can freely distribute your generated public key file and people can use this to contact you in an encrypted way, there is still an issue of trust in the initial public key transmission.

Verify the Other Person's Identity

How do you know that the person giving you the public key is who they say they are? In some cases, this may be simple. You may be sitting right next to the person with your laptops both open and exchanging keys. This should be a pretty secure way of identifying that you are receiving the correct, legitimate key.

But there are many other circumstances where such personal contact is not possible. You may not know the other party personally, or you may be separated by physical distance. If you never want to communicate over insecure channels, verification of the public key could be problematic.

Luckily, instead of verifying the entire public keys of both parties, you can simply compare the fingerprint derived from these keys. This will give you a reasonable assurance that you both are using the same public key information.

You can get the fingerprint of a public key by typing:

$ gpg --fingerprint [UserID]

This will produce a much more manageable string of numbers to compare. You can compare this string with the person themselves, or someone else who has access to that person.

Import Other Users' Public Keys

GPG would be pretty useless if you could not accept other public keys from people you wished to communicate with.

You can import someone's public key in a variety of ways. If you've obtained a public key from someone in a text file, GPG can import it with the following command:

$ gpg --import name_of_pub_key_file

There is also the possibility that the person you are wishing to communicate with has uploaded their key to a public key server. These key servers are used to house people's public keys from all over the world.

A popular key server that syncs its information with a variety of other servers is the MIT public key server. You can search for people by their name or email address by going here in your web browser:

You can also search the key server from within GPG by typing the following:

$ gpg --keyserver  --search-keys [UserID]

Encrypt File

$ gpg --recipient [UserID] --output demo.en.txt --encrypt demo.txt

Decrypt File

$ gpg --decrypt demo.en.txt --output

Sign File

$ gpg --sign demo.txt

After execute that command, will generate demo.txt.gpg file with sign in binary encode, if you want to use ASCII format file, use clearsign params:

$ gpg --clearsign demo.txt

After execute that command, will generate demo.txt.asc file with sign in ASCII encode.

If you want to separate generated signature file and origion file, you can use the detach-sign parameters:

$ gpg --detach-sign demo.txt

After execute that command, will generate demo.txt.sig sign file with binary encode, if you want to use ASCII format sign file, add armor params:

$ gpg --armor --detach-sign demo.txt

Verify Sign

$ gpg --verify demo.txt.asc demo.txt

Use GPG Suite - GPG Keychain Encrypt E-mail on OS X

After GPG Suite installed will add OpenPGP services on system. You can add some shortcuts in System Preferences -> Keyboard -> Shortcuts like this:

Sign E-mail

In select all mail content and choose OpenPGP: Sign Selection in right click menu (or use shortcuts with your custom settings). Enter password and click OK button.

E-mail Encryption

After import other user's public key, select all mail content (also include sign selection if exists) and choose OpenPGP: Encrypt Selection (or use shortcuts with your custom settings). Select mail receivers and send it.

Decryption E-mail

Select code from ----BEGIN PGP MESSAGE---- to -----END PGP MESSAGE----- of mail content, and select OpenPGP: Decrypt Selection in right click menu (or use shortcuts with your custom settings).

0.00 avg. rating (0% score) - 0 votes