What is PGP and GPG and how to use them?
On this page you will learn what PGP and GPG are, and how to use them in both your work and your daily life.

By Omkaram - Feb 18, 2024


So, what is PGP and GPG?

They are acronyms: PGP stands for "Pretty Good Privacy" and GPG stands for "GNU Privacy Guard".

If we ignore the history for a moment, both PGP and GPG are security software tools whose sole purpose is to encrypt and decrypt any data of your choice and transmit it over the internet, using what's known as Public-Private Key Cryptography (PPKC). PGP came first, in the 1990s, and it was created by security experts working for the company "Symantec". Over time it gained popularity and was widely adopted.

If you are not sure what PPKC is, here is a quick refresher. In the world of PPKC, if two parties need to share data secretly with each other, the user who wants to receive the data creates a public and private key pair just once, and then shares the public key with the user who wants to send the data. This way, the sender can encrypt the data using the public key and send the encrypted gibberish to the receiver. Once the receiver gets the encrypted text, they can decrypt it using the private key they already have. The public and private keys are long, random-looking pieces of text which are mathematically linked to each other. Without the private key, data encrypted using the public key is impossible to decrypt.


Now where does GPG come in?

GPG - GNU Privacy Guard, the name says it all. GPG is a software tool created as a modern alternative to, though not a replacement for, PGP by the GNU Project working under the FSF (Free Software Foundation) founded by Richard Stallman. While PGP is a proprietary solution, GPG is open source. Anyone can use it freely, and it comes with the GNU coreutils seen in GNU/Linux based operating systems.

GPG, like most Unix based programs, is POSIX compliant and offers a wide variety of program options which can be passed as arguments.

You can encrypt, decrypt, sign, verify, delete keys, list keys, publish keys to key servers, etc.



Enough about the history. If your goal is to become a system admin, a cautious journalist or even a software dev, you need to learn GPG. There are not that many commands to learn. People think it's complex to use, but it isn't. Now, let's try some cryptographic operations using GPG.

On your Linux machine, first check if GPG is installed. It's highly unlikely not to have it on almost all Linux distros, because the parent distro for 99% of them is Debian, and with Debian everything started.

Here are the tasks we will follow:

  1. Check GPG version
  2. GPG Key generation
  3. Export public and private keys
  4. List keys
  5. Show a key
  6. Encrypt a text file
  7. Decrypt the encrypted text file
  8. Publish the key to the keyservers

Run the following commands


Check GPG version

$ gpg --version

You will get an output similar to the below


gpg (GnuPG) 2.2.27
libgcrypt 1.9.4
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/omkaram/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

This means you have GPG, and the latest version which comes with the kernel. Notice the Home: /home/omkaram/.gnupg line? That's where the keys will reside once we create them.


GPG Key generation

The idea in this step is to create your public and private keys. You need to answer some questions: the algorithm your keys are going to use (we go with RSA by default), then how big the public and private keys should be (typically 2048, or whatever default value it shows). Next you enter some personal details like your name, email and a comment, so that the KeyID which results from running the key generation command will always be identified with you.

$ gpg --full-generate-key

You will get output similar to the below. Observe that I have entered whatever the program needs.


$ gpg --full-generate-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Venkatesh Omkaram
Email address: [email protected]
Comment: GPG key for my website
You selected this USER-ID:
    "Venkatesh Omkaram (GPG key for my website) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 16ADB3D136BEF451 marked as ultimately trusted
gpg: revocation certificate stored as '/home/omkaram/.gnupg/openpgp-revocs.d/6463D33AD7F4D2CCD6F957F816ADB3D136BEF451.rev'
public and secret key created and signed.

pub   rsa3072 2024-02-23 [SC]
        6463D33AD7F4D2CCD6F957F816ADB3D136BEF451
uid                      Venkatesh Omkaram (GPG key for my website) <[email protected]>
sub   rsa3072 2024-02-23 [E]

Let's break this down a bit. The first line is the command I executed. Next, GPG asks me to choose the algorithm; I can enter 1 or press Enter to go with the default. Next, GPG asks for the key size, and I went with the default by pressing Enter. Next, it asked me for the key validity. I personally don't want my keys to expire. Not that I won't misplace them, but it's a hassle to generate new ones every time. But it's not best practice to choose "key does not expire". Also, you need to know that after publishing keys to certain key servers, if the key has no expiry and you later want to expire it, some key servers won't allow that. The same applies when a key has expired but you can't delete it from the keyserver, because they may have a policy of not deleting uploaded keys. Finally, GPG asks for Name, Email and Comment and asks us to enter "o" for Okay.

The moment you press Enter, GPG throws a pop-up on your screen asking for a passphrase. Now, this is a very important thing to remember. What a passphrase essentially is, is password protection enforced independently on each of your private keys, so that hostile people would not be able to use your private keys even if they get copies of them when your machine is compromised. Of course, no one can save you if the hackers placed a keylogger on your machine, but if that's not the case, then you are safe as long as your passphrase is strong.

Every time you encrypt, decrypt or sign, the program will ask you to enter the passphrase. So don't lose it in any case.

After the passphrase is entered, the program asks you to move the mouse cursor to gain some entropy for key generation and voila! Your keys are served.


What you essentially created is a public and private key pair stored in the .gnupg folder under your home folder, with a fingerprint given to it. In my case the Long KeyId is 16ADB3D136BEF451 and the Fingerprint is 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451. You can use either the Long KeyId or the Fingerprint while performing the rest of the activities. If you notice, the Long KeyId is actually the last 16 characters of the Fingerprint. Let's move to the next page.


Export public and private keys

We can export our public and private keys from the recently generated GPG key pair, but is it necessary? No. But should we do it? Yes. The reason we do it is caution. We export the public key as a file so that it can be shared with someone else, who can then import our key directly on their machine without needing an internet connection to fetch it from the keyserver. Secondly, we export the private key so that if our system crashes and we lose our drives, we would still have the private key as a backup, which can be imported onto a newer machine without any hassle so that we can still decrypt the data which was encrypted with the public key. Cool. Now let's do it for real. Run the below command.

$ gpg --export -a 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451 > linuxmule.gpg.pubkey

Note: In the above I have used my fingerprint for the account [email protected]. I can have any number of keys on my machine. They can all be mine, someone else's, or a mix of both. If a key is your own, generated on the machine you are running, then that key has both the public and the private part in it. If it is someone else's key, then you only have the public key, not the private key. In your case, replace the fingerprint with your own ID.

Now, I will see what's in it by running cat on it.

$ cat linuxmule.gpg.pubkey

And the result we get is:


-----BEGIN PGP PUBLIC KEY BLOCK-----
...
=EfOz
-----END PGP PUBLIC KEY BLOCK-----

Note: You shouldn't be scared to share your public keys. Those are public.

Similarly, you can export the private key by running this:

$ gpg --export-secret-key -a 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451 > linuxmule.gpg.privkey

And this is the key you must never share with anybody.


List keys

You can list all your keys, both self-created and other people's, by running the below:

$ gpg --list-keys

I have 4 keys in my trustdb. Here is the output


gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2026-02-11
/home/omkaram/.gnupg/pubring.kbx
--------------------------------
pub   rsa3072 2024-02-12 [SC] [expires: 2026-02-11]
      C04873203599812B6024C08298F586A9F3B0EE70
uid           [ultimate] Venkatesh Omkaram <[email protected]>
sub   rsa3072 2024-02-12 [E] [expires: 2026-02-11]

pub   rsa4096 2024-02-12 [SC]
      BB3C72C74C08443203599812B6042CCEEDC819CF
uid           [ultimate] Venkatesh Omkaram (Use this for secure emails) <[email protected]>
sub   rsa4096 2024-02-12 [E]

pub   rsa3072 2024-02-23 [SC]
      6463D33AD7F4D2CCD6F957F816ADB3D136BEF451
uid           [ultimate] Venkatesh Omkaram (GPG key for my website) <[email protected]>
sub   rsa3072 2024-02-23 [E]

As you can see above, the first key was created for some email and it has an expiry. The second one has the same email but no expiry. And the third one, which we just created in this tutorial, has no expiry either. All of these keys are stored in a file called /home/omkaram/.gnupg/pubring.kbx
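Since the listing can also be read by scripts, here is an added example (not from the article) that audits a key listing for keys with no expiry date, which the tutorial notes is not best practice. It reads the machine-readable form of the listing above (gpg --list-keys --with-colons): field 1 is the record type, field 6 the creation time, field 7 the expiry time (epoch seconds, empty when the key never expires), and each "pub" record is followed by an "fpr" record with the fingerprint in field 10. The sample listing embedded in the script is constructed to mirror the three keys shown above; the uid hashes, subkey ids and email address are placeholders, and the epoch values correspond to the dates in the listing.

```shell
#!/bin/sh
# Added example, not the article's own script: find primary keys that never
# expire in `gpg --list-keys --with-colons` output.
# SAMPLE_LISTING is constructed to mirror the three keys in the article's
# listing (placeholder uid hashes, subkey ids and email address).
SAMPLE_LISTING='pub:u:3072:1:98F586A9F3B0EE70:1707696000:1770768000::u:::scESC::::::23::0:
fpr:::::::::C04873203599812B6024C08298F586A9F3B0EE70:
uid:u::::1707696000::0000000000000000000000000000000000000000::Venkatesh Omkaram <user@example.invalid>::::::::::0:
sub:u:3072:1:0000000000000001:1707696000:1770768000:::::e::::::23:
pub:u:4096:1:B6042CCEEDC819CF:1707696000:::u:::scESC::::::23::0:
fpr:::::::::BB3C72C74C08443203599812B6042CCEEDC819CF:
uid:u::::1707696000::0000000000000000000000000000000000000000::Venkatesh Omkaram (Use this for secure emails) <user@example.invalid>::::::::::0:
sub:u:4096:1:0000000000000002:1707696000::::::e::::::23:
pub:u:3072:1:16ADB3D136BEF451:1708646400:::u:::scESC::::::23::0:
fpr:::::::::6463D33AD7F4D2CCD6F957F816ADB3D136BEF451:
uid:u::::1708646400::0000000000000000000000000000000000000000::Venkatesh Omkaram (GPG key for my website) <user@example.invalid>::::::::::0:
sub:u:3072:1:0000000000000003:1708646400::::::e::::::23:'

# Read colon records on stdin; print the fingerprint of every primary key
# whose expiry field (7) is empty. The "pub" record sets the flag, the
# "fpr" record that follows it carries the fingerprint in field 10.
keys_without_expiry() {
    awk -F: '
        $1 == "pub" { noexp = ($7 == "") }
        $1 == "fpr" && noexp { print $10; noexp = 0 }
    '
}

# Count how many primary keys the listing contains at all.
primary_key_count() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# Run the audit over the constructed sample; on a real machine pipe
# `gpg --list-keys --with-colons` into keys_without_expiry instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | keys_without_expiry
}

sample_key_count() {
    printf '%s\n' "$SAMPLE_LISTING" | primary_key_count
}

echo "primary keys in sample: $(sample_key_count)"
echo "keys that never expire:"
audit_sample
```

On your own keyring, run `gpg --list-keys --with-colons | keys_without_expiry` after sourcing the script; for the sample it reports the second and third fingerprints, matching what the listing above shows in human-readable form.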


Show a key

If you have an exported public or private key file with you, then to show the details of that specific key you can run the below.

$ gpg --show-key linuxmule.gpg.pubkey
or
$ gpg --show-key linuxmule.gpg.privkey

Encrypt a text file

Finally, let's encrypt a text file using our fingerprint. The command is pretty self-explanatory. The sample file contains the word "Hello".

$ gpg --encrypt --recipient 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451 --output encrypted_file.gpg --armor sample.txt


The encrypted text will look like the below if you cat the file:


-----BEGIN PGP MESSAGE-----
...
=gYO7
-----END PGP MESSAGE-----

Decrypt the encrypted text file

Now, let's decrypt encrypted_file.gpg. When you run the below command, GPG will ask you for the passphrase chosen for this fingerprint. The decrypted output file we want is named "decrypted_file.txt".

$ gpg --decrypt --output decrypted_file.txt encrypted_file.gpg
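To tie tasks 2 to 7 together, and to show the two-party public-private key exchange from the PPKC refresher at the top of the page, here is an added example script (not the article's own) that plays both sides with GnuPG in two throwaway keyrings, so your real ~/.gnupg is never touched. It assumes gpg 2.x is on your PATH; the user ids, the passphrase and the "Hello" plaintext are constructed for the demo, and key generation is done in batch mode so the script runs without prompts.

```shell
#!/bin/sh
# Added example (not the article's own script): the public/private key
# exchange between a "receiver" and a "sender", each with a throwaway
# keyring. Assumes gpg (GnuPG 2.x) is on PATH. The user ids, the
# passphrase and the "Hello" plaintext are constructed for this demo.
set -eu

DEMO_PASS='constructed-demo-passphrase'   # protects the receiver's private key at rest

# Run gpg against an explicit keyring directory instead of ~/.gnupg.
# --batch/--yes suppress prompts; loopback pinentry lets --passphrase
# work without a GUI pinentry dialog.
gpg_in() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --yes --pinentry-mode loopback "$@"
}

# Task 2, non-interactive form: the parameter block answers the same
# questions --full-generate-key asks on the terminal. RSA 2048 keeps the
# demo quick; the article's interactive run used the 3072-bit default.
gen_key() {
    gpg_in "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
Passphrase: $DEMO_PASS
%commit
EOF
}

# Primary-key fingerprint for a user id: in --with-colons output the "fpr"
# record carries it in field 10, and the primary key's record comes first.
fingerprint_of() {
    gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Full exchange; prints the text the receiver recovers (expected: Hello).
exchange_demo() {
    recv=$(mktemp -d /tmp/gpg-recv.XXXXXX); chmod 700 "$recv"
    send=$(mktemp -d /tmp/gpg-send.XXXXXX); chmod 700 "$send"

    gen_key "$recv" "Demo Receiver" "receiver@example.invalid"
    fpr=$(fingerprint_of "$recv" "receiver@example.invalid")

    # Task 3: the public half is shareable; the private half is a backup
    # that never leaves the receiver (exporting it needs the passphrase).
    gpg_in "$recv" --armor --export "$fpr" > "$recv/receiver.pubkey"
    gpg_in "$recv" --armor --passphrase "$DEMO_PASS" \
        --export-secret-keys "$fpr" > "$recv/receiver.privkey"

    # The sender imports the public key file directly, no keyserver needed.
    gpg_in "$send" --import "$recv/receiver.pubkey"

    # Task 6: encrypt to the receiver's fingerprint. A freshly imported key
    # carries no trust in the sender's keyring, so batch mode needs an
    # explicit trust decision; in real use, verify the fingerprint out of
    # band (phone, in person) before relying on it.
    printf 'Hello\n' > "$send/sample.txt"
    gpg_in "$send" --trust-model always --encrypt --recipient "$fpr" --armor \
        --output "$send/encrypted_file.gpg" "$send/sample.txt"

    # Without the private key the ciphertext is useless: the sender's own
    # keyring, holding only the public key, cannot decrypt what it produced.
    if gpg_in "$send" --decrypt "$send/encrypted_file.gpg" >/dev/null 2>&1; then
        echo "unexpected: sender decrypted without the private key"
    fi

    # Task 7: the receiver decrypts, unlocking the private key with the passphrase.
    gpg_in "$recv" --passphrase "$DEMO_PASS" --decrypt \
        --output "$recv/decrypted_file.txt" "$send/encrypted_file.gpg"
    result=$(cat "$recv/decrypted_file.txt")

    # Stop the per-keyring agents and discard both keyrings.
    gpgconf --homedir "$recv" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$send" --kill gpg-agent 2>/dev/null || true
    rm -rf "$recv" "$send"
    printf '%s\n' "$result"
}

if command -v gpg >/dev/null 2>&1; then
    exchange_demo
else
    echo "gpg not found on PATH; install GnuPG to run this demo" >&2
fi
```

Run it with sh; it prints Hello. The sender has to pass --trust-model always because a key imported from a file carries no trust in that keyring, which is exactly why checking the fingerprint with the owner before encrypting matters; the check in the middle of the script shows that the sender's keyring, holding only the public key, cannot decrypt the message it just produced.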

Publish the key to the keyservers

We have successfully created the key, encrypted and decrypted some stuff, and now it's time to upload the public key to a free and popular server which hosts these keys for us. Other GPG users will look into these servers to find your fingerprint, import your public key onto their machines and send encrypted emails to you.

Note: Once you push the keys to the server, there is no rolling back. It might stay there indefinitely. So be cautious here.

The key server I am using is https://keys.openpgp.org. You can go there and search by any known fingerprint, or by email if the owner made it visible.

$ gpg --keyserver hkp://keys.openpgp.org --send-keys 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451


That's it guys. We are done! The key is now uploaded to the keyserver and we can communicate with each other without the NSA bothering us. Haha.

You can find my key here 6463D33AD7F4D2CCD6F957F816ADB3D136BEF451. I hope you enjoyed this tutorial. Have a nice day.