PGP basics

· Sep 16, 2025
pgp gpg privacy security encryption

PGP (Pretty Good Privacy) is a system for encrypting and signing data using public-key cryptography. You generate a key pair: a public key you share, and a private key you keep secret.

If someone wants to send you a private message, they encrypt it using your public key. Only your private key can decrypt it. If you want to prove that a message came from you, you sign it using your private key. Anyone with your public key can verify the signature.

It’s widely supported via the GnuPG tool (gpg) on Linux, and also integrated into email clients like Thunderbird.

Setup

To generate a new key pair:

gpg --full-generate-key

Choose “RSA and RSA” (RSA for signing + RSA for encryption), 4096 bits, expiration 1y (you can extend or renew it later), a name, email, optional comment, and a strong passphrase. The result is a key ID tied to your identity.

Choose “RSA and RSA” (for both signing and encryption), set the key size to 4096 bits, and set the expiration to 1 year (can be extended or renewed later). You’ll be asked to enter a name, email address, and optionally a comment (e.g. “personal laptop” or “work key”). Finally, choose a strong passphrase to protect your private key.

Once complete, GPG will generate your key pair and assign it a unique key ID (and fingerprint), which will identify you to others.

To list your keys:

gpg --list-keys

This shows your key’s fingerprint, usage flags ([SC] for signing and certifying, [E] for encryption), and the associated user ID.

To export your public key:

gpg --armor --export your@email.com > pgp.txt

Replace the email with your actual one (or use your fingerprint or key ID). The --armor flag writes the key in ASCII format, so it can be published or copy-pasted.

You can also upload your key to a public keyserver https://keys.openpgp.org to make it easier for others to find and import it. You’ll receive an email from the keyserver asking you to confirm ownership. Once confirmed, others can fetch your key:

gpg --locate-keys your@email.com

It’s a good idea to back up your private key:

gpg --armor --export-secret-keys your@email.com > private.asc

Store it offline (encrypted USB, external drive, etc.). Do not leave this file on disk unprotected.

You should also pre-generate a revocation certificate:

gpg --output revoke.asc --gen-revoke your@email.com

This lets you revoke the key later (e.g. if it’s lost or compromised). To revoke the key from the keyserver, upload revoke.asc at keys.openpgp.org/upload. Anyone fetching your key will now see it marked as revoked

Sign a file

To sign a plaintext file while keeping it readable:

gpg --clearsign message.txt

This creates message.txt.asc, a readable copy of the original message with an appended signature block:

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is the original message.

\-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE...
... (Base64 signature block)
\-----END PGP SIGNATURE-----

To verify a signed message:

gpg --verify message.txt.asc

If the signature is valid and the public key is known, GPG prints:

gpg: Signature made ...
gpg: using RSA key ...
gpg: Good signature from ...

You can also sign other files (binary or text) using --sign or --detach-sign. These create binary or separate signature files that are useful for packages, archives, or documents.

Encrypt a file

To send someone an encrypted file, you need their public key:

gpg --import theirkey.asc

Then encrypt a file that you want to send to them:

gpg --encrypt --armor -r their@email.com message.txt

This creates message.txt.asc, a Base64-encoded encrypted file. Only the recipient’s private key can decrypt it.

To decrypt a received file:

gpg --decrypt message.txt.asc

GPG will prompt for your passphrase and output the decrypted content.

You can also encrypt binary files (PDFs, images, etc.) without --armor, which produces a .gpg binary instead of ASCII.