Secure Communication With GnuPG

Now days with the increase in spying by organizations such as the NSA and reqular attacks against websites it’s more important than ever to secure your data and communication.

GnuPG is a free and open source OpenPGP implementation available on every major operating system that can provide strong encryption, before making use of GnuPG it’s important to understand some concepts.

Basic Concepts

Public Key

The public key is an encryption key that is intended to be publicly available, at the very least the sender will need your personal public key to perform encryption, public keys are also used to verify signatures so any unauthorized changes can be detected.

Secret Key / Private Key

The secret key is used to decrypt a message or file than has been encrypted by the matching public key, the secret key should as the name suggest be kept secret as it provides additional security on top of the passphrase, secret keys are also used to sign a file so persons with your public key can verify the file has not been changed.


A passphrase is used when performing decryption or signing a file, this generally follows the same rules as making a good password except it should be much longer, around 40-60 characters is considered typical which will be for all intents and purposes unbreakable.

Installing GnuPG

There are two main version usually installed stable and classic, these are run with the command ‘gpg2’ and ‘gpg’ respectively, in most cases you should always use the stable version of GnuPG, on Linux most distributions come with it already installed.

For Windows user the easiest way is to install gpg4win which can be downloaded with a graphical front end for easier use.

Using GnuPG

For this I’m going to assume you’re using the traditional command line and not a graphical front end, if you are you should check the documentation for your particular front end.

Generating a key pair

Generating a key pair (key pair being the public and secret key) is really simple, just run the following command:

gpg2 --gen-key

You will then be asked the following:

Please select what kind of key you want:
 (1) RSA and RSA (default)
 (2) DSA and Elgamal
 (3) DSA (sign only)
 (4) RSA (sign only)
Your selection?

In almost all cases you want option 1 which is considered by many to be the most secure, next you will be asked to specify the key size.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

2048 bits should be the absolute minimum for good protection with 4096 being the optimal choice where speed or size isn’t a major concern, keep in mind slower machines may have trouble dealing with a large key.

Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0)

You will then be asked for an expiry date, it’s a good idea to set this since it provide a clear indication to users that they should update their key, a key that has expired can still be used normally, although many key servers will remove expired keys.

GnuPG needs to construct a user ID to identify your key.

Real name: TestKey
Email address:
Comment: Test Key
You selected this USER-ID:
    "TestKey (Test Key) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

You will then be asked for your real name, email address and a comment to help identify the key, both for yourself and others.

Once this is done you will be asked for the passphrase, it’s a good idea to practice using the passphrase you have chosen before making the key since writing it down would defeat the purpose, there is also no way to recover a lost passphrase.

The key will then be generated, as GnuPG suggest you should move your mouse around randomly to help generate a truly random key.

gpg: key EA40ACC3 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   5  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 5u
pub   4096R/EA40ACC3 2015-11-08
      Key fingerprint = CA97 B246 2A38 A2EA 6A0D  0228 2CBE 7277 EA40 ACC3
uid       [ultimate] TestKey (Test Key) 
sub   4096R/C0523162 2015-11-08

This shows the keys were successfully generated, the key ID is EA40ACC3, it also shows the public key fingerprint which is used by the recipient to verify with you that the key they have received is correct, it also shows the key name, comment and email address along with the trust level, which for a newly generated key is ultimate (it’s your key you trust it fully), a subkey is also shown, this should not be confused with the secret key which is not shown here, GnuPG by default uses a separate subkey only for encryption with the ID here of C0523162.

Viewing your key pair

To view the public key again you can use:

gpg2 -k Test
pub   4096R/EA40ACC3 2015-11-08
uid       [ultimate] TestKey (Test Key) 
sub   4096R/C0523162 2015-11-08

To view the secret key:

gpg2 -K Test
sec   4096R/EA40ACC3 2015-11-08
uid                  TestKey (Test Key) 
ssb   4096R/C0523162 2015-11-08

In this case ssb is the matching secret subkey for the public subkey C0523162, if you run this command without Test it will show all keys in your keyring which is automatically generated the first time you run GnuPG.

Exporting and using a key server

It’s very very important you always have a secure backup of both your public and secret keys, to do this you can export them, to export the public key (public sub key is automatically included):

gpg2 --armor --export -o pub.asc Test

This exports the public Test key to the file pub.asc, the –armor option makes it output the key in plain text rather than binary, the result looks something like this:

Version: GnuPG v2


It’s very important you do not modify this in any way, this can now be stored or sent to whoever you want.

To export the secret key:

gpg2 --armor --export-secret-key -o sec.key Test

This should never be given to anyone but it’s also of critical importance that you have it safely stored, if you loose it you can never decrypt or sign again with the key.

Public keys are often stored on a public keyserver for convenience, to send your key to a keyserver (in this example I’m sending it to

gpg2 --keyserver --send-keys EA40ACC3

To get a key from the keyserver use:

gpg2 --keyserver --recv-keys EA40ACC3

It should be noted there is no way for you to delete the key from the server, some servers may delete keys that have expired or that have received a revocation certificate, this requires the secret key so it’s best done right after key creation.

gpg2 --output pub-revoke.gpg --gen-revoke EA40ACC3

To use this you import the revocation certificate and then send the key again to the keyserver.

gpg2 --import pub-revoke.gpg
gpg2 --keyserver --send-keys EA40ACC3

Importing Keys

Importing a key is very easy for both public and secret keys:

gpg2 --import pub.asc
gpg2 --import sec.asc

A key that is imported is by default untrusted, to change this you need to go into key editing mode:

gpg2 --edit-key test

This will show the usage of each key and subkey, S being Sign, C being create certificate, A being authentication and E being encryption.

You can get the fingerprint by typing ‘fpr’ you should always use this to verify any key sent to you.

You can switch between the public and secret keys by typing ‘toggle’.
To change the trust type ‘trust’ and answer the following question, ultimate trust should only be assigned to keys you are 100% sure of.
When you are done make sure you type ‘save’.

Encryption and Decryption

Encryption is the main purpose on GnuPG, this can be done two ways, encrypting a message or encrypting a file.
To encrypt a message use:

gpg2 --armor -r Test -e

You can now type your message, when finished hit ctrl + d, the encrypted message will now be given:

Version: GnuPG v2


To decrypt a message use:

gpg2 -d

Paste in the message and it should ask for the decryption key, if not try hit ctrl + d.
If the passphrase is correct you will see the original message.

Windows has a problem with not recognizing ctrl + d so this method as far as I can tell will not work.

Encrypting a file can be done like so:

gpg2 --armor -r Test -o test.txt.gpg -e test.txt

Since –armor outputs ASCII you can send the encrypted text in test.txt.gpg in an email as long as the recipient knows it’s a file and the intended file extension, or as an attachment.
To decrypt:

gpg2 -o test.txt -d test.txt.gpg

File Signing

Signing a file is a great way to ensure the recipient can verify that they have the correct unmodified file, this is similar in many ways to a file hash.
To sign a file do:

gpg2 --armor -u Test -b test.txt

This will create a test.txt.asc file which contains the file signature, this is known as a detached signature which is most often what you want, this should be included along with the file you are sending.

If you are sending an encrypted file you should generate your signature from the original file, under UNIX systems it’s common to sign a .tar archive before it gets compressed, for example with bzip2.
To verify the signature.

gpg2 --verify test.txt.asc


This may look like a lot of work but it’s really very simple once you’ve done it a few times, there are a bunch of friendly user interfaces such as GPA available so you don’t have to remember the commends, for quick reference you can type ‘gpg2 –help’, this guide doesn’t cover everything but it’s enough to get you started.

Online security is very important so it’s well worth taking the time to learn how to use encryption effectively.