HxHippy

GPG/PGP Encryption

GNU Privacy Guard for file encryption and email signing.

Last updated: 2025-01-15

GPG/PGP Guide

GPG (GNU Privacy Guard) provides encryption and digital signatures.

Key Management

Generate Key Pair

# Interactive generation
gpg --full-generate-key

# Recommended settings:
# - Algorithm: RSA and RSA
# - Key size: 4096
# - Expiration: 2y (can be extended later)
# - Real name: Your Name
# - Email: you@example.com
# - Passphrase: Strong, unique passphrase

List Keys

# List public keys
gpg --list-keys
gpg -k

# List private keys
gpg --list-secret-keys
gpg -K

# Show key fingerprint
gpg --fingerprint you@example.com

Export Keys

# Export public key
gpg --export --armor you@example.com > publickey.asc

# Export private key (KEEP SECURE!)
gpg --export-secret-keys --armor you@example.com > privatekey.asc

# Export to keyserver
gpg --send-keys --keyserver hkps://keys.openpgp.org KEYID

Import Keys

# Import public key
gpg --import publickey.asc

# Import from keyserver
gpg --keyserver hkps://keys.openpgp.org --recv-keys KEYID

# Verify and sign imported key
# (compare the fingerprint with the key owner over a separate channel before signing)
gpg --edit-key recipient@example.com
# > trust
# > sign
# > save

Encryption

Encrypt File

# Encrypt for recipient
gpg --encrypt --recipient recipient@example.com file.txt
# Creates: file.txt.gpg

# Encrypt with armor (ASCII output)
gpg --encrypt --armor --recipient recipient@example.com file.txt
# Creates: file.txt.asc

# Encrypt for multiple recipients
gpg --encrypt -r alice@example.com -r bob@example.com file.txt

# Symmetric encryption (password only)
gpg --symmetric file.txt

Decrypt File

# Decrypt to stdout
gpg --decrypt file.txt.gpg

# Decrypt to file
gpg --decrypt --output file.txt file.txt.gpg
gpg -d -o file.txt file.txt.gpg

Digital Signatures

Sign Files

# Create detached signature
gpg --detach-sign file.txt
# Creates: file.txt.sig

# Create inline signature
gpg --sign file.txt
# Creates: file.txt.gpg

# Clear-text signature (readable message + signature)
gpg --clearsign file.txt
# Creates: file.txt.asc

Verify Signatures

# Verify detached signature
gpg --verify file.txt.sig file.txt

# Verify inline signature
gpg --verify file.txt.gpg
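
The `gpg --verify` commands above succeed for a good signature made by any key in the keyring. As an added example (not part of the original guide), the script below also checks who signed: it parses GnuPG's machine-readable `--status-fd` output and accepts the file only if the signature is valid and belongs to a pinned primary-key fingerprint. The function names, the sample fingerprints and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only from a pinned signing key.

# status_ok PINNED_FPR
# Reads `gpg --status-fd 1` output on stdin. Succeeds only if a VALIDSIG line
# names the pinned primary-key fingerprint and no bad, expired or revoked
# signature status appears. Anything else fails closed.
status_ok() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    [ -n "$pinned" ] || return 2
    matched=1
    while read -r prefix tag rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$tag" in
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) return 1 ;;
            VALIDSIG)
                # First field: fingerprint of the (sub)key that signed.
                # Last field: fingerprint of its primary key, compared here.
                if [ "${rest##* }" = "$pinned" ]; then matched=0; fi ;;
        esac
    done
    return "$matched"
}

# verify_pinned PINNED_FPR SIGFILE DATAFILE
# The pipeline's exit status is status_ok's, so a missing key or a gpg
# error (no VALIDSIG line at all) is also a failure.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | status_ok "$1"
}

# Constructed sample: made-up fingerprints and status lines, not real keys.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Signer <signer@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2025-01-15 1736899200 0 4 0 1 10 00 $SAMPLE_FPR"

if printf '%s\n' "$SAMPLE_GOOD" | status_ok "$SAMPLE_FPR"; then
    echo "sample: signature accepted for pinned key"
fi
# Real use: verify_pinned "$SAMPLE_FPR" file.txt.sig file.txt
```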

GPG Agent

# Start agent (GnuPG 2.1 and later start it automatically when needed)
gpg-agent --daemon

# Configure in ~/.gnupg/gpg-agent.conf (values are in seconds)
default-cache-ttl 3600
max-cache-ttl 86400

Best Practices

| Practice | Recommendation |
|---|---|
| Key size | 4096-bit RSA |
| Expiration | Set 1-2 years, extend as needed |
| Passphrase | Long, unique, stored securely |
| Backup | Keep encrypted offline backup |
| Revocation | Generate and store revocation certificate |