# GPG/PGP Guide

GPG (GNU Privacy Guard) provides encryption and digital signatures.

## Key Management

### Generate Key Pair
```bash
# Interactive generation
gpg --full-generate-key

# Recommended settings:
# - Algorithm: RSA and RSA
# - Key size: 4096
# - Expiration: 2y (can be extended later)
# - Real name: Your Name
# - Email: user@example.com
# - Passphrase: Strong, unique passphrase
```

### List Keys
```bash
# List public keys
gpg --list-keys
gpg -k

# List private keys
gpg --list-secret-keys
gpg -K

# Show key fingerprint
gpg --fingerprint user@example.com
```

### Export Keys
```bash
# Export public key
gpg --export --armor user@example.com > publickey.asc

# Export private key (KEEP SECURE!)
gpg --export-secret-keys --armor user@example.com > privatekey.asc

# Upload public key to a keyserver
gpg --send-keys --keyserver hkps://keys.openpgp.org KEYID
```

### Import Keys
```bash
# Import public key
gpg --import publickey.asc

# Import from keyserver
gpg --keyserver hkps://keys.openpgp.org --recv-keys KEYID

# Verify and sign imported key
# (compare the fingerprint with one obtained out of band before signing)
gpg --edit-key user@example.com
# > trust
# > sign
# > save
```

## Encryption

### Encrypt File
```bash
# Encrypt for recipient
gpg --encrypt --recipient user@example.com file.txt
# Creates: file.txt.gpg

# Encrypt with armor (ASCII output)
gpg --encrypt --armor --recipient user@example.com file.txt
# Creates: file.txt.asc

# Encrypt for multiple recipients
gpg --encrypt -r alice@example.com -r bob@example.com file.txt

# Symmetric encryption (passphrase only, no key pair needed)
gpg --symmetric file.txt
# Creates: file.txt.gpg
```

### Decrypt File
```bash
# Decrypt to stdout
gpg --decrypt file.txt.gpg

# Decrypt to file
gpg --decrypt --output file.txt file.txt.gpg
gpg -d -o file.txt file.txt.gpg
```

## Digital Signatures

### Sign Files
```bash
# Create detached signature
gpg --detach-sign file.txt
# Creates: file.txt.sig

# Create inline signature
gpg --sign file.txt
# Creates: file.txt.gpg

# Clear-text signature (readable message + signature)
gpg --clearsign file.txt
# Creates: file.txt.asc
```

### Verify Signatures
```bash
# Verify detached signature
gpg --verify file.txt.sig file.txt

# Verify inline signature
gpg --verify file.txt.gpg

# Exit status 0 only means a key in your keyring produced a good signature;
# check that the fingerprint gpg prints belongs to the signer you expect.
```

## GPG Agent
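Added example, not part of the original guide: a Python policy check around `gpg --verify`. A zero exit status only says that some key in the local keyring produced a good signature, so this parses the machine-readable `--status-fd` lines and pins the signer to an allow-listed fingerprint. The status lines and the fingerprint below are constructed sample data, not output from a real key.

```python
import subprocess

# Status keywords that mean the signature must be rejected outright.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_text):
    """Extract signer fingerprints and failure keywords from --status-fd output."""
    fingerprints, problems = [], []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keyword = parts[1]
        if keyword == "VALIDSIG":
            # parts[2] is the (sub)key that signed; newer gpg versions append the
            # primary key fingerprint as the 12th field, which is what we pin on.
            fpr = parts[11] if len(parts) >= 12 else parts[2]
            fingerprints.append(fpr.upper())
        elif keyword in BAD_STATUS:
            problems.append(keyword)
    return fingerprints, problems


def signature_is_trusted(status_text, allowed_fingerprints):
    """True only if every signature comes from an allow-listed key."""
    allowed = {f.replace(" ", "").upper() for f in allowed_fingerprints}
    fingerprints, problems = parse_status(status_text)
    if problems or not fingerprints:
        return False
    return all(fpr in allowed for fpr in fingerprints)


def verify_detached(sig_path, data_path, allowed_fingerprints):
    """Run gpg --verify and apply the fingerprint policy to its status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # Exit code 0 alone only means "some key in the keyring made a good signature".
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, allowed_fingerprints)


# Constructed sample status output (placeholder fingerprint, not a real key).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.com>
[GNUPG:] VALIDSIG {PINNED_FPR} 2024-01-01 1704067200 0 4 0 1 10 00 {PINNED_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.com>\n"
```

`verify_detached("file.txt.sig", "file.txt", [PINNED_FPR])` wires the policy to a real invocation; the sample constants let the parser be exercised without gpg installed.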
```bash
# Start agent
gpg-agent --daemon
```

Configure in `~/.gnupg/gpg-agent.conf` (values are in seconds):

```
default-cache-ttl 3600
max-cache-ttl 86400
```

## Best Practices
| Practice | Recommendation |
|---|---|
| Key size | 4096-bit RSA |
| Expiration | Set 1-2 years, extend as needed |
| Passphrase | Long, unique, stored securely |
| Backup | Keep encrypted offline backup |
| Revocation | Generate and store revocation certificate |

- gpg
- pgp
- encryption
- signing
- email security