Protect your privacy with the Linux gpg command
Use world-class encryption to protect your secrets. We'll show you how to use gpg to work with keys, encrypt files and decrypt files.
GNU Privacy Guard (GPG) allows you to encrypt files securely so that only the intended recipient can decrypt them. Specifically, GPG implements the OpenPGP standard, which is based on a program called Pretty Good Privacy (PGP). PGP was written in 1
GPG is based on the idea of two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that has been encrypted with the private key.
To send a file securely, you encrypt it with your private key and the recipient's public key. To decrypt the file, the recipient needs their private key and your public key.
This shows that public keys have to be shared. You need the recipient's public key to encrypt the file, and the recipient needs your public key to decrypt it. There is no danger in making your public keys public; in fact, as we shall see, there are public key servers for exactly that purpose. Private keys must be kept private. Your public key can be common knowledge, but your private key must be kept secret and secure.
Setting up GPG takes more steps than using it. Fortunately, you usually only need to set it up once.
Generating Your Keys
gpg came installed on all the Linux distributions we tested, including Ubuntu, Fedora and Manjaro. You do not have to use GPG with e-mail: you can encrypt files and make them available for download, or hand them to the recipient physically. You do, however, have to associate an e-mail address with the keys you generate, so decide which e-mail address you want to use.
The command to generate your keys is shown below. The --full-generate-key option generates your keys in an interactive session in your terminal window. You will also be prompted for a passphrase. Make sure you remember the passphrase: three or four simple words joined with punctuation marks make a good, robust model for passwords and passphrases.
gpg --full-generate-key
You must select a bit length for the encryption keys. Press Enter to accept the default.
You must specify how long the key should last. If you are testing the system, enter a short duration such as 5 for five days. If you are going to keep this key, enter a longer duration such as 1y for one year. The key then lasts 12 months and must be renewed after one year. Confirm your selection when asked.
You must enter your name and e-mail address. You can add a comment if you want to.
You will be asked to enter your passphrase. You need the passphrase whenever you work with your keys, so make sure you know what it is. A passphrase prompt like this one appears whenever gpg needs it, so do not forget your passphrase and keep it safe.
Key generation completes and you are returned to the command prompt.
Generating a Revocation Certificate
If your private key becomes known to others, you need to dissociate the old keys from your identity so that you can generate new ones. To do that you need a revocation certificate. We'll create one now and keep it somewhere safe.
The --output option must be followed by the file name of the certificate you want to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must provide the e-mail address you used when you generated the keys.
gpg --output ~/revocation.crt --gen-revoke firstname.lastname@example.org
You are asked to confirm that you want to create the certificate. Press Y and press Enter. You are asked for the reason you are creating the certificate. Since we are doing this in advance, we do not know for sure. Press 1 as a plausible guess and press Enter.
You can enter a description if you wish. Press Enter twice to finish the description.
You are asked to confirm your settings. Press Y and press Enter.
The certificate is generated. A message appears confirming that you need to protect this certificate.
The message mentions a person called Mallory. Cryptographic discussions have long used Bob and Alice as the two communicating parties. There are other supporting characters: Eve is an eavesdropper, Mallory is a malicious attacker. All we need to know is that we must keep the certificate safe.
Let's remove all permissions on the certificate except ours.
chmod 600 ~/revocation.crt
Let's check with ls what the permissions are now:
That's perfect. Nobody but the file's owner (us) can do anything with the certificate.
Importing another person's public key
To encrypt a message that someone else can decrypt, we need their public key.
If you have been given their key in a file, you can import it with the following command. In this example, the key file is called mary-geek.key.
gpg --import mary-geek.key
The key is imported, and the name and e-mail address associated with the key are displayed. Of course, these should match the person you received the key from.
It is also possible that the person you need a key from has uploaded their key to a public key server. These servers store the public keys of people from all over the world. The key servers synchronise with one another regularly, so the keys are generally available everywhere.
The MIT public key server is a popular, regularly synchronised key server, so searching there should succeed. If someone uploaded a key only recently, it may take a few days to appear.
The --keyserver option must be followed by the name of the key server you want to search. The --search-keys option must be followed by either the name of the person you are looking for or their e-mail address. We use the e-mail address:
gpg --keyserver pgp.mit.edu --search-keys email@example.com
Matches are listed and numbered for you. To import one, type its number and press Enter. In this case there is a single match, so we type 1 and press Enter.
The key is imported, and the name and e-mail address associated with it are displayed.
Checking and signing a key
If someone you know has given you a public key file in person, you can safely say it belongs to that person. If you have downloaded it from a public key server, you may need to verify that the key really belongs to the person it is supposed to.
The --fingerprint option causes gpg to produce a short sequence of ten sets of four hexadecimal characters. You can ask the person to send you the fingerprint of their key.
You can then use the --fingerprint option to generate the same sequence of hexadecimal characters and compare the two. If they match, you know the key belongs to that person.
gpg --fingerprint firstname.lastname@example.org
The fingerprint is generated.
If you are satisfied that the key is genuine and belongs to the person it is associated with, you can sign their key.
If you don't, you can still use it to encrypt and decrypt messages to and from this person, but gpg asks you every time whether you want to continue because the key is not signed. We use the --sign-key option and specify the person's e-mail address so that gpg knows which key to sign.
gpg --sign-key email@example.com
You see information about the key and the person, and you are asked whether you really want to sign the key. Press Y and press Enter to sign the key.
To share your public key as a file, we need to export it from the local gpg key store. We use the --export option followed by the e-mail address you generated the key with. The --output option must be followed by the name of the file the key is to be exported into. The --armor option instructs gpg to produce ASCII-armored output instead of a binary file.
gpg --output ~/dave-geek.key --armor --export firstname.lastname@example.org
We can take a look inside the key file:
The key is shown in all its glory:
You can also share your public key on a public key server. The --send-keys option sends the key to the key server. The --keyserver option must be followed by the address of the public key server. To identify which key to send, the key's fingerprint must be given on the command line. Note that there are no spaces between the groups of four characters.
(You can see the fingerprint for your key with the --fingerprint option.)
gpg --send-keys --keyserver pgp.mit.edu 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4
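The fingerprint comparison described above, and the "no spaces" rule for --send-keys, as an added example that is not part of the original article. The script normalises a fingerprint received out of band into the 40-digit form, pulls the fingerprint of the key actually sitting in the key ring out of gpg's machine-readable colon output, and only reports a match when the two agree, which is the check that decides whether a key fetched from a key server may be signed or published. The only real value in it is FPR_FROM_ARTICLE, taken from the --send-keys command above; SAMPLE_COLONS is a constructed listing in the shape gpg --with-colons --fingerprint prints, and publish_key is a hypothetical wrapper that is not run because it needs network access.

```shell
#!/bin/sh
# Added example, not from the article: verify a fingerprint received out of
# band against the key in the key ring before signing or publishing it.
# Everything here is constructed except FPR_FROM_ARTICLE, which is the
# fingerprint the article passes to --send-keys.

FPR_FROM_ARTICLE='31A4 E3BE 6C02 2830 A804 DA0E E9E4 D6D0 F64E EED4'

# Constructed stand-in for `gpg --with-colons --fingerprint <id>` output:
# the primary key's fingerprint is field 10 of the first "fpr" record,
# the subkey's fingerprint follows in a second "fpr" record.
SAMPLE_COLONS='pub:u:3072:1:E9E4D6D0F64EEED4:1563000000:1594536000::u:::scESC::::::23::0:
fpr:::::::::31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4:
uid:u::::1563000000::0123456789ABCDEF0123456789ABCDEF01234567::Dave Geek <dave.geek@example.org>::::::::::0:
sub:u:3072:1:89ABCDEF01234567:1563000000:1594536000:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Print the fingerprint as 40 upper-case hex digits with the display spaces
# removed (the form --send-keys wants). Fail on anything shorter, such as a
# 16-digit key ID, and on non-hex characters.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    case "$f" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Primary-key fingerprint from --with-colons output read on stdin.
extract_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# 0 when the fingerprint given out of band ($1) is the one in the colon-format
# listing ($2). Both sides are normalised, so spacing and case do not matter.
fingerprints_match() {
    want=$(normalize_fpr "$1") || return 1
    have=$(printf '%s\n' "$2" | extract_fpr) || return 1
    have=$(normalize_fpr "$have") || return 1
    [ "$want" = "$have" ]
}

# Hypothetical wrapper around the article's --send-keys call: refuses to
# publish unless the fingerprint is a complete one. Not run here (network).
publish_key() {
    fpr=$(normalize_fpr "$1") || {
        echo "not a full 40-digit fingerprint: $1" >&2
        return 1
    }
    gpg --keyserver "${2:-pgp.mit.edu}" --send-keys "$fpr"
}

if fingerprints_match "$FPR_FROM_ARTICLE" "$SAMPLE_COLONS"; then
    echo "fingerprint matches the key in the ring: safe to sign"
else
    echo "fingerprint MISMATCH: do not sign or publish this key"
fi
```

Comparing only the short 16-digit key ID that gpg prints in ordinary listings is deliberately rejected: key IDs are far easier to collide than full fingerprints, so normalize_fpr insists on all 40 digits.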
Finally, we can encrypt a file and send it to Mary. The file is called Raven.txt.
The --encrypt option instructs gpg to encrypt the file, and the --sign option instructs it to sign the file with your details. The --armor option instructs gpg to produce an ASCII file. The -r (recipient) option must be followed by the e-mail address of the person you are sending the file to.
gpg --encrypt --sign --armor -r mary-geek@protonmail.com Raven.txt
The file is created with the same name as the original but with ".asc" appended to the file name. Let's take a look inside.
The file is completely unreadable and can only be decrypted by someone who has both your public key and Mary's private key. The only person who has both should be Mary.
Now we can send the file to Mary without anyone else being able to decrypt it.
Mary has sent a reply. It is in an encrypted file called coded.asc. We can decrypt it easily with the --decrypt option. We redirect the output into another file called plain.txt.
Note that we do not need to tell gpg who the file came from. That can be determined from the encrypted contents of the file.
gpg --decrypt coded.asc > plain.txt
Let's look at the file plain.txt:
The file was successfully decrypted for us.
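The whole workflow above, from generating keys and locking down the revocation certificate through exporting, importing, checking and signing a key to encrypting a file and decrypting the signed reply, as an added example that is not part of the original article. It runs unattended with gpg 2.1 or later in two throwaway key rings (one for Dave, one for Mary) so that ~/.gnupg is never touched. It uses --quick-generate-key in place of the interactive --full-generate-key, relies on the revocation certificate that gpg 2.1+ stores automatically under openpgp-revocs.d at key-creation time rather than on the interactive --gen-revoke step, and reads the decryption verdict from --status-fd instead of eyeballing it. The identities, passphrases and the message are constructed, and check_owner_only, key_fingerprint, new_keyring_with_key, share_public_key, gpg_usable and gpg_roundtrip are names chosen here.

```shell
#!/bin/sh
# Added example, not from the article: the article's workflow end to end,
# unattended, in two throwaway key rings. Identities, passphrases and the
# message are constructed; the gpg options are standard gpg 2.1+ ones.

# 0 only if the file is readable and writable by its owner alone (rw-------),
# the state the article checks with ls after chmod 600.
check_owner_only() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-rw-------" ]
}

# True when a gpg that understands --quick-generate-key, plus its agent, exists.
gpg_usable() {
    command -v gpg >/dev/null 2>&1 && command -v gpg-agent >/dev/null 2>&1 &&
        gpg --dump-options 2>/dev/null | grep -q '^--quick-generate-key$'
}

# Primary-key fingerprint of the key matching $2 in key ring $1, from gpg's
# machine-readable --with-colons output (field 10 of the first "fpr" record).
key_fingerprint() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Create isolated key ring $1 holding one key for user id $2, protected by
# passphrase $3. "default default 1y" = default algorithm and usage, one-year
# expiry, as the article recommends.
new_keyring_with_key() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    GNUPGHOME="$1" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase "$3" --quick-generate-key "$2" default default 1y
}

# Export $2's public key from ring $1 as ASCII armor into file $3, then
# import it into ring $4 (the article's --armor --export and --import steps).
share_public_key() {
    GNUPGHOME="$1" gpg --batch --yes --armor --output "$3" --export "$2" || return 1
    GNUPGHOME="$4" gpg --batch --quiet --import "$3"
}

# Returns 0 when Dave recovers Mary's message and her signature verifies.
gpg_roundtrip() {
    work=$(mktemp -d) || return 1
    dave="$work/dave" mary="$work/mary"
    dave_uid='Dave Geek <dave.geek@example.org>'   # constructed
    mary_uid='Mary Geek <mary.geek@example.org>'   # constructed
    new_keyring_with_key "$dave" "$dave_uid" 'dave-passphrase' || return 1
    new_keyring_with_key "$mary" "$mary_uid" 'mary-passphrase' || return 1

    # gpg 2.1+ writes <fingerprint>.rev at key creation; lock it down and
    # verify, exactly as the article does for the --gen-revoke output.
    dave_fpr=$(key_fingerprint "$dave" "$dave_uid")
    rev="$dave/openpgp-revocs.d/$dave_fpr.rev"
    if [ -f "$rev" ]; then
        chmod 600 "$rev" && check_owner_only "$rev" || return 1
    fi

    share_public_key "$dave" "$dave_uid" "$work/dave-geek.key" "$mary" || return 1
    share_public_key "$mary" "$mary_uid" "$work/mary-geek.key" "$dave" || return 1

    # Mary compares the imported key's fingerprint with the one Dave gave her
    # out of band (here read straight from Dave's ring), then signs it. Left
    # unsigned, batch-mode encryption to that key fails instead of just asking.
    [ "$(key_fingerprint "$mary" "$dave_uid")" = "$dave_fpr" ] || return 1
    GNUPGHOME="$mary" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase 'mary-passphrase' --quick-sign-key "$dave_fpr" || return 1
    GNUPGHOME="$mary" gpg --batch --quiet --check-trustdb 2>/dev/null

    # Mary encrypts and signs Raven.txt for Dave (recipient given by fingerprint
    # to avoid any ambiguity); the output file is Raven.txt.asc.
    printf 'Quoth the Raven: nevermore.\n' > "$work/Raven.txt"
    GNUPGHOME="$mary" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase 'mary-passphrase' --encrypt --sign --armor \
        -r "$dave_fpr" "$work/Raven.txt" || return 1

    # Dave decrypts. --status-fd 1 makes the verdict machine-readable: a
    # GOODSIG line means the signature made with Mary's key checked out.
    status=$(GNUPGHOME="$dave" gpg --batch --quiet --pinentry-mode loopback \
        --passphrase 'dave-passphrase' --status-fd 1 \
        --output "$work/plain.txt" --decrypt "$work/Raven.txt.asc") || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    [ "$(cat "$work/plain.txt")" = "$(cat "$work/Raven.txt")" ]
    ok=$?
    GNUPGHOME="$dave" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$mary" gpgconf --kill gpg-agent 2>/dev/null || true
    return $ok
}

if gpg_usable; then
    if gpg_roundtrip; then echo "round trip OK: Dave read Mary's signed file"
    else echo "round trip FAILED"; fi
else
    echo "no usable gpg 2.1+ found; nothing to demonstrate"
fi
```

Two details matter for defenders here: Dave's key is accepted for encryption only after Mary has checked its fingerprint and signed it, so the script fails closed on an unverified key rather than prompting, and the decryption result is judged on the GOODSIG status line, not on whether plaintext came out, because an attacker can encrypt a file to Dave's public key without being able to sign it as Mary.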
Updating Your Keys
Periodically, you can ask gpg to check the keys it holds against a public key server and refresh any that have changed. You might do this every few months, or when you receive a key from a new contact.
The --refresh-keys option causes gpg to perform the check. The --keyserver option must be followed by the key server of your choice. Once the keys have been synchronised between the public key servers, it should not matter which one you choose.
gpg --keyserver pgp.mit.edu --refresh-keys
gpg responds with a list of the keys it checked and tells you whether any of them were changed or updated.
Privacy is a hot topic
Privacy is never out of the news. Whatever your reasons for wanting to keep your data secure and private, gpg provides a simple means to apply incredibly strong encryption to your files and communications.
There are other ways to use gpg. You can get a plugin for Thunderbird called Enigmail. It integrates directly with your gpg configuration so that you can encrypt e-mail messages from within Thunderbird.