GnuPG - quick console guide

This short gpg howto demonstrates how to use the GNU Privacy Guard (GnuPG) tools on Unix/Linux systems. By following this guide you will learn how to generate a gpg key, go through the basics of public key encryption and digital signatures, and be able to work your way up to sending encrypted email attachments.

Generate Private Key

$ gpg --gen-key

During the generation of the key you will be asked a couple of questions:

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(3) RSA (sign only)
Your selection?

You should be fine with the default of (1), then you will be asked for the keysize:

DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

The default value of 2048 should be fine for the next few years at least, having in mind the difficulty of cracking strong encryption using a 2048 bit key in any reasonable period using current computer technology. Next, it will ask how long you want your key to be valid:

Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years

Key is valid for? (0)

For most purposes, either accept the default (0) by pressing the Enter key or specify 1y for one year. Assuming you entered 1y, you will be asked to verify the expiration date. Here, [date] is a stand-in for the actual time and date information indicated by the gpg utility:

Key expires at [date]
Is this correct? (y/N)

The default answer is N, for “no”. If you want to change your answer, just press Enter. If you wish to accept it, enter y.

Next it will ask you to identify yourself:

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Think Security Support "

Real name:

Enter your name here and also answer appropriately on the next two questions:

Email address:

After all this information is entered, you will be asked to confirm your input:

You selected this USER-ID:
"Think Security Support "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Whatever name, comment, and email address is displayed, make sure they are accurate and enter o to select “Okay” — or, if they don’t match the reality, choose appropriately to change your answers.

After answering this question, you will be asked to do something random – playing video or music, entering random text into a text document, moving the mouse and heavy network activity can all contribute to that needed “randomness”.
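To check the key size and expiry choices made above once the key exists (or on any key you import later), the machine-readable listing from `gpg --list-keys --with-colons` can be audited. This is an added example, not part of the original guide; `audit_keys`, `sample_listing` and the `MIN_BITS` threshold are names and values assumed for the example, and the sample listing is constructed, not real keys.

```shell
#!/bin/sh
# Added example: report findings for keys in `gpg --list-keys --with-colons`
# output. MIN_BITS, audit_keys and sample_listing are made up for this example.
MIN_BITS=${MIN_BITS:-2048}

# Reads a colon-format key listing on stdin, prints "KEYID<TAB>finding" lines.
audit_keys() {
    awk -F: -v min="$MIN_BITS" '
        $1 == "pub" || $1 == "sub" {
            id = $5                      # field 5: long key ID
            # Field 2 is the validity: r = revoked, e = expired.
            if ($2 == "r") { print id "\trevoked"; next }
            if ($2 == "e") { print id "\texpired"; next }
            # Field 3 is the length in bits, field 4 the algorithm number.
            # Compare sizes only for RSA (1), Elgamal (16) and DSA (17);
            # elliptic-curve keys are legitimately much shorter.
            if (($4 == 1 || $4 == 16 || $4 == 17) && $3 + 0 < min) {
                print id "\tweak-size:" $3
            }
            # Field 7 is the expiration date; empty means the key never
            # expires (the "0" answer at the validity prompt).
            if ($7 == "") { print id "\tno-expiry" }
        }'
}

# Constructed sample: a 1024-bit DSA primary key without expiry, a 2048-bit
# Elgamal subkey with an expiry date, and a revoked 4096-bit RSA key.
sample_listing() {
    cat <<'EOF'
pub:u:1024:17:AAAA111122223333:1700000000:::u:::scESC:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:u:2048:16:BBBB444455556666:1700000000:1731536000:::::e:
pub:r:4096:1:CCCC777788889999:1600000000:::-:::sc:
EOF
}

# Real use: gpg --list-keys --with-colons | audit_keys
sample_listing | audit_keys
```
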

Generate Revocation Certificate

This creates a revocation certificate, which needs to be published if your pass phrase or private key is compromised by a hacker.

$ gpg --output revoke.asc --gen-revoke 'name'

It is recommended that you store your revocation certificate on physical media in a secure location so that it cannot be compromised along with your private key and/or pass phrase.

Generate Public Key

This produces a text file called “pubkey.txt” that will contain the ASCII version of your public key, where name is the Real Name you used to create the key:

$ gpg --armor --output pubkey.txt --export 'name'

Register Public Key

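This uploads your public key to a keyserver on the PGP website, so that others can search by name for your public key in a central location. Options such as --keyserver must come before the command, and --send-keys takes a key ID rather than a name; KEYID is the ID of your key as shown by gpg --list-keys:

$ gpg --keyserver hkp:// --send-keys KEYID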

Import Key Directly

Assuming you have the plain text public key of someone to whom you may later want to send encrypted files, this is how you can import it into your gpg keyring:

$ gpg --import pubkey.txt

From Keyserver

By using the key owner’s email address, this command searches the keyserver for his public key and offers to import it (--recv-keys itself accepts only key IDs):

$ gpg --keyserver hkp:// --search-keys email

Encrypt A File

To encrypt a file when you have the public key of the intended recipient in your gpg keyring, you can use the following command, where ID is replaced with that key’s ID and filename.ext is replaced with the name of the file you wish to encrypt:

$ gpg --encrypt --recipient ID filename.ext

The short version of the above command is:

$ gpg -e -r ID filename.ext

This command will create an encrypted copy of the file named filename.ext.gpg. If you want to encrypt a file so that only you can read it, you can specify your own key ID as the intended recipient.

Decrypt A File

Decrypting a file is simple:

$ gpg --output filename.ext --decrypt filename.ext.gpg
