GNU Privacy Guard

From Christoph's Personal Wiki

GNU Privacy Guard (GnuPG or GPG) is a free-software replacement for Symantec's PGP cryptographic software suite.


Red Hat / CentOS
$ yum install gnupg
Ubuntu / Debian
$ apt-get install gnupg

See: Homebrew website for details.

$ /bin/bash -c "$(curl -fsSL"
$ brew install gnupg
$ brew install gnupg2


  • Create your GPG key:
$ gpg --gen-key
  • Export your public key:
$ gpg --export --armor > mypubkey.asc
  • Import another person's public key:
$ gpg --import theirpubkey.asc
  • List the public keys in your keyring:
$ gpg --list-keys
  • List private keys in your keyring:
$ gpg --list-secret-keys
  • Trust a public key:
$ gpg --edit-key bob

gpg> trust (invoke the trust subcommand on the key)
5 (ultimate trust)
y (if prompted)

Ultimate trust is intended for keys you control yourself; for another person's key, verify the fingerprint with them first and pick a lower level (such as 4 for full trust) so that their key cannot vouch for others as if it were your own.

Encrypt a file

  • Encrypt a file named filename.txt for a single individual (i.e., specify that individual as a recipient):
$ gpg --encrypt --recipient alice filename.txt

This will create a new encrypted file named filename.txt.gpg.

  • Encrypt a file so that only you can decrypt it (i.e., specify yourself as the recipient):
$ gpg --encrypt --recipient 'my_name' filename.txt
  • Encrypt a file so that both you and another person can decrypt the file (i.e., specify both you and the other person as recipients):
$ gpg --encrypt --recipient alice --recipient 'my_name' filename.txt
  • Encrypt a file for a group of people: define the group in your gpg.conf file (see the section below) and then specify the group name as the recipient:
$ gpg --encrypt --recipient dev-team filename.txt

After a while, one will want to be more concise and use the short version of the command-line options.

  • Below is that shortened command:
$ gpg -e -r journalists filename.txt

Decrypt a file to terminal (standard output)

  • The first version of this command will display the content of a file within the terminal window itself:
$ gpg --decrypt filename.txt.gpg

The --decrypt option writes the plaintext to standard output, so use it only if the file is an ASCII text file. If it is a binary file, omit the --decrypt option; gpg will then write the decrypted file to disk instead.

Decrypt a file to disk

Whether the file is ASCII or binary, if you want to change the content of an encrypted file you must first decrypt it, make your changes, and then re-encrypt it. As mentioned in the previous section, you write the decrypted version of a file to disk by omitting the --decrypt option from the command:

$ gpg filename.txt.gpg

If the encrypted file was named filename.txt.gpg, the above command will create a decrypted version named filename.txt (with the .gpg extension removed).

Create groups of people in your GPG configuration file

NOTE: Your GPG software configuration is stored in your home directory within the ~/.gnupg/gpg.conf file.

$ cat ~/.gnupg/gpg.conf
group dev-team = bob alice
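Before encrypting to a group name it is worth checking exactly which keys will be able to decrypt the result. The following is an added Python example (not from this wiki, and not part of GnuPG) that expands gpg.conf group lines the way gpg expands a group name given to -r/--recipient. It assumes the documented `group NAME = member ...` syntax and that repeated definitions of the same name are merged; the sample gpg.conf text inside it is constructed.

```python
# Added example, not from the wiki: expand gpg.conf "group" lines the way gpg
# expands a group name passed to -r/--recipient, to check who can decrypt.
from typing import Dict, List
# Constructed sample ~/.gnupg/gpg.conf for this example.
SAMPLE_GPG_CONF = """\
group dev-team = bob alice
# a second line with the same name adds members to the group
group dev-team = carol
group journalists=dana eve
keyid-format 0xlong
"""

def parse_groups(conf_text: str) -> Dict[str, List[str]]:
    """Return {group_name: [members]} from gpg.conf-style text."""
    groups: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # blank or comment line
            continue
        parts = line.split(None, 1)
        if parts[0] != "group" or len(parts) < 2:     # not a group definition
            continue
        body = parts[1]
        end = 0                                        # name ends at blank or '='
        while end < len(body) and body[end] not in " \t=":
            end += 1
        members = groups.setdefault(body[:end], [])
        for key in body[end:].lstrip(" \t=").split():
            if key not in members:                    # merge without duplicates
                members.append(key)
    return groups

def who_can_decrypt(conf_text: str, recipients: List[str]) -> List[str]:
    """Key ids able to decrypt once groups are expanded; order kept, no repeats."""
    groups = parse_groups(conf_text)
    keys: List[str] = []
    for rcpt in recipients:
        for key in groups.get(rcpt, [rcpt]):          # plain names pass through
            if key not in keys:
                keys.append(key)
    return keys

def encrypt_argv(conf_text: str, recipients: List[str], filename: str) -> List[str]:
    """The explicit `gpg --encrypt -r ... file` command the group form stands for."""
    argv = ["gpg", "--encrypt"]
    for key in who_can_decrypt(conf_text, recipients):
        argv += ["--recipient", key]
    return argv + [filename]
```

Passing your own key id alongside the group (as the wiki does with 'my_name') is what keeps the file readable by you after encryption.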
