100 Useful Command-Line Utilities

by Oliver; 2014

99. gpg

Note: gpg is not a default shell program. You have to download and install it.

gpg, "a complete and free implementation of the OpenPGP standard," according to the official docs, is a program for encrypting files. You can use it to implement public-key cryptography, which Wikipedia describes as follows:

Public-key cryptography, or asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner. The generation of such keys depends on cryptographic algorithms based on mathematical problems to produce one-way functions. Effective security only requires keeping the private key private; the public key can be openly distributed without compromising security.

In such a system, any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

Here are the basics about gpg. The first thing to do is to generate a public/private key pair for yourself:

$ gpg --full-generate-key

The process will look something like this:


Since you're already going through the trouble, choose a 4096 bit key and a secure passphrase (you're going to need this passphrase in the future to decrypt stuff, so remember it). Provide your real name and email, which will be associated with the key pair.

If you want to generate keys with default options, just use:

$ gpg --gen-key

To encrypt a message (or file, or tarball) for somebody, you need to have his or her public key. You encrypt with the recipient's public key, and only the recipient can decrypt with his or her private key (you can, of course, use your own public key if you're encrypting something for yourself). The first step in this process is importing the recipient's public key into your keyring. If you want to practice this, you can save my pubic key in a file called oli.pub and import it:

$ gpg --import oli.pub

List the public keys in your keyring:

$ gpg --list-keys

This will return something like:

pub   4096R/9R092F51 2014-03-20
uid       [ unknown] Jon Smith  <jonsmith@example.com>
sub   4096R/320G5188 2014-03-20

You can also list your non-public keys:

$ gpg --list-secret-keys

Your keys are stored in the folder: To encrypt the file tmp.txt for the person with uid (user id) Jon Smith (where Jon Smith's public key has already been imported into your keyring):

$ gpg --recipient "Jon Smith" --encrypt tmp.txt

(you can use the email address as well as the name)

This will create the file tmp.txt.gpg, which is in non-human-readable binary OpenPGP format. If you're encrypting a bit of text, you can use the -a flag, which creates "ASCII armored output"—i.e., a file you can cat or paste into the body of an email:

$ gpg --recipient "Jon Smith" --encrypt -a tmp.txt

This will create the file tmp.txt.asc, which will look something like this:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQIMA4P86BWIDBBVAQ/+KIfnVGBF0Ei/9G/a8btxHu1wXrOpxp77ofPLzJ47e3pm
Y4uO17sbR9JJ12gPHoc5wQT60De9JNtSsPbyD7HVUF0kD+mfnyM8UlyWd7P4BjE5
vRZLhlMt4R88ZvjsU5yTRmLFSkMTIl5NUXTiGuBfjkRZUL+1FooUKgrpu5osACy/
6/7FZ75jReR8g/HEYHody4t8mA3bB5uLoZ8ZEHluj6hf6HjI8nFivNO487IHMhz3
UnDeoStL4lrx/zU0Depv/QNb4FRvOWUQMR7Mf61RcFtcHqfDyjg3Sh5/zg5icAc6
/GEx/6fIuQtmVlXtDCuS17XjaTNBdBXgkBqxsDwk3G1Ilgl9Jo83kBkQLgo3FdB6
3qs9AafNxTzloba8nF38fp0LuvvtSyhfHpYIc4URD5Mpt5ojIHNBVxevY0OeRDX8
x6Bmqu1tKSsKJz7fb0z3K/4/dYTMspIMUIw64y6W3De5jJv9pkbaQ/T1+y5oqOeD
rNvkMYsOpMvHBrnf0liMgn+sLuKE+G26lQfGm4MdnFQmb7AWBC5eqK8p1MnSojGm
klTlTpRSKfx4vOhB4K64L2hlH0rBHE3CvOOsJivzZ7r7MKsBoX6ZHwxVR0YOh/5J
m0Fzk0iprP9vzv5bWlADpCWYVUp6I6WHDfaFnwCDxH2O6y+krxHGjHei7u7GV9fS
SgEVvZZDErHr/ZTwwa7Xld37cJ9dOpesBECrk5ncLr25mNzDNGxgDXqM2yEuzhNa
HDmO0dVloPnVuQ/2SYL/4JP4Z6Uitm13nKQK
=55in
-----END PGP MESSAGE-----

Conversely, if somebody wants to send you a secret message or file, they're going to need your public key. You can export it and send it to them:

$ gpg --export -a "myusername" > mypublickey.txt

where myusername was the user name you chose during key generation. (There are also keyservers, such as keyserver.ubuntu.com, which host public keys.)

If somebody sends you the encrypted file secret.txt.asc, you can decrypt it with:

$ gpg --decrypt secret.txt.asc

Suppose you want to encrypt a whole folder rather than a single file. How can you accomplish this? In order to do this, simply tar your folder first then encrypt it:

$ tar -czvf myfolder.tar.gz myfolder
$ gpg --recipient "myusername" --encrypt myfolder.tar.gz

This will produce a file called myfolder.tar.gz.gpg.

Copying Your Keys to Another Computer

Suppose you want to transfer your keys to another computer or a hard drive. First, remind yourself what your keys are:

$ gpg --list-keys
$ gpg --list-secret-keys

Next, as outlined here, save them:

$ gpg --export -a "myusername" > my_public_key1.asc
$ gpg --export-secret-keys -a "myusername" > my_private_key1.asc

This is all you have to do if you're storing them on a hard drive. If you want to import them into a keyring on another computer, it's:

$ gpg --import my_public_key1.asc
$ gpg --import my_private_key1.asc

Deleting or Modifying Keys

Edit keys:

$ gpg --edit-key mykeyid

Delete a public key:

gpg --delete-key mykeyid

Delete a private key:

$ gpg --delete-secret-keys mykeyid

More on gpg

If you want to learn more, here are some good references:

• Encrypting Files with gpg2
• Zachary Voase: Openpgp for Complete Beginners
• Alan Eliasen: GPG Tutorial
• Ian Atkinson: Introduction to GnuPG

<PREV   NEXT>