What Is GPG (And Why Every Linux Admin Should Know It)
If you’ve ever wondered how to use GPG in Linux, you’re asking the right question. GPG (GNU Privacy Guard) is the free, open-source tool that lets you encrypt files, sign data, and manage cryptographic keys right from your terminal. It’s the backbone of secure communication on Linux, and honestly, every sysadmin should have it in their toolkit.

GPG is the free implementation of the OpenPGP standard. It was created by Werner Koch back in 1997 after attending a Richard Stallman talk calling for a free replacement for the proprietary PGP software. The original PGP had US export restrictions that made it impractical for the global open-source community. Koch’s answer was GnuPG, and it changed everything.
“Everyone of us should be able to decide on his own whether he wants to tell others something about himself or herself.” — Werner Koch, Creator of GnuPG
I first ran into GPG when I was setting up a secure email server on my homelab. I remember staring at key fingerprints, trust levels, and revocation certificates, feeling like I’d stumbled into a spy movie. But once it clicked, I realized GPG is simpler than it looks. Fun fact: Edward Snowden used GPG to securely communicate with journalists when leaking NSA documents. If it’s good enough for that, it’s good enough for your server.
While the openssl command handles TLS/SSL certificates for web traffic, GPG handles file and email encryption. Different tools for different jobs. GPG works in two modes:
- Symmetric encryption: One password encrypts and decrypts. Simple, fast, good for personal files.
- Asymmetric encryption: A public/private key pair. You share your public key with the world. Only your private key can decrypt what’s sent to you.
Let’s get into the commands. Refer to the GnuPG official documentation for the full specification, but I’ll cover everything you need right here.
Installing GPG on Linux
Good news: GPG is pre-installed on most Linux distributions. Check first by running:
```bash
gpg --version
```
If you see output showing GnuPG 2.x, you’re good to go. If not, install it for your distro:
Install Commands by Distro
```bash
# Debian / Ubuntu
sudo apt install gnupg
# RHEL / Fedora / CentOS
sudo dnf install gnupg2
# Arch Linux (btw)
sudo pacman -S gnupg
```
Note the difference: some distros package it as gnupg, others as gnupg2. The binary is usually just gpg either way. Make sure you’re running version 2.x since version 1.x is outdated and lacks modern features.
Generating a GPG Key Pair
Your GPG key pair is the foundation of everything. Much like when you generate SSH keys, GPG uses a public/private key model. Your public key encrypts. Your private key decrypts. Never share your private key.
Running gpg --full-generate-key
The recommended way to create a key pair is the interactive method:
```bash
gpg --full-generate-key
```
This walks you through every option. If you want quick defaults instead, use gpg --gen-key, but I prefer the full version so I know exactly what I’m getting.
Choosing Key Type and Length
GPG will ask you to choose a key type. Here’s what matters:
- RSA and RSA (default): Widely compatible, battle-tested. Choose 4096 bits for key size. 2048 is the minimum, but 4096 is the current best practice.
- Ed25519 (modern): An elliptic curve algorithm that’s faster and equally secure with shorter keys. If your workflow doesn’t require legacy compatibility, this is the way to go.
Next, set an expiration date. I know it’s tempting to select “never expires,” but don’t. Set it for 1-2 years. You can always extend it later, but an expiring key is a safety net if you lose access. Enter your name, email, and a strong passphrase to protect the private key.
Once generated, list your keys:
```bash
# List public keys
gpg --list-keys
# List private keys
gpg --list-secret-keys
```
You’ll see a 40-character hex fingerprint. This is your key’s unique identifier, and it’s how others verify they have the right key.
Encrypting and Decrypting Files
This is the core of learning how to use GPG in Linux. There are two approaches, and which one you use depends on your situation.
Symmetric Encryption (Password-Based)
Symmetric encryption uses a single passphrase. It’s perfect for encrypting your own files, like backups or sensitive configs:
```bash
gpg --symmetric --cipher-algo AES256 file.txt
```
GPG prompts you for a passphrase and creates file.txt.gpg. Anyone with that passphrase can decrypt it. Simple, fast, no key exchange needed.
Asymmetric Encryption (Public Key)
When you need to send an encrypted file to someone else, use their public key:
```bash
gpg --encrypt --recipient '[email protected]' file.txt
```
Only the recipient’s private key can decrypt this. You can also encrypt and sign in one step to prove it came from you:
```bash
gpg --encrypt --sign --recipient '[email protected]' file.txt
```
Decrypting Files
To decrypt, it’s straightforward:
```bash
# Output to terminal
gpg --decrypt file.txt.gpg
# Output to a specific file
gpg --output decrypted.txt --decrypt file.txt.gpg
```
GPG will prompt for your passphrase if your private key is protected (and it should be).
Signing Files and Verifying Signatures
Signing doesn’t encrypt anything. Instead, it proves you created or approved a file, and that nobody tampered with it. This is huge for software releases, scripts, and any file where integrity matters.
Detached Signatures
A detached signature creates a separate .sig file alongside the original:
```bash
# Create signature
gpg --detach-sign file.txt
# Verify signature
gpg --verify file.txt.sig file.txt
```
This is the standard approach for software distribution. The file stays unchanged, and the signature file travels alongside it.
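Here is the detached-signature workflow end to end, as an added example that is not part of the original post: it signs a constructed file in a throwaway keyring, verifies it, then changes one character and shows the same signature being rejected. It assumes GnuPG 2.x is on PATH; the identity, file contents and paths are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): detached signing end to end.
# Assumes GnuPG 2.x is on PATH. Everything happens in a throwaway GNUPGHOME,
# with a constructed identity and sample file, so your real keyring is untouched.
set -u

# sign_and_verify_demo prints "ok" when the untouched file verifies and a
# modified copy fails verification; prints "skipped" if gpg is not installed.
sign_and_verify_demo() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  export GNUPGHOME="$work/gnupghome"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

  # Non-interactive Ed25519 signing key with an empty passphrase (demo only).
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign 1d 2>/dev/null \
      || { echo keygen-failed; return 1; }

  # Constructed release artifact, signed with a detached signature (release.txt.sig).
  printf 'release-1.0 sha256sums\n' > "$work/release.txt"
  gpg --batch --quiet --detach-sign "$work/release.txt" 2>/dev/null

  # 1) Untouched file: gpg exits 0 on a good signature.
  if gpg --batch --quiet --verify "$work/release.txt.sig" "$work/release.txt" 2>/dev/null
  then untouched=pass; else untouched=fail; fi

  # 2) Change a single character: the same .sig must now be reported BAD (non-zero exit).
  printf 'release-1.0 sha256sums!\n' > "$work/release.txt"
  if gpg --batch --quiet --verify "$work/release.txt.sig" "$work/release.txt" 2>/dev/null
  then tampered=pass; else tampered=fail; fi

  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"; unset GNUPGHOME
  if [ "$untouched" = pass ] && [ "$tampered" = fail ]; then
    echo ok
  else
    echo "unexpected:$untouched/$tampered"; return 1
  fi
}

sign_and_verify_demo
```

The exit status of gpg --verify is what a script should branch on; the human-readable "Good signature" line goes to stderr and is not a reliable thing to grep.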
Clear-Text Signatures
For text files and messages, a clearsign embeds the signature directly in the document:
```bash
# Sign (creates message.txt.asc)
gpg --clearsign message.txt
# Verify
gpg --verify message.txt.asc
```
The original text stays readable, with the GPG signature appended at the bottom. This is commonly used for email signing and announcements.
Managing Your GPG Keyring
Your keyring is the local database where GPG stores all your keys. Managing it well is critical. And just like you’d protect SSH keys with strict Linux file permissions, your exported GPG private keys should be locked down with chmod 600.
Exporting and Importing Keys
```bash
# Export your public key (share this freely)
gpg --armor --export [email protected] > mypubkey.asc
# Export your private key (guard this with your life)
gpg --armor --export-secret-keys [email protected] > myprivkey.asc
# Import someone else's public key
gpg --import somepubkey.asc
```
The --armor flag outputs ASCII text instead of binary, making it easy to paste into emails or upload to websites. After importing a key, you’ll want to set its trust level:
```bash
gpg --edit-key FINGERPRINT
# Then type: trust
```
Uploading to a Key Server
Key servers let others find your public key. The recommended modern server is keys.openpgp.org:
```bash
# Upload your key
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
# Download someone's key
gpg --keyserver keys.openpgp.org --recv-keys THEIR_KEY_ID
```
⚠️ Security Warning
Anyone can upload a key to a keyserver claiming any email address. Always verify key fingerprints out-of-band (phone call, in-person, verified website) before trusting a key. Never blindly trust a key just because it exists on a server.
Revoking a Key
If your private key is compromised or you lose access, you need a revocation certificate. Here’s the thing most tutorials skip: generate this immediately after creating your key, while you still have access.
```bash
# Generate revocation certificate (do this NOW)
gpg --gen-revoke [email protected] > revoke.asc
# If you ever need to revoke:
gpg --import revoke.asc
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
```
Store that revocation certificate somewhere safe and offline. I keep mine on an encrypted USB drive in a drawer. If you lose your private key without a revocation cert, your public key lives on keyservers forever with no way to tell people to stop using it.
Real-World Use Cases
Knowing GPG commands is one thing. Knowing where they matter in your daily workflow is where it gets practical. You can even wrap these into Bash scripts for automation.
Signing Git Commits
This is increasingly required in professional development. GitHub shows a green “Verified” badge on signed commits, and some organizations require it. Here’s the setup:
```bash
# Find your signing key
gpg --list-secret-keys --keyid-format LONG
# Configure git to use it
git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true
# Now every commit is automatically signed
git commit -m "your message"
```
Check GitHub’s official signing documentation for details on adding your GPG public key to your GitHub account. Once set up, you’ll see that satisfying “Verified” badge on every commit.
Verifying APT Repository Keys
If you’ve ever added a third-party repo to your Linux system, you’ve used GPG whether you realized it or not. When you install Docker on Linux, for example, the install instructions have you fetch a GPG key to verify the repository.
The modern approach uses gpg --dearmor and stores keys in /usr/share/keyrings/:
```bash
# Fetch and store the repo's GPG key
wget -qO- https://example.com/key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/example.gpg
```
Then reference it in your sources list:
```
deb [signed-by=/usr/share/keyrings/example.gpg] https://repo.example.com stable main
```
You can use either wget or the curl command to fetch remote keys. I’ll be honest, I fumbled through this the first time I added the Docker repo to my Debian server. The old apt-key method was deprecated, and the new signed-by approach confused me. But once you understand GPG, it makes perfect sense. The key verifies that packages actually come from the source you trust.
After adding a new repo key, run apt update and upgrade to pull the verified package lists.
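Fetching a key and dearmoring it in one pipe, as above, trusts whatever the URL served. The following is an added example (not from the original post) that ties this section to the earlier keyserver warning: it checks the fingerprint inside a downloaded key file against one you obtained out-of-band and only then writes the dearmored keyring file. The `install_pinned_key` helper name, the identity and the paths are constructed; it assumes GnuPG 2.x on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): pin a downloaded repo key to a
# fingerprint you obtained out-of-band before placing it in a keyring directory.
# Assumes GnuPG 2.x on PATH; the demo key, identity and paths are constructed.
set -u

# install_pinned_key KEYFILE EXPECTED_FPR DEST
# Prints "installed" and writes the dearmored key to DEST only when the
# primary-key fingerprint inside KEYFILE equals EXPECTED_FPR; else "mismatch".
install_pinned_key() {
  keyfile=$1; dest=$3
  expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  # --show-keys lists a key file without importing it; in colon output the
  # "fpr" record carries the fingerprint in field 10.
  actual=$(gpg --batch --quiet --with-colons --with-fingerprint --show-keys "$keyfile" 2>/dev/null \
           | awk -F: '$1=="fpr"{print $10; exit}')
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    gpg --batch --yes --dearmor -o "$dest" "$keyfile" 2>/dev/null && echo installed
  else
    echo mismatch
  fi
}

# pinned_key_demo builds a throwaway key, exports it, and exercises both paths.
# Prints "installed/mismatch" on success, "skipped" if gpg is unavailable.
pinned_key_demo() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  work=$(mktemp -d) || return 1
  export GNUPGHOME="$work/gnupghome"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'Repo Signer <repo@example.invalid>' ed25519 sign 1d 2>/dev/null \
      || { echo keygen-failed; return 1; }
  gpg --batch --quiet --armor --export repo@example.invalid > "$work/repo-key.asc"
  # The "out-of-band" fingerprint: here read from the keyring that created the key.
  fpr=$(gpg --batch --with-colons --list-keys repo@example.invalid 2>/dev/null \
        | awk -F: '$1=="fpr"{print $10; exit}')
  good=$(install_pinned_key "$work/repo-key.asc" "$fpr" "$work/repo.gpg")
  bad=$(install_pinned_key "$work/repo-key.asc" \
        "0000000000000000000000000000000000000000" "$work/wrong.gpg")
  [ -f "$work/repo.gpg" ] && [ ! -f "$work/wrong.gpg" ] || { echo unexpected; return 1; }
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"; unset GNUPGHOME
  echo "$good/$bad"
}

pinned_key_demo
```

On a real system you would point DEST at a file under /usr/share/keyrings/ and take EXPECTED_FPR from the vendor's documentation or another channel that is not the download itself.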
GPG Quick Reference: Essential Commands
| Task | Command |
|---|---|
| Generate key pair | `gpg --full-generate-key` |
| List public keys | `gpg --list-keys` |
| List private keys | `gpg --list-secret-keys` |
| Encrypt (symmetric) | `gpg -c --cipher-algo AES256 file.txt` |
| Encrypt (public key) | `gpg -e -r '[email protected]' file.txt` |
| Decrypt | `gpg -d file.txt.gpg` |
| Sign (detached) | `gpg --detach-sign file.txt` |
| Verify signature | `gpg --verify file.txt.sig file.txt` |
| Export public key | `gpg -a --export [email protected]` |
| Import key | `gpg --import key.asc` |
| Send to keyserver | `gpg --keyserver keys.openpgp.org --send-keys KEY_ID` |
| Revoke key | `gpg --gen-revoke [email protected]` |
Common shorthand flags: -a (armor), -r (recipient), -o (output), -c (symmetric), -e (encrypt), -d (decrypt), -s (sign).
Frequently Asked Questions
Is GPG the same as PGP?
Not exactly. PGP (Pretty Good Privacy) is the original proprietary software. GPG (GNU Privacy Guard) is the free, open-source implementation of the same OpenPGP standard. They’re compatible with each other, but GPG is what you’ll find on Linux systems.
Should I use RSA or Ed25519 for my GPG key?
If you need maximum compatibility with older systems, go with RSA 4096. If you’re working in a modern environment, Ed25519 is faster and equally secure with shorter keys. I’ve been using Ed25519 on my newer setups without any issues.
Can I use GPG to encrypt entire directories?
GPG works on individual files. To encrypt a directory, first compress it with tar (tar czf folder.tar.gz folder/), then encrypt the archive with GPG. This is actually a common pattern in backup scripts.
Wrapping Up: GPG as Part of Your Security Toolkit
Learning how to use GPG in Linux isn’t just about one tool. It’s about building a layered security mindset. GPG handles encryption and authentication at the file level, but a solid Linux security setup goes further.
Pair GPG with a secure SSH configuration for remote access, fail2ban for intrusion prevention, a UFW firewall for network filtering, and a WireGuard VPN for encrypted tunnels. That’s a defense-in-depth approach that covers your bases from the file system to the network edge.
Start by generating your first key pair today. Sign your git commits. Encrypt a backup. Once you get comfortable with GPG, you’ll wonder how you ever managed without it.