masontuckett.xyz

GNU Privacy Guard

A Brief Overview of GNU Privacy Guard (GPG)

What is GPG?

[Figure: Public Key Encryption Diagram]

GNU Privacy Guard (GPG) is largely a modern replacement—or rather, an extension—of Pretty Good Privacy (PGP), which has been effectively abandoned by Symantec.

GPG is a modern implementation of the OpenPGP standard, often utilized on both *nix and Windows systems.

Many modern platforms and services are designed to be compatible with both GPG and OpenPGP tools, facilitating secure communication and non-repudiation via cryptographic signatures.

One of its most ubiquitous use cases is in *nix package management—leveraging Public Key Infrastructure (PKI) to ensure integrity and authenticity within the package management chain of trust. 

Generating Keys

gpg --full-generate-key

After initializing key generation, you’ll be prompted with a menu like this.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection?

Choose (9) — this creates an Elliptic Curve Cryptography (ECC) key pair, which is far more modern and efficient compared to RSA.

Generally speaking, ECC keys are considered more secure per bit than RSA keys: a short curve key offers security comparable to a much longer RSA key, so it is smaller, faster to use, and easier to carry around.

Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256

Choose (1): Curve 25519 (an Ed25519 signing key with a cv25519 encryption subkey, as the output below shows) is a sane default and is widely adopted.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Choose at your discretion—though it would be wise to periodically rotate keys.

For all intents and purposes, (0) is fine.

GnuPG needs to construct a user ID to identify your key.

Real name: Mason Tuckett
Email address: mason@tuckett.xyz
Comment: test key
You selected this USER-ID:
    "Mason Tuckett (test key) <mason@tuckett.xyz>"

Enter any information that you may find relevant.

When prompted for a passphrase, choose a strong one that mixes letters, numbers and symbols, preferably longer than twelve characters; it is what protects the private key on disk.

public and secret key created and signed.

pub   ed25519 2025-05-02 [SC]
      07B41B22F08862AC61F1DB5E462E05498C4C7F06
uid                      Mason Tuckett (test key) <mason@tuckett.xyz>
sub   cv25519 2025-05-02 [E]

You should see an output similar to this.

Now we can move on to managing our key pair!

Managing Keys

Once you’ve generated your GPG key, you’ll need to share your public key so others may verify your digital signature and send you encrypted messages.

gpg --fingerprint

pub   ed25519 2025-05-02 [SC]
      07B4 1B22 F088 62AC 61F1  DB5E 462E 0549 8C4C 7F06 # Fingerprint
uid           [ultimate] Mason Tuckett (test key) <mason@tuckett.xyz>
sub   cv25519 2025-05-02 [E]

Knowing your fingerprint is crucial for verifying the authenticity of your key: it is a hash of your public key, so it uniquely identifies that key.

Sharing the fingerprint (07B41B22F08862AC61F1DB5E462E05498C4C7F06) over a separate channel lets others confirm that the key they received is really yours, which prevents impersonation via a substituted key, the usual basis of a man-in-the-middle attack.

Make sure to provide this when sharing your key.
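The out-of-band check just described is easy to get wrong by eye, because people paste fingerprints in different case and grouping. The following helpers, an added example that is not part of the post, normalize a fingerprint, print it in the grouped form gpg uses, derive the long key ID (the last 16 hex digits, which is why `462E05498C4C7F06` appears in the post's `--edit-key` output), and compare an expected fingerprint with one parsed from `gpg --with-colons` output. The sample `--with-colons` listing is constructed here from the post's key (the subkey fingerprint is a placeholder, since the post never shows it); gpg itself is not called.

```shell
#!/bin/sh
# Added example (not from the post): fingerprint helpers for the out-of-band
# check. Needs only POSIX sh, awk, sed and tr; gpg is not invoked.

# Constructed sample of `gpg --with-colons --fingerprint` output for the
# post's key. Only the "fpr" records matter below; the subkey fingerprint and
# timestamps are placeholders because the post does not show them.
SAMPLE_COLONS='pub:u:255:22:462E05498C4C7F06:1746144019:::u:::scESC:::::ed25519:::0:
fpr:::::::::07B41B22F08862AC61F1DB5E462E05498C4C7F06:
uid:u::::1746144019::PLACEHOLDERHASH::Mason Tuckett (test key) <mason@tuckett.xyz>::::::::::0:
sub:u:255:18:BCA683EF83020019:1746144019::::::e:::::cv25519::
fpr:::::::::0000000000000000000000000000000000000000:'

# Canonical form: whitespace removed, upper-case, exactly 40 hex digits
# (an OpenPGP v4 fingerprint). Returns 1 for anything else.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F')
    case $f in *[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# The grouped form `gpg --fingerprint` prints: ten groups of four with a
# double space after the fifth group.
format_fpr() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | sed 's/..../& /g; s/^\(.\{24\}\) /\1  /; s/ $//'
}

# The 16-digit "long key ID" gpg shows in --edit-key and signature lines is
# simply the last 16 hex digits of the fingerprint.
keyid_from_fpr() {
    f=$(normalize_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c25-40
}

# Every fingerprint in --with-colons output: record type "fpr", value in
# field 10. The first record belongs to the primary key.
fprs_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Does the fingerprint received out of band (any spacing or case) match the
# one gpg computed for the key that was actually imported?
fpr_matches() {
    a=$(normalize_fpr "$1") || return 1
    b=$(normalize_fpr "$2") || return 1
    [ "$a" = "$b" ]
}

# Usage: check the post's fingerprint against the primary key in the sample.
primary=$(fprs_from_colons "$SAMPLE_COLONS" | head -n 1)
if fpr_matches '07b4 1b22 f088 62ac 61f1  db5e 462e 0549 8c4c 7f06' "$primary"; then
    echo "fingerprint matches: $(format_fpr "$primary") (key ID $(keyid_from_fpr "$primary"))"
else
    echo "fingerprint MISMATCH: do not use or sign this key" >&2
fi
```

Against a live keyring, `fprs_from_colons "$(gpg --with-colons --fingerprint KEYID)"` gives the same records; compare only the primary fingerprint, since that is what identifies the key pair.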

Exporting Keys

To share your key with others, it is necessary to properly export your public key.

It’s best to use the --armor (ASCII) option for portability, as it makes everything readable and compatible across all platforms.

# Export the public key
gpg --armor --export 07B41B22F08862AC61F1DB5E462E05498C4C7F06 > pubkey.gpg

# Verify the public key
cat pubkey.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEaBQztBYJKwYBBAHaRw8BAQdAoXjOBHJ2kHnL6zFhCEdsPfncq0CMSxdDLY6x
IYEss0a0LE1hc29uIFR1Y2tldHQgKHRlc3Qga2V5KSA8bWFzb25AdHVja2V0dC54
eXo+iJMEExYKADsWIQQHtBsi8IhirGHx215GLgVJjEx/BgUCaBQztAIbAwULCQgH
AgIiAgYVCgkICwIEFgIDAQIeBwIXgAAKCRBGLgVJjEx/BpgOAP0YS5iS0FXf9hL+
yysPOAdcw2itZQKemWnMwxl/4FnapwD+Pzrz9ElopvfmsE2hvqwD+STh77yDvzaw
dIQOXiYDTwa4OARoFDO0EgorBgEEAZdVAQUBAQdAlceTsCOfM+wEp/5xI0JG+ge5
nUhgSQhKgkLipF8AJjEDAQgHiHgEGBYKACAWIQQHtBsi8IhirGHx215GLgVJjEx/
BgUCaBQztAIbDAAKCRBGLgVJjEx/BszKAPoDV+OUtoPQITfgjCOdsjbyL4NXONJx
0i5RdBLmpFD3hwD+MtRJ8tpnG+w2OoGll1Vdl+xzP9o18w92rsSptL3x3ww=
=1K3m
-----END PGP PUBLIC KEY BLOCK-----

Once you have exported your public key, it is advisable to make backups of your private key.

# Export the private key (BACKUP PURPOSES ONLY — NEVER SHARE THIS!!!)
gpg --armor --export-secret-keys 07B41B22F08862AC61F1DB5E462E05498C4C7F06 > privatekey.gpg

# Verify the private key
cat privatekey.gpg
-----BEGIN PGP PRIVATE KEY BLOCK-----

     !!! DO NOT SHARE THIS !!!

-----END PGP PRIVATE KEY BLOCK-----

It’s best to utilize the fingerprint when exporting keys, especially if you have multiple keys tied to the same email address; this ensures you are exporting the correct key.

Naturally, you will be sharing your public key quite frequently—but NEVER SHARE YOUR PRIVATE KEY!

Public keys are safe to distribute, but private keys should remain PRIVATE.

Private keys are only ever used on your own machine, to decrypt and to sign; a backup copy gives you redundancy, but only export one when transferring or restoring keys.

Importing Keys

Typically, you will only import a recipient’s public key—but you may also need to import redundant copies of private keys.

# Public key
gpg --import pubkey.gpg

# Private key
gpg --import privatekey.gpg

# Check signatures
gpg --check-sigs 07B41B22F08862AC61F1DB5E462E05498C4C7F06
pub   ed25519 2025-05-02 [SC]
      07B41B22F08862AC61F1DB5E462E05498C4C7F06
uid           [ultimate] Mason Tuckett (test key) <mason@tuckett.xyz>
sig!3        462E05498C4C7F06 2025-05-02  [self-signature]
sub   cv25519 2025-05-02 [E]
sig!         462E05498C4C7F06 2025-05-02  [self-signature]

gpg: 2 good signatures

# Trust the key
gpg --edit-key 07B41B22F08862AC61F1DB5E462E05498C4C7F06
Secret key is available.

sec  ed25519/462E05498C4C7F06
     created: 2025-05-02  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  cv25519/BCA683EF83020019
     created: 2025-05-02  expires: never       usage: E
[ unknown] (1). Mason Tuckett (test key) <mason@tuckett.xyz>

gpg> trust

Make sure to be mindful when discerning your level of trust.

1 = I don’t know or won’t say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately

Deleting Keys

When deleting keys, it is incredibly important to make sure you are deleting the correct keys.

If you are deleting a key pair, the private key will need to be deleted first.

# Private key
gpg --delete-secret-key 07B41B22F08862AC61F1DB5E462E05498C4C7F06
sec  ed25519/462E05498C4C7F06 2025-05-02 Mason Tuckett (test key) <mason@tuckett.xyz>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# Public key
gpg --delete-key 07B41B22F08862AC61F1DB5E462E05498C4C7F06
pub  ed25519/462E05498C4C7F06 2025-05-02 Mason Tuckett (test key) <mason@tuckett.xyz>

Delete this key from the keyring? (y/N) y

Signing with GPG

Signing files or messages is incredibly straightforward—just make sure to use the correct private key.

Detached signatures are preferable because the original file stays untouched and the separate signature file is verified against it, rather than bundling file and signature into one signed blob.

# Detached signature
echo "msg" > msg
gpg --armor --default-key 07B41B22F08862AC61F1DB5E462E05498C4C7F06 --detach-sign msg

# Verify the signature
gpg --verify msg.asc msg
gpg: Signature made Fri 02 May 2025 12:00:19 AM MDT
gpg:                using EDDSA key 07B41B22F08862AC61F1DB5E462E05498C4C7F06
gpg: Good signature from "Mason Tuckett (test key) <mason@tuckett.xyz>" [ultimate]

cat msg.asc
-----BEGIN PGP SIGNATURE-----

iHQEABYKAB0WIQQHtBsi8IhirGHx215GLgVJjEx/BgUCaBRfcwAKCRBGLgVJjEx/
Bg4aAPwJirjRBeacdjKTv0oyha0fGl69ZTR0LqgrLQKLMCy5XQD4jiW5gy8XhpzO
VpcOptcsNNtqfovoNNoE6tFahdZ0Dg==
=Ge5O
-----END PGP SIGNATURE-----

Encrypting with GPG

Files and messages can be encrypted using the recipient’s public key.

By design, no intermediary can decrypt the file or message without the recipient’s private key.

This is why you must exchange public keys beforehand; otherwise the data is effectively unrecoverable.

# Encrypt a file
echo "file" > file
gpg --armor --encrypt --recipient recipient@mail.com file

cat file.asc
-----BEGIN PGP MESSAGE-----

hF4DmGWaJPMsGZ4SAQdAt6v31fJBwhecUZHqOrXfoPjEXWY8yjXeMV0GIuPAHSYw
SHf4TJGAcuGF7t35EsRD7TeIPRH7v/AniwonsjXJJwyHAaLEMtq/KU/u3D63j3F2
1EwBCQIQjuprIiTotwqwJYjpKBrQhC8DyC1DTZLZwlM2zmB59TAQeyuPviR8KMcy
4JoxPuR3tsOUOQAnvDZjojtFjtkiWC4a3fqMWU85
=Th91
-----END PGP MESSAGE-----

# Decrypt the file (recipient's private key)
gpg --decrypt file.asc
gpg: encrypted with cv25519 key, ID 98659A24F32C199E, created 2025-05-02
      "recipient (test) <recipient@mail.com>"
file
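The sections above (generating, exporting, importing, checking the fingerprint, detached signing and verifying, encrypting and decrypting) are one procedure, so here it is end to end as an added example that is not code from the post or from the GnuPG project. It runs non-interactively in two throw-away keyrings so nothing touches your real ~/.gnupg, and it goes beyond the post's single keyring by using a second one as the recipient, which makes visible that the public key alone is enough to verify a signature but not to decrypt. It assumes GnuPG 2.1 or later is on PATH; the user ID, passphrase, file contents and temporary directories are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): the post's workflow run unattended in
# throw-away keyrings. Assumes GnuPG 2.1+; everything else is constructed.

DEMO_PASS='correct horse battery staple'   # constructed passphrase, demo only

# Ed25519 primary key (sign + cert) with a cv25519 encryption subkey, i.e. the
# same choice as menu option (9) and curve (1), written as gpg's unattended
# parameter file. GNUPGHOME must already point at the target keyring.
gen_demo_key() {
    gpg --batch --quiet --pinentry-mode loopback --gen-key 2>/dev/null <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: Demo User
Name-Comment: constructed
Name-Email: demo@example.invalid
Expire-Date: 0
Passphrase: $DEMO_PASS
%commit
EOF
}

# Primary key fingerprint from the machine-readable listing (first "fpr" record).
primary_fpr() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sender: generate, export, sign, encrypt. Recipient (second keyring): import the
# public key only, check its fingerprint, verify, and show that decrypting fails.
# Sender again: decrypt. Prints the recovered plaintext; the subshell body means
# any `exit 1` just makes the function return 1 and keeps GNUPGHOME/cwd local.
demo_roundtrip() (
    sender=$(mktemp -d) || exit 1
    recipient=$(mktemp -d) || exit 1
    chmod 700 "$sender" "$recipient"
    echo allow-loopback-pinentry > "$sender/gpg-agent.conf"
    cd "$sender" || exit 1

    export GNUPGHOME="$sender"
    gen_demo_key || exit 1
    fpr=$(primary_fpr)
    [ "${#fpr}" -eq 40 ] || exit 1

    # The public key is for sharing; the secret export is a backup only.
    gpg --batch --armor --export "$fpr" > pubkey.asc || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --armor --export-secret-keys "$fpr" > privatekey.asc 2>/dev/null || exit 1
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' privatekey.asc || exit 1

    # Detached signature over msg; a second file encrypted to our own subkey.
    printf 'msg\n' > msg
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --local-user "$fpr" --armor --detach-sign msg 2>/dev/null || exit 1
    printf 'file\n' > file
    gpg --batch --quiet --armor --encrypt --recipient "$fpr" file 2>/dev/null || exit 1

    # Recipient side: import pubkey.asc, then compare the fingerprint gpg
    # computed with the one received out of band before relying on the key.
    export GNUPGHOME="$recipient"
    gpg --batch --quiet --import pubkey.asc 2>/dev/null || exit 1
    [ "$(primary_fpr)" = "$fpr" ] || exit 1
    gpg --batch --quiet --verify msg.asc msg 2>/dev/null || exit 1
    printf 'msG\n' > msg_tampered                      # one changed byte
    if gpg --batch --quiet --verify msg.asc msg_tampered 2>/dev/null; then exit 1; fi
    if gpg --batch --quiet --decrypt file.asc 2>/dev/null; then exit 1; fi   # no secret key here

    # Sender side: the secret key decrypts it (plaintext goes to stdout).
    export GNUPGHOME="$sender"
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --decrypt file.asc 2>/dev/null || exit 1

    cd / || exit 1
    for h in "$sender" "$recipient"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
)

# Usage (stand-alone run): the only stdout is the decrypted file content.
if out=$(demo_roundtrip) && [ "$out" = "file" ]; then
    echo "round trip OK: decrypted '$out'"
else
    echo "round trip FAILED (is GnuPG 2.1+ installed?)" >&2
fi
```

The passphrase is passed on the command line only because this is a disposable demo key; for a real key let the agent prompt instead, since command lines are visible to other processes.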

Closing

GPG is an essential tool for anyone looking to ensure both integrity and authenticity by adding a secure layer to digital communication.

GPG or OpenPGP tools are useful for establishing chains of trust and for preventing man-in-the-middle attacks—limiting access to sensitive information.

It is a fantastic idea to communicate via GPG-encrypted messages or files, which many privacy-conscious providers like Proton Mail natively support.

Remember to always use encryption when necessary, even if it may not appear convenient at first; you are in control of your data.

Encrypt away!

· Mason Tuckett

#gpg #crypto #privacy