Encrypt and Decrypt using GPG
GPG (GnuPG) is an implementation of the PGP (Pretty Good Privacy) cryptography scheme, which uses a pair of private and public keys to encrypt and decrypt messages.
This note describes how to use the gpg CLI tool to encrypt and decrypt messages. It assumes gpg is already installed.
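Create a key pair
We can use either of the commands below. The sample session that follows picks a 1024-bit RSA key that expires after one day, which is only suitable for a throwaway test key; for a key you intend to keep, accept the 3072-bit default or choose a larger size.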
gpg --generate-key
# or
gpg --full-generate-key # to set other options
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Saturday 07 June 2025 04:44:57 PM IST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: nitin
Email address: nitin123narayan123@gmail.com
Comment: test
You selected this USER-ID:
"nitin (test) <nitin123narayan123@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5EB3F9126288F5F4 marked as ultimately trusted
gpg: revocation certificate stored as '/home/nitin/.gnupg/openpgp-revocs.d/1238DB7C2B738579980C775C5EB3F9126288F5F4.rev'
public and secret key created and signed.
pub rsa1024 2025-06-06 [SC] [expires: 2025-06-07]
1238DB7C2B738579980C775C5EB3F9126288F5F4
uid nitin (test) <nitin123narayan123@gmail.com>
sub rsa1024 2025-06-06 [E] [expires: 2025-06-07]
List the generated keys using either command,
gpg -K --fingerprint # secret keys, with fingerprints
# OR
gpg --list-keys # public keys
/home/nitin/.gnupg/pubring.kbx
------------------------------
sec rsa1024 2025-06-06 [SC] [expires: 2025-06-07]
1238 DB7C 2B73 8579 980C 775C 5EB3 F912 6288 F5F4
uid [ultimate] nitin (test) <nitin123narayan123@gmail.com>
ssb rsa1024 2025-06-06 [E] [expires: 2025-06-07]
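The listing above shows an rsa1024 key that expires after one day. As an added example (not part of the original note), the shell function below reads gpg's machine-readable listing, produced by gpg --list-keys --with-colons, and flags keys that are below a minimum size or already expired. The function names, the 2048-bit floor and the sample listing (including the made-up subkey IDs and second key) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original note. audit_keys reads the output of
#   gpg --list-keys --with-colons
# on stdin and reports keys that are too small or already expired.
# Colon-format fields used: $1 record type, $3 key length in bits,
# $4 public-key algorithm (1 RSA, 16 Elgamal, 17 DSA), $5 key ID,
# $7 expiry as seconds since the epoch (empty when the key never expires).

# Constructed sample: the first key mirrors the rsa1024 key listed above;
# the subkey IDs and the second (3072-bit, non-expiring) key are made up.
sample_listing() {
    cat <<'EOF'
pub:u:1024:1:5EB3F9126288F5F4:1749208497:1749294897::u:::scESC::::::23::0:
fpr:::::::::1238DB7C2B738579980C775C5EB3F9126288F5F4:
uid:u::::1749208497::::nitin (test) <nitin123narayan123@gmail.com>:
sub:u:1024:1:AAAAAAAAAAAAAAAA:1749208497:1749294897:::::e::::::23:
pub:u:3072:1:BBBBBBBBBBBBBBBB:1749208497:::u:::scESC::::::23::0:
sub:u:3072:1:CCCCCCCCCCCCCCCC:1749208497::::::e::::::23:
EOF
}

# audit_keys [MIN_BITS] [NOW]: MIN_BITS defaults to 2048 (an assumed floor),
# NOW defaults to the current time. Exit status 1 when anything is reported.
audit_keys() {
    awk -F: -v min="${1:-2048}" -v now="${2:-$(date +%s)}" '
        $1 == "pub" || $1 == "sub" {
            # Key length only means "RSA/DSA/Elgamal strength" for these ids.
            if (($4 == 1 || $4 == 16 || $4 == 17) && $3 + 0 < min + 0) {
                print "WEAK", $1, $5, $3 " bits"; found = 1
            }
            if ($7 != "" && $7 + 0 <= now + 0) {
                print "EXPIRED", $1, $5; found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Run on the sample; against a real keyring use:
#   gpg --list-keys --with-colons | audit_keys
sample_listing | audit_keys || echo "findings reported above"
```

The non-zero exit status makes the function usable as a gate in a provisioning or CI script before a key is exported or published.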
Export Public Key for sharing (Optional)
We can export the public key with the command,
gpg -a --export nitin > key.pub
Encrypting a message
When providing a text file as input,
echo hello world > message.txt
gpg -a -r nitin -e message.txt
This should generate the file message.txt.asc, which contains the encrypted message along with information about the public key that was used to encrypt it. gpg needs this information when decrypting the message.
The -r option names the recipient, here the name we provided while creating the key pair. The -e option selects encryption mode, and the -a option enables ASCII-armored output. Without -a, gpg writes binary output that is not human-readable.
Decrypting a message
We can decrypt the message by passing the encrypted message file to the command and entering the passphrase when asked (if a passphrase was set while creating the keys).
gpg -d message.txt.asc