Encrypt and Decrypt using GPG

GPG (GnuPG) is an implementation of the PGP (Pretty Good Privacy) cryptography method, which uses a pair of private and public keys to encrypt and decrypt messages.

This note describes how to use the gpg CLI tool to encrypt and decrypt messages. It assumes gpg is already installed.

Create a key pair

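We can use either of the commands below. The session shown picks a 1024-bit RSA key that expires after one day, which is only suitable for a throwaway test key; the prompt's own default is 3072 bits.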

gpg --generate-key
# or
gpg --full-generate-key # to set other options
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1
Key expires at Saturday 07 June 2025 04:44:57 PM IST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: nitin
Email address: nitin123narayan123@gmail.com
Comment: test
You selected this USER-ID:
    "nitin (test) <nitin123narayan123@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 5EB3F9126288F5F4 marked as ultimately trusted
gpg: revocation certificate stored as '/home/nitin/.gnupg/openpgp-revocs.d/1238DB7C2B738579980C775C5EB3F9126288F5F4.rev'
public and secret key created and signed.

pub   rsa1024 2025-06-06 [SC] [expires: 2025-06-07]
      1238DB7C2B738579980C775C5EB3F9126288F5F4
uid                      nitin (test) <nitin123narayan123@gmail.com>
sub   rsa1024 2025-06-06 [E] [expires: 2025-06-07]

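List the generated keys. gpg -K --fingerprint lists the secret keys (its output is shown below); gpg --list-keys lists the public keys.

gpg -K --fingerprint

# or, to list the public keys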

gpg --list-keys
/home/nitin/.gnupg/pubring.kbx
------------------------------
sec   rsa1024 2025-06-06 [SC] [expires: 2025-06-07]
      1238 DB7C 2B73 8579 980C  775C 5EB3 F912 6288 F5F4
uid           [ultimate] nitin (test) <nitin123narayan123@gmail.com>
ssb   rsa1024 2025-06-06 [E] [expires: 2025-06-07]

Export Public Key for sharing (Optional)

We can export the public key with the command,

gpg -a --export nitin > key.pub

Encrypting message

When providing a text file as input

echo hello world > message.txt

gpg -a -r nitin -e message.txt

This should generate the file message.txt.asc, which contains the encrypted message along with information about the public key that was used to encrypt it. gpg needs this information when decrypting the message.

The -r option gives the name of the recipient key, which is the name we provided when creating the key pair. The -e option selects encryption mode, and the -a option enables ASCII (armored) output. Without -a, gpg writes binary output that is not human-readable.

Decrypting message

We can decrypt the message by passing the encrypted message file to the command and entering the passphrase when asked (if a passphrase was set when creating the keys).

gpg -d message.txt.asc
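
The whole procedure above as one unattended script, added here as an example and not part of the original note. It works in a throwaway GNUPGHOME, selects the recipient by fingerprint instead of by name, and checks that the key ID recorded in message.txt.asc is the encryption subkey. The demo user ID and the function name gpg_roundtrip are assumptions, and the key has an empty passphrase only so that nothing prompts.

```shell
#!/bin/sh
# Added example: encrypt/decrypt round trip in a throwaway keyring.
# The user ID and the function name are constructed for this demo.

gpg_roundtrip() (
    msg=$1
    # Private keyring for this run, so ~/.gnupg is never touched.
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill all 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Unattended key: default algorithm, empty passphrase, expires in 1 day.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'demo (test) <demo@example.invalid>' \
        default default 1d 2>/dev/null || exit 1

    keys=$(gpg --batch --with-colons --list-keys) || exit 1
    # The first "fpr" record is the primary key's fingerprint.
    fpr=$(printf '%s\n' "$keys" | awk -F: '$1 == "fpr" { print $10; exit }')
    # Key ID of the encryption-capable subkey (the "[E]" line in listings).
    sub=$(printf '%s\n' "$keys" |
          awk -F: '$1 == "sub" && $12 ~ /e/ { print $5; exit }')
    [ -n "$fpr" ] && [ -n "$sub" ] || exit 1

    printf '%s\n' "$msg" > "$GNUPGHOME/message.txt"
    # Select the recipient by full fingerprint rather than by name.
    gpg --batch --quiet -a -r "$fpr" -e "$GNUPGHOME/message.txt" \
        2>/dev/null || exit 1

    # Key ID recorded in the message's public-key encryption packet.
    used=$(gpg --batch --list-packets "$GNUPGHOME/message.txt.asc" 2>/dev/null |
           sed -n 's/^:pubkey enc packet:.* keyid \([0-9A-F]*\).*/\1/p')
    out=$(gpg --batch --quiet -d "$GNUPGHOME/message.txt.asc" 2>/dev/null) ||
        exit 1

    # Succeed only if the packet names our subkey and the plaintext matches.
    [ "$used" = "$sub" ] && [ "$out" = "$msg" ]
)

gpg_roundtrip 'hello world' && echo 'round trip OK'
```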