What Is GPG?

GPG (GNU Privacy Guard) is a free, open-source implementation of the OpenPGP standard (RFC 4880). It allows you to encrypt and sign data, protecting your communications from eavesdropping and verifying the authenticity of messages. GPG is widely used for encrypting emails, signing software releases, and securing sensitive files.

Despite its power, GPG has a reputation for being complicated. This guide walks you through the essentials in plain language.

Prerequisites

Before you start, install GPG on your system:

  • Linux: GPG is usually pre-installed. If not: sudo apt install gnupg
  • macOS: Install via Homebrew: brew install gnupg or download GPG Suite from gpgtools.org
  • Windows: Download Gpg4win from gpg4win.org (includes a GUI called Kleopatra)

Step 1: Generate Your Key Pair

Run the following command and follow the prompts:

gpg --full-generate-key

You'll be asked to choose:

  1. Key type: Select RSA and RSA (default) or Ed25519 (offered as ECC with Curve 25519 in GnuPG 2.1 and later) for a more modern elliptic curve key.
  2. Key size: For RSA, choose 4096 bits for stronger security.
  3. Expiration: Setting an expiry date (e.g., 2 years) is good practice — it limits damage if your key is ever compromised.
  4. User ID: Enter your name and email address.
  5. Passphrase: Choose a strong passphrase to protect your private key.

Step 2: Export and Share Your Public Key

Your public key is what others use to send you encrypted messages. Export it with:

gpg --armor --export your@email.com > publickey.asc

You can share this file openly — post it on your website, email it to contacts, or upload it to a public keyserver:

gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

To find your key ID: gpg --list-keys your@email.com (the key ID is the last 16 hex digits of the fingerprint it prints). Note that keys.openpgp.org only makes your key findable by email address after you confirm that address through the verification email it sends.

Step 3: Import Someone Else's Public Key

To send an encrypted message to someone, you need their public key. If they've shared a file:

gpg --import theirpublickey.asc

Or search the keyserver:

gpg --keyserver keys.openpgp.org --search-keys their@email.com

Step 4: Encrypt a File or Message

To encrypt a file for a recipient (using their imported public key):

gpg --encrypt --armor --recipient their@email.com message.txt

This produces a message.txt.asc file. Only the recipient — with their private key — can decrypt it.

To encrypt for multiple recipients:

gpg --encrypt --armor --recipient alice@example.com --recipient bob@example.com message.txt

Step 5: Decrypt a Message

When you receive an encrypted message, decrypt it with:

gpg --decrypt message.txt.asc

GPG will prompt for your passphrase and output the plaintext.

Step 6: Sign a Message

Signing proves a message came from you. To sign and encrypt:

gpg --sign --encrypt --armor --recipient their@email.com message.txt

To verify a signature on a received file that was signed but not encrypted (for example a clear-signed message):

gpg --verify message.txt.asc

For a file that was signed and encrypted, gpg --decrypt checks the signature as part of decryption and reports the result along with the plaintext; the signer's public key must be in your keyring for the check to succeed.
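Steps 1 to 6 run end to end as an added example (not from the original guide), in two throwaway keyrings so nothing touches your own ~/.gnupg. It assumes gpg 2.1 or later on PATH; the names, email addresses, passphrase and message are constructed for the demo.

```sh
# Each party gets its own throwaway GNUPGHOME, so your real ~/.gnupg is never touched.
set -eu
WORK=$(mktemp -d); ALICE="$WORK/alice"; BOB="$WORK/bob"
trap 'for h in "$ALICE" "$BOB"; do GNUPGHOME="$h" gpgconf --kill all >/dev/null 2>&1 || true; done; rm -rf "$WORK"' EXIT
PASS='demo-passphrase-change-me'   # constructed for the demo; a real key needs a real passphrase
# run gpg against one home dir, non-interactively: the passphrase is fed via loopback pinentry
g() { h="$1"; shift; GNUPGHOME="$h" gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase "$PASS" "$@"; }
# Step 1: unattended form of --full-generate-key (Ed25519 signing key + cv25519 encryption subkey, 2-year expiry)
gen_key() { # $1=home  $2=real name  $3=email
  mkdir -p "$1"; chmod 700 "$1"; echo allow-loopback-pinentry > "$1/gpg-agent.conf"
  g "$1" --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Passphrase: $PASS
%commit
EOF
}
# primary-key fingerprint of $2's key as recorded in keyring $1
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'; }
# Steps 2-3 plus the fingerprint tip: import their public key, then sign it locally (mark it
# trusted) only after the fingerprint in our keyring matches what the owner reports out of band.
exchange_and_verify() { # $1=my home  $2=their home  $3=their email
  g "$2" --armor --export "$3" > "$WORK/$3.asc"
  g "$1" --import "$WORK/$3.asc"
  [ "$(fpr "$1" "$3")" = "$(fpr "$2" "$3")" ] || { echo "fingerprint mismatch for $3" >&2; return 1; }
  g "$1" --quick-lsign-key "$(fpr "$1" "$3")"
}
# Steps 5-6, receiver side: --decrypt also checks the signature; the status lines report both results
decrypt_and_verify() { # prints "ok" only if decryption AND the signature check succeeded
  rm -f "$WORK/plain.txt"
  st=$(g "$BOB" --status-fd 1 --output "$WORK/plain.txt" --decrypt "$WORK/message.txt.asc")
  case "$st" in *DECRYPTION_OKAY*) ;; *) echo "decryption-failed"; return 1 ;; esac
  case "$st" in *GOODSIG*) echo ok ;; *) echo "bad-or-missing-signature"; return 1 ;; esac
}
gen_key "$ALICE" "Alice Example" alice@example.com
gen_key "$BOB"   "Bob Example"   bob@example.com
exchange_and_verify "$ALICE" "$BOB" bob@example.com
exchange_and_verify "$BOB" "$ALICE" alice@example.com
printf 'meet at noon\n' > "$WORK/message.txt"   # constructed sample message
# Step 6, sender side: sign with Alice's key and encrypt to Bob, producing message.txt.asc
g "$ALICE" --sign --encrypt --armor --recipient bob@example.com --output "$WORK/message.txt.asc" "$WORK/message.txt"
decrypt_and_verify && cat "$WORK/plain.txt"
```

GOODSIG means the signature is cryptographically valid for a key in the keyring; whether that key belongs to the person is what the fingerprint comparison before the local signature establishes.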

Create a Revocation Certificate

Before you forget — generate a revocation certificate now and store it somewhere safe. If your key is ever compromised or lost, you'll use this to invalidate it (GnuPG 2.1 and later also writes one automatically into the openpgpRevocs.d directory under your GnuPG home directory when the key is generated):

gpg --gen-revoke your@email.com > revoke.asc

Tips for Good GPG Hygiene

  • Back up your private key to an encrypted, offline medium (e.g., a USB drive in a safe place).
  • Use a strong, unique passphrase — your private key's last line of defense.
  • Verify keys out-of-band — confirm fingerprints with contacts via phone or in person before trusting a key for sensitive communication.
  • Set key expiry dates and remember to extend or rotate keys before they expire.
  • Consider using a hardware security key (like a YubiKey) to store your GPG private key for added protection.

Where to Go From Here

GPG is a foundational tool for anyone serious about digital privacy. Once you're comfortable with the basics, explore email client integrations (the Enigmail add-on for Thunderbird versions before 78, or the built-in OpenPGP support in Thunderbird 78 and later), git commit signing, and GPG agent configuration for a smoother workflow. The learning curve is real, but the control over your own communications is worth it.