GPG Basics: Encrypting, Decrypting, and Signing Files

What You'll Learn

  • How to encrypt and decrypt files with gpg
  • When to use public-key mode vs password mode (symmetric)
  • How to sign files and verify them against tampering

Quick Summary

  • Protect with a password you share: gpg -c (symmetric / password mode)
  • Send to someone using their public key: gpg -e -r <recipient> (public-key mode)
  • Prove a file wasn't altered: gpg -b (detached signature)

Prerequisites

  • OS: Ubuntu / Debian family (apt install gnupg). Bundled by default on most distros.
  • Command name is gpg (GnuPG 2.x assumed).

What is GPG?

Conclusion: gpg is the command-line tool of GnuPG, a free implementation of the OpenPGP standard. Encryption makes data unreadable to third parties; signing lets the receiver detect tampering.

GPG (GnuPG, GNU Privacy Guard) implements the OpenPGP standard (RFC 4880, revised as RFC 9580). It does two main things:

  • Encrypt / decrypt: keep contents away from third parties
  • Sign / verify: prove who made a file and that it wasn't altered

Encryption comes in two modes. Public-key mode encrypts with the recipient's public key so only their private key can decrypt it. Password mode (symmetric) uses one passphrase for both encryption and decryption. We start with password mode because it needs no key setup.

How do you encrypt with just a password?

Conclusion: The simplest option is gpg -c. It encrypts with a passphrase you type and decrypts with the same passphrase — no key pair needed.

No key creation required. Use -c (--symmetric) to encrypt with a passphrase.

$ gpg -c secret.txt

You're prompted for a passphrase (twice, to confirm), and secret.txt.gpg (binary) is created next to the original. The original stays in place, so delete it separately if you don't need it; note that an ordinary rm does not wipe the plaintext blocks from disk, so if the plaintext must not be recoverable, use a secure-deletion tool or an encrypted filesystem instead.

Decrypt with -d (--decrypt).

$ gpg -d secret.txt.gpg

The contents print to standard output. To write to a file, use -o.

$ gpg -o secret.txt -d secret.txt.gpg

When you need a text form you can paste into mail or chat, add -a (--armor). You get secret.txt.asc, an ASCII-armored (Base64-encoded) form of the same ciphertext. Armoring only changes the encoding; it adds no security.

$ gpg -c -a secret.txt

Password mode assumes you can deliver the passphrase over a channel separate from the ciphertext. Sending the ciphertext and the passphrase side by side in the same chat defeats the purpose, and the ciphertext is only as strong as the passphrase, so use a long, random one. If delivering a shared secret is hard, use public-key mode below.
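The same password-mode round-trip, driven from a script rather than typed interactively, as an added example that is not part of the original article. It assumes GnuPG 2.2 or later on PATH; the sample plaintext and both passphrases are constructed for the demo. The passphrase is fed on a file descriptor, the work happens in a throwaway GNUPGHOME so your own keyring and gpg-agent cache are untouched, and the second decryption shows that a wrong passphrase is rejected rather than silently served from the agent's cache.

```shell
#!/bin/sh
# Added example, not from the original article: gpg -c driven from a script.
# Assumes GnuPG 2.2+ on PATH. Plaintext and passphrases below are constructed.

# scratch_home: print the path of a fresh 0700 GNUPGHOME so the demo never
# touches ~/.gnupg or the user's running gpg-agent.
scratch_home() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# sym_encrypt HOME PASSPHRASE IN OUT
# The passphrase travels on stdin (--passphrase-fd 0), which
# --pinentry-mode loopback makes gpg accept; --batch disables all prompts;
# --no-symkey-cache keeps the passphrase out of gpg-agent; the S2K options
# make each passphrase guess cost the maximum number of hash iterations.
sym_encrypt() {
    printf '%s' "$2" | gpg --homedir "$1" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --no-symkey-cache \
        --cipher-algo AES256 --s2k-mode 3 --s2k-count 65011712 \
        -c -o "$4" "$3"
}

# sym_decrypt HOME PASSPHRASE IN OUT
sym_decrypt() {
    printf '%s' "$2" | gpg --homedir "$1" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --no-symkey-cache \
        -d -o "$4" "$3"
}

# sym_demo: encrypt, decrypt with the right passphrase (output must match
# the input), then try a wrong passphrase from a second scratch keyring
# (must fail). Returns 0 only when both checks hold.
sym_demo() {
    work=$(mktemp -d) || return 1
    h1=$(scratch_home) || return 1
    h2=$(scratch_home) || return 1
    # constructed sample plaintext
    printf 'account: demo\nsecret: constructed sample text\n' > "$work/secret.txt"

    rc=1
    if sym_encrypt "$h1" 'correct horse battery staple' \
           "$work/secret.txt" "$work/secret.txt.gpg" \
       && sym_decrypt "$h1" 'correct horse battery staple' \
           "$work/secret.txt.gpg" "$work/secret.txt.out" \
       && cmp -s "$work/secret.txt" "$work/secret.txt.out" \
       && ! sym_decrypt "$h2" 'wrong passphrase' \
           "$work/secret.txt.gpg" "$work/wrong.out" 2>/dev/null
    then
        rc=0
    fi
    for h in "$h1" "$h2"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work" "$h1" "$h2"
    return $rc
}

sym_demo && echo "symmetric round-trip ok"
```

Passing the passphrase on a file descriptor (or with --passphrase-file) is the scripting-friendly form; putting it on the command line with --passphrase exposes it to every local user via the process list, so avoid that outside throwaway environments.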

How do you set up public-key mode?

Conclusion: Create a key pair first. gpg --full-generate-key produces a private key (yours) and a public key (to distribute).

Public-key mode uses a pair: a public key for encryption and a private key for decryption. Create it first.

$ gpg --full-generate-key

You're asked interactively for key type, size, expiration, name, and email. The defaults are fine (RSA 3072 in GnuPG 2.2; ed25519/cv25519 in 2.3 and later). Set an expiration date rather than "never"; you can extend it later, and an expired key limits the damage if you lose access to it. Finally, set a passphrase. This protects the private key on disk and is a different thing from the password used in symmetric mode.

List your keys with:

$ gpg --list-keys          # public keys
$ gpg --list-secret-keys   # private keys

The 40-hex-digit string is the fingerprint. The "key ID" is just its last 16 (long ID) or 8 (short ID) hex digits; short IDs are easy to collide, so when you need to pin a specific key, use the full fingerprint. For everyday use the email address also works as a recipient selector, as long as it matches exactly one key in your keyring.

How do you share your public key?

Conclusion: Export your public key as text with gpg --export -a and send it. The other side imports it with gpg --import.

To let someone encrypt for you, give them your public key. Add -a to --export to make it text.

$ gpg --export -a "you@example.com" > my-pubkey.asc

They import it:

$ gpg --import my-pubkey.asc

How do you encrypt and decrypt with a public key?

Conclusion: gpg -e -r <recipient> encrypts with the recipient's public key. Only that recipient can decrypt it.

Once you've imported the recipient's public key, encrypt with -e (--encrypt) and -r (--recipient).

$ gpg -e -r "friend@example.com" report.pdf

This creates report.pdf.gpg, which only the holder of friend@example.com's private key can decrypt. They run:

$ gpg -d report.pdf.gpg > report.pdf

To read it yourself later, add yourself as a recipient too (-r can repeat).

$ gpg -e -r "friend@example.com" -r "you@example.com" report.pdf

Add -a for a text-friendly output.

$ gpg -e -a -r "friend@example.com" message.txt   # message.txt.asc

How do you verify integrity with a signature?

Conclusion: To prove authenticity without hiding content, sign instead of encrypt. gpg -b makes a separate signature file; --verify checks it.

Signing is different from encryption. The content stays readable, while the signature proves it was made by the signer and not altered. It's common for verifying the authenticity of distributed files.

The most practical form is a detached signature. Use -b (--detach-sign) to create a signature file separate from the original.

$ gpg -b -a release.tar.gz

This creates release.tar.gz.asc. Distribute it alongside the original. The recipient verifies with --verify.

$ gpg --verify release.tar.gz.asc release.tar.gz

A "Good signature from ..." line means the signature checks out under the named public key and the file is byte-for-byte what was signed. If the file was changed, even by one byte, gpg reports "BAD signature" and exits non-zero.

Signing and encryption can combine: -s -e -r <recipient> signs first and then encrypts, so the recipient sees both who wrote the file and that nobody else could read it. --clearsign embeds a signature into readable text, often used in email bodies.

Even a Good signature doesn't confirm the public key really belongs to the sender. Verification only proves "signed with that key." Check where you obtained the key and compare its full fingerprint (gpg --fingerprint) with one published out of band, for example on the project's official site or in person; gpg prints a WARNING when the key isn't certified, but --verify still exits 0 in that case, so a script that only checks the exit status is not checking who signed. In scripts, also pin the expected signer rather than accepting any key in the keyring.
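The whole public-key workflow from this and the previous three sections (generate, export/import, fingerprint check, encrypt to a recipient, decrypt, detached sign, verify, and verify again after tampering), as an added example that is not part of the original article. It runs between two scratch keyrings for "alice" and "bob" so nothing touches ~/.gnupg, and assumes GnuPG 2.2 or later on PATH for --quick-generate-key and --quick-lsign-key. The user IDs, message and "release" payload are constructed for the demo; the empty key passphrase is acceptable only because the keys are thrown away.

```shell
#!/bin/sh
# Added example, not from the original article: the two-party workflow run
# between two throwaway keyrings. Assumes GnuPG 2.2+ on PATH. User IDs,
# message and release payload are constructed.

# scratch_home: print the path of a fresh 0700 GNUPGHOME
scratch_home() {
    d=$(mktemp -d) || return 1
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# gen_key HOME "Name <email>": unattended key pair with gpg's default
# algorithm and no expiry. Empty passphrase: demo keyring only.
gen_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

# fingerprint HOME UID: primary-key fingerprint from machine-readable output
# (field 10 of the first "fpr" record).
fingerprint() {
    gpg --homedir "$1" --with-colons --fingerprint "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# pubkey_steps ALICE_HOME BOB_HOME WORKDIR: returns 0 only if every step
# behaves as described, including the two expected failures.
pubkey_steps() {
    alice=$1; bob=$2; work=$3
    gen_key "$alice" "Alice Example <alice@example.com>" || return 1
    gen_key "$bob"   "Bob Example <bob@example.com>"     || return 1

    # Share: Alice exports her public key as ASCII armor; Bob imports it.
    gpg --homedir "$alice" --export -a alice@example.com > "$work/alice.asc" || return 1
    gpg --homedir "$bob" --batch --quiet --import "$work/alice.asc" || return 1

    # Bob compares the imported fingerprint with the one Alice published
    # out of band (modelled here by reading Alice's own keyring).
    expected=$(fingerprint "$alice" alice@example.com)
    got=$(fingerprint "$bob" alice@example.com)
    [ -n "$expected" ] && [ "$got" = "$expected" ] || return 1

    # Only after that check does Bob locally certify the key. Without it,
    # gpg in --batch mode refuses to encrypt to an unverified key.
    gpg --homedir "$bob" --batch --quiet --quick-lsign-key "$got" || return 1

    # Bob encrypts to Alice; Alice decrypts; Bob, holding no matching
    # private key, cannot.
    printf 'meeting moved to 14:00\n' > "$work/msg.txt"   # constructed
    gpg --homedir "$bob" --batch --quiet -e -r alice@example.com \
        -o "$work/msg.gpg" "$work/msg.txt" || return 1
    gpg --homedir "$alice" --batch --quiet -d -o "$work/msg.out" "$work/msg.gpg" || return 1
    cmp -s "$work/msg.txt" "$work/msg.out" || return 1
    if gpg --homedir "$bob" --batch -d "$work/msg.gpg" >/dev/null 2>&1; then
        return 1
    fi

    # Alice makes a detached, armored signature; Bob verifies it, then one
    # byte is appended to the file and verification must fail.
    printf 'release payload\n' > "$work/release.tar.gz"   # constructed
    gpg --homedir "$alice" --batch --quiet -b -a \
        -o "$work/release.tar.gz.asc" "$work/release.tar.gz" || return 1
    gpg --homedir "$bob" --batch --verify \
        "$work/release.tar.gz.asc" "$work/release.tar.gz" || return 1
    printf 'x' >> "$work/release.tar.gz"
    if gpg --homedir "$bob" --batch --verify \
           "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null; then
        return 1
    fi
    return 0
}

# pubkey_demo: set up the keyrings, run the steps, always clean up.
pubkey_demo() {
    a=$(scratch_home) || return 1
    b=$(scratch_home) || return 1
    w=$(mktemp -d) || return 1
    pubkey_steps "$a" "$b" "$w"; rc=$?
    for h in "$a" "$b"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$a" "$b" "$w"
    return $rc
}

pubkey_demo && echo "public-key and signature workflow ok"
```

The fingerprint comparison before --quick-lsign-key is the step that turns "signed with some key called alice@example.com" into "signed by Alice": a local signature records that you verified the key yourself and is not exported with the key. Using --trust-model always instead would make gpg encrypt to any key that happens to match the address, which is exactly the check you want to keep.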

Summary: Command Cheat Sheet

Conclusion: Password mode is -c, public-key mode is -e -r, signing is -b. Add -a for text output and -d to decrypt — that covers daily use.

Goal                          Command
Encrypt with a password       gpg -c file
Encrypt with a public key     gpg -e -r <ID> file
Decrypt                       gpg -d file.gpg
Create a key pair             gpg --full-generate-key
Export a public key           gpg --export -a <ID>
Import a public key           gpg --import key.asc
Create a detached signature   gpg -b -a file
Verify a signature            gpg --verify file.asc file
Sign and encrypt              gpg -s -e -r <ID> file