Encrypt and decrypt a file using GPG keys


UPDATED ON 2022-12-07

If you have someone's public GPG key, you can use GnuPG to encrypt a file and send it to them safely over an insecure connection (e.g. the internet). They can then use their private key to decrypt the file you sent.


How does GPG work?

To start using GPG, you’ll first need to have a GPG key.

A GPG key is what you’ll use to encrypt or decrypt files. It is also used to identify you, since details such as your name and email address are tied to the key.


GPG keys work by using two files, a private key and a public key. These two keys are tied to each other, and are both needed to use all of GPG’s functionality, notably encrypting and decrypting files.


When you encrypt a file with GPG, it uses either the private key or the public key. The encrypted file can then only be decrypted with the other key of the pair.
Generally, the public key is used for encryption and the private key for decryption.


The private key is meant to be stored exactly as its name suggests: privately, and not given out to anyone.

The public key, on the other hand, is meant to be given to others: anyone you want to be able to encrypt files and send them to you securely.

Prerequisite

Encryption using a public GPG key

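Save the public key in a file, say yoges_pubgpg.asc.

The contents of yoges_pubgpg.asc should be an ASCII-armored block that starts with a -----BEGIN PGP PUBLIC KEY BLOCK----- line and ends with an -----END PGP PUBLIC KEY BLOCK----- line.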


Add the public GPG key to your keyring

gpg --import yoges_pubgpg.asc


$ gpg --import yoges_pubgpg.asc
gpg: key 33C05B4624890348: public key "yogesh (just a test key) <castor@whoisyoges.eu.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Signing a Public Key

If you want to keep a file away from prying eyes, ensure that it comes from the person it says it comes from, and ensure that it has not been altered, you can sign the file using your private key and encrypt it using the recipient’s public key. The recipient can then decrypt it using their private key and verify the signature using the sender’s public key.

Check recipient's public key

gpg --list-public-keys


$ gpg --list-public-keys
/home/useless/.gnupg/pubring.kbx
--------------------------------------------
pub   rsa4096 2022-10-29 [SC]
      D8C96133251FFDCC8ACFE645AC5C5F04930D8ACF
uid           [ultimate] Castor (Trusted GPG Key of Castor from https://castorIsDead.xyz; send map of hidden treasure to castor!) <whoisYoges@castorIsDead.xyz>
sub   rsa4096 2022-10-29 [E]

pub   rsa4096 2022-10-30 [SC] [expires: 2022-11-01]
      036A752DE9DF5516B33E87BE33C05B4624890348
uid           [ unknown] yogesh (just a test key) <castor@whoisyoges.eu.org>
sub   rsa4096 2022-10-30 [E] [expires: 2022-11-01]

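The key marked [ultimate] is your personal key. The other one, marked [unknown], is the public key you just added. Before signing it, compare the fingerprint shown here with one you obtained from the key's owner over a separate channel, because signing records that you have verified the key belongs to them.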

Sign the public key with your GPG key

gpg --sign-key <id>


$ gpg --sign-key 036A752DE9DF5516B33E87BE33C05B4624890348
pub  rsa4096/33C05B4624890348
     created: 2022-10-30  expires: 2022-11-01  usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/58A64F87EEA58B99
     created: 2022-10-30  expires: 2022-11-01  usage: E
[ unknown] (1). yogesh (just a test key) <castor@whoisyoges.eu.org>

pub  rsa4096/33C05B4624890348
     created: 2022-10-30  expires: 2022-11-01  usage: SC
     trust: unknown       validity: unknown
 Primary key fingerprint: 036A 752D E9DF 5516 B33E 87BE 33C0 5B46 2489 0348

     yogesh (just a test key) <castor@whoisyoges.eu.org>

This key is due to expire on 2022-11-01.
Are you sure that you want to sign this key with your
key "Castor (Trusted GPG Key of Castor from https://castorIsDead.xyz; send map of hidden treasure to castor!) <whoisYoges@castorIsDead.xyz>" (AC5C5F04930D8ACF)

Really sign? (y/N) y

You'll then be prompted for your GPG key password. Enter it and the key is signed.
After signing, the key that was listed as [unknown] is shown as [ full ].

$ gpg --list-public-keys
pub   rsa4096 2022-10-29 [SC]
      D8C96133251FFDCC8ACFE645AC5C5F04930D8ACF
uid           [ultimate] Castor (Trusted GPG Key of Castor from https://castorIsDead.xyz; send map of hidden treasure to castor!) <whoisYoges@castorIsDead.xyz>
sub   rsa4096 2022-10-29 [E]

pub   rsa4096 2022-10-30 [SC] [expires: 2022-11-01]
      036A752DE9DF5516B33E87BE33C05B4624890348
uid           [ full ] yogesh (just a test key) <castor@whoisyoges.eu.org>
sub   rsa4096 2022-10-30 [E] [expires: 2022-11-01]
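
Signing a key only means something if the key was checked first. The script below is an added example, not part of the original article: it compares a key file's fingerprint with one obtained from the owner out of band and rejects expired keys before anything is imported. The helper names key_status and verified_import are hypothetical, and the sample listing is constructed to resemble the test key above.

```sh
#!/bin/sh
# Added example: check fingerprint and expiry before importing a key file.
# key_status and verified_import are hypothetical helper names.

# Reads `gpg --with-colons` output on stdin and prints ok, mismatch or expired
# for the first primary key in the listing.
#   $1 = fingerprint from the owner (spaces and lower case are accepted)
#   $2 = current time in epoch seconds
key_status() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -F: -v want="$want" -v now="$2" '
    $1 == "pub" && !seen { seen = 1; validity = $2; expires = $7; next }
    # The first fpr record after pub is the primary key fingerprint (field 10).
    $1 == "fpr" && seen && fpr == "" { fpr = $10 }
    END {
      # Appending "" forces a string comparison even for all-digit values.
      if ((fpr "") != (want "")) {
        print "mismatch"
      } else if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) {
        print "expired"
      } else {
        print "ok"
      }
    }'
}

# Inspect the file without touching the keyring; import only if it passes.
#   $1 = key file, $2 = expected fingerprint
verified_import() {
  status=$(gpg --show-keys --with-colons "$1" | key_status "$2" "$(date +%s)")
  [ "$status" = ok ] || { echo "refusing to import $1: $status" >&2; return 1; }
  gpg --import "$1"
}

# Constructed listing (not real gpg output): key ID and fingerprint are the
# test key shown above, timestamps correspond to 2022-10-30 and 2022-11-01,
# and the subkey fingerprint is a zero placeholder.
SAMPLE_COLONS='pub:-:4096:1:33C05B4624890348:1667088000:1667260800::-:::scESC::::::23::0:
fpr:::::::::036A752DE9DF5516B33E87BE33C05B4624890348:
uid:-::::1667088000::::yogesh (just a test key) <castor@whoisyoges.eu.org>::::::::::0:
sub:-:4096:1:58A64F87EEA58B99:1667088000:1667260800:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:'
```

Call it as verified_import yoges_pubgpg.asc "<fingerprint from the owner>" in place of the plain gpg --import step.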

Encrypt the file you're sending, using the public GPG key:

In this example message.txt is the secret text message, message.txt.gpg is the encrypted file and castor@whoisYoges.eu.org is the email address from the receiver's public key. The encrypted file can be named whatever you like.

gpg --encrypt --output message.txt.gpg --recipient castor@whoisYoges.eu.org message.txt


$ gpg --encrypt --output message.txt.gpg --recipient castor@whoisYoges.eu.org message.txt
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2022-11-01

Now you can send the encrypted file (message.txt.gpg) to the recipient. It is even safe to upload the files to a public file sharing service and tell the recipient to download them from there.

Decrypting using private GPG key

Here the encrypted file is message.txt.gpg and the decrypted file will be named message.txt.

gpg --decrypt --output message.txt message.txt.gpg


$ gpg --decrypt --output message.txt message.txt.gpg 
gpg: encrypted with 4096-bit RSA key, ID 58A64F87EEA58B99, created 2022-10-30
      "yogesh (just a test key) <castor@whoisyoges.eu.org>"

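The steps above encrypt only. The sign-and-encrypt flow described under "Signing a Public Key" looks like this as an added example, not part of the original article: the function sign_encrypt_roundtrip is hypothetical, both identities are throwaway keys created in a temporary keyring, and GnuPG 2.1 or later is assumed.

```sh
#!/bin/sh
# Added example: sign and encrypt in one step, then decrypt and verify.
# Sender and recipient are throwaway keys in a temporary keyring; in real
# use each party holds only their own private key.

# Prints "<decrypted text>|GOODSIG" or "<decrypted text>|NOSIG".
#   $1 = message text
sign_encrypt_roundtrip() {
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

  g --quick-generate-key 'Sender <sender@example.test>' default default 1d 2>/dev/null
  g --quick-generate-key 'Recipient <recipient@example.test>' default default 1d 2>/dev/null

  printf '%s' "$1" > "$GNUPGHOME/message.txt"

  # --sign uses the sender's private key, --encrypt the recipient's public key.
  g --sign --encrypt --local-user sender@example.test \
    --recipient recipient@example.test \
    --output "$GNUPGHOME/message.txt.gpg" "$GNUPGHOME/message.txt" || return 1

  # Decrypt with the recipient's private key. Machine-readable status lines
  # go to fd 3 so the signature result can be checked by a script.
  plain=$(g --decrypt --status-fd 3 "$GNUPGHOME/message.txt.gpg" \
            3>"$GNUPGHOME/status" 2>/dev/null) || return 1
  if grep -q '^\[GNUPG:\] GOODSIG ' "$GNUPGHOME/status"; then
    sig=GOODSIG
  else
    sig=NOSIG
  fi

  # Stop the agent started for the temporary keyring and remove it.
  gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$GNUPGHOME"
  unset GNUPGHOME
  printf '%s|%s\n' "$plain" "$sig"
}
```
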
Deleting public keys from keyring

Assuming you don't need the key any more and wish to delete it:

List the keys available to the current user

gpg --list-public-keys


$ gpg --list-public-keys
pub   rsa4096 2022-10-29 [SC]
      D8C96133251FFDCC8ACFE645AC5C5F04930D8ACF
uid           [ultimate] Castor (Trusted GPG Key of Castor from https://castorIsDead.xyz; send map of hidden treasure to castor!) <whoisYoges@castorIsDead.xyz>
sub   rsa4096 2022-10-29 [E]

pub   rsa4096 2022-10-30 [SC] [expires: 2022-11-01]
      036A752DE9DF5516B33E87BE33C05B4624890348
uid           [ full ] yogesh (just a test key) <castor@whoisyoges.eu.org>
sub   rsa4096 2022-10-30 [E] [expires: 2022-11-01]

Delete the key you no longer need

gpg --batch --delete-keys --yes <id>


$ gpg --batch --delete-keys --yes 036A752DE9DF5516B33E87BE33C05B4624890348

Verify the deletion

gpg --list-public-keys


$ gpg --list-public-keys
pub   rsa4096 2022-10-29 [SC]
      D8C96133251FFDCC8ACFE645AC5C5F04930D8ACF
uid           [ultimate] Castor (Trusted GPG Key of Castor from https://castorIsDead.xyz; send map of hidden treasure to castor!) <whoisYoges@castorIsDead.xyz>
sub   rsa4096 2022-10-29 [E]
