GnuPG – HowTo, Tutorial, Notes

Basic GnuPG instructions, create and backup keys, encryption and decryption of files.

This GnuPG tutorial covers installing and running the basics of GnuPG: encrypt, decrypt, create and export or backup your public and private keys.  It is geared for a single user where encryption is used as part of a data backup/transmission strategy.  This tutorial is command line based,and works on *nix/Windows. The commands are basic enough that a GUI is not needed. To handle multiple files first create a tar/zip archive and then encrypt that.

This tutorial does not cover how to securely share keys between multiple people you may not trust.  It also does not cover the different types of keys you can choose from, and only uses the default setting (which is designed to be quite secure).  Using encryption suggests a basic level of paranoia, but there are much higher levels this tutorial does not delve into.  If you want to get paranoid, I hear there are certain herbs that do that.

For more in-depth use, see: web of trust, finger prints, key validation, and signing.

Steps in this tutorial:

  1. Install GnuPG
  2. Create the public and private keys
  3. Backup and move the keys to other machines where encryption/decryption will also take place
  4. Encrypt/decrypt files
  5. Symmetric keys – an easier but less secure route

GnuPG Install:

GnuPG (1.4.11) –


Download the binary for windows.

Install under C:\GnuPG
Add C:\GnuPG to $PATH
Right click My Computer, select Properties
Select Advanced Tab, click ‘Environmental Variables’ button
Choose the PATH variable, click the Edit button,
adding “;C:\GnuPG\” to the end of the Variable value line
Hit OK, OK

To test the install, open a command prompt (start->run, type ‘cmd’), then at the DOS looking prompt type ‘gpg –help’, you should get something.


Check that it is already installed? ($ ‘which gpg’)
It is a common package to many distributions.  There’s probably a yum or apt for it:
$ apt-get install gpg
$ yum install gpg

You can also Download the source and compile it.

$ tar xfvz ./gnupg-1.4.11.tar.gz
$ cd ./gnupg-1.4.11
$ ./configure
$ make
$ sudo make install

Add /GnuPG to PATH if it does not automatically appear
($ ‘which gpg’ should give you something)

Create a new set of public/private keys:

$ gpg --gen-key
#Select the following:
Key type: (1) DSA and Elgamal
Key size: 2048 bits
Expiration: never expires
real name: JohnDoe  [Key owner name here]
select (o) for okay to continue
pass phrase: {enter passphrase - make it complex}

(keep your passphrase somewhere safe, like KeePass)

The command will generate key files under:
(Windows C:\Documents and Settings\[current user]\Application Data\gnupg)
(Unix ~/.gnupg/)

pubring.gpg – the public key

To send files to JohnDoe that only JohnDoe can decrypt, the sender needs this file.

secring.gpg – the public key

To decrypt files created by the JohnDoe public key, the private key plus the pass phrase are needed.

Export/import the PUBLIC key

The public key is needed to encrypt files to be sent to this user. So, if someone wants to send John Doe a file, that is encrypted for his key, they need this file.

machine 1>gpg --armor --output JohnDoe_PUBLIC.gpg

Now, copy JohnDoe_PUBLIC.gpg from machine1 to machine2.

Import, and elevate to a trusted key:

machine 2>gpg --armor --import JohnDoe_PUBLIC.gpg
machine 2>gpg --edit-key
machine 2> Command> trust
(upgrade to highest level of trust)
machine 2> Command> q
machine 2>gpg --list-keys


Export/import the private key

Here we will move the key created to a second machine, which will be able to decrypt John Doe’s data.

machine 1>gpg --armor --output JohnDoe_PRIVATE.gpg 

Copy JohnDoe_PRIVATE.gpg from machine1 to machine2.
If you loose JohnDoe_PRIVATE.gpg, there is no way to decrypt!

machine 2>gpg --armor --import JohnDoe_PRIVATE.gpg
machine 2>gpg --list-secret-keys

Now machine2 can decrypt anything to, but machine2 user must still have the pass phrase.

Encrypt/Decrypt using KEYS

Encrypt a file, which can only be opened by the user we created:

$ gpg --recipient --encrypt testfile.txt
(makes testfile.txt.gpg)

If you add –sign it will ask for the private key’s pass phrase, and the file will contain a signature which prevents tampering, but can’t be ran automated. Recipients can then check the signature for validity before they open it (maximum paranoia).

Decrypt the file using private key and pass phrase:

$ gpg --recipient --output decrypted.txt
            --decrypt testfile.txt.gpg

Encrypt/Decrypt using Symmetric Ciphers

This style of encryption is simple. There are no public/private keys involved here. The pass phrase used to encrypt is the pass phrase needed to decrypt. You cannot use this method in an automated process unless you want to store the pass phrase in clear text (that’s a no no!).

$ gpg --symmetric test_sym.txt
Enter pass phrase: 123456789a
(makes test_sym.txt.gpg)

To decrypt the file that was encrypted using symmetric ciphers:

$ gpg --output test_sym_decrypted.txt --decrypt test_sym.txt.gpg
This entry was posted in Sys Admin and tagged , , . Bookmark the permalink.

Comments are closed.