GPG Fundamentals

I've only recently been motivated to encrypt a small portion of my email. Though I've been familiar with various encryption methods for a long time and PGP in particular, I found that I had to step back and do a lot of rehashing of what I know and don't fully understand about public/private key systems to come up with something that works.

GPG, for those of you thinking I meant to type PGP in the title of this week's post, stands for Gnu PG or GnuPG. GnuPG is the GNU project's complete and free implementation of the OpenPGP standard.

The basic idea behind GnuPG, and any public/private key system, is that you generate a pair of matched keys. One key decrypts what the other encrypts. They are referred to as public and private because one key (the public one) is to be shared with anyone you want to be able to send encrypted email to you that only you can read and the other (the private one), you keep to yourself so that no one else can decrypt email meant only for you.

Generating a Key Pair

You can generate a pair of keys using the command "gpg --gen-key". You will have to make a few decisions in this process, such as whether you want your keys to expire and how many bits your key should contain. The process will look more or less like this:

boson% gpg --gen-key
gpg (GnuPG) 1.4.8; Copyright (C) 2007 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: WARNING: using insecure memory!
gpg: please see for more information
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: Sandra Henry-Stocker
Email address:
Comment: bugfarm
You selected this USER-ID:
    "Sandra Henry-Stocker (bugfarm) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

The software will then go and create your keys, printing a lot of "++++>...+++" on your screen in the process. Notice that you are also required to enter a passphrase (twicce). You will have to type this phrase, in addition to having your private key installed, when you decrypt something that is encrypted for your eyes only. So, make it less than obvious, but don't make it impossibly difficult to type correctly.

Once your key pair has been created, you will have a .gnupg directory in your home directory. It will look like this:

-rw-------   1 bugfarm  staff       9029 Feb 27 09:02 gpg.conf
-rw-------   1 bugfarm  staff       3566 Mar  4 14:16 pubring.gpg
-rw-------   1 bugfarm  staff       3566 Mar  4 14:16 pubring.gpg~
-rw-------   1 bugfarm  staff        600 Mar  4 14:16 random_seed
-rw-------   1 bugfarm  staff       2651 Mar  4 14:16 secring.gpg
-rw-------   1 bugfarm  staff       1360 Mar  4 14:16 trustdb.gpg

None of these files should be sent to your intended correspondant. Instead, you will prepare a plain text version of your public key for sharing.

boson% gpg --armor --export >
gpg: WARNING: using insecure memory!
gpg: please see for more information

If you examine the public key file you have created, you will see that it starts with a BEGIN marker:

boson% cat
Version: GnuPG v1.4.8 (SunOS)


It ends with a corresponding END marker:


You will send this entire file, including the BEGIN and END markers, to your intended correspondant, who will then import your key like this:

fermion% gpg --import
gpg: WARNING: using insecure memory!
gpg: please see for more information
gpg: key 125531B0: public key "Sandra Henry-Stocker (bugfarm) <>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Your correspondant will then encrypt messages for you like this:

fermion> gpg --recipient --out testmsg.enc --encrypt testmsg
gpg: WARNING: using insecure memory!
gpg: please see for more information
gpg: E5D6FCEB: There is no assurance this key belongs to the named user

pub  2048g/E5D6FCEB 2009-03-04 Sandra Henry-Stocker (bugfarm) <>
 Primary key fingerprint: B237 5EA6 37B4 C61D A16C  78A1 4A45 9BD5 1255 31B0
      Subkey fingerprint: C6CF DA4B 3EFB CF7D D5DE  F546 C0E2 6B00 E5D6 FCEB

It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.

Use this key anyway? (y/N) y

When you receive the encrypted file, you can decrypt it with a similar command:

bash-2.03$ gpg --output testmsg --decrypt testmsg.enc
gpg: WARNING: using insecure memory!
gpg: please see for more information

You need a passphrase to unlock the secret key for
user: "Sandra Henry-Stocker (bugfarm) <>"
2048-bit ELG-E key, ID E5D6FCEB, created 2009-03-04 (main key ID 125531B0)

gpg: encrypted with 2048-bit ELG-E key, ID E5D6FCEB, created 2009-03-04
      "Sandra Henry-Stocker (bugfarm) <>"

The testmsg file should then be available in plain text.

It might seem like a lot of trouble, but encrypting messages for a particular recipient is really not all that hard.

This article is published as part of the IDG Contributor Network. Want to Join?

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon