// THE REBEL BLOG

Thoughts on free software, privacy, and taking back control

2026-03-01 · 12 min read · Security

Mastering GPG: Encryption for the Command Line

Every encryption system relies on keys. In the world of asymmetric cryptography, you have two keys: a public key that you share with everyone, and a private key that you keep secret. This is the foundation of GPG (GNU Privacy Guard), and once you understand it, you have true digital sovereignty.

In this guide, we'll walk through installing GPG on Debian and mastering the essential commands for file encryption, message signing, and key management.

What is GPG?

GPG (GNU Privacy Guard) is a free and open source implementation of the OpenPGP standard. It's been around since 1997 and is the backbone of encrypted communication for journalists, activists, developers, and anyone who values privacy.

Unlike symmetric encryption where one key does everything, GPG uses public-key cryptography. You encrypt with someone's public key, and only they can decrypt with their private key. You sign with your private key, and anyone can verify with your public key.

Pro Tip: Your private key is only as secure as your passphrase and your storage. Never share it. Never lose it. If you lose your private key, anything encrypted to it is gone forever.

Installation

On Debian, GPG is likely already installed. Let's verify:

which gpg
gpg --version

If not installed, get it:

sudo apt update
sudo apt install gnupg

Generating Your First Key Pair

Before you can encrypt or sign anything, you need keys. Let's generate your master key:

gpg --full-generate-key

You'll be prompted through several questions:

  1. Key type — Choose (1) RSA and RSA (default)
  2. Key size — 4096 bits (yes, go big)
  3. Key validity — 0 = never expires (or set your preference)
  4. Your name — Real name for key identification
  5. Email address — Use a dedicated email if possible
  6. Passphrase — Use a strong, unique passphrase. Write it down and store it safely.

Important: Your passphrase protects your private key on disk. Use a password manager to generate a long, random passphrase. This is not a password you'll memorize—it's too long for that.
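
The same six answers can be given to gpg non-interactively. The following is an added example, not code from the original post: it renders GnuPG's unattended key-generation parameter file (the format documented under "Unattended key generation" in the GnuPG manual) from a name, an email and an expiry, and feeds it to gpg --batch. The function names render_keygen_params and batch_generate_key are assumptions of this example. The %ask-passphrase directive makes gpg prompt through pinentry, so the passphrase is never written into the parameter file or passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): the six interactive prompts
# above as an unattended parameter file, for reproducible key generation.
# render_keygen_params and batch_generate_key are assumed names.

# Print a parameter file for an RSA 4096 signing primary key with an RSA 4096
# encryption subkey (what "(1) RSA and RSA" produces interactively).
# $3 is the expiry in gpg syntax: 0 = never, 2y, 365d, ...
render_keygen_params() {   # usage: render_keygen_params "Real Name" email expiry
    cat <<EOF
%echo Generating key for $1 <$2>
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%ask-passphrase
%commit
%echo done
EOF
}

# Feed the parameter file to gpg on stdin; nothing is written to disk, and
# the passphrase is collected by pinentry rather than stored in the file.
batch_generate_key() {
    render_keygen_params "$1" "$2" "$3" | gpg --batch --generate-key
}

# Example invocation (constructed identity, for illustration only):
# batch_generate_key "Alice Example" alice@example.com 2y
```

Check the rendered file with render_keygen_params alone before running batch_generate_key; it should contain no Passphrase: line.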

Listing Your Keys

View your keys:

# List secret keys
gpg -K
gpg --list-secret-keys

# List public keys
gpg -k
gpg --list-keys

Each key has a fingerprint—a long hexadecimal string that uniquely identifies it. Note the 8-character key ID at the end (the last 8 hex characters of the fingerprint).

Exporting Your Public Key

To receive encrypted messages or files, others need your public key. Export it:

# Export to file (armored/ASCII)
gpg --armor --export YOUR_KEY_ID > mypubkey.asc

# Or output to stdout
gpg --armor --export your@email.com

The --armor flag outputs ASCII-armored text instead of binary, making it safe to copy-paste or embed in emails.

Publishing to a Keyserver

Keyservers let others look up your public key by email address:

gpg --keyserver keyserver.ubuntu.com --send-keys YOUR_KEY_ID

Popular keyservers include:

  • keyserver.ubuntu.com
  • keys.openpgp.org
  • pgp.mit.edu

Importing Someone's Public Key

To encrypt files for someone else, you need their public key:

# From file
gpg --import theirkey.asc

# From keyserver (by email)
gpg --keyserver keyserver.ubuntu.com --search-keys person@email.com

# From keyserver (by fingerprint)
gpg --keyserver keyserver.ubuntu.com --recv-keys THEIR_FINGERPRINT

Verify fingerprints! Always verify you've imported the correct key by checking the fingerprint with the owner through another channel (in person, Signal, etc.).
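
Both the key-listing section and the fingerprint warning above come down to one habit: compare full fingerprints, not 8-character key IDs. The short ID is just the last 8 hex characters of the fingerprint, and it is feasible to create a key whose short ID collides with someone else's, so a script that matches on it can be fooled. The following is an added example, not code from the original post. It parses gpg's machine-readable colon output (the format behind --with-colons, which is stable and intended for scripts), derives the long and short key IDs from a fingerprint, normalizes a fingerprint the way people exchange them (spaces, mixed case) and imports a key file only when its primary fingerprint equals the one the owner gave you. The sample listing and its fingerprints are constructed; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): work with full fingerprints,
# not 8-character key IDs, when a script has to decide whether a key is the
# right one. Function names and SAMPLE_LISTING are constructed for this example.

# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output.
# The fpr record after a pub record is the primary key's fingerprint (field 10);
# the fpr record after a sub record belongs to the subkey.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::DEADBEEF::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Read a colon listing on stdin and print the fingerprint of each primary key.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# The long (16) or short (8) key ID is simply the tail of the fingerprint.
key_id_from_fpr() {   # usage: key_id_from_fpr FPR [8|16]
    n=${2:-16}
    printf '%s\n' "$1" | awk -v n="$n" '{ print substr($0, length($0) - n + 1) }'
}

# Fingerprints are exchanged as "0123 4567 ..." in any case; normalize before
# comparing so a formatting difference can neither hide nor fake a mismatch.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# 0 if the argument normalizes to exactly 40 hex characters (a v4 fingerprint).
is_valid_fpr() {
    printf '%s\n' "$(normalize_fpr "$1")" | grep -Eq '^[0-9A-F]{40}$'
}

# Import a key file only if its primary fingerprint equals the one confirmed
# with the owner over another channel. --show-keys lists a file without importing.
verified_import() {   # usage: verified_import theirkey.asc "EXPECTED FPR"
    expected=$(normalize_fpr "$2")
    is_valid_fpr "$expected" || { echo "bad fingerprint format" >&2; return 2; }
    actual=$(gpg --with-colons --show-keys "$1" | primary_fingerprints)
    if [ "$actual" = "$expected" ]; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch: got '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Offline demonstration on the constructed listing (no gpg needed):
primary=$(printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints)
echo "primary fingerprint: $primary"
echo "long key ID:  $(key_id_from_fpr "$primary" 16)"
echo "short key ID: $(key_id_from_fpr "$primary" 8)"
```

The live equivalent of the sample is gpg --with-colons --fingerprint --list-keys | primary_fingerprints. Note that verified_import compares against the primary key: a key file can carry any number of subkeys, but the primary fingerprint is the identity the owner read out to you.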

Encrypting Files

Now the good stuff—actual encryption:

Encrypt for yourself (symmetric)

gpg --symmetric --armor secret.txt

This prompts for a passphrase and creates secret.txt.asc.

Encrypt for someone else (asymmetric)

gpg --encrypt --armor --recipient their@email.com secret.txt

Creates secret.txt.asc that only they can decrypt.

Encrypt for multiple recipients

gpg --encrypt --armor --recipient alice@email.com --recipient bob@email.com secret.txt

Encrypt for yourself AND others

gpg --encrypt --armor --recipient your@email.com --recipient their@email.com secret.txt

Decrypting Files

Decryption is simple:

# Decrypt to stdout
gpg --decrypt secret.txt.asc

# Decrypt to a named file (--output must come before the --decrypt command;
# gpg stops reading options at the first filename)
gpg --output secret.txt --decrypt secret.txt.asc

# Short form
gpg -d secret.txt.asc

GPG will prompt for your passphrase if the file was encrypted to your key.
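
When the encrypt and decrypt commands above are run from a script rather than typed, two details matter: the passphrase must not appear on the command line (every user on the machine can read process arguments), and --output has to precede the --symmetric or --decrypt command because gpg stops parsing options at the first filename. The following is an added example, not code from the original post. It wraps symmetric encryption and decryption with the passphrase fed on a file descriptor, then proves a constructed plaintext survives the round trip inside a throwaway GNUPGHOME so the real keyring is never touched. The function names and the test passphrase are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): scripted symmetric round trip.
# gpg_sym_encrypt, gpg_sym_decrypt and gpg_roundtrip_check are assumed names.

# Encrypt $2 into $3 with the passphrase in $1. The passphrase is written to
# gpg's stdin by the shell builtin printf, so it never appears in argv.
gpg_sym_encrypt() {   # usage: gpg_sym_encrypt PASSPHRASE plain.txt out.asc
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --armor --output "$3" --symmetric "$2"
}

# Decrypt $2 into $3. Note the order: options, then --decrypt, then the file.
gpg_sym_decrypt() {   # usage: gpg_sym_decrypt PASSPHRASE in.asc plain.txt
    printf '%s\n' "$1" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --output "$3" --decrypt "$2"
}

# Returns 0 when a constructed plaintext comes back byte-identical.
# Uses an isolated GNUPGHOME so nothing in the user's real keyring is touched.
gpg_roundtrip_check() {
    work=$(mktemp -d) || return 1
    chmod 700 "$work"
    GNUPGHOME=$work; export GNUPGHOME
    pass='constructed test passphrase - not for real use'
    printf 'constructed secret line 1\nline 2\n' > "$work/secret.txt"
    rc=1
    if gpg_sym_encrypt "$pass" "$work/secret.txt" "$work/secret.txt.asc" \
       && grep -q '^-----BEGIN PGP MESSAGE-----$' "$work/secret.txt.asc" \
       && gpg_sym_decrypt "$pass" "$work/secret.txt.asc" "$work/decrypted.txt" \
       && cmp -s "$work/secret.txt" "$work/decrypted.txt"; then
        rc=0
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the agent started for $work
    unset GNUPGHOME
    rm -rf "$work"
    return $rc
}

if gpg_roundtrip_check; then
    echo "round trip OK"
else
    echo "round trip FAILED" >&2
fi
```

In real use the passphrase would come from a prompt or a secrets store rather than a shell variable; the point of the wrappers is that whatever supplies it, gpg reads it from a descriptor, not from its arguments.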

Signing Messages

Signing proves a message came from you and wasn't tampered with:

Clear-sign (for emails)

gpg --clearsign message.txt

Creates message.txt.asc—readable text with signature attached.

Detached signature

gpg --armor --detach-sign document.pdf

Creates document.pdf.asc—a separate signature file (drop --armor and you get a binary document.pdf.sig instead). Useful for software releases.

Inline signing

gpg --sign message.txt

Creates a binary message.txt.gpg with the message and its signature bundled together (signed and compressed, but not encrypted; add --encrypt --recipient to do both).

Verifying Signatures

# Verify inline signature
gpg --verify message.txt.asc

# Verify detached signature
gpg --verify document.pdf.sig document.pdf

You'll see "Good signature" if valid, or warnings if the signature is bad or from an unknown key.
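
A script that greps for "Good signature" learns only that some key signed the file, not which one, and the wording can change between versions and locales. gpg's --status-fd stream is the machine-readable alternative: a VALIDSIG line carries the fingerprint of the signing key and, in its last field, the fingerprint of the primary key it belongs to. The following is an added example, not code from the original post. It parses constructed status lines, refuses a stream containing BADSIG, ERRSIG, EXPKEYSIG or REVKEYSIG, and accepts a signature only when the primary key's fingerprint is on an allowlist; the fingerprints, signature ID and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): decide signature validity from
# gpg's --status-fd output instead of its human-readable text.
# SAMPLE_STATUS, SAMPLE_BAD_STATUS and the function names are constructed.

# Constructed --status-fd stream for a good signature made by a subkey
# (FEDC...BA98) of primary key 0123...4567. GOODSIG only shows a long key ID.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 3y4Ua3Z9wCk1hlhVu1Z4pc4sDgo 2026-03-01 1772323200
[GNUPG:] GOODSIG FEDCBA9876543210 Alice Example <alice@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2026-03-01 1772323200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed stream for a signature that did not check out.
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG FEDCBA9876543210 Alice Example <alice@example.com>'

# Read status lines on stdin; print the primary-key fingerprint of the first
# VALIDSIG (field 12), or nothing if any signature in the stream is bad,
# unverifiable, or made with an expired or revoked key.
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && fpr == "" { fpr = $12 }
         $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                             $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
         END { if (!bad && fpr != "") print fpr }'
}

# 0 iff the status stream on stdin shows a good signature whose PRIMARY key
# fingerprint is in $1 (space-separated allowlist). Allowlisting primaries
# means a new signing subkey of the same owner keeps working; allowlisting
# subkey fingerprints would not, and the stream is checked accordingly.
signature_allowed() {   # usage: ... | signature_allowed "FPR1 FPR2"
    fpr=$(validsig_primary_fpr)
    [ -n "$fpr" ] || return 1
    for allowed in $1; do
        [ "$allowed" = "$fpr" ] && return 0
    done
    return 1
}

# Verify a detached signature: status lines go to stdout (fd 1) and into the
# checker, gpg's usual human-readable messages stay on stderr for the log.
verify_detached() {   # usage: verify_detached document.pdf.sig document.pdf "FPR1 FPR2"
    gpg --status-fd 1 --verify "$1" "$2" | signature_allowed "$3"
}

# Offline demonstration on the constructed streams:
echo "primary key of valid signature: $(printf '%s\n' "$SAMPLE_STATUS" | validsig_primary_fpr)"
if printf '%s\n' "$SAMPLE_STATUS" | signature_allowed "0123456789ABCDEF0123456789ABCDEF01234567"; then
    echo "accepted: signed by an allowlisted primary key"
fi
if ! printf '%s\n' "$SAMPLE_BAD_STATUS" | signature_allowed "0123456789ABCDEF0123456789ABCDEF01234567"; then
    echo "rejected: BADSIG in stream"
fi
```

The allowlist should hold the full fingerprints you verified out of band when you imported the keys; with that in place, verify_detached returns 0 only for a release signed by one of those identities, regardless of what else is in the keyring.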

Key Management Essentials

Edit your key

gpg --edit-key YOUR_KEY_ID

This opens an interactive menu where you can:

  • passwd — Change your passphrase
  • uid — Add/edit user IDs
  • expire — Set expiration
  • trust — Set trust level for other keys
  • quit — Save and exit

Revoke your key

Generate a revocation certificate NOW, before you need it, so that you can invalidate the key if it is ever compromised or lost:

gpg --gen-revoke YOUR_KEY_ID > revoke.asc

Store this safely. If you lose access to your key, upload this to keyservers to invalidate it.

Backup your keys

Export your secret keys to encrypted backups:

# Export secret master key
gpg --export-secret-keys YOUR_KEY_ID > master.key

# Export secret subkeys
gpg --export-secret-subkeys YOUR_KEY_ID > subkeys.key

Store backups securely! These files are encrypted with your passphrase, but treat them like the keys themselves. Keep offline, in a safe place.

Web of Trust

GPG isn't just encryption—it's identity verification. When you sign someone's key, you're vouching for their identity:

gpg --edit-key THEIR_KEY_ID
# In interactive mode:
sign
save

After signing, you can send their key back (or to a keyserver) so others trust your vouch:

gpg --send-keys THEIR_KEY_ID

This is the decentralized trust model. You don't need a CA (Certificate Authority)—you build trust through connections.

Troubleshooting Common Errors

"No secret key"

You're trying to decrypt something encrypted to a different key, or you haven't imported your secret key.

"Untrusted key"

GPG won't encrypt to an untrusted key by default. Use --trust-model always to override, or sign the key first.

"Key expired"

Extend expiration or generate a new key. This is why short expiration (1-2 years) is recommended.

Automation Scripts

Here are quick aliases for your ~/.bashrc:

# Encrypt file to self
alias gpg-encrypt='gpg --symmetric --armor'

# Encrypt file to recipient
alias gpg-encrypt-to='gpg --encrypt --armor --recipient'

# Decrypt file (usage: gpg-decrypt OUTPUT_FILE INPUT_FILE)
alias gpg-decrypt='gpg --decrypt --output'

# Sign file
alias gpg-sign='gpg --armor --detach-sign'

The Bigger Picture

GPG is powerful, but it's just one tool in the privacy toolkit. For complete communication security, consider:

  • Email encryption: Mailvelope, Gpg4win, or full email client integration
  • File encryption: Use GPG for sensitive files before cloud storage
  • Code signing: Sign your commits with GPG for verified authorship
  • Passwords: Combine GPG with a password manager

The goal isn't perfect security—no such thing exists. The goal is making yourself a harder target. Most surveillance is automated. If your messages are encrypted with GPG, they bounce off automated collection systems. A human has to specifically target you to read them.

That's the difference between mass surveillance and targeted surveillance. That's the difference between being data and being a person.

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." — Edward Snowden
