ENCRYPTION
POWER

// Your keys. Your data. Your rules.

ENCRYPTION IS RESISTANCE.

In a world where corporations and governments vie for access to your data, encryption is your shield. GPG (GNU Privacy Guard) is the gold standard for asymmetric encryption—a technology that gives you the power to communicate privately, sign documents cryptographically, and verify the authenticity of messages.

NO MORE EXCUSES.

"I have nothing to hide" is the argument of someone who doesn't understand privacy. Privacy isn't about hiding—it's about consent. You decide who sees your data. GPG makes that decision enforceable, even against sophisticated adversaries.

LEARN THE TOOLS THAT MATTER.

This guide covers everything from generating your first key pair to managing a web of trust. By the end, you'll encrypt emails, sign code commits, and verify signatures like a privacy professional.

BEGIN YOUR JOURNEY →

// The Path to Encryption Mastery

12 lessons. Complete GPG control.

LESSON 01

Introduction to GPG

What is GPG? Installing GnuPG and understanding cryptographic fundamentals.

Beginner
LESSON 02

Generating Keys

Creating your first key pair. Algorithm choices and security considerations.

Beginner
LESSON 03

Key Management

Listing, viewing, and managing your keys. Keyrings and key storage.

Beginner
LESSON 04

Encrypting Data

Encrypting files and messages. Symmetric vs asymmetric encryption.

Beginner
LESSON 05

Decrypting Data

Decrypting messages and files. Handling encrypted communications.

Beginner
LESSON 06

Digital Signatures

Signing messages and files. Understanding signature types.

Intermediate
LESSON 07

Verifying Signatures

Verifying signatures. Trust models and signature verification.

Intermediate
LESSON 08

Web of Trust

Signing other keys. Keysigning parties and trust propagation.

Intermediate
LESSON 09

Subkeys & Revocation

Using subkeys for daily work. Creating and using revocation certificates.

Advanced
LESSON 10

Smart Cards

Hardware tokens. YubiKey and OpenPGP cards for key protection.

Advanced
LESSON 11

Git Signing

Signing Git commits and tags. Verified commits in GitHub/GitLab.

Advanced
LESSON 12

Email Encryption

Setting up email with GPG. Thunderbird and webmail integration.

Advanced

LESSON 01: Introduction to GPG

×

What is GPG?

GPG (GNU Privacy Guard, also called GnuPG or GPG) is a complete and free implementation of the OpenPGP standard. It allows you to encrypt and sign your data and communications, featuring a versatile key management system along with access modules for all kinds of public key directories.

GPG is the backbone of private digital communication. It's used by journalists, activists, developers, and anyone who values their digital privacy. It's been battle-tested for over 20 years.

⚡ POWER MOVE: GPG is free software (GPL licensed). It's been audited, contributed to by security researchers worldwide, and is the closest thing to military-grade encryption you can use without special licenses.

Symmetric vs Asymmetric Encryption

Understanding the difference is crucial:

Symmetric Encryption

Same key encrypts and decrypts. Like a physical lock with one key.

# Encrypt with password
gpg --symmetric --armor message.txt

# Decrypt with password
gpg --decrypt message.txt.asc

Asymmetric Encryption

Two keys: public key encrypts, private key decrypts. Like a mailbox—anyone can drop mail in (encrypt with public key), but only the owner can retrieve it (decrypt with private key).

# Encrypt for recipient (using their public key)
gpg --encrypt --armor --recipient alice@example.com message.txt

# Decrypt (using your private key)
gpg --decrypt message.txt.asc

Installing GPG

Linux

# Debian/Ubuntu
sudo apt install gnupg

# Fedora
sudo dnf install gnupg

# Arch
sudo pacman -S gnupg

macOS

# Via Homebrew
brew install gnupg

Windows

# Download from https://www.gpg4win.org/

Verify your installation:

gpg --version

Key Concepts

  • Private Key: Your secret key. NEVER share this. Used to decrypt and sign.
  • Public Key: Share this freely. Others use it to encrypt messages for you.
  • KeyID: Unique identifier for a key (e.g., 0x1234567890ABCDEF)
  • Fingerprint: SHA-1 hash of the key. Most secure way to identify keys.
  • Passphrase: Password protecting your private key.
← Back to Lessons Next Lesson →

LESSON 02: Generating Keys

×

Generating Your First Key Pair

gpg --full-generate-key

You'll be prompted through an interactive wizard:

  1. Key type: RSA and RSA (default)
  2. Key size: 4096 (maximum security)
  3. Expiration: 1-2 years (you can extend later)
  4. Name: Your real name
  5. Email: Your email address
  6. Passphrase: Strong password to protect your private key
⚡ CRITICAL: Use a strong passphrase! This is your last line of defense if your machine is compromised. Also, generate a revocation certificate NOW (we'll cover this later).

Key Algorithm Choices

RSA vs DSA/ElGamal

  • RSA: Recommended. Works for both signing and encryption.
  • DSA: Signing only (legacy).
  • ElGamal: Encryption only (legacy).

Key Sizes

  • 2048 bits: Minimum acceptable
  • 3072 bits: Good balance
  • 4096 bits: Maximum security (slower)

Expiration

Key expiration is a safety feature:

  • Short expiration (1 year): Recommended for most users
  • Longer (2-3 years): If you're lazy about key rotation
  • Never: NOT recommended—you lose ability to force key retirement

You can always extend expiration later without regenerating keys.

Generating a Revocation Certificate

Do this IMMEDIATELY after creating your key:

# Replace with your key ID or email
gpg --output revocation_cert.asc --gen-revoke your@email.com

# Store this securely (USB drive in safe, print paper copy)
# You need this if you:
# - Lose your private key
# - Forget your passphrase
# - Want to retire the key
← Previous Lesson Next Lesson →

LESSON 03: Key Management

×

Listing Keys

# List your secret keys (private keys you own)
gpg --list-secret-keys

# List your public keys
gpg --list-keys

# List all keys with fingerprints
gpg --fingerprint

Output shows KeyID, creation date, and User ID (name + email).

Exporting Keys

# Export your public key to share
gpg --armor --export your@email.com > my_public_key.asc

# Export secret key (backup)
gpg --armor --export-secret-keys your@email.com > my_secret_key.asc

# Export with specific key ID
gpg --armor --export 0x1234567890ABCDEF > public_key.asc

Importing Keys

# Import a public key
gpg --import friend_public_key.asc

# Import a secret key (for migration/backup)
gpg --import my_secret_key.asc

# Import from keyserver
gpg --keyserver keyserver.ubuntu.com --search-keys friend@email.com
gpg --keyserver keyserver.ubuntu.com --recv-keys 0x1234567890ABCDEF

Key Servers

Public keys are distributed via key servers:

# Upload your public key
gpg --keyserver keyserver.ubuntu.com --send-keys 0xYOURKEYID

# Search for a key
gpg --keyserver keyserver.ubuntu.com --search-keys "John Doe"

# Refresh (download latest versions)
gpg --refresh-keys
⚡ NOTE: Keys uploaded to key servers CANNOT be deleted. They can only be revoked. Think before publishing.
← Previous Lesson Next Lesson →

LESSON 04: Encrypting Data

×

Symmetric Encryption

Encrypt with a password (no key pair needed):

# Encrypt file
gpg --symmetric --armor secret.txt

# Output: secret.txt.asc

# Or with specific algorithm
gpg --symmetric --cipher-algo AES256 --armor secret.txt

The output is ASCII-armored (readable text), suitable for email.

Asymmetric Encryption

Encrypt for a specific recipient (using their public key):

# Encrypt for recipient
gpg --encrypt --armor --recipient friend@example.com secret.txt

# Encrypt for multiple recipients
gpg --encrypt --armor \
    --recipient alice@example.com \
    --recipient bob@example.com \
    secret.txt

# Encrypt and sign (proves you sent it)
gpg --encrypt --sign --armor --recipient friend@example.com secret.txt

Encryption Options

# Compression (default - recommended)
gpg --compress-keys ...   # Don't compress keys separately
gpg --compress-sigs ...   # Don't compress signatures separately

# Algorithm selection
gpg --cipher-algo AES256 ...   # Strongest
gpg --cipher-algo CAMELLIA256 ...

# Batch encryption
gPG --encrypt-files --recipient friend@email.com *.txt

Encrypting Directories

# Tar first, then encrypt
tar czf - mydirectory/ | gpg --symmetric --armor -o mydirectory.tar.gz.asc

# Or use tar with gpg
tar -czf - mydirectory | gpg --encrypt --recipient friend@email.com -o mydirectory.tar.gz.gpg
← Previous Lesson Next Lesson →

LESSON 05: Decrypting Data

×

Basic Decryption

# Decrypt a file (will prompt for passphrase if needed)
gpg --decrypt secret.txt.asc

# Decrypt to specific file
gpg --decrypt secret.txt.asc --output decrypted.txt

# Decrypt symmetric-encrypted file
gpg --decrypt secret.txt.asc

Decryption in Practice

# Decrypt and view directly
gpg --decrypt message.txt.asc 2>/dev/null | less

# Decrypt tar archive
gpg --decrypt backup.tar.gz.asc | tar tzf -

# Decrypt and extract
gpg --decrypt backup.tar.gz.asc | tar xzf -

Agent & Caching

gpg-agent caches your passphrase:

# Default cache: 10 minutes
# Configure in ~/.gnupg/gpg-agent.conf

# Clear cache
echo RELOADAGENT | gpg-connect-agent

# View cache settings
gpg-agent --daemon
gpg-agent --use-standard-socket
← Previous Lesson Next Lesson →

LESSON 06: Digital Signatures

×

Why Sign?

Digital signatures prove:

  • Authenticity: The message really came from you
  • Integrity: The message wasn't modified
  • Non-repudiation: You can't deny signing it

Signing Files

# Create separate signature file
gpg --sign document.txt
# Output: document.txt.gpg (binary)

# ASCII-armored signature
gpg --armor --sign document.txt
# Output: document.txt.asc

# Clearsign (message + signature in one readable file)
gpg --clearsign message.txt
# Output: message.txt.asc

# Detached signature (separate file)
gpg --armor --detach-sign document.txt
# Output: document.txt.sig

Default Key Selection

# Sign with specific key
gpg --local-user 0xKEYID --sign document.txt

# Set default key in ~/.gnupg/gpg.conf
default-key 0xYOURKEYID

# Or use GPG_KEY environment variable
GPG_KEY=0xYOURKEYID gpg --sign document.txt
← Previous Lesson Next Lesson →

LESSON 07: Verifying Signatures

×

Verification Basics

# Verify signed file (includes original)
gpg --verify document.txt.gpg

# Verify clearsigned file
gpg --verify message.txt.asc

# Verify detached signature
gpg --verify document.txt.sig document.txt

Good signature output:

gpg: Signature made Mon Jan 15 10:30:00 2024
gpg:                using RSA key 0x1234567890ABCDEF
gpg: Good signature from "John Doe "

Understanding Trust

After verification, GPG tells you:

  • Good signature: Cryptographically valid, from the claimed key
  • Bad signature: Data was modified or key is fake
  • Valid but untrusted: Signature is valid but you haven't verified the key

Practice: Verify Software Downloads

# Download software + signature
wget https://example.com/software.tar.gz
wget https://example.com/software.tar.gz.sig

# Import developer's key (do this once)
gpg --keyserver keyserver.ubuntu.com --recv-keys 0xDEADBEEF

# Verify
gpg --verify software.tar.gz.sig software.tar.gz
← Previous Lesson Next Lesson →

LESSON 08: Web of Trust

×

Trust Model

GPG uses a "web of trust" instead of central authorities:

  • Ultimate: Your own keys (you trust yourself)
  • Full trust: You trust this person to verify keys properly
  • Marginal trust: You trust this person somewhat
  • Untrusted: You don't trust this person's verifications
  • Unknown: No trust assignment

Signing Other Keys

# Sign someone's public key (after verifying their identity!)
gpg --sign-key friend@example.com

# Limited signature (won't be uploaded by default)
gpg --sign-key --local-user 0xYOURKEYID friend@example.com

# Export the signature to give to them
gpg --export-options export-minimal --export friend@example.com > friend_key.asc
⚡ CRITICAL: Only sign a key after you've verified the person's identity! Check their passport/ID. A signature means "I verified this is the real person."

Keysigning Parties

In-person events where people verify each other's identities and sign keys:

  1. Generate your key and print the fingerprint
  2. Bring ID (passport, driver's license)
  3. Meet others, verify their identity
  4. Sign each other's keys
  5. Upload signatures to keyserver
← Previous Lesson Next Lesson →

LESSON 09: Subkeys & Revocation

×

Why Subkeys?

Subkeys separate your signing/encryption capabilities from your master key:

  • Use subkeys for daily work
  • Keep master key offline (or on USB)
  • If subkey is compromised, revoke only the subkey
  • Keep your identity intact

Creating Subkeys

# Edit your key
gpg --edit-key your@email.com

# At gpg> prompt:
gpg> addkey
# Choose: RSA (sign only) or RSA (encrypt only)
# Choose size: 4096
# Set expiration
# Save: save

# List subkeys
gpg> list

Revocation Certificates

You MUST create this when you create your key:

# Create revocation certificate
gpg --output revocation.asc --gen-revoke your@email.com

# To use it later:
gpg --import revocation.asc
gpg --send-keys YOURKEYID

Reasons for revocation:

  • Key compromised
  • Passphrase forgotten
  • Key superseded
  • No longer used
← Previous Lesson Next Lesson →

LESSON 10: Smart Cards

×

Hardware Tokens

Smart cards/hardware tokens keep your private keys physically secure:

  • YubiKey: Popular, multi-purpose
  • OpenPGP Card: Dedicated GPG card
  • Librem Key: Privacy-focused

Keys never leave the device. Even if your computer is compromised, attacker can't get your keys.

YubiKey Setup

# Install required software
sudo apt install libusb-1.0-0 libpcsclite1 libccid pcscd

# Check if YubiKey is detected
gpg --card-status

Generating Keys on Card

gpg --edit-card

# At gpg> prompt:
gpg> admin

# Generate new key on card
gpg> generate

# Or move existing key to card
gpg> key 1
gpg> keytocard
← Previous Lesson Next Lesson →

LESSON 11: Git Signing

×

Why Sign Commits?

Signed commits prove:

  • You really authored the commit
  • Code wasn't tampered with
  • Verified badges on GitHub/GitLab

Configure Git to Use GPG

# Tell Git your key
git config --global user.signingkey 0xYOURKEYID

# Default to signing commits
git config --global commit.gpgsign true

# Default to signing tags
git config --global tag.gpgsign true

# Use GPG program
git config --global gpg.program gpg

Signing in Practice

# Sign a commit
git commit -S -m "My signed commit"

# Sign a tag
git tag -s v1.0 -m "My signed tag"

# Push signed commits
git push

# On GitHub: Look for "Verified" badge

Github/GitLab Integration

GitHub

  1. Add GPG key to GitHub: Settings > SSH and GPG keys > New GPG key
  2. Export: gpg --armor --export your@email.com
  3. Commits show "Verified" badge

GitLab

  1. Add GPG key to GitLab: Settings > GPG Keys
  2. Export your public key
  3. Paste and add
← Previous Lesson Next Lesson →

LESSON 12: Email Encryption

×

Email Encryption Options

  • Thunderbird + Enigmail: Classic, well-supported
  • Mailvelope: Webmail (Gmail, Outlook, etc.)
  • ProtonMail: Built-in encryption
  • FlowCrypt: Browser extension for Gmail

Thunderbird Setup

  1. Download Thunderbird
  2. Add your email account
  3. Install Enigmail extension
  4. Run Enigmail Setup Wizard
  5. It will find or create your keys
# In Enigmail:
# - OpenPGP > Key Management
# - You can generate new keys or import existing
# - Enable encryption by default in Preferences

Mailvelope for Webmail

  1. Install Mailvelope browser extension
  2. Click Mailvelope icon in email
  3. Add your private key (or generate)
  4. Import contacts' public keys
  5. Encrypt/decrypt directly in webmail

Key Distribution for Email

# Option 1: Keyserver
gpg --keyserver keyserver.ubuntu.com --send-keys YOURKEY

# Option 2: Attach to email signature
# Add to email signature:
# -----BEGIN PGP PUBLIC KEY BLOCK-----
# [your public key]
# -----END PGP PUBLIC KEY BLOCK-----

# Option 3: Personal website
# Host your key at https://yourdomain.com/key.asc

Conclusion

You've completed the GPG mastery guide. You now know how to:

  • Generate secure key pairs
  • Manage keys and keyrings
  • Encrypt and decrypt files
  • Sign and verify messages
  • Build and navigate the web of trust
  • Use subkeys for security
  • Protect keys with hardware tokens
  • Sign Git commits
  • Set up email encryption

Remember:

  • NEVER share your private key
  • ALWAYS verify keys before signing
  • KEEP your revocation certificate safe
  • USE strong passphrases
  • BACKUP your keys securely
← Previous Lesson Back to Lessons ↑