A Practical GPG Guide Part 3: Encrypt and Decrypt Files
In part 2, I explained how to upload a public key to a key server and import public key to a local keyring. In part 3, you will learn how to encrypt a file with public key and decrypt it with private key from the command line.
How GPG Encryption Works
If you need to send an encrypted file to a recipient with GPG, follow these steps
- Import the recipient’s public key to your keyring.
- Encrypt the file with the recipient’s public key
- Send the encrypted file to the recipient.
- The recipient decrypts the file with his/her own private key.
Step 1: Create a Second User Account
We will need another user account for testing. Run the following command to create the
test user account, which will act as the file sender.
sudo adduser test
sudo password, then set a password for the
test user account.
Step 2: Import the Public Key
Switch to the
test user account. (Please don’t leave out the dash character.)
su - test
Because we use the
test account as the file sender, it doesn’t need its own GPG key, we just need to import the recipient’s public key. In part 2, we uploaded the public key to a key server with the following command:
gpg --send-key key-id
So now you can just run the following command to import the public key. User ID is your GPG email address.
gpg --search user-id
As you can see, it found one record of my email address on the key server, so enter number
1 to import this key. Then check the fingerprint of this key:
gpg --fingerprint user-id
The fingerprint of the imported key is 378C B32D 8AC7 D656 F389 61B1 752E 173A 3F8B 04F5.
Now open another terminal window, so you will be using the original account, and check the fingerprint of the GPG key.
As you can see, the two fingerprints match, so it’s the correct key.
Hint: When you receive a person’s public key, you must contact the person by email, over the phone, or in-person to ask them if it’s the correct fingerprint. If the two fingerprints match, then you get the correct public key.
In the real world, you should also run the following command to sign the recipient’s public key. However we are testing, so you don’t need to do it now.
gpg --sign-key key-id
Step 3: Encrypt File With Public Key
test account, run the following command to create a sample file.
echo "This file is encrypted with GPG" | tee test-file.txt
Then run the following command to encrypt the file for a single recipient.
--armor means the file will be ASCII armored instead of creating a binary file.
gpg --recipient user-id --encrypt --armor test-file.txt
Notice the warning “There’s no assurance this key belongs to the named user.” This is because we didn’t sign the recipient’s public key in the previous step. Press
Enter. It will create a file with
.asc file extension, which is the encrypted file, also known as ciphertext.
If you have imported multiple public keys from multiple people, you can use the following syntax to encrypt a file for multiple recipients.
gpg --recipient user-id1 --recipient user-id2 --encrypt --armor test-file.txt
Step 4: Decrypt File with Private Key
Now switch back to the original account and copy the
sudo cp /home/test/test-file.txt.asc ~
Then enter the following command to decrypt it.
gpg --decrypt --pinentry-mode=loopback test-file.txt.asc > decrypted.txt
It will ask you to enter the passphrase to unlock your private key. After that, the decrypted content will be saved as
Now you can check the content of
This file is encrypted with GPG
Now you learned how to encrypt and decrypt files with GPG from the command line. In part 4, we will learn how to configure GPG in the Thunderbird email client, so you don’t have to type commands.