How to Set Up GPG Encryption
Generate GPG key pairs, encrypt and decrypt files, sign data, manage your keyring, and verify signatures on Debian, Fedora, and Arch Linux.
Before you start
- A terminal with sudo access
- gpg version 2.2 or later (gpg --version to check)
- A valid email address to associate with your key
- Offline storage (USB drive or password manager) for key backups
GPG (GNU Privacy Guard) is the open-source implementation of the OpenPGP standard. It handles two distinct jobs: encrypting data so only the intended recipient can read it, and signing data so recipients can verify it came from you and has not been tampered with. This guide walks through generating a strong key pair, managing your keyring, encrypting and decrypting files, and signing—covering the everyday workflows a sysadmin or developer actually needs.
Install GPG
Most distributions ship GPG, but confirm you have the modern gpg2 branch (version 2.2 or later). On many distros, the gpg binary already points to it.
# Debian / Ubuntu
sudo apt install gnupg
# Fedora / RHEL 9+ / Rocky
sudo dnf install gnupg2
# Arch
sudo pacman -S gnupg
gpg --version
The output will show the version and supported algorithms. You want 2.2.x or 2.4.x.
Generate a Key Pair
The full interactive wizard gives you the most control. Use --full-generate-key rather than the simplified --generate-key.
gpg --full-generate-key
Recommended choices
- Key type: ECC and ECC (an EdDSA signing key plus an ECDH encryption subkey), then select Curve 25519. On older systems that don't offer ECC, RSA 4096 is acceptable. Avoid RSA 2048 for new keys.
- Expiry: Set an expiry—2 years is a reasonable default. You can extend it later without generating a new key. A key that never expires is a liability if you lose control of it.
- Real name and email: Use whatever identity you want others to associate with this key. For personal use, your actual name and primary email is conventional.
- Passphrase: Use a strong, memorable passphrase. This protects the private key at rest. gpg-agent will cache it so you aren't prompted constantly.
GPG will collect entropy and generate the key. It prints your key fingerprint—save it. The fingerprint is the canonical identifier for your key.
Inspect and Back Up Your Keyring
List your keys
# List public keys
gpg --list-keys
# List secret (private) keys
gpg --list-secret-keys --keyid-format=long
Output will show key IDs, fingerprints, UIDs, and expiry dates. The long key ID is a 16-hex-digit suffix of the full fingerprint.
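Scripts should read the colon-delimited form of this listing (--with-colons) rather than the human-readable one, which changes between versions and locales. The script below is an added example, not part of the original guide: it parses a constructed sample of gpg --list-keys --with-colons output (the key IDs, fingerprints and user IDs in it are placeholders, not real keys), reports primary keys that are expired or expire within a given number of days, and checks the rule stated above that the long key ID is the 16-hex-digit suffix of the fingerprint.

```shell
#!/bin/sh
# Added example (not from the original guide): inspect "gpg --list-keys --with-colons"
# output for expiring keys. The sample below is constructed; all IDs are placeholders.
set -eu

# Constructed sample of `gpg --list-keys --with-colons`. Colon-separated fields used here:
#   pub: $1=record type  $2=validity  $5=long key ID  $6=created  $7=expires (epoch; empty = never)
#   fpr: $10=full 40-hex fingerprint
#   uid: $10=user ID
SAMPLE_COLONS='pub:u:255:22:6D7E8F9001234567:1700000000:1733000000::u:::scESC::::::23::0:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.com>::::::::::0:
sub:u:255:18:0A1B2C3D4E5F6071:1700000000:1733000000:::::e::::::23:
pub:e:255:22:1111222233334444:1600000000:1650000000::e:::scESC::::::23::0:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA1111222233334444:
uid:e::::1600000000::0000000000000000000000000000000000000000::Old Key <old@example.com>::::::::::0:
pub:-:255:22:5555666677778888:1700000000:::-:::scESC::::::23::0:
fpr:::::::::9999888877776666555544445555666677778888:
uid:-::::1700000000::0000000000000000000000000000000000000000::Never Expires <forever@example.com>::::::::::0:'

# expiring_keys NOW DAYS: read colon output on stdin and print "<keyid> <state> <uid>"
# for every primary key that is already expired or expires within DAYS of the epoch
# timestamp NOW. Keys without an expiry date are skipped.
expiring_keys() {
    now=$1
    horizon=$(( $1 + $2 * 86400 ))
    awk -F: -v now="$now" -v horizon="$horizon" '
        $1 == "pub" { keyid = $5; expires = $7; pending = 1 }
        $1 == "uid" && pending {
            pending = 0                                  # report each key once, on its first UID
            if (expires == "")               next        # never expires
            if (expires + 0 < now)           print keyid, "EXPIRED", $10
            else if (expires + 0 < horizon)  print keyid, "EXPIRES-SOON", $10
        }'
}

# long_keyid_matches FPR KEYID: succeed only if KEYID is 16 hex digits and is the
# suffix of the 40-hex-digit fingerprint FPR (the relationship described above).
long_keyid_matches() {
    [ ${#1} -eq 40 ] && [ ${#2} -eq 16 ] || return 1
    case "$1" in
        *"$2") return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage with the constructed sample: "now" is fixed so the output is reproducible.
printf '%s\n' "$SAMPLE_COLONS" | expiring_keys 1730000000 60
long_keyid_matches A1B2C3D4E5F60718293A4B5C6D7E8F9001234567 6D7E8F9001234567 \
    && echo "long key ID is the fingerprint suffix: OK"
```

On a real system, replace the sample with `gpg --list-keys --with-colons` on a pipe and pass `$(date +%s)` as the first argument; the report is a cheap thing to run from cron before a key silently expires.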
Export and back up
Back up your private key to offline storage immediately after creation. Anyone who obtains your unencrypted private key and passphrase can impersonate you.
# Export your public key (safe to share)
gpg --export --armor [email protected] > my-public-key.asc
# Export your private key (keep this secret and offline)
gpg --export-secret-keys --armor [email protected] > my-private-key.asc
Store my-private-key.asc on an encrypted USB drive or in a secure password manager. Also generate a revocation certificate now, before you ever need it:
gpg --gen-revoke --armor [email protected] > my-revocation-cert.asc
Store this offline too. If your key is compromised or you lose access, importing this certificate into your keyring and re-publishing the key tells others to stop trusting that key.
Exchange Public Keys
Encryption requires the recipient's public key. Signing verification requires the sender's public key. There are two common ways to share keys.
Keyservers
# Upload your public key
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_FINGERPRINT
# Search for someone else's key
gpg --keyserver hkps://keys.openpgp.org --search-keys [email protected]
# Import a specific key by fingerprint (more reliable than search)
gpg --keyserver hkps://keys.openpgp.org --recv-keys THEIR_FINGERPRINT
Direct file exchange
# Import a public key from a file
gpg --import colleague-public-key.asc
# Verify the fingerprint out-of-band (phone, in person)
gpg --fingerprint [email protected]
Never trust a key solely because it arrived in your keyring. Always verify the fingerprint through a separate channel before encrypting sensitive data or trusting signatures.
Encrypt and Decrypt Files
Encrypt for a recipient
# Encrypt a file for someone else; output is report.txt.gpg
gpg --encrypt --recipient [email protected] --output report.txt.gpg report.txt
The --armor flag produces ASCII output (.asc) instead of binary, useful when sending over email or pasting into a chat message:
gpg --encrypt --armor --recipient [email protected] --output report.asc report.txt
Encrypt for yourself (local storage)
gpg --encrypt --recipient [email protected] --output secrets.gpg secrets.txt
Symmetric encryption (no key pair needed)
For files you're encrypting purely for yourself or a shared secret, symmetric encryption is simpler. GPG will prompt for a passphrase.
gpg --symmetric --cipher-algo AES256 --output archive.tar.gz.gpg archive.tar.gz
Decrypt
# Decrypt to a file
gpg --output report.txt --decrypt report.txt.gpg
# Decrypt to stdout (useful in scripts)
gpg --decrypt secrets.gpg
GPG will invoke gpg-agent to retrieve your cached passphrase, or prompt if the cache has expired.
Sign and Verify
Signing proves the content came from the holder of a specific private key. There are three common signing modes.
Clearsign (human-readable output)
gpg --clearsign message.txt
# Produces message.txt.asc containing the original text plus an armored signature
Detached signature (file untouched)
gpg --detach-sign --armor --output release.tar.gz.asc release.tar.gz
Distribute the .asc signature file alongside the original. This is the standard approach for software releases.
Sign and encrypt in one step
gpg --sign --encrypt --recipient [email protected] --output message.gpg message.txt
Verify a signature
# Verify a clearsigned or inline-signed file
gpg --verify message.txt.asc
# Verify a detached signature
gpg --verify release.tar.gz.asc release.tar.gz
A successful verification prints Good signature from along with the signer's UID and fingerprint. A WARNING about an untrusted key means the key is in your keyring but you have not explicitly set your trust level for it—not that the signature is invalid.
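When a script has to act on a verification result, grep the machine-readable status lines gpg emits with --status-fd rather than the "Good signature" text, which is localized and changes between versions. The script below is an added example, not part of the original guide: it classifies constructed sample status logs (the key IDs and fingerprints are placeholders) and separates the cases the paragraph above describes: a good signature from a fully trusted key, a good signature from a key whose trust you have not set (the WARNING case), and a genuinely bad signature.

```shell
#!/bin/sh
# Added example (not from the original guide): classify a signature check from gpg's
# --status-fd lines. Sample status logs below are constructed; IDs are placeholders.
set -eu

# classify_signature reads status lines on stdin and prints exactly one word:
#   valid          GOODSIG + VALIDSIG and the key is fully or ultimately trusted
#   good-untrusted GOODSIG + VALIDSIG but trust is undefined/never/marginal (the WARNING case)
#   expired-key    signature is good but the signing key has expired (EXPKEYSIG)
#   revoked-key    signature is good but the signing key was revoked (REVKEYSIG)
#   bad            BADSIG: the content or the signature was altered
#   no-key         NO_PUBKEY: the signing key is not in the keyring
#   error          nothing conclusive was reported
classify_signature() {
    awk '
        /^\[GNUPG:\] GOODSIG /               { good = 1 }
        /^\[GNUPG:\] VALIDSIG /              { validsig = 1 }
        /^\[GNUPG:\] BADSIG /                { bad = 1 }
        /^\[GNUPG:\] EXPKEYSIG /             { expkey = 1 }
        /^\[GNUPG:\] REVKEYSIG /             { revkey = 1 }
        /^\[GNUPG:\] NO_PUBKEY /             { nokey = 1 }
        /^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)/ { trusted = 1 }
        END {
            if (bad)                   print "bad"
            else if (nokey)            print "no-key"
            else if (revkey)           print "revoked-key"
            else if (expkey)           print "expired-key"
            else if (good && validsig) print (trusted ? "valid" : "good-untrusted")
            else                       print "error"
        }'
}

# Constructed status logs, in the format gpg writes to the --status-fd descriptor.
FPR=A1B2C3D4E5F60718293A4B5C6D7E8F9001234567      # placeholder fingerprint
STATUS_UNTRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6D7E8F9001234567 Alice Example <alice@example.com>
[GNUPG:] VALIDSIG $FPR 2024-01-15 1705312800 0 4 0 22 8 00 $FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"
STATUS_TRUSTED="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6D7E8F9001234567 Alice Example <alice@example.com>
[GNUPG:] VALIDSIG $FPR 2024-01-15 1705312800 0 4 0 22 8 00 $FPR
[GNUPG:] TRUST_FULLY 0 pgp"
STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6D7E8F9001234567 Alice Example <alice@example.com>"
STATUS_NOKEY="[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6D7E8F9001234567 22 8 00 1705312800 9 $FPR
[GNUPG:] NO_PUBKEY 6D7E8F9001234567"

# Usage on the constructed samples. Against a real file you would feed gpg's status
# stream directly, e.g.:
#   gpg --status-fd 1 --verify release.tar.gz.asc release.tar.gz 2>/dev/null | classify_signature
printf 'good sig, trust unset : %s\n' "$(printf '%s\n' "$STATUS_UNTRUSTED" | classify_signature)"
printf 'good sig, key trusted : %s\n' "$(printf '%s\n' "$STATUS_TRUSTED" | classify_signature)"
printf 'bad signature         : %s\n' "$(printf '%s\n' "$STATUS_BAD" | classify_signature)"
printf 'signing key missing   : %s\n' "$(printf '%s\n' "$STATUS_NOKEY" | classify_signature)"
```

Only "valid" should be treated as success by a deployment or release pipeline; "good-untrusted" means the cryptography checked out but you have not yet verified and trusted the key, which is exactly the situation the warning is pointing at.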
Set Key Trust
GPG's web-of-trust model uses trust levels you assign locally. After you've verified a key's fingerprint out-of-band, mark it as trusted:
gpg --edit-key [email protected]
At the gpg> prompt, type trust, choose level 4 (full) or 5 (ultimate, for your own keys), then quit. This silences the untrusted-key warning for legitimate keys you've verified.
Verify Everything Is Working
# End-to-end self-test: encrypt then decrypt
echo "test payload" | gpg --encrypt --armor --recipient [email protected] | gpg --decrypt
If GPG prints test payload and Good signature (if you also signed), the full pipeline is operational.
Troubleshooting
gpg-agent not running / passphrase not cached
On headless servers or after an SSH login, gpg-agent may not be running. Start it explicitly:
gpgconf --launch gpg-agent
If you use SSH (including agent forwarding), also set GPG_TTY in your shell profile so pinentry can find your terminal:
export GPG_TTY=$(tty)
"No public key" error when decrypting
The file was encrypted to a key you don't hold. Confirm which key ID was used:
gpg --list-packets encrypted-file.gpg 2>&1 | grep keyid
Expired key
Extend your own key's expiry without generating a new one:
gpg --edit-key [email protected]
# at gpg> prompt:
expire
# enter new duration, e.g. 2y
save
Key not found on keyserver
Not all keyservers sync with each other. Try hkps://keyserver.ubuntu.com or hkps://pgp.mit.edu as alternatives. For verified keys, direct file import is more reliable than keyserver lookup.
Frequently asked questions
- What is the difference between signing and encrypting?
- Encryption keeps content confidential—only the holder of the private key matching the recipient's public key can read it. Signing proves authorship and integrity; it uses your private key to create a signature anyone with your public key can verify, but does not hide the content.
- Should I use RSA or ECC (Ed25519) keys?
- Ed25519 (ECC) is preferred for new keys: smaller key size, faster operations, and equivalent or better security than RSA 4096. Use RSA 4096 only if you need compatibility with very old software that does not support ECC.
- Why should I set an expiry date on my key?
- An expiry limits the damage if you lose your private key or forget your passphrase—the key becomes automatically untrusted after the expiry date. You can always extend the expiry on a key you still control, so there is no downside to setting one.
- How do I securely send someone my public key?
- Upload it to a keyserver or attach the .asc file directly. The public key is not secret—what matters is that the recipient verifies the fingerprint matches yours through a trusted channel such as a phone call or in-person confirmation.
- Can I use GPG encryption in scripts without a passphrase prompt?
- Yes. Use gpg-agent with a long cache TTL, or for fully automated scenarios (like backup scripts), generate a dedicated subkey with no passphrase. For decryption in scripts, the --batch and --passphrase-fd flags (together with --pinentry-mode loopback on gpg 2.1 and later) let you feed the passphrase from a secured file or environment variable—but protect that secret carefully.