GPG for Noobs

By the end of this tutorial, you will have a basic understanding of what GPG (GNU Privacy Guard) is and how to use it to enhance your privacy and security.

Installation

macOS

brew install gnupg

Verify Installation

gpg --version

Linux

Debian / Ubuntu

sudo apt update
sudo apt install gnupg

Fedora

sudo dnf install gnupg

Arch Linux / Manjaro

sudo pacman -S gnupg

Verify Installation

gpg --version

Windows

  1. Download the Gpg4win installer from:
    https://gpg4win.org
  2. Run the installer and follow the setup instructions.
  3. After installation, open Kleopatra (a GUI for GPG) or use the command line via cmd.

Verify Installation

gpg --version

Key Pair Generation

Most tutorials use the basic command:

gpg --generate-key

This command creates:

  • One primary key for signing and certification
  • One subkey for encryption and decryption

While this is sufficient for general use, it offers limited control over key capabilities.


We're Going Advanced

Instead, we'll use:

gpg --full-generate-key --expert

or

gpg --full-gen-key --expert

This provides granular control over:

  • Key types (e.g., RSA, ECC)
  • Separate keys for signing, encryption, and authentication
  • Key size
  • Expiration settings

This approach is ideal if you want a more professional setup or plan to use GPG for multiple purposes (e.g., signing Git commits, encrypting files, etc.).

You will be prompted with this screen:

❯ gpg --full-gen-key --expert
gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card

We will use ECC, as it provides shorter keys and is widely supported in modern ecosystems; therefore, press 11 to set your own capabilities.

You will then see:

Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?

Press S and Enter to toggle the sign capability off, leaving the primary key with Certify only; a dedicated subkey will handle signing. Then press Q to finish the capability settings.

Next, you will be prompted to choose the elliptic curve:

Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection?

We will pick Curve 25519, as it is extremely fast for signing, verifying, key generation, and key exchange.

Then set the expiry or leave it empty for no expiry:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Ideally, you should set an expiry and renew your key occasionally.
In this example, I will pick 2 years for the primary key and 1 year for subkeys.

After this, enter your name and email, and set a strong passphrase.

Congratulations — you have successfully created a GPG key.


Adding Subkeys

To add separate subkeys for signing and encryption, first determine the Key ID:

gpg -k

This command outputs something similar to:

pub   ed25519 2025-04-16 [C] [expires: 2027-04-16]
      CCAF3D9B14F987766EB0D30B8985D3E84FB43F47
uid           [ultimate] Govind <govindup63@gmail.com>

In this example, CCAF3D9B14F987766EB0D30B8985D3E84FB43F47 is the key fingerprint; it is what the rest of this tutorial refers to as the Key ID, and gpg accepts it anywhere a Key ID is expected.

Next, run the command:

gpg --edit-key --expert <KEY ID>

This command lets you configure your key:

❯ gpg --edit-key --expert CCAF3D9B14F987766EB0D30B8985D3E84FB43F47
gpg (GnuPG) 2.4.7; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/8985D3E84FB43F47
     created: 2025-04-16  expires: 2027-04-16  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Govind <govindup63@gmail.com>

gpg>

To add subkeys, use the command addkey:

gpg> addkey

This command will prompt you with:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection?

Since we need a sign-only key, choose 10. Then select the curve (Curve 25519) and set the expiration. Run addkey again and choose 12 (ECC (encrypt only)), with the same curve and expiration steps, to create the encrypt-only subkey.

After making all these changes, save your configuration by typing:

gpg> save

Now you have a primary key for certification, one subkey for signing, and one subkey for encryption.


Git Setup

Now let's set up Git for signing commits using your GPG key.

Copy your Key ID first. In my case, it's:

CCAF3D9B14F987766EB0D30B8985D3E84FB43F47

and run the following command:

git config --global user.signingkey <Key ID>

You can also use the --local flag to set it for a particular repository only.

Now you can pass the -S flag in all your commits for signing:

git commit -S -m 'commit message'

OR

You can configure Git to sign every commit:

git config --global commit.gpgSign true

Now all your commits will be signed.
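The key layout built interactively in "Key Pair Generation" and "Adding Subkeys" (a certify-only primary with separate signing and encryption subkeys) together with the Git signing setup above, as one added shell example that is not part of the original tutorial. It uses gpg's unattended --quick-generate-key and --quick-add-key commands inside a throwaway GNUPGHOME, so it never touches your real keyring; the user ID Demo User <demo@example.com> and the repository contents are constructed for the demo, and gpg 2.1+ and git are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the original tutorial.  Builds the tutorial's key
# layout unattended (certify-only ed25519 primary, sign-only and encrypt-only
# subkeys) in a temporary GNUPGHOME, then signs and verifies a Git commit.
# Assumes gpg 2.1+ and git on PATH; the user ID below is constructed.

DEMO_UID="Demo User <demo@example.com>"

# gpg with the flags needed for non-interactive use.  --passphrase '' creates
# an unprotected key: acceptable for a throwaway keyring, never for a real one.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Fingerprint of the first primary key in the keyring (what the tutorial calls
# the Key ID).  --with-colons is the script-safe output format; the "fpr"
# record that follows "pub" carries the fingerprint in field 10.
primary_fingerprint() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# Create the keyring once: primary with capability "cert" only (the unattended
# equivalent of toggling Sign off with S), valid 2 years; then a sign-only and
# an encrypt-only subkey, 1 year each, as in "Adding Subkeys".
demo_keyring() {
    [ -n "${DEMO_HOME:-}" ] && return 0
    DEMO_HOME=$(mktemp -d) || return 1
    export GNUPGHOME="$DEMO_HOME"
    chmod 700 "$GNUPGHOME"
    g --quick-generate-key "$DEMO_UID" ed25519 cert 2y 2>/dev/null || return 1
    DEMO_FPR=$(primary_fingerprint) || return 1
    g --quick-add-key "$DEMO_FPR" ed25519 sign 1y 2>/dev/null || return 1
    g --quick-add-key "$DEMO_FPR" cv25519 encr 1y 2>/dev/null || return 1
}

# One line per key: record type plus the lowercase letters of field 12, which
# are that key's own capabilities (c=certify, s=sign, e=encrypt, a=auth).
# For the layout above this yields "pub c", "sub s", "sub e".
key_capabilities() {
    gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "pub" || $1 == "sub" { caps = $12; gsub(/[^a-z]/, "", caps); print $1, caps }'
}

# Sign one commit in a fresh repository and verify it, mirroring the
# user.signingkey / commit.gpgSign settings from "Git Setup" (repo-local here
# instead of --global).  Prints the primary fingerprint gpg reports for the
# valid signature; prints nothing if verification fails.
demo_signed_commit() {
    demo_keyring || return 1
    repo=$(mktemp -d) || return 1
    git -c init.defaultBranch=main init -q "$repo"
    git -C "$repo" config user.name "Demo User"
    git -C "$repo" config user.email "demo@example.com"
    git -C "$repo" config user.signingkey "$DEMO_FPR"  # gpg picks the signing subkey
    git -C "$repo" config commit.gpgsign true           # every commit signed, no -S needed
    printf 'hello\n' > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "signed commit" || return 1
    # --raw sends gpg's status lines to stderr; the VALIDSIG line ends with the
    # primary key fingerprint of the signer.
    git -C "$repo" verify-commit --raw HEAD 2>&1 | awk '/VALIDSIG/ { print $NF; exit }'
}

# Run the demo when invoked directly (skipped if gpg or git is missing).
if command -v gpg >/dev/null 2>&1 && command -v git >/dev/null 2>&1; then
    demo_keyring && key_capabilities && demo_signed_commit
    gpgconf --kill gpg-agent 2>/dev/null
fi
```

Pointing user.signingkey at the primary fingerprint is enough: because the primary is certify-only, gpg selects the signing subkey automatically, which is exactly what the interactive setup above produces. Check the verification result with git verify-commit or git log --show-signature rather than trusting the commit's presence alone.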


GitHub Setup

To ensure GitHub recognizes your signed commits, you need to add your GPG public key to your GitHub account.

1. Export Your Public Key

Export your public key in ASCII-armored format:

gpg --armor --export <your-email@example.com>

or

gpg --armor --export <Key ID>

Copy the entire output, including the lines:

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

2. Add the Public Key to GitHub

  1. Go to GitHub.com and log in.
  2. Click your profile picture (top right) → Settings.
  3. In the left sidebar, click SSH and GPG keys.
  4. Click New GPG key.
  5. Paste your public key into the field.
  6. Click Add GPG key.

3. Verify

  • Make a signed commit and push it to GitHub.
  • On GitHub, your commit should show a "Verified" badge.

You have now fully set up GPG for Git and GitHub!

Encryption and Decryption

With your GPG keys set up, you can now encrypt and decrypt files or messages to ensure confidentiality.

Encrypting a File

To encrypt a file for a recipient (using their public key):

gpg --encrypt --armor --recipient <recipient-email-or-key-id> original_file.txt

  • --encrypt: Tells GPG to encrypt.
  • --armor: Writes ASCII-armored text (original_file.txt.asc) instead of a binary original_file.txt.gpg.
  • --recipient: The email or key ID of the person you’re encrypting for.
  • original_file.txt: The file you want to encrypt.

Example:

gpg --encrypt --armor --recipient alice@example.com secret.txt

Decrypting a File

To decrypt a file encrypted for you (using your private key):

gpg --decrypt encrypted_file.gpg

  • --decrypt: Tells GPG to decrypt.
  • encrypted_file.gpg: The encrypted file.

Example (gpg names the output secret.txt.gpg when encrypting without --armor and secret.txt.asc with it; --decrypt handles both):

gpg --decrypt secret.txt.gpg

Encrypting and Decrypting Messages

You can also encrypt and decrypt text messages directly.

Encrypt a Message

  1. Type your message into a file (e.g., message.txt).
  2. Encrypt it:

gpg --armor --encrypt --recipient <recipient-email-or-key-id> message.txt

  • --armor: Outputs ASCII text (message.txt.asc) instead of binary.

Decrypt a Message

To decrypt an ASCII-armored message:

gpg --decrypt message.txt.asc

Now you can securely exchange files and messages using GPG encryption!
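The encrypt/decrypt round trip from "Encryption and Decryption", as an added shell example that is not part of the original tutorial. It generates a throwaway key pair for alice@example.com in a temporary GNUPGHOME, encrypts a constructed message both armored (.asc) and binary (.gpg), and decrypts it back; gpg 2.1+ on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original tutorial.  Encrypts a file for a
# recipient and decrypts it again in an isolated keyring, so ~/.gnupg is never
# touched.  Assumes gpg 2.1+; the recipient and message text are constructed.

DEMO_UID="Alice Demo <alice@example.com>"

# Create the isolated GNUPGHOME once, holding Alice's key pair.  --passphrase ''
# with --batch creates an unprotected key (fine for this throwaway keyring only).
# "default default" yields a sign+certify primary plus an encryption subkey
# (ed25519/cv25519 on GnuPG 2.3+, RSA on 2.2).
demo_setup() {
    [ -n "${DEMO_HOME:-}" ] && return 0
    DEMO_HOME=$(mktemp -d) || return 1
    export GNUPGHOME="$DEMO_HOME"
    chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$DEMO_UID" default default 1y 2>/dev/null
}

# Encrypt file $1 for recipient $2 (email or key ID).  $3 selects armor:
# "yes" writes ASCII "$1.asc", anything else writes binary "$1.gpg".
# Prints the path of the ciphertext file.
encrypt_for() {
    file=$1; recipient=$2; armor=${3:-yes}
    if [ "$armor" = yes ]; then
        gpg --batch --quiet --encrypt --armor --recipient "$recipient" "$file" 2>/dev/null &&
            printf '%s\n' "$file.asc"
    else
        gpg --batch --quiet --encrypt --recipient "$recipient" "$file" 2>/dev/null &&
            printf '%s\n' "$file.gpg"
    fi
}

# Decrypt $1 with the matching private key and print the plaintext to stdout
# (gpg --decrypt writes to stdout unless --output is given).
decrypt_file() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --decrypt "$1" 2>/dev/null
}

# Full round trip: encrypt a constructed message both ways, check the file
# names and the armor header, then print the text recovered from the .asc file.
demo_roundtrip() {
    demo_setup || return 1
    work=$(mktemp -d) || return 1
    printf 'meet at noon\n' > "$work/secret.txt"

    asc=$(encrypt_for "$work/secret.txt" alice@example.com yes) || return 1
    grep -q 'BEGIN PGP MESSAGE' "$asc" || return 1      # armored output is pasteable text

    bin=$(encrypt_for "$work/secret.txt" alice@example.com no) || return 1
    [ "$bin" = "$work/secret.txt.gpg" ] && [ -f "$bin" ] || return 1
    [ "$(decrypt_file "$bin")" = "meet at noon" ] || return 1   # binary form decrypts too

    decrypt_file "$asc"
}

# Run the demo when invoked directly (skipped if gpg is missing).
if command -v gpg >/dev/null 2>&1; then
    demo_roundtrip
    gpgconf --kill gpg-agent 2>/dev/null
fi
```

The two ciphertext names are the reason the tutorial's decrypt examples use both secret.txt.gpg and message.txt.asc: the suffix only reflects whether --armor was given, and --decrypt reads either form.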