Encryption with GnuPG on Ubuntu

If you want to exchange encrypted files with other parties and exchange encryption keys safely with said parties then Public Key Cryptography, as supported by GnuPG, is the way to go.

With Public Key Cryptograhy keys come in pairs consisting of a public key and a private key. The public key and private key are related in such a way that files encrypted with one key can only be decrypted with the other.

public key cryptographyAs the name suggests the public key can be shared with anyone. You could for instance share your public key with a friend by email. Once your friend is in possession of your public key, he can now use it to encrypt a file and send it to you by email. The file is then decrypted by you using your private key.

Email is an inherently unsafe channel of communication and someone could have intercepted both your public key and the encrypted file - but no harm done. Without the private key the intercepted material is of no use.

Let's see how this works hands-on with GnuPG on Ubuntu.

Install GnuPG

Ubuntu life is easy:

sudo apt-get install gnupg

Create a key

First let's create your personal key pair. GnuPG will take you through a number of steps to set it up.

gpg --gen-key

Select the key type (1) RSA and RSA.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1

A keysize of 2048 bits is still considered adequate, and if you some day wish to move your key to a safer storage, such as a OpenPGP smartcard, then the card may have a max size of 2048 bits, so let's stay with that for now.

What keysize do you want? (2048) 2048

Understanding expiration periods is difficult without understanding the concept of a primary key and its subkeys, which I will introduce in another post. For now just create the key without an expiration period, it can be changed later on.

Please specify how long the key should be valid.
0 = key does not expire
<n> d = key expires in n days
<n> w = key expires in n weeks
<n> m = key expires in n months
<n> y = key expires in n years
Key is valid for? (0) 0

Your friends will import your public key into their keyring and when they want to use the key they identify it by name, email and a comment. Make sure these uniquely identify who you are.

Real name: Bob
Email address:
Comment: Aka bobmeister

The passphrase is critically important because it protects your private key. GnuPG maintains two keyrings, one for public keys and one for private keys. Whenever you use a private key to decrypt something, GnuPG will prompt you for the passphrase.

Chose a passphrase of 3 to 5 random words. They should be random in the sense that one should not be able to find this sequence of words in any book. Google "random passphrase generator" if you need help to generate something truly random.

Enter passphrase: WarmWilly-WANKA2wants&warts

When you are through, the keys are stored in a public and private keyring file under ~/.gnupg:

drwx------   2 bob bob 4096 jul  5 14:08 ./
drwxr-xr-x 100 bob bob 4096 jul 5 09:35 ../
-rw------- 1 bob bob 9398 mar 26 20:44 gpg.conf
-rw------- 1 bob bob 3707 jul 5 13:56 pubring.gpg
-rw------- 1 bob bob 2577 jul 5 13:34 secring.gpg
-rw------- 1 bob bob 1360 jul 5 13:56 trustdb.gpg

Encrypt a file

Now that you have a key pair let's start out with a simple scenario - to encrypt a file that only you can decrypt.

The -e option names the file to encrypt and the -o option the encrypted output file. The -r option tells GnuPG who the recipient is. Encryption is performed with the recipient's public key. Choose yourself as recipient (in this scenario that's you Bob!).

Bob> gpg -o <encryptedoutputfile> -r -e <sourcefile>

Using the email address to select the associated key is a general pattern when using GnuPG. If you can't remember the email address of a public key, then list the keys in your public keyring with this command:

Bob> gpg -k

To decrypt the encrypted file using your private key:

Bob> gpg -o <outputfile> -d <encryptedsourcefile>

Notice that we didn't specify which key to use for decryption. The key is already identified by information stored in the encrypted file.

This completes the first scenario.

In this next scenario we encrypt a file that only your friend Joe can decrypt.

First Joe exports his public key to a file and sends it to you:

Joe> gpg -o joespublickey.asc --export -a

You import his public key into your keyring:

Bob> gpg --import joespublickey.asc

Someone may have substituted his public key for their own while it was in transit to you. To verify that it is actually his key, you list the fingerprint of the key (a sort of short digest of the public key), call him on the phone and read the fingerprint aloud.

Bob> gpg --fingerprint
pub 2048R/675F7FA8 2015-03-25
Key fingerprint = BD9F 2FB3 91B0 D6CA 97EF 957F 9C15 570B 675E 7FA7
uid Bob <>
sub 2048R/7A11F3A0 2015-03-25

If he agrees that it is indeed his key, then sign his key with your own private key to make it trusted. Note you can skip this step but GnuPG will warn you that his key is not trusted when you use it.

Bob> gpg --sign-key

Encrypt a file with his public key:

Bob> gpg -o <encryptedoutputfile> -r -e <sourcefile>

Send the encrypted file to Joe who can now decrypt it using his own private key:

Joe> gpg -o <outputfile> -d <encryptedsourcefile>


Backup all the files stored in the ~/.gnupg folder. Although the private keyring is already protected by a passphrase, you could add another layer of security, by storing the backup on an encrypted USB flash drive.

Wrapping up

You now have a basic setup to work with public key encryption, but having the private key stored on the day-to-day machine does pose a risk that the key might be stolen. Someone that breaks into that machine, could steal your passphrase with a keylogger and copy the private keyring file. For that reason many GnuPG users choose to move the private key off the harddrive onto a OpenPGP Card USB device such as the Nitrokey Pro. Once stored on the USB device the private key can still be used, but no longer copied.