How to secure yourself with GPG

Generate your key

  1. Run the following command in your shell,
    gpg --gen-key
  2. The program will now ask you to choose a couple of options. Use the following preferences:
  3. Please select what kind of key you want: 1    RSA and RSA (default)
  4. What keysize do you want? (2048) 4096
  5. Key is valid for? (0) 0
  6. Is this correct? (y/N) y
  7. Now enter your name, email and a comment.
  8. Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
  9. Finally, enter a passphrase to protect your secret key.

Edit your key

You can edit the key later to change other options.
For example, let's set the key to prefer stronger hashes.

  1. Edit the key using the following command,
     gpg --edit-key <key-id>
  2. Now set the hash preferences as follows,
    gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP
  3. Really update the preferences? (y/N) y
  4. Enter your passphrase.
  5. Save new preferences by command,

Make your key available

There are 2 ways to make your key available to other users.

  1. Give it to them manually. Use the following command,
    gpg --armor --export

    You will get your public key. Copy it and send it to the other user.

  2. Upload it to a key server. Again, there are 2 ways to do this. One is to use the forms available on the server. For the second, first grab your key ID from the following command's output and then upload it to a keyserver,
    gpg --keyserver <keyserver> --send-keys <key-id>


Importing other keys

  1. Import the other user's keys. Keys of other users can be imported in multiple ways. From a text file – if someone sends you a text file containing their public key, import it as,
     gpg --import <pub_key_file>

    From a key server – there are some popular key servers which host public keys.
    One such server is ``. Here you can search for a particular user's key as follows,

    gpg --keyserver <keyserver> --search-keys <string>
  2. Validate the key. The easy way to validate a person's identity is to match the fingerprint of the key.
    gpg --fingerprint
  3. Sign the imported key as,
    gpg --sign-key <key-id>
  4. Optionally, you can send the signed key back.
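
A scripted form of the fingerprint check in step 2, as an added example that is not from the original post: it reads the primary key's fingerprint from a key file and compares it with a fingerprint you obtained from the owner through a separate channel. The function names, the script name and the sample listing are constructed for illustration, and `check_key_file` assumes a GnuPG 2.x build that provides `--show-keys`.

```shell
#!/bin/sh
# Added example: check a key file's full fingerprint against one obtained
# out of band, before `gpg --import` / `gpg --sign-key`.

# normalize_fpr FPR: drop spaces and colons, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# primary_fpr: read `gpg --with-colons` output on stdin and print field 10 of
# the first "fpr" record after the first "pub" record (the primary key).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# fpr_matches LISTING EXPECTED: succeed only on a full-fingerprint match.
fpr_matches() {
    got=$(printf '%s\n' "$1" | primary_fpr)
    want=$(normalize_fpr "$2")
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# check_key_file FILE EXPECTED: inspect FILE without adding it to the keyring.
# Assumes a GnuPG 2.x build that provides --show-keys.
check_key_file() {
    listing=$(gpg --batch --with-colons --show-keys "$1" 2>/dev/null) || return 2
    fpr_matches "$listing" "$2"
}

# Constructed colon-format listing for illustration (not a real key).
SAMPLE='pub:-:4096:1:0123456789ABCDEF:1500000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:-::::1500000000::::Alice Example <alice@example.org>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1500000000::::::e::::::23:
fpr:::::::::1111222233334444555566667777FEDCBA987654:'

# Usage: sh check_fpr.sh <pub_key_file> "<fingerprint read out by the owner>"
if [ "$#" -eq 2 ]; then
    if check_key_file "$1" "$2"; then
        echo "fingerprint matches"
    else
        echo "fingerprint MISMATCH or unreadable key file" >&2
        exit 1
    fi
fi
```

A subkey fingerprint or a short key ID is rejected on purpose: only the full primary-key fingerprint identifies the key being signed.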

Using gpg key

  • To encrypt a message using your key, use the following command,
    gpg --encrypt --sign --armor -r <recipient> <filename>
  • To decrypt a file,
     gpg <filename>

Creating revocation certificate

There is always a possibility that your master key-pair may get lost (or, if you are unfortunate, stolen). If this happens, you must tell other people not to use your public key. This can be done using a revocation certificate. Generate a revocation certificate using the following command,

gpg --output <key-id>.gpg-revocation-certificate --gen-revoke <key-id>

Store it somewhere safe, separately from the master key-pair.

Some useful commands

  • List available keys,
    gpg --list-keys
  • Update key information,
     gpg --refresh-keys




About Rohit Chormale

I am a software engineer from Hyderabad, India with primary interests in distributed systems. In my leisure time, I love to read technical papers and hacking emacs.
