How to Encrypt and Decrypt Files Using GPG in Linux

In computing, encryption is a popular and most times the recommended technique of hiding information in a secretive format. GnuPG is one of the useful tools for encrypting information (files) on Linux systems.

GnuPG (also known as GNU Privacy Guard or simply GPG) is GNU’s tool used to encrypt data and create digital signatures that contribute to overall information security. It is a complete and free implementation of the OpenPGP Internet standard that provides an advanced key management solution.

There are two versions of GPG available:

1. gpg – a standalone version that is more suited for servers and embedded platforms.
2. gpg2 – a version intended for desktops and requires several other modules to be installed.

In some popular Linux distributions such as Debian, the gnupg2 package is a dummy transitional package that provides symlinks from gpg2 to gpg.

This guide shows how to generate a GPG key pair, export and share public keys, encrypt a file, and share and decrypt a file using GPG in Linux systems.

It demonstrates information sharing between two parties:

1. Kili Aaron ([email protected]) whose command prompt is aaronk@tecmint.
2. Test Admin ([email protected]) whose command prompt is root@server.

The file shared between the two parties is called secret.txt, which contains a highly sensitive password that the Test Admin wants to share with user Kili Aaron.

You can view the contents of the secret.txt file that contains the password and other remote access details using the following cat command as shown. It exists on the Test Admin’s server:

# cat secret.txt

Install GnuPG (GNU Privacy Guard) on Linux

To install the GnuPG package, run the appropriate command for your Linux distribution as shown. Note that the gnupg package must be installed on the two systems sharing data.

$ sudo apt install gnupg          [On Debian, Ubuntu and Mint]
$ sudo yum install gnupg          [On RHEL/CentOS/Fedora and Rocky/AlmaLinux]
$ sudo emerge -a app-crypt/gnupg  [On Gentoo Linux]
$ sudo apk add gnupg              [On Alpine Linux]
$ sudo pacman -S gnupg            [On Arch Linux]
$ sudo zypper install gnupg       [On OpenSUSE]    

Generating New GPG Key Pairs in Linux

To generate new key pairs (public and private), run the gpg command with the --full-generate-key flag on both systems and follow the prompts to define the kind of key, the key size, how long the key should be valid, a user ID to identify your key, and a secure passphrase for the key as shown in the screenshot that follows.

$ gpg --full-generate-key

List GPG Key Pairs in Linux

To list the public GPG key you have just created together with other existing keys, run the gpg command with the --list-public-keys flag. To perform a long listing, add the --keyid-format=long flag.

$ gpg --list-public-keys
OR
$ gpg --list-public-keys --keyid-format=long

To list the secret GPG key you have just created together with other existing keys, run the gpg command with the --list-secret-keys flag. To perform a long listing, add the --keyid-format=long flag.

$ gpg --list-secret-keys
OR
$ gpg --list-secret-keys --keyid-format=long

Export Keys with GPG in Linux

Once the GPG key pairs have been generated on both sides, the two parties can export their public keys into a file and share via email or other means.

--------- On Kili Aaron Server --------- 
$ gpg --list-public-keys
$ gpg --export -o aaronsec.key 15B4814FB0F21208FB5076E7A937C15009BAC996

--------- On Test Admin Server ---------
# gpg --list-public-keys
# gpg --export -o tadminsec.key BC39679E5FF48D4A6AEF6F3437211F0B4D6D8A61

Import Keys with GPG in Linux

Next, exchange the public keys either via email or secure other means such as using the scp command as shown:

$ scp aaronsec.key [email protected]:/root/
$ scp [email protected]:/root/tadminsec.key ./

Next, import the public key from the opposite end into the local system public keyring by adding the --import flag as shown.

# gpg --import aaronsec.key
# gpg --import tadminsec.key

To check if the imported public key exists in the local system keyring, list the available public keys as shown.

# gpg --list-public-keys

Encrypting Files Using GPG in Linux

Now let’s look at how to encrypt the secret file using gpg keys. For this section, we will run the commands on the Test Admin’s server.

To encrypt a plain text file using the just created GPG key pair, run the following command. The -e or --encrypt flag enables encryption and the -r or --recipient flag is used to specify the recipient ID and secret.txt is the plain text file to be encrypted.

The following command encrypts the file secret.txt using the recipient [email protected]’s public key:

#gpg -e -r [email protected] secret.txt  
OR
# gpg --encrypt --recipient [email protected] secret.txt

If the previous command run successfully, a new file (the original filename ending with .gpg extension) will be generated in the current directory:

$ ls secret.txt.gpg

To store the encrypted information in a different file, use the -o or --output option followed by a filename. In this example, the preferred filename is node_configs:

# gpg -e -r [email protected] -o node_configs secret.txt
OR
# gpg --encrypt --recipient [email protected] --output node_configs secret.txt

Now share the encrypted file with your partner via email or other secure means.

Decrypting Files Using GPG in Linux

To decrypt a file encrypted using gpg, add the -d or --decrypt flag and specify the encrypted filename. By default, the decrypted information will be displayed in standard output. You can store it in a file using the -o flag as shown.

$ gpg -d -o secrets.txt secrets.txt.gpg
$ ls secrets.txt

For more information, see the gpg/gpg2 man page as shown.

$ man gpg
OR
$ man gpg2

That’s it for the scope of this guide. GPG is a commonly used tool for encrypting and decrypting information or files in Linux. If you have any comments to share about this guide, use the feedback form below.