GPG Tutorial - Command Line.

Introduction

My GPG key can be found here

In a world where there exists an ever-growing economy built around the sale and processing of individuals’ private data, tools like GNU Privacy Guard (GPG) offer a practical way to take back some control of what was once a well-respected right: individual privacy. I have spoken before on several occasions about why it is important to take your privacy seriously, and to be clear, GPG is by no means a complete solution; it is one piece of a much larger mosaic of tools needed to take full control of your privacy.

GPG offers a set of features which allow the user to secure and/or verify data in a number of ways. I often hear the argument “surely a big, powerful entity could decrypt my data if they really want to?”, and sure, there are circumstances in which this could be true, but those circumstances are almost never about breaking the mathematics. Used correctly (a strong passphrase, a private key that never leaves your control, up-to-date software), GPG gives you a strong cryptographic guarantee of the confidentiality and integrity of your data; the realistic attacks are against the endpoints and the keys, not the ciphers. I have written a guide like this before (deprecated) which goes into more detail about why this is important and how it works on a slightly more technical level, which you can access here if you’d like to. I will warn, however, that it is aimed only at Windows users and is outdated.

How to install GPG

Installing GPG will vary based on your platform, and there are often several methods of doing so. The following are the methods I recommend using to install GPG (all of which will use a package manager).

macOS

  1. Open Terminal - open Spotlight by holding Command and pressing the Space Bar, then type ‘Terminal’ and press Enter
  2. Install Homebrew by entering the following command into Terminal (please confirm this command matches the one on the Homebrew website - it may be outdated):
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
    
  3. Once Homebrew is installed, run the following command in Terminal:
    brew install gnupg
    

GPG should now be installed on your Mac.

Windows

  1. Open PowerShell (admin) - in Windows Search, type PowerShell. Locate PowerShell within the results, right click, and click “Run as Administrator”. Approve the User Account Control prompt when it shows.

  2. Install Chocolatey by entering the following command into PowerShell (please confirm this command matches the one on the Chocolatey website - it may be outdated):

    Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
    
  3. Once Chocolatey is installed, run the following command in PowerShell:

    choco install gnupg
    

GPG should now be installed on your Windows PC.

Linux

  1. If you use Linux and don’t already know how to use GPG, stop using Linux immediately - you simply aren’t worthy! (In practice GPG ships with, or is one package-manager command away on, every mainstream distribution; the package is called gnupg, or gnupg2 on some.)

How to generate a GPG keypair

In order to use GPG, you need to generate a keypair, that is, a public key and a private key. Your public key is (as the name suggests) available to the public: other people use it to encrypt data to you and to verify your signatures. Your private key is the one that decrypts and signs; it is therefore vitally important that you keep your private key safe (backed up) and secret (protected by a strong passphrase and never shared), to prevent others from reading your data or pretending to be you.

And that’s it! You’re now the proud owner of a shiny new GPG keypair. Now you need to send your public key to a keyserver, or more specifically many keyservers (only ever the public key; the private key never leaves your machine). This allows anyone to look up your GPG key and encrypt things for you, as well as to verify your signatures. Publishing is optional: you can equally export the public key to a file and hand it to people directly. You can do this as follows…

Your key has now been sent to a pool of keyservers around the world. Yay!

The last thing you should do is generate a revocation certificate, just in case your key goes missing or is stolen. A revocation certificate is basically a kill-switch for your keypair. If you import it and publish it to a keyserver, it tells everyone to stop using that key, so you can make a new one. Recent versions of GnuPG (2.1 and later) create one for you automatically when the key is generated, in the openpgp-revocs.d directory inside your GnuPG home directory; older versions need you to generate one yourself with gpg --gen-revoke.

Now this is very important… KEEP THIS CERTIFICATE SAFE! Anyone who gets hold of it can revoke your key (they cannot decrypt or sign with it, but they can tell the world your key is dead and force you to start over), and if you lose it along with your private key there is no way to tell people to stop using the key. Keep a copy offline, separately from the private key; it’s far easier to just look after the thing.
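The whole key lifecycle above (generate, inspect the fingerprint, export the public key, publish, and locate the revocation certificate) as one runnable script. This is an added example, not code from the original post: it runs inside a throwaway GNUPGHOME so it never touches your real ~/.gnupg, assumes GnuPG 2.1 or later on PATH, and the identity, e-mail address and choice of keyserver are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: the key lifecycle (generate,
# inspect, export, publish, revocation certificate) inside a throwaway GNUPGHOME.
# Assumes GnuPG 2.1+ on PATH; identity, address and keyserver are demo assumptions.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate"; exit 0; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"   # gpg warns (rightly) about a keyring others can read
OUT=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$OUT"' EXIT

USERID='Alice Example <alice@example.com>'   # constructed identity

# 1. Generate the keypair: a certify+sign primary key plus an encryption subkey,
#    using the build's default algorithm (RSA 3072 on GnuPG 2.2, ed25519/cv25519 on
#    2.3+), expiring in two years (extend later with --quick-set-expire).
#    The empty passphrase is for the demo only: for a real key drop --batch and
#    --passphrase and let gpg prompt for a strong one.
gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$USERID" default default 2y

# 2. The fingerprint is the key's identity: what a correspondent compares with you
#    out of band before trusting the key, and what you pass to --send-keys and
#    --gen-revoke instead of an ambiguous name or e-mail address.
key_fingerprint() { gpg --with-colons --fingerprint "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }
FPR=$(key_fingerprint alice@example.com)
echo "fingerprint: $FPR"
gpg --list-secret-keys --keyid-format long "$FPR"

# 3. Export the *public* key as ASCII armour: this file is what you publish or hand
#    to correspondents. Never distribute the output of --export-secret-keys.
gpg --armor --export "$FPR" > "$OUT/alice.pub.asc"
public_key_only() { ! grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$1"; }
public_key_only "$OUT/alice.pub.asc"

# 4. Publishing needs a network, so it is only defined here, not run. keys.openpgp.org
#    (assumed) is a verifying keyserver: it shows the user ID only after the e-mail
#    address has been confirmed.
publish_key() { gpg --keyserver hkps://keys.openpgp.org --send-keys "$1"; }

# 5. Revocation certificate: GnuPG 2.1+ writes one at generation time into
#    openpgp-revocs.d/<FINGERPRINT>.rev. Copy it to offline storage now.
#    (To make one by hand later, interactively:  gpg --output revoke.asc --gen-revoke "$FPR")
revocation_cert() { printf '%s/openpgp-revocs.d/%s.rev\n' "$GNUPGHOME" "$1"; }
test -s "$(revocation_cert "$FPR")"
echo "revocation certificate: $(revocation_cert "$FPR")"
# The file has a ':' in front of the armour header so it cannot be imported by
# accident. If the key is ever lost or stolen: delete that colon, then
#     gpg --import <the .rev file> && gpg --send-keys "$FPR"
# and everyone who refreshes the key will see it marked as revoked.
```

The script never prints or exports the private key; the only file it writes outside GNUPGHOME is the armoured public key, and `public_key_only` is the sanity check you should run on anything you are about to publish.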

How to use GPG

Now you’ve got your keypair, you’re ready to start using it. GPG has a number of useful functions, but today I am only going to cover the two most commonly used ones, sign and encrypt, together with their counterparts, verify and decrypt.

Often data will be both signed and encrypted, in order to guarantee its integrity and origin (the signature) as well as its confidentiality (the encryption).

How to import someone else’s key

If someone has sent you a file with a signature or an encrypted file, it is important to be able to verify/decrypt it. The first thing you’ll need to do is import the public key of whoever sent you the file, either from a file they gave you or from a keyserver by fingerprint:

gpg --import <their public key file>
gpg --recv-keys <their key's fingerprint>

Importing only adds the key to your keyring; it does not mean you have checked that the key is really theirs. Compare the fingerprint with them out of band before relying on it, and once you have, you can certify it with gpg --sign-key (or gpg --lsign-key for a certification that stays local to your keyring).

How to sign data

To sign a file, you first need to navigate to whichever directory said file is stored in on your device. I won’t outline here how to do that, but numerous guides online will help with this (it’s very easy).

When you distribute a file with a detached signature (the .sig or .asc file that gpg --detach-sign produces), be sure to include both the file itself and the signature file; a signature on its own cannot be checked. If you used plain gpg --sign instead, the output is a single .gpg file that wraps the data and the signature together, and that one file is what you distribute.

How to encrypt data

To encrypt a file, the process is remarkably similar to signing. As before, begin by navigating to the file’s directory.

How to verify a signature

With the sender’s key imported (as above), run the following command in the signature file’s directory. It is important to have both the signature file and the file itself together for this:

gpg --verify <signature's filename>

The result should now be shown. “Good signature from …” means the file is byte-for-byte what was signed, and was signed with that key. If you have not yet certified the key, gpg also warns that the key is not certified with a trusted signature; that warning is about whether the key really belongs to the sender, not about the file, and the fix is to check the fingerprint with them and certify the key. “BAD signature” means the file or the signature has been altered: do not use it.

How to decrypt a file

Decrypting a file is probably the easiest GPG operation. Simply navigate in the terminal to the directory where the encrypted file is and run the following command (by default the plaintext goes to your terminal; add --output <filename> to write it to a file instead). If the sender also signed the file, GPG verifies the signature at the same time and reports it just as --verify would:

gpg --decrypt <filename>

That’s it! I said it’d be easy.
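The sections above (import someone’s key, sign, encrypt, verify, decrypt) as one end-to-end round trip between two parties, including the failure case where a signed file has been tampered with. This is an added example, not code from the original post: it uses two throwaway keyrings (Alice and Bob) so nothing touches your real ~/.gnupg, assumes GnuPG 2.1 or later on PATH, and the names, addresses and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a sign / encrypt / import / verify /
# decrypt round trip between two throwaway keyrings. Assumes GnuPG 2.1+ on PATH;
# names, addresses and file contents are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate"; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"   # sender: signs and encrypts
BOB="$WORK/bob"       # recipient: imports Alice's key, verifies and decrypts
mkdir -m 700 "$ALICE" "$BOB"
trap 'for h in "$ALICE" "$BOB"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# Run gpg against one party's keyring, non-interactively. The empty passphrase is a
# demo shortcut; a real private key needs a strong one (drop --batch and
# --passphrase and gpg will prompt).
g() { h=$1; shift; gpg --homedir "$h" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
# Primary-key fingerprint of the first key matching $2 in keyring $1.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# 1. Each side generates a keypair: signing primary key plus encryption subkey.
g "$ALICE" --quick-generate-key 'Alice Example <alice@example.com>' default default 1y
g "$BOB"   --quick-generate-key 'Bob Example <bob@example.com>'     default default 1y

# 2. Exchange *public* keys as files and import them (the offline equivalent of
#    gpg --recv-keys <fingerprint> against a keyserver).
g "$ALICE" --armor --export alice@example.com > "$WORK/alice.pub.asc"
g "$BOB"   --armor --export bob@example.com   > "$WORK/bob.pub.asc"
g "$ALICE" --import "$WORK/bob.pub.asc"
g "$BOB"   --import "$WORK/alice.pub.asc"

# 3. Importing only stores the key; it says nothing about whether it really belongs
#    to that person. After comparing fingerprints out of band, each side certifies
#    the other's key locally. Without this, gpg refuses to encrypt to the key in
#    batch mode and warns "not certified with a trusted signature" on verify.
g "$ALICE" --quick-lsign-key "$(fpr "$ALICE" bob@example.com)"
g "$BOB"   --quick-lsign-key "$(fpr "$BOB" alice@example.com)"

# 4. Alice makes a detached signature (.sig, distributed alongside the file) and,
#    separately, signs-and-encrypts to Bob (one .gpg file carrying both).
printf 'Constructed sample document for the GPG demo.\n' > "$WORK/report.txt"
g "$ALICE" --local-user alice@example.com --detach-sign \
           --output "$WORK/report.txt.sig" "$WORK/report.txt"
g "$ALICE" --local-user alice@example.com --recipient bob@example.com --sign --encrypt \
           --output "$WORK/report.txt.gpg" "$WORK/report.txt"

# 5. Bob's side. verify_detached exits 0 only for a good signature over exactly
#    those bytes; decrypt_to also checks the embedded signature while decrypting.
verify_detached() { g "$BOB" --verify "$1" "$2"; }
decrypt_to()      { g "$BOB" --decrypt --output "$2" "$1"; }

verify_detached "$WORK/report.txt.sig" "$WORK/report.txt"
echo "detached signature: good"
decrypt_to "$WORK/report.txt.gpg" "$WORK/report.out"
cmp -s "$WORK/report.txt" "$WORK/report.out"
echo "decrypted content matches the original"

# 6. Failure mode: one changed byte invalidates the signature (gpg prints BAD
#    signature and exits non-zero), which is the whole point of shipping the .sig.
printf 'Constructed sample document for the GPG demo!\n' > "$WORK/tampered.txt"
if verify_detached "$WORK/report.txt.sig" "$WORK/tampered.txt" 2>/dev/null; then
    echo "BUG: tampered file verified"; exit 1
fi
echo "tampered file: signature rejected"
```

Step 3 is the one people skip: `--quick-lsign-key` stands in for the out-of-band fingerprint check, and if you remove those two lines the `--encrypt` in step 4 fails in batch mode rather than silently encrypting to an unverified key.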

- George