GPG
How to use PGP/GPG encryption (and with your 404 email address for enhanced privacy and security)
PGP/GPG Guide
A complete guide to setting up and using GPG (GNU Privacy Guard) for encrypting emails, signing messages, and verifying identities. This guide covers Linux, macOS, and Windows.
What is GPG?
GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard. It lets you:
- Encrypt messages so only the intended recipient can read them
- Sign messages to prove they came from you
- Verify signatures to confirm a message's authenticity
- Manage keys for yourself and your contacts
How It Works
GPG uses asymmetric cryptography --- you have two keys:
| Key | Purpose | Share it? |
|---|---|---|
| Public Key | Others use it to encrypt messages to you and verify your signatures | Yes --- publish it freely |
| Private Key | You use it to decrypt messages and sign things | Never --- keep it secret |
Installation
Linux
Most Linux distributions include GPG by default. Verify with:
```bash
gpg --version
```
If not installed:
Debian/Ubuntu:
```bash
sudo apt update && sudo apt install gnupg
```
Fedora/RHEL:
```bash
sudo dnf install gnupg2
```
Arch Linux:
```bash
sudo pacman -S gnupg
```
macOS
Option 1 --- Homebrew (recommended):
```bash
brew install gnupg
```
Option 2 --- GPG Suite:
Download the full GPG Suite from gpgtools.org. This includes a GUI key manager, Mail.app integration, and a system-level keychain.
Verify installation:
```bash
gpg --version
```
Windows
Option 1 --- Gpg4win (recommended):
- Download from gpg4win.org
- Run the installer
- Select components (Kleopatra GUI is recommended)
- Complete the installation wizard
Option 2 --- WSL (Windows Subsystem for Linux):
If you have WSL installed, GPG is available through your Linux distribution. Follow the Linux instructions above inside your WSL terminal.
Verify installation (open Command Prompt or PowerShell):
```bash
gpg --version
```
Expected output (all platforms):
```
gpg (GnuPG) 2.4.x
libgcrypt 1.10.x
Copyright (C) 2024 g10 Code GmbH
...
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, ...
```
Generating Your Key Pair
The process is the same across all platforms once GPG is installed.
Quick Generate
```bash
gpg --full-generate-key
```
You'll be prompted interactively:
```
gpg (GnuPG) 2.4.x; Copyright (C) 2024 g10 Code GmbH
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Real name: YourName
Email address: you@4-0-4.io
Comment:
You selected this USER-ID:
    "YourName <you@4-0-4.io>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
```
You'll then be asked for a passphrase to protect your private key.
Recommended Settings
| Setting | Value | Why |
|---|---|---|
| Algorithm | RSA and RSA | Widely compatible |
| Key size | 4096 bits | Strong security |
| Expiration | 1 year | Limits damage if compromised; can be renewed |
| Email | you@4-0-4.io | Ties to your 404 identity |
Verify Your Key
```bash
gpg --list-keys --keyid-format long
```
Output:
```
pub   rsa4096/ABCDEF1234567890 2026-02-07 [SC] [expires: 2027-02-07]
      Key fingerprint = 1234 5678 9ABC DEF0 1234 5678 ABCD EF12 3456 7890
uid           [ultimate] YourName <you@4-0-4.io>
sub   rsa4096/0987654321FEDCBA 2026-02-07 [E] [expires: 2027-02-07]
```
Exporting and Sharing Your Public Key
Export to a File
```bash
gpg --armor --export you@4-0-4.io > my-public-key.asc
```
The --armor flag outputs ASCII text instead of binary, making it safe to paste in emails or on websites.
Upload to a Key Server
```bash
gpg --keyserver hkps://keys.openpgp.org --send-keys ABCDEF1234567890
```
Replace ABCDEF1234567890 with your key ID from gpg --list-keys.
Share via 404
You can add your public key to your 404 profile so others can find it and send you encrypted messages.
Importing Someone Else's Key
From a File
```bash
gpg --import their-public-key.asc
```
Output:
```
gpg: key ABCDEF1234567890: public key "Alice <alice@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
```
From a Key Server
```bash
gpg --keyserver hkps://keys.openpgp.org --search-keys user@example.com
```
Verify the Fingerprint
Always verify a key's fingerprint through a trusted channel (in-person, phone call, signed message) before trusting it:
```bash
gpg --fingerprint user@example.com
```
Output:
```
pub   rsa4096/ABCDEF1234567890 2026-01-15 [SC] [expires: 2027-01-15]
      Key fingerprint = AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
uid           [  full  ] Alice <alice@example.com>
sub   rsa4096/1111222233334444 2026-01-15 [E] [expires: 2027-01-15]
```
Sign (Trust) Their Key
After verifying the fingerprint, sign the key to mark it as trusted:
```bash
gpg --sign-key user@example.com
```
Encrypting and Decrypting
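Before moving on to encryption, here is the import, fingerprint-verification and signing procedure from the previous section as one script. This is an added example, not part of the original guide: it reads gpg's machine-readable `--with-colons` listing, compares the primary key's fingerprint with the one you received over a trusted channel, and signs only on an exact match. The sample listing and the `verify_then_sign` wrapper are constructed assumptions, not real gpg output.

```shell
# Added example: verify a key's fingerprint against one obtained out of band
# (in person, phone, signed message) and sign the key only on a match.
# Parses gpg's machine-readable --with-colons listing; sample data constructed.

# Normalise a fingerprint as a human would type it: drop spaces, tabs and a
# leading 0x, then upper-case the hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr '[:lower:]' '[:upper:]'
}

# Print the primary key's fingerprint from a --with-colons listing on stdin.
# Field 10 of an "fpr" record is the fingerprint; the first fpr after a "pub"
# record belongs to the primary key (later fpr records belong to subkeys).
primary_fprs() {
  awk -F: '$1 == "pub" { want = 1 }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# $1 = fingerprint received over a trusted channel; listing on stdin.
# Returns 0 only when it matches the primary key's fingerprint exactly.
check_fingerprint() {
  expected=$(norm_fpr "$1")
  actual=$(primary_fprs | head -n 1)
  if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
    return 0
  fi
  return 1
}

# Real-world use (hypothetical wrapper): $1 = key ID or e-mail, $2 = the
# fingerprint the owner read to you. Refuses to sign on any mismatch.
verify_then_sign() {
  if gpg --with-colons --fingerprint "$1" | check_fingerprint "$2"; then
    gpg --sign-key "$1"
  else
    echo "Fingerprint mismatch for $1: not signing" >&2
    return 1
  fi
}

# Constructed stand-in for `gpg --with-colons --fingerprint alice@example.com`,
# using the Alice key shown earlier in this guide (not real gpg output).
SAMPLE_LISTING='pub:f:4096:1:ABCDEF1234567890:1768435200:1799971200::f:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:f::::1768435200::0123456789ABCDEF0123456789ABCDEF01234567::Alice <alice@example.com>::::::::::0:
sub:f:4096:1:1111222233334444:1768435200:1799971200:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Pipe `printf '%s\n' "$SAMPLE_LISTING" | check_fingerprint "AAAA BBBB ... 3333"` to try it offline; note that the subkey's fingerprint is deliberately rejected, since only the primary key's fingerprint identifies the key.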
Encrypt a Message
```bash
gpg --armor --encrypt --recipient user@example.com message.txt
```
This creates message.txt.asc (or message.txt.gpg without --armor). The encrypted output looks like:
```
-----BEGIN PGP MESSAGE-----
hQIMA...long base64 string...
...
-----END PGP MESSAGE-----
```
Encrypt for Multiple Recipients
```bash
gpg --armor --encrypt \
  --recipient alice@example.com \
  --recipient bob@example.com \
  message.txt
```
Decrypt a Message
```bash
gpg --decrypt message.txt.asc
```
GPG will automatically use your private key and prompt for your passphrase.
```bash
# Save decrypted output to a file
gpg --decrypt --output decrypted.txt message.txt.asc
```
Encrypt from Stdin (Pipe)
```bash
echo "secret message" | gpg --armor --encrypt --recipient user@example.com
```
Signing and Verifying
Sign a Message
Clearsign (readable text with inline signature):
```bash
gpg --clearsign message.txt
```
Output (message.txt.asc):
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is the original message content.
-----BEGIN PGP SIGNATURE-----
iQIzBAEB...signature data...
-----END PGP SIGNATURE-----
```
Detached signature (separate .sig file):
```bash
# Produces message.txt.sig; add --armor to get an ASCII message.txt.asc instead
gpg --detach-sign message.txt
```
Sign and encrypt in one step:
```bash
gpg --armor --sign --encrypt --recipient user@example.com message.txt
```
Verify a Signature
```bash
# Verify a clearsigned message
gpg --verify message.txt.asc
# Verify a detached signature
gpg --verify message.txt.sig message.txt
```
Successful output:
```
gpg: Signature made Wed 07 Feb 2026 12:00:00 PM UTC
gpg:                using RSA key ABCDEF1234567890
gpg: Good signature from "YourName <you@4-0-4.io>" [ultimate]
```
Key Management
List Your Keys
```bash
# List public keys
gpg --list-keys
# List private keys
gpg --list-secret-keys
```
Edit a Key
```bash
gpg --edit-key you@4-0-4.io
```
Inside the edit prompt, useful commands:
| Command | Description |
|---|---|
| passwd | Change your passphrase |
| expire | Change expiration date |
| adduid | Add another email/identity |
| trust | Set trust level |
| save | Save and exit |
| quit | Exit without saving |
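A companion to the `expire` command in the table above, added here as an example that is not part of the original guide: a check that reports which keys and subkeys are expired or close to expiring, so you renew them before correspondents start seeing "Key Expired" failures. The sample listing, its dates and the `check_my_key` wrapper are constructed assumptions, not real gpg output.

```shell
# Added example: flag keys and subkeys that are expired or about to expire.
# Reads a `gpg --with-colons --list-keys` listing; in pub/sub records field 5
# is the key ID and field 7 the expiry as a Unix epoch (empty = never expires).

# $1 = warn when this many days or fewer remain; $2 = "now" as an epoch
# (defaults to the current time); listing on stdin. Prints one status line
# per key/subkey and returns 1 if any is expired or within the threshold.
check_expiry() {
  thr=$1
  now=${2:-$(date +%s)}
  awk -F: -v now="$now" -v thr="$thr" '
    $1 == "pub" || $1 == "sub" {
      if ($7 == "") { print $1, $5, "never expires"; next }
      left = int(($7 - now) / 86400)
      if ($7 <= now)        { print $1, $5, "EXPIRED"; bad = 1 }
      else if (left <= thr) { print $1, $5, "expires in " left " days"; bad = 1 }
      else                  { print $1, $5, "ok, " left " days left" }
    }
    END { if (bad) exit 1; exit 0 }'
}

# Real-world use (hypothetical wrapper): $1 = your key ID or e-mail; warns
# 30 days ahead so there is time to run expire/save and re-upload the key.
check_my_key() {
  gpg --with-colons --list-keys "$1" | check_expiry 30
}

# Constructed stand-in for `gpg --with-colons --list-keys you@4-0-4.io`:
# primary key expires 2027-02-07; the encryption subkey has deliberately been
# given a short life ending 2026-03-01 to show the warning path.
SAMPLE_KEYS='pub:u:4096:1:ABCDEF1234567890:1770422400:1801958400::u:::scESC::::::23::0:
fpr:::::::::123456789ABCDEF012345678ABCDEF1234567890:
uid:u::::1770422400::0123456789ABCDEF0123456789ABCDEF01234567::YourName <you@4-0-4.io>::::::::::0:
sub:u:4096:1:0987654321FEDCBA:1770422400:1772323200:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Run `printf '%s\n' "$SAMPLE_KEYS" | check_expiry 30 1771545600` (now = 2026-02-20) to see the subkey flagged with 9 days left while the primary key reports 352 days.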
Extend Expiration
```bash
gpg --edit-key you@4-0-4.io
# At the gpg> prompt:
expire
# Enter new expiration (e.g., 1y)
save
```
Then re-upload to the key server:
```bash
gpg --keyserver hkps://keys.openpgp.org --send-keys ABCDEF1234567890
```
Delete a Key
```bash
# Delete a public key
gpg --delete-keys user@example.com
# Delete your private key (be careful!)
gpg --delete-secret-keys you@4-0-4.io
```
Backup and Recovery
Back Up Your Private Key
```bash
gpg --armor --export-secret-keys you@4-0-4.io > private-key-backup.asc
```
Store this file somewhere safe and offline (encrypted USB drive, printed on paper, etc.). If you lose your private key, you lose access to all messages encrypted to it.
Back Up Your Revocation Certificate
GPG automatically creates one at key generation. Find it at:
- Linux/macOS: ~/.gnupg/openpgp-revocs.d/
- Windows: %APPDATA%\gnupg\openpgp-revocs.d\
Restore from Backup
```bash
gpg --import private-key-backup.asc
```
Revoke a Compromised Key
If your key is compromised, publish the revocation certificate:
```bash
# Generate a revocation certificate (if you don't have one)
gpg --gen-revoke you@4-0-4.io > revoke.asc
# Import the revocation
gpg --import revoke.asc
# Publish the revocation
gpg --keyserver hkps://keys.openpgp.org --send-keys ABCDEF1234567890
```
GUI Tools by Platform
Linux --- Seahorse (GNOME) / KGpg (KDE)
Seahorse provides a graphical key manager on GNOME desktops:
```bash
sudo apt install seahorse
```
KGpg is the KDE equivalent:
```bash
sudo apt install kgpg
```
Both provide visual interfaces for generating keys, importing/exporting, and encrypting files.
macOS --- GPG Keychain
Part of the GPG Suite. Provides a native macOS interface for:
- Generating and managing keys
- Importing/exporting keys
- Encrypting/decrypting files via drag and drop
Windows --- Kleopatra
Included with Gpg4win. Features:
- Visual key manager
- File encryption/decryption via right-click context menu
- Certificate management
- Smartcard support
Email Integration
Thunderbird (Linux / macOS / Windows)
Thunderbird has built-in OpenPGP support (no add-on needed since v78):
- Open Account Settings > End-to-End Encryption
- Click Add Key and either generate a new key or import your existing one
- Enable Require encryption by default if desired
Apple Mail (macOS)
With GPG Suite installed, encryption and signing controls appear automatically in the Mail compose window:
- Click the lock icon to encrypt
- Click the seal icon to sign
Outlook (Windows)
With Gpg4win and the GpgOL plugin:
- Open Outlook
- Compose a new email
- Use the GpgOL toolbar to sign/encrypt
Quick Reference
Common Commands
```bash
# Generate a key pair
gpg --full-generate-key
# List keys
gpg --list-keys
gpg --list-secret-keys
# Export public key
gpg --armor --export you@4-0-4.io > pubkey.asc
# Import a key
gpg --import keyfile.asc
# Encrypt a file
gpg --armor --encrypt --recipient user@example.com file.txt
# Decrypt a file
gpg --decrypt file.txt.asc
# Sign a file
gpg --clearsign file.txt
# Verify a signature
gpg --verify file.txt.asc
# Search key servers
gpg --keyserver hkps://keys.openpgp.org --search-keys user@example.com
# Upload your key
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID
```
GPG Config Tweaks
Add to ~/.gnupg/gpg.conf for better defaults:
```
# Use strong algorithms
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# Display long key IDs
keyid-format 0xlong
# Show fingerprints
with-fingerprint
# Default key server
keyserver hkps://keys.openpgp.org
```
Troubleshooting
"No public key" When Encrypting
```bash
# Import the recipient's key first
gpg --keyserver hkps://keys.openpgp.org --search-keys recipient@example.com
```
"Bad passphrase" or Agent Issues
```bash
# Restart the GPG agent
gpgconf --kill gpg-agent
gpg-agent --daemon
```
On macOS with GPG Suite, you may need to set the pinentry program:
```bash
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
gpgconf --kill gpg-agent
```
"Unusable public key" or Trust Issues
```bash
# Set the trust level for a key
gpg --edit-key user@example.com
# At the gpg> prompt, type: trust
# Select trust level 5 (ultimate) for your own keys, or an appropriate level for others
```
Key Expired
```bash
# Extend your own key's expiration
gpg --edit-key you@4-0-4.io
# At the gpg> prompt:
expire
# Set new expiration, then:
save
```
Windows: "gpg is not recognized"
Add GPG to your PATH:
- Find the install directory (usually C:\Program Files (x86)\GnuPG\bin)
- Add it to your system PATH via System Properties > Environment Variables
- Restart your terminal
Additional Resources
- GnuPG Official Documentation
- OpenPGP Best Practices
- Email Self-Defense (FSF Guide)
- GPG Suite for macOS
- Gpg4win for Windows
For support, join #help on my IRC server or consult the community forums.
Last updated: 2026-02-11