GPG encryption guide part 2 (asymmetric encryption)


This is the next post in our series of GPG guides. Here, we cover asymmetric encryption and decryption of data using the gpg command.

Reading time:
3 min

A quick recap

If you don't know what asymmetric encryption or gpg are, or have not yet generated a gpg key pair, or don't you know how to obtain someone else's public key, then please take a look at part 1 of our GPG Guide.

As a quick refresher, asymmetric encryption involves using a public/private key pair. The public key is distributed to people who want to send you encrypted data.

You then use your private key (which nobody else has access to) to decrypt that data.

Asymmetric Encryption

Firstly, ensure that you have the public key for the person you want to encrypt data for.

You can double check this by using the command:

gpg --list-keys

If you have the public key, then you can proceed with the encryption commands, otherwise you'll need to obtain the public key first.

To encrypt a file you can use the -e (or --encrypt) option along with the -r (or --recipient) option, as shown below:

gpg -e -r key-id|name filename

So if someone wanted to encrypt a file called file.txt for us here at Tutonics, they could use the user name "Tutonics":

gpg -e -r Tutonics file.txt

or use the key-id "EE74D48D",

gpg -e -r EE74D48D file.txt

This will produce an encrypted file called file.txt.gpg that only the recipient Tutonics can decrypt. If you need to change the name of the resulting encrypted file use the -o (or --output) option, for example to call it file.gpg, you could use:

gpg -o file.gpg -e -r Tutonics file.txt

Note that if you had not verified the Tutonics public key yet (see GPG Guide Part 1 to find out how), you'll get a warning message to that effect when you try to encrypt data using that public key (this warning is shown in the screenshot below and won't happen if the key is properly verified by you).

Decryption of asymmetrically encrypted ciphertext

For the recipient to decrypt the encrypted data created in the steps above, they need to specify the output file using -o and also use the -d (or --decrypt) option.

So to decrypt file.txt.gpg from above, the recipient (and owner of the private key) would execute this command:

gpg -o file.txt -d file.txt.gpg

The recipient will be prompted to enter the passphrase for their private key.

If the correct passphrase is used, the decryption algorithm will proceed and the original data will be stored in file.txt.

It's quite important to note that if no output file is specified, the decrypted ciphertext that is the plaintext (the original data) gets sent to standard out. So unless you pipe it to a file or another program, it will be displayed in your terminal and not stored to file.

Whats next?

In the next part of the GPG Guide, we'll show you how the encrypting party can use the gpg command to digitally sign data and how the recipient can verify this signature.

Thanks to everyone who worked on GNU Privacy Guard (the GNU Projects implementation of the OpenPGP standard)

Thank you for reading this article.
Please share if you liked it.