When you hear the word encryption, it often sounds like something only security researchers and intelligence agencies deal with. But in reality, every IT professional – even small teams, freelancers, or home users – should understand the basics of protecting sensitive files.
GnuPG (or GPG) is one of the most trusted tools for this. It’s free, open-source, built into every Linux distribution, and works perfectly for encrypting files, verifying downloads, or signing work-related documents.
This guide walks you through a clean, beginner-friendly setup – no advanced OPSEC, no air-gapped machines, no master-key rituals. Just the essentials that anyone at home or at work can start using today.
1. Install GPG
On most Linux systems, GPG is already installed. If not:
sudo apt install gnupg2
That’s all you need.
2. Create Your Key Pair
A GPG key pair contains:
- a public key (you share this),
- and a private key (you protect this).
To generate your first key:
gpg --full-gen-key
Recommended settings:
- RSA 4096 bits
- Expiration: Yes – 1–2 years is reasonable
- Name: Your real name or work name
- Email: Your actual email address
- Comment: Optional
- Passphrase: Strong and stored safely
For password storage, I highly recommend KeePassXC, Proton Pass, or your company’s secure vault.
3. Set Trust on Your Own Key
GPG needs to know that you trust yourself. It sounds funny, but it’s important for signatures to work properly.
gpg --edit-key your@email.com
Inside the GPG prompt, run trust, answer 5 (ultimate trust, since this is your own key), then save:
trust
5
save
Done.
4. Back Up Your Private Key
Your GPG private key is your identity.
Lose it – and you lose access to encrypted files.
Let it leak – and somebody else can impersonate you.
Export your private key safely:
gpg --armor --export-secret-keys your@email.com > private_key_backup.asc
Then encrypt that backup file with a symmetric password:
gpg -c private_key_backup.asc
This creates private_key_backup.asc.gpg, which is safer to store.
Where to store it?
- A USB stick encrypted with LUKS
- A secure cloud provider (Proton Drive, Syncthing, etc.)
- A physical offline copy in a safe place
Make at least two backups.
5. Export Your Public Key (For Sharing)
If someone wants to send you encrypted files, they need your public key:
gpg --armor --export your@email.com > public_key.asc
You can publish the public key:
- on your website,
- via email,
- on key servers.
It’s safe to share.
6. Encrypt & Decrypt Files
To encrypt a file for a specific recipient:
gpg --encrypt --recipient email@example.com important.pdf
You’ll get important.pdf.gpg.
To decrypt it:
gpg --decrypt important.pdf.gpg > important.pdf
GPG will ask for your passphrase – your private key never leaves your machine.
7. Sign & Verify Files
Signing is useful when sharing software, scripts, or documents.
Sign a file:
gpg --sign report.txt
Verify a signature:
gpg --verify report.txt.gpg
A successful verification shows the file was signed with your private key and has not been modified since; anyone holding your public key can run the same check, and a failed verification means the file should not be trusted.
8. Check Your Key Anytime
gpg --list-secret-keys
gpg --fingerprint
Your fingerprint is how you confirm your identity to others – especially when sending keys or signing commits.
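The script below is an added example, not part of the original guide: it runs steps 2 through 8 end to end against a throwaway key in a temporary GNUPGHOME, so your real keyring is never touched. The identity (demo@example.com), both passphrases, the file contents and the 3072-bit key size (the guide recommends 4096 for a real key; 3072 only keeps the demo quick) are constructed for the demo. It uses the non-interactive forms of the same commands (a --batch --gen-key parameter block instead of the --full-gen-key prompts, --import-ownertrust instead of the trust/5/save dialogue) and finishes by showing that a damaged signed file fails verification. It exits early with a message if gpg is not installed (step 1).

```shell
#!/bin/sh
# Added example, not code from the original guide: exercises steps 2-8 with a
# throwaway key in a temporary GNUPGHOME. Email, passphrases and file contents
# are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; see step 1" >&2; exit 0; }

DEMO_DIR="$(mktemp -d)"
export GNUPGHOME="$DEMO_DIR/gnupg"
mkdir -m 700 "$GNUPGHOME"
# Stop the agent gpg starts for this keyring and delete the keyring on exit.
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$DEMO_DIR"' EXIT

DEMO_EMAIL="demo@example.com"          # constructed identity
KEY_PASS="demo-key-passphrase"         # protects the private key (constructed)
BACKUP_PASS="demo-backup-passphrase"   # symmetric password for the step 4 backup

# Non-interactive gpg: --batch plus loopback pinentry so passphrases can be
# passed on the command line instead of typed into a prompt.
GPG="gpg --batch --yes --quiet --pinentry-mode loopback"

# Step 2, unattended: --batch --gen-key reads the answers --full-gen-key would
# ask for from a parameter block on stdin. Skips if the demo key already exists.
gen_demo_key() {
    gpg --batch --list-secret-keys "$DEMO_EMAIL" >/dev/null 2>&1 && return 0
    $GPG --gen-key 2>/dev/null <<EOF
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Demo User
Name-Email: $DEMO_EMAIL
Expire-Date: 1y
Passphrase: $KEY_PASS
%commit
EOF
}

# Step 8: the 40-hex-digit fingerprint from gpg's machine-readable output.
demo_fingerprint() {
    gpg --batch --with-colons --fingerprint "$DEMO_EMAIL" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 3, non-interactive form of trust / 5 / save: ownertrust 6 is "ultimate".
trust_demo_key() {
    printf '%s:6:\n' "$(demo_fingerprint)" | gpg --batch --import-ownertrust 2>/dev/null
}

# Steps 4 and 5: public key for sharing; private key exported, then wrapped
# with gpg -c (--symmetric) so only the encrypted .gpg copy is kept.
export_demo_keys() {
    $GPG --armor --output "$DEMO_DIR/public_key.asc" --export "$DEMO_EMAIL"
    $GPG --passphrase "$KEY_PASS" --armor \
        --output "$DEMO_DIR/private_key_backup.asc" --export-secret-keys "$DEMO_EMAIL"
    $GPG --passphrase "$BACKUP_PASS" --symmetric "$DEMO_DIR/private_key_backup.asc"
    rm "$DEMO_DIR/private_key_backup.asc"
    [ -s "$DEMO_DIR/private_key_backup.asc.gpg" ]
}

# Step 6: encrypt a constructed document to the key, decrypt it, compare.
roundtrip_matches() {
    printf 'Q3 budget draft (constructed sample)\n' > "$DEMO_DIR/important.pdf"
    $GPG --encrypt --recipient "$DEMO_EMAIL" "$DEMO_DIR/important.pdf"
    $GPG --passphrase "$KEY_PASS" --output "$DEMO_DIR/important.decrypted" \
        --decrypt "$DEMO_DIR/important.pdf.gpg"
    [ "$(cat "$DEMO_DIR/important.pdf")" = "$(cat "$DEMO_DIR/important.decrypted")" ]
}

# Step 7: sign and verify; --sign writes a combined signed file report.txt.gpg.
signature_verifies() {
    printf 'release notes v1.0 (constructed sample)\n' > "$DEMO_DIR/report.txt"
    $GPG --passphrase "$KEY_PASS" --sign "$DEMO_DIR/report.txt"
    $GPG --verify "$DEMO_DIR/report.txt.gpg" 2>/dev/null
}

# The check a recipient relies on: a damaged signed file must fail --verify.
tampered_signature_rejected() {
    size=$(wc -c < "$DEMO_DIR/report.txt.gpg")
    head -c "$((size - 8))" "$DEMO_DIR/report.txt.gpg" > "$DEMO_DIR/tampered.gpg"
    if $GPG --verify "$DEMO_DIR/tampered.gpg" 2>/dev/null; then
        return 1   # would be a bug: gpg accepted a truncated signed file
    fi
    return 0
}

gen_demo_key
trust_demo_key
export_demo_keys
roundtrip_matches
signature_verifies
tampered_signature_rejected
echo "all steps ok; demo key fingerprint: $(demo_fingerprint)"
```

Run it as a plain script; it prints the demo key's fingerprint on success and aborts (set -e) at the first step that fails. The same --with-colons and --import-ownertrust forms are what you would use in your own scripts or CI, where the interactive prompts from the guide are not available.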
Why This Matters
Even if you’re not an OPSEC specialist or a security researcher, good encryption hygiene protects you and your workplace from:
- ransomware actors scanning for exposed internal documents
- intercepted files shared over email
- tampered downloads
- identity spoofing
- and accidental data leaks
GPG gives you a trustworthy, time-tested defense – with zero cost.
If you’re already using SSH, VPNs, password managers, or MFA, GPG is the next logical security step.
Final Thoughts
This guide focuses on simple, practical GPG usage – nothing extreme or air-gapped. Anyone can learn this, and everyone benefits from using it.
For those who want the deeper, OPSEC-tier setup (offline master keys, subkeys, isolated devices), I’ve written a much stricter version – but that’s for people who enjoy living in the cryptographic deep end.
For everyday IT workflows?
The basics above will keep your data safe and your identity protected.