Introduction

Want to send secret messages that only the intended person can read? Need to prove that a file really came from you and hasn't been tampered with? PGP (Pretty Good Privacy) makes this possible.

PGP might sound technical, but the concept is simple: you create two keys (a public key you share and a private key you keep secret), and these keys work together to encrypt messages and prove authenticity. Think of it like a special mailbox where only the person with the right key can open it.

This guide will show you how to set up and use PGP on macOS, Windows, and Linux, using both easy graphical applications and command-line tools. By the end, you'll be able to encrypt files, verify signatures, and communicate securely.

What Is PGP and Why Should You Care?

PGP uses something called public key cryptography. Here's how it works:

Your key pair consists of two parts:

• Public key: You share this freely with everyone. People use it to encrypt messages to you or verify signatures you make.
• Private key: You keep this secret and protect it with a passphrase. You use it to decrypt messages sent to you and to sign messages you send.

Real-world scenarios where PGP helps:

1. Secure communication: Send emails or files to someone knowing that only they can read them, even if intercepted.

1. Verify authenticity: Prove that a file or message really came from you and wasn't modified by someone else.

1. Protect sensitive documents: Encrypt files on your own computer so even if someone steals your laptop, they can't read them.

1. Software verification: Many developers sign their software releases with PGP, allowing you to verify downloads haven't been tampered with.

The analogy: Think of your public key as a padlock you can give to anyone. They put their message in a box, lock it with your padlock, and send it to you. Only your private key can unlock that padlock. Similarly, you can "sign" messages with your private key to prove they came from you, and anyone with your public key can verify the signature.

Choosing Your Approach: GUI vs Command Line

You have two main options for using PGP:

Graphical User Interface (GUI) Applications:

• Easier to learn and use
• Visual interface with buttons and menus
• Great for beginners
• Best for: occasional encryption, email integration, visual key management

Command Line Interface (CLI):

• More powerful and flexible
• Better for automation and scripting
• Works consistently across all platforms
• Best for: frequent use, advanced features, integration with other tools

This guide covers both. If you're new to PGP, start with the GUI applications. Once you're comfortable, you can explore the command-line tools for more advanced uses.

Part 1: GUI Applications (Easiest for Beginners)

macOS: GPG Suite

GPG Suite provides a complete graphical interface for PGP on macOS, including integration with Apple Mail.

Installation

1. Download GPG Suite from gpgtools.org
2. Open the downloaded .dmg file
3. Run the installer and follow the prompts
4. Restart your Mac if prompted

Creating Your First Key Pair

1. Open GPG Keychain (installed with GPG Suite)
2. Click New in the toolbar
3. Fill in the form:

• Full Name: Your real name or pseudonym

• Email: Your email address (this is how people will find your key)

• Comment (optional): Something like "Personal PGP Key"

• Passphrase: A strong password to protect your private key

1. Click Advanced Options and set:

• Key type: RSA

• Key length: 4096 bits

• Expiration: 2 years (you can extend it later)

1. Click Generate Key

The app will create your key pair. This may take a minute as it generates random data.

Using GPG Keychain

To export your public key:

1. Select your key in the list
2. Right-click and choose Export
3. Save it as publickey.asc
4. You can now share this file with others or upload it to key servers

To import someone else's public key:

1. Click Import in the toolbar
2. Select their .asc file
3. Their key appears in your keychain

To encrypt a file:

1. Right-click any file in Finder
2. Choose Services > OpenPGP: Encrypt File
3. Select the recipient's key (the person who should be able to decrypt it)
4. A new encrypted .gpg file is created

To decrypt a file:

1. Right-click the .gpg file in Finder
2. Choose Services > OpenPGP: Decrypt File
3. Enter your passphrase
4. The decrypted file appears

To sign a file:

1. Right-click any file in Finder
2. Choose Services > OpenPGP: Sign File
3. Enter your passphrase
4. A .sig signature file is created alongside the original

Email Integration

GPG Suite integrates with Apple Mail:

1. Open Mail and compose a new message
2. You'll see a lock icon and a checkmark icon in the compose window
3. Click the lock to encrypt the email (recipient must have PGP set up)
4. Click the checkmark to sign the email (proves it's from you)

The integration is seamless once your keys are set up.

Windows: Gpg4win with Kleopatra

Gpg4win is the standard PGP solution for Windows, and Kleopatra provides an excellent graphical interface.

Installation

1. Download Gpg4win from gpg4win.org
2. Run the installer
3. During installation, make sure Kleopatra is selected (it's the GUI application)
4. Complete the installation

Creating Your First Key Pair

1. Open Kleopatra from the Start menu
2. Click File > New OpenPGP Key Pair
3. Fill in the form:

• Name: Your real name or pseudonym

• Email: Your email address

1. Click Advanced Settings and configure:

• Key Material: RSA, 4096 bits

• Valid until: 2 years from now

• Certificate usage: Sign, Encrypt

1. Click OK, then Create
2. Create a strong passphrase when prompted
3. Your key pair is generated

Using Kleopatra

To export your public key:

1. Right-click your key in Kleopatra
2. Choose Export Certificates
3. Save as publickey.asc
4. Share this file with others

To import someone else's public key:

1. Click Import in the toolbar
2. Select their .asc file
3. Click OK to import

To encrypt a file:

1. Click Sign/Encrypt in Kleopatra
2. Click Add and select your file
3. Check Encrypt and select the recipient's key
4. Optionally check Sign to also sign the file
5. Click Sign/Encrypt
6. The encrypted file is saved with a .gpg extension

To decrypt a file:

1. Right-click the .gpg file in File Explorer
2. Choose Decrypt and verify (from Gpg4win context menu)
3. Enter your passphrase
4. The decrypted file is saved

To sign a file:

1. Right-click any file in File Explorer
2. Choose Sign and encrypt (from Gpg4win context menu)
3. Check only Sign (not encrypt)
4. Enter your passphrase
5. A .sig signature file is created

Email Integration

Gpg4win includes GpgOL for Outlook integration:

1. Open Outlook
2. You'll see GpgOL options in the ribbon
3. When composing, click Encrypt or Sign buttons
4. Recipients with PGP can read encrypted emails and verify signatures

Linux: Seahorse (GNOME) or KGpg (KDE)

Most Linux distributions come with PGP tools pre-installed. The graphical interface depends on your desktop environment.

For GNOME (Ubuntu, Fedora, etc.): Seahorse

Installation (if not already installed):

sudo apt install seahorse  # Ubuntu/Debian
sudo dnf install seahorse  # Fedora

Creating Your First Key Pair:

1. Open Passwords and Keys (Seahorse) from your applications menu
2. Click the + button and choose PGP Key
3. Fill in the form:

• Full Name: Your name or pseudonym

• Email Address: Your email

• Comment (optional): Description of key purpose

1. Click Advanced key options and set:

• Encryption type: RSA

• Key strength: 4096 bits

• Expiration date: 2 years from now

1. Click Create
2. Enter a strong passphrase twice

Using Seahorse:

To export your public key:

1. Right-click your key
2. Choose Export
3. Save as publickey.asc

To import someone else's key:

1. Click the + button
2. Choose Import from file
3. Select their .asc file

To encrypt/decrypt/sign files:

• Right-click files in your file manager (Nautilus)
• Look for Encrypt, Sign, or Decrypt options in the context menu
• These are provided by the seahorse-nautilus package

For KDE (Kubuntu, openSUSE, etc.): KGpg

Installation (if not already installed):

sudo apt install kgpg  # Kubuntu/KDE neon
sudo dnf install kgpg  # Fedora KDE

KGpg provides similar functionality with a KDE-style interface. The workflow is nearly identical to Seahorse.

Part 2: Command Line (GPG)

The command-line tool is called GPG (GNU Privacy Guard). It's more powerful than GUI apps and works consistently across all platforms.

Installation

macOS:

brew install gnupg
gpg --version

Windows: After installing Gpg4win (see above), GPG is available in PowerShell or Command Prompt:

gpg --version

Linux (Debian/Ubuntu):

sudo apt update
sudo apt install gnupg
gpg --version

Linux (Fedora/RHEL):

sudo dnf install gnupg2
gpg --version

You should see version information, confirming GPG is installed.

Creating Your Key Pair

Run this command:

gpg --full-generate-key

You'll be asked several questions:

1. What kind of key do you want?

• Choose: (1) RSA and RSA (default)
• Press Enter

2. What keysize do you want?

• Type: 4096
• This is very strong encryption

3. How long should the key be valid?

• Recommended: 2y (2 years)
• You can extend the expiration date later
• Setting an expiration date is a security best practice

4. Is this correct?

• Type: y

5. Real name:

• Enter your full name or pseudonym

6. Email address:

• Enter your email address (this is how people find your key)

7. Comment:

• Optional. Something like "Personal PGP Key" or "Work Key"

8. Okay?

• Review the information and type: O (that's the letter O for Okay)

9. Passphrase:

• Create a strong passphrase
• This protects your private key
• If someone gets your private key file but not this passphrase, they can't use it

GPG will generate your key pair. This takes a minute as it collects random data for cryptographic strength. Move your mouse and type on your keyboard to help generate randomness.

When complete, you'll see a message with your key ID and fingerprint.

Listing Your Keys

See your public keys:

gpg --list-keys

Output looks like:

pub   rsa4096 2026-01-02 [SC] [expires: 2028-01-02]
      A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q7R8S9T0
uid           [ultimate] Your Name gt;
sub   rsa4096 2026-01-02 [E] [expires: 2028-01-02]

See your private keys:

gpg --list-secret-keys

Your private keys are stored encrypted on your computer. Without your passphrase, they're useless to anyone who finds them.

Exporting Your Public Key

To share your public key with others:

macOS/Linux:

gpg --armor --export you@example.com >gt; ~/Desktop/publickey.asc

Windows (PowerShell):

gpg --armor --export you@example.com >gt; C:\Users\YourName\Desktop\publickey.asc

Replace you@example.com with your actual email address.

What this does:

• --armor: Makes the output readable text (ASCII) instead of binary
• --export: Exports your public key
• > publickey.asc: Saves it to a file

You can now:

• Email this file to people
• Post it on your website
• Upload it to key servers (explained later)

Importing Someone Else's Public Key

When someone sends you their public key file:

gpg --import theirpublickey.asc

Their key is now in your keyring. You can verify it imported:

gpg --list-keys

You should see their name and email in the list.

Encrypting a File

To encrypt a file so only a specific person can read it:

gpg --encrypt --recipient their@email.com file.txt

Replace their@email.com with the recipient's email (the one associated with their public key you imported).

What this does:

• Creates file.txt.gpg (encrypted version)
• Only the person whose key you specified can decrypt it
• Even you can't decrypt it unless you also encrypted it to yourself

To encrypt for multiple people (including yourself):

gpg --encrypt --recipient their@email.com --recipient your@email.com file.txt

To create an ASCII-armored encrypted file:

gpg --armor --encrypt --recipient their@email.com file.txt

This creates file.txt.asc instead of file.txt.gpg. It's text-based and can be pasted into emails.

Decrypting a File

When someone sends you an encrypted file:

gpg --decrypt file.txt.gpg >gt; file.txt

What this does:

• Prompts you for your passphrase
• Decrypts file.txt.gpg
• Saves the decrypted content to file.txt

If you just want to read it without saving:

gpg --decrypt file.txt.gpg

The decrypted content appears in your terminal.

Signing a File

Signing proves a file came from you and hasn't been modified.

Create a signature file (recommended):

gpg --detach-sign file.txt

This creates file.txt.sig (the signature) alongside file.txt. Send both files to the recipient.

Create a signed version of the file:

gpg --sign file.txt

This creates file.txt.gpg, which is both signed and compressed.

Sign and create ASCII output:

gpg --clearsign file.txt

Creates file.txt.asc with the signature embedded in readable text. Great for signing emails or text files.

Verifying a Signature

When someone sends you a signed file:

If they used detached signature:

gpg --verify file.txt.sig file.txt

If they used --sign:

gpg --verify file.txt.gpg

GPG checks the signature against the file content. If it matches, you'll see:

Good signature from "quot;Their Name gt;"quot;

If the file was modified or the signature is wrong:

BAD signature from "quot;Their Name gt;"quot;

Signing and Encrypting Together

Often you want to both sign (prove it's from you) and encrypt (keep it private):

gpg --encrypt --sign --recipient their@email.com file.txt

The recipient can decrypt it and also verify it came from you.

Encrypting a Message (Not a File)

To encrypt a message directly:

echo "quot;Secret message"quot; | gpg --encrypt --armor --recipient their@email.com >gt; message.asc

Or interactively:

gpg --encrypt --armor --recipient their@email.com

Type your message, then press Ctrl+D (macOS/Linux) or Ctrl+Z then Enter (Windows) to finish. The encrypted output appears in your terminal.

Decrypting a Message

If someone sends you ASCII-armored encrypted text:

gpg --decrypt message.asc

Or paste the encrypted block:

gpg --decrypt

Then paste the encrypted text (starting with -----BEGIN PGP MESSAGE-----) and press Ctrl+D.

Key Management

Backing Up Your Keys

Your private key is extremely important. If you lose it, you lose access to all encrypted data forever. Back it up securely.

Export your private key:

gpg --armor --export-secret-keys you@example.com >gt; private-key-backup.asc

Store this file:

• On an encrypted USB drive
• In a password manager's secure notes
• Printed on paper in a safe

Never:

• Email it to yourself
• Store it in cloud storage unencrypted
• Leave it on your Desktop

Importing Your Backup

If you need to restore your private key on a new computer:

gpg --import private-key-backup.asc

You'll be prompted for your passphrase.

Revoking a Compromised Key

If your private key is stolen or you lose the passphrase, you need to revoke it so people stop using it.

Generate a revocation certificate when you first create your key (do this now):

gpg --gen-revoke you@example.com >gt; revoke.asc

Store revoke.asc in a safe place. If you ever need to revoke your key:

gpg --import revoke.asc
gpg --send-keys YOUR_KEY_ID

This tells key servers your key is no longer valid.

Extending Key Expiration

If your key is about to expire, you can extend it:

gpg --edit-key you@example.com

At the gpg> prompt, type:

expire

Follow the prompts to set a new expiration date. Then:

save

Update key servers with the new expiration:

gpg --send-keys YOUR_KEY_ID

Trusting Keys

When you import someone's public key, GPG doesn't automatically trust it. To sign their key (indicating you trust it):

gpg --sign-key their@email.com

This tells GPG you've verified this key actually belongs to that person.

Key Servers

Key servers are public databases where people can upload and search for PGP keys.

Popular Key Servers

• keys.openpgp.org - Modern, privacy-respecting
• keyserver.ubuntu.com - Ubuntu's key server
• pgp.mit.edu - Classic MIT key server

Uploading Your Public Key

gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

Find YOUR_KEY_ID from gpg --list-keys (it's the long hexadecimal string).

Now anyone can find your key by searching for your email address.

Searching for Someone's Key

gpg --keyserver keys.openpgp.org --search-keys their@email.com

If found, you can import it directly from the key server.

Refreshing Keys from Key Server

Update all keys in your keyring (checks for revocations and expiration updates):

gpg --keyserver keys.openpgp.org --refresh-keys

Practical Workflows

Workflow 1: Secure Email Communication

Setup (one time):

1. Create your key pair
2. Upload your public key to a key server or share it with your contact
3. Import your contact's public key

Sending an encrypted email:

1. Write your email in a text file: email.txt
2. Encrypt it:

```bash gpg --encrypt --sign --armor --recipient their@email.com email.txt ```

1. Copy the contents of email.txt.asc into your email
2. Send it

Receiving an encrypted email:

1. Copy the encrypted block (including -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----) into a file: encrypted.asc
2. Decrypt it:

```bash gpg --decrypt encrypted.asc ```

1. Read the decrypted message

Workflow 2: Verifying Software Downloads

Many developers sign their software releases. Here's how to verify:

1. Download the software file (e.g., software-v1.0.tar.gz)
2. Download the signature file (e.g., software-v1.0.tar.gz.sig)
3. Import the developer's public key (usually provided on their website):

```bash gpg --import developer-key.asc ```

1. Verify the signature:

```bash gpg --verify software-v1.0.tar.gz.sig software-v1.0.tar.gz ```

1. If you see "Good signature," the download is authentic

Workflow 3: Encrypting Files for Yourself

Encrypt sensitive files on your own computer:

gpg --encrypt --recipient you@example.com sensitive-document.pdf

This creates sensitive-document.pdf.gpg. Delete the original sensitive-document.pdf securely.

When you need to access it:

gpg --decrypt sensitive-document.pdf.gpg >gt; sensitive-document.pdf

Workflow 4: Secure File Transfer

Sending a file securely to someone:

1. Encrypt the file to their public key:

```bash gpg --encrypt --armor --recipient their@email.com important-file.pdf ```

1. Send important-file.pdf.asc via email or file transfer
2. They decrypt it with their private key

Best Practices

Key Security

1. Use a strong passphrase: At least 20 characters, mix of words, numbers, symbols
2. Never share your private key: Only your public key should be shared
3. Back up your private key securely: Store encrypted in multiple safe locations
4. Generate revocation certificates immediately: Store them safely for emergencies
5. Set expiration dates: Use 2-year expirations and extend as needed
6. Use 4096-bit keys: Stronger than 2048-bit keys

Operational Security

1. Verify fingerprints: Before trusting a key, verify the fingerprint with the person through another channel (phone, in person)
2. Keep software updated: Regularly update GPG to get security fixes
3. Use key servers carefully: Anyone can upload keys claiming to be you. Verify keys through multiple sources
4. Sign keys you trust: This builds a web of trust in the PGP community
5. Revoke compromised keys immediately: Don't wait if you think your private key is stolen

Key Hygiene

1. Refresh keys regularly: gpg --refresh-keys to check for revocations
2. Clean up old keys: Remove keys you no longer use
3. Maintain separate keys: Consider different keys for work vs personal use
4. Subkeys for devices: Use subkeys for day-to-day signing/encryption, keeping your master key offline

Troubleshooting Common Issues

"No public key" Error

When trying to encrypt or verify, GPG says "no public key":

• You haven't imported the recipient's public key
• Import it: gpg --import their-key.asc

"Decryption failed" Error

When trying to decrypt:

• Wrong passphrase: Try again carefully
• File was encrypted for a different key: Make sure it was encrypted for you
• File is corrupted: Try re-downloading

Can't Find Your Key

If gpg --list-keys doesn't show your key:

• You might be using a different GPG home directory
• Check: echo $GNUPGHOME
• If set, unset it: unset GNUPGHOME

Passphrase Prompt Not Appearing

On some systems, the passphrase prompt fails:

• Install a pinentry program: sudo apt install pinentry-gtk2 (Linux)
• Or use: export GPG_TTY=$(tty) before running gpg commands

Key Expired

Your key or the recipient's key expired:

• If it's your key: Extend the expiration (see Key Management section)
• If it's their key: Ask them to extend it and re-export their public key

Advanced Topics

Using Subkeys

Subkeys allow you to keep your master key offline for security while using subkeys for daily operations.

Create a subkey:

gpg --edit-key you@example.com
addkey

Choose RSA (sign only) or RSA (encrypt only), and follow prompts.

Export only subkeys:

gpg --export-secret-subkeys you@example.com >gt; subkeys.asc

Transfer subkeys.asc to your laptop. Keep your master key on a secure USB drive.

Using GPG with Git

Sign your Git commits to prove they're from you:

Configure Git:

git config --global user.signingkey YOUR_KEY_ID
git config --global commit.gpgsign true

Now all commits are automatically signed.

Verify commits:

git log --show-signature

GPG Agent Configuration

GPG Agent caches your passphrase so you don't have to type it repeatedly.

Configure cache timeout (in ~/.gnupg/gpg-agent.conf):

default-cache-ttl 3600
max-cache-ttl 7200

This caches passphrases for 1 hour, maximum 2 hours.

Restart GPG Agent:

gpgconf --kill gpg-agent

Integration with Other Tools

Email Clients

• macOS Mail: GPG Suite provides seamless integration
• Outlook (Windows): Gpg4win includes GpgOL plugin
• Thunderbird: Install Enigmail add-on (all platforms)
• Mutt: Built-in PGP support (command line email)

Password Managers

Many password managers use PGP:

• pass: Command-line password manager using GPG
• gopass: Team-oriented password manager with GPG

Backup Tools

Encrypt backups with GPG:

tar czf - /path/to/files | gpg --encrypt --recipient you@example.com >gt; backup.tar.gz.gpg

Restore:

gpg --decrypt backup.tar.gz.gpg | tar xz

Resources and Further Reading

Official Documentation:

• GPG Manual: gnupg.org/documentation
• GPG Suite: gpgtools.org/support
• Gpg4win Compendium: gpg4win.org/documentation

Key Servers:

• keys.openpgp.org
• keyserver.ubuntu.com

Learning Resources:

• Email Self-Defense Guide: emailselfdefense.fsf.org
• The GNU Privacy Handbook: Comprehensive guide to GPG

Tools:

• Gpg4win (Windows): gpg4win.org
• GPG Suite (macOS): gpgtools.org
• GnuPG: gnupg.org

Quick Reference

Essential Commands

# Create key pair
gpg --full-generate-key

# List keys
gpg --list-keys
gpg --list-secret-keys

# Export public key
gpg --armor --export you@example.com >gt; publickey.asc

# Import a key
gpg --import their-key.asc

# Encrypt file
gpg --encrypt --recipient their@email.com file.txt

# Decrypt file
gpg --decrypt file.txt.gpg >gt; file.txt

# Sign file
gpg --detach-sign file.txt

# Verify signature
gpg --verify file.txt.sig file.txt

# Sign and encrypt
gpg --encrypt --sign --recipient their@email.com file.txt

# Upload key to server
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

# Search for key
gpg --keyserver keys.openpgp.org --search-keys their@email.com

Final Thoughts

PGP might seem complicated at first, but once you understand the basic concepts—public keys, private keys, encryption, and signatures—it becomes straightforward. The initial setup takes some time, but after that, encrypting messages and verifying signatures becomes second nature.

Start simple:

1. Create your key pair
2. Share your public key with a friend
3. Practice encrypting and decrypting files
4. Gradually incorporate PGP into your daily workflow

Remember: PGP is only as secure as your private key and passphrase. Protect them carefully, back them up securely, and never share your private key with anyone.

Whether you're protecting sensitive documents, verifying software downloads, or communicating securely with others, PGP gives you the tools to take control of your digital privacy and security.