The GNU Privacy Guard (GPG) is one of the most important programs available today, as it allows you to create your own digital identity and establish encrypted communications online.
This article will show how you can get started with GPG in Linux using Kleopatra and send your first encrypted message over the internet.
Tip: Learn how you can create your own GPG key in Windows 11.
How GPG Works
At its core, GPG follows the OpenPGP standard which allows its users to exchange encrypted and signed messages over a network. The way it works is that the program relies on the idea of asymmetric cryptography. This is a method of cryptography that does not need a "pre-arranged" key to encrypt messages to other users.
One of the biggest advantages of this approach is that you do not need your recipient to be present to begin encrypting messages. This makes GPG suitable for "delay-tolerant" communication such as email.
Aside from that, asymmetric encryption also gives you the opportunity to create "public keys" that you can share to verify your identity. This is highly useful in preventing any bad actor to impersonate as you online.
Installing GNU Kleopatra
While GPG is a powerful tool, it can be hard and complex to use on its own. GNU Kleopatra aims to reduce this complexity by providing an intuitive and easy to use graphical front-end for GPG.
To install Kleopatra in Debian and Ubuntu Linux, you can run the following command:
sudo apt install kleopatra
To install Kleopatra on Fedora and Enterprise Linux 8 distribution:
sudo dnf install kleopatra
and for Arch Linux
sudo pacman -S kleopatra
Good to know: Learn what is the best free Enterprise Linux 8 distribution for you by looking at the differences between AlmaLinux and Rocky Linux.
Creating Your First GPG Keypair
- Launch Kleopatra from your desktop's application launcher.
- Kleopatra will check if it has all of its utilities up and running. You can press "Continue" to load the program.
- Click the "New Key Pair" button to generate your GPG key.
- Write the name and the email address that you want to use for your GPG key. While it is good practice to provide accurate contact information, you do not need to write a resolvable email address for your key.
- Tick the "Protect the generated key with a passphrase" checkbox. Doing this will add an additional layer of security for your key.
- Click the "Advanced Settings…" button.
Configuring Your GPG Key
- Click the drop-down box for both the "RSA" and "+ RSA" options and select "4096 bits." Increasing the bits will make sure that your GPG private key is secure for the foreseeable future.
- Click the drop-down box beside the "Valid until:" checkbox and select a date for your key's expiration date. This ensures that your GPG key will disable itself even if you cannot access it anymore. In my case, I usually set the expiration date for my GPG keys between 6 to 9 months.
- Click "OK," then "Create."
- Provide the password for your new GPG key.
- Click the "Finish" button to save your new GPG key.
Tip: Learn how to create and use GPG keys using only the command line.
Publishing Your Public Key Online
At this point, you have a working GPG key. You can use this to either sign digital messages or encrypt files to protect your privacy. However, in order to receive encrypted emails from other people, you also need to provide your key's public key.
One of the easiest ways to do this is by publishing your key on a centralized GPG keyserver. These are write-once, read-many servers that allow you store your public key in an easily searchable index.
- Before you publish your key, you need to create a "Revocation Certificate." To generate one, right click your key, then select "Details."
- Click "Generate Revocation Certificate."
- Select a folder where you want to save your certificate.
- Click "Close."
- With a revocation certificate at hand, you can now upload your public key to a GPG keyserver. Right click your key and select "Publish on Server."
- Click "Continue" on the warning prompt.
- This will upload your public key to a rotating list of keyservers. Once it is done, Kleopatra will display a confirmation message showing that the public key is now live.
Importing Other People's Public Keys
Aside from letting other people fetch your public key, you could also import theirs to your own keyring. This can be helpful if you are sending the first message and you want your recipient to verify his identity.
To find a GPG Public Key, you need to go to a key directory. These are websites that present the key fingerprint of any user that has uploaded his public key online. One of the most popular key directories available today is keyserver.ubuntu.com.
- Go to keyserver.ubuntu.com
- Click the search bar and type the email address of the user that you want to import the public key of. For example, you can type "email@example.com" to search for a GPG key that I have made for this article.
- Right click the link that contains a string of letters and numbers on the column with the "[self-sig]" label.
- Click "Save Link As…"
- Change the name of the file from "lookup" to "lookup.asc" and save it in your home directory.
- Go back to Kleopatra and click "File," then "Import."
- Navigate to your home directory and select your "lookup.asc" file.
- Click "OK" on the confirmation box to include the new public key to your keyring.
Encrypting Your First File in GPG
Once you have the public key of the user that you want to communicate with, you can now use Kleopatra to send encrypted messages and files to them.
- To encrypt your first file, click "File," then "Sign/Encrypt."
- Select the file that you want to encrypt.
- This will open a small window where you can tell Kleopatra how you want to encrypt your file. Tick the "Encrypt for Others" checkbox and type the address of your recipient's public key.
- Click "Sign/Encrypt" to create your GPG-encrypted file.
FYI: You can also create automatic encrypted backups to the cloud using Rclone.
Decrypting Your First File in GPG
The Kleopatra utility also provides the ability to decrypt GPG-encrypted files from inside the program. This, coupled with the ability to encrypt files, makes Kleopatra an effective tool to securely correspond with other GPG users.
- To decrypt a GPG-encrypted file, click "File," then "Decrypt/Verify"
- Select the file that you want to decrypt.
- This will open a summary window where Kleopatra will check whether the GPG-encrypted file has been properly encrypted and addressed to you. You can decrypt your file by clicking "Save All."
Tip: Learn how to do quick file and directory encryption using Tomb.
Frequently Asked Questions
How can I delete a key from a keyserver?
It is not possible to fully delete a key from a GPG keyserver. However, you can tell a keyserver that you no longer use a particular public key.
While this will not remove your record from a keyserver, this will allow you to prevent any malicious actor from reusing your old keys. To do this, you need to right click your key in Kleopatra and select "Revoke Certification."
Is it possible to recover a GPG key password?
There is no built-in function in either GPG or Kleopatra to recover a key password. If the password you used is simple enough, you can try "brute forcing" your key's password using a dictionary password cracker (though that really defies the purpose of setting a password).
Is it possible to encrypt entire directories with GPG?
Yes. Click "File -> Sign/Encrypt Folder" in Kleopatra. It will open a file picker dialog box where you can select the folder that you want to encrypt.
Aside from that, you can also encrypt a directory by placing it first inside a tar archive. For example, running:
tar cvzf ./encrypt-folder.tar.gz ./sample will compress the sample directory as "./encrypt-folder.tar.gz." You can then encrypt this archive as a file in Kleopatra.
Image credit: Towfiqu barbhuiya via Unsplash. All alterations and screenshots by Ramces Red.
Our latest tutorials delivered straight to your inbox