In practice

We’ll review here just a few often used commands to create and manage the keys:

#Create a key and list the contents of the .gnupg directory afterwards to see what has been created
gpg --full-gen-key
tree .gnupg

#List keys
gpg --list-keys

#List secret keys with the full ID
gpg --list-secret-keys --keyid-format LONG

#Add another ID
gpg --edit-key
gpg --list-keys

#Create a subkey
gpg --edit-key
gpg --list-secret-keys --keyid-format LONG

#Export public key
gpg --armor --export

#Upload key to server. It will connect to one of the servers of the pool. We can also point to a particular server with the option '--keyserver'
gpg --send-key

#Search for someone's key
gpg --search-keys

#Download they key. In this case, we indicate a server.
gpg --keyserver --receive-keys

#Sign the key
gpg --sign-key

#Encrypt a file
gpg --encrypt --output message.txt.gpg --recipient [email protected] message.txt

#Sign a file
gpg --local-user [email protected] --output message.txt.gpg.sig --sign message.txt.gpg

#Revoke a key. To do this, we need the revokation certificate, which can be created with the key or afterwards with '--gen-revoke'.
gpg --list-keys
gpg --output revoke.asc --gen-revoke
cat revoke.asc
#We then import the revokation certificate (which effectively revokes the key) and then send the updated (revoked) key to the servers.
gpg --import revoke.asc
gpg --keyserver --send-keys

Where is this used?

There are many places where GnuPG is used. We will now list some of the most common.


GPG is used to sign and encrypt emails. Most email clients implement it or provide a plugin:

Each client has its own configuration and features. Mutt, for instance, can be configured to verify signatures automatically.

Package signing and checking

For Linux distributions, it is crucial to be able to verify that the software packages that users download are legitimate and coming from an authorized developer. We discuss a bit here the approaches used in Debian and RedHat (and their derivate distributions).


Apt is the package manager used in Debian systems. The process is the following:

GPG Introduction - CAPSiDE

GPG Introduction - CAPSiDE


With RPM (RedHat’s package manager), the packages are signed with the distribution’s key. The rpm package then checks the signature.

In this image we can see how to check a package’s signature:

GPG Introduction - CAPSiDE

And here we can see how to list the keys that RPM knows about:

GPG Introduction - CAPSiDE


In git, GPG is used to verify the author of a commit. To use it, you need to have your gpg config in place. We can sign commits (-S) and tags (-s):

GPG Introduction - CAPSiDE

Software distribution

As with software packages in official distros, when we download software from the internet, we can ensure that it is really what the author published and not something modified. For example, this CPAN distribution contains a file called SIGNATURE that is signed and that contains the sha256 of all the files of the distribution. We can then generate the SHA256 of all the files and compare them to the signed file.

GPG Introduction - CAPSiDE

GPG Introduction - CAPSiDE

Evidently, you can also check the gpg software when you download it as a tar from the gnupg website.

GPG Introduction - CAPSiDE

Best practices

Finally, we would like to point out some best practices regarding the use of GPG:


GPG is a great method, proven and trusted, to ensure integrity, confidentiality and authentication in the digital world. There are many uses for it, a lot of software supports it, and the basic usage of the command line tool is easy to learn. For developers and systems engineers it’s important to understand how it works and how to use it, to ensure trust in software, systems and communication. Additionally, since it’s been around for many years now, there’s a lot of documentation on it on the Internet.

TAGS: Cryptography, cybersecurity, Encryption, GnuPG, GPG, Keys, Labs, PGP, Pretty Good Privacy, privacy, Source code

speech-bubble-13-icon Created with Sketch.

Leave a Reply

Your email address will not be published. Required fields are marked *