
GPG Encryption for Email and Files: Complete Guide 2026

Master GPG encryption for securing emails and files. Key generation, signing, web of trust, Thunderbird integration, and command-line usage explained.


GPG (GNU Privacy Guard) is the open-source implementation of the OpenPGP standard, used to encrypt files and emails so only intended recipients can read them. It also provides digital signatures to verify the authenticity and integrity of files and messages. This guide covers everything from key generation to email integration to command-line file encryption.

How GPG Works

GPG uses asymmetric cryptography: you have a public key (share freely) and a private key (never share). Anyone can encrypt a message using your public key, but only you — holding the private key — can decrypt it. The reverse applies to signatures: you sign with your private key, and anyone with your public key can verify the signature.

Installing GPG

Linux

# Debian/Ubuntu
sudo apt install gnupg

# Fedora
sudo dnf install gnupg2

# Arch
sudo pacman -S gnupg

Windows

Download Gpg4win from gpg4win.org. It includes GPG, Kleopatra (GUI), and GpgOL (Outlook integration).

macOS

brew install gnupg

Or install GPG Suite from gpgtools.org for macOS Mail integration.

Generating Your Key Pair

gpg --full-generate-key

When prompted:

  1. Key type: Select (1) RSA and RSA or (9) ECC (sign and encrypt) — ECC (ed25519/cv25519) is recommended for new keys
  2. Key size: For RSA, choose 4096 bits. For ECC there is no size prompt; the key size is determined by the curve you pick (Curve 25519)
  3. Expiration: Set 2 years — you can always extend. Never set “never expire”
  4. Name and email: Use your real name and email address for keys you’ll share publicly

For ECC (modern, recommended):

gpg --full-generate-key --expert
# Select (9) ECC and ECC
# Select (1) Curve 25519
# Set expiration to 2y

View your new key:

gpg --list-secret-keys --keyid-format LONG

Output:

sec   ed25519/AABBCCDD11223344 2026-05-24 [SC] [expires: 2028-05-23]
      FINGERPRINT_HERE
uid           [ultimate] Your Name <you@example.com>
ssb   cv25519/EEFF00112233AABB 2026-05-24 [E]

Exporting and Sharing Your Public Key

Export to a File

gpg --armor --export you@example.com > your-public-key.asc

Share this file with anyone who wants to send you encrypted messages.

Upload to a Key Server

gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID

Use keys.openpgp.org — it requires email verification before it publishes the identity (user ID) on a key, so nobody can publish a key under your address without controlling it.

Importing Someone Else’s Public Key

# From a file
gpg --import their-key.asc

# From a key server
gpg --keyserver hkps://keys.openpgp.org --recv-keys THEIR_KEY_ID

Verify the fingerprint out-of-band (phone call, in person, secure messenger) before trusting the key:

gpg --fingerprint their@email.com

Encrypting Files

Encrypt for a Recipient

gpg --encrypt --recipient their@email.com --armor document.pdf
# Creates document.pdf.asc (ASCII-armored encrypted output)

Encrypt for Multiple Recipients

gpg --encrypt \
  --recipient alice@example.com \
  --recipient bob@example.com \
  --armor sensitive-data.zip

Encrypt and Sign Simultaneously

gpg --encrypt --sign \
  --recipient their@email.com \
  --local-user you@example.com \
  --armor document.pdf

This proves the file came from you and is readable only by the recipient.

Symmetric Encryption (No Key Pair Needed)

For encrypting files with just a passphrase (no recipient key required):

gpg --symmetric --cipher-algo AES256 --armor file.txt
# Creates file.txt.asc encrypted with a passphrase you choose

Decrypting Files

gpg --decrypt document.pdf.asc > document.pdf
# GPG prompts for your private key passphrase automatically

Signing Files

Create a Detached Signature

gpg --detach-sign --armor file.iso
# Creates file.iso.asc (signature only, not the file itself)

Distribute both file.iso and file.iso.asc. Recipients verify with:

gpg --verify file.iso.asc file.iso

Sign a Text Message (Clearsign)

gpg --clearsign message.txt
# Creates message.txt.asc with message text and signature inline

GPG for Email with Thunderbird

Thunderbird (version 78+) has built-in OpenPGP support — no Enigmail extension needed.

Setting Up Your Key in Thunderbird

  1. Open Thunderbird > Account Settings > End-to-End Encryption
  2. Click Add Key
  3. Select Use your existing key and choose your GPG key
  4. Or click Generate a new OpenPGP Key to create one within Thunderbird

Importing a Correspondent’s Key

  1. Click the OpenPGP button in the message compose window
  2. Click the key icon to manage keys
  3. Paste or import their public key file

Sending an Encrypted Email

Compose a message, then click Security > Require Encryption. Thunderbird will use the recipient’s public key automatically if it’s in your keyring.

Key Management Best Practices

Set a Revocation Certificate

Create a revocation certificate immediately after generating your key — if your key is compromised, you can revoke it:

gpg --gen-revoke you@example.com > revocation-cert.asc

Store this file somewhere safe and offline (GnuPG 2.1 and later also writes one automatically to ~/.gnupg/openpgp-revocs.d/ when the key is generated). Anyone who holds it can revoke your key, so treat it like the private key itself. To revoke:

gpg --import revocation-cert.asc
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID

Extend Key Expiration

gpg --edit-key you@example.com
gpg> expire
# Follow prompts to set new expiration (this changes only the primary key)
gpg> key 1
gpg> expire
# Repeat for the selected subkey, otherwise the encryption subkey keeps the old date
gpg> save

Re-upload the updated key to key servers after extending.

Backup Your Private Key

gpg --armor --export-secret-keys you@example.com > private-key-backup.asc

Store this encrypted backup offline — on paper (printed QR code), a hardware token, or an air-gapped drive encrypted with LUKS.

Using a Hardware Security Key

Store your GPG private key on a YubiKey or Nitrokey hardware token. Once moved, the private key no longer lives on your computer at all — the token performs the signing and decryption operations internally and only the results leave it.

# Move subkeys to YubiKey (keytocard moves rather than copies, so take the backup above first)
gpg --edit-key you@example.com
gpg> key 1
# Selects the first subkey (marked with *); run keytocard on each subkey you want to move
gpg> keytocard
# Choose the card slot: Signature, Encryption, or Authentication key
gpg> save
# save replaces the local secret key with a stub that points to the card

Once on the card, the key cannot be extracted — even if your computer is compromised. A compromised computer can still ask the card to sign or decrypt while it is plugged in and the PIN is cached, so unplug the token when not in use and enable touch confirmation if the device supports it.

Verifying Software Downloads

Many software projects sign their releases with GPG. Verify them:

# Import the project's public key
gpg --keyserver hkps://keys.openpgp.org --recv-keys SIGNING_KEY_ID

# Verify the signature
gpg --verify software-1.0.tar.gz.sig software-1.0.tar.gz

A “Good signature” message confirms the file matches the signature, but only means the signature was made by some key in your keyring. Compare the fingerprint gpg prints against the one the project publishes (on its website, in its documentation or release notes) before treating the download as authentic; gpg will also warn that the key is not certified until you have verified and signed it yourself.
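As an added example (not part of the original guide): a POSIX shell script that runs the verification above using gpg's machine-readable status output and accepts the file only when the signature was made by the key whose fingerprint the project publishes. The fingerprint and status lines used for checking are constructed placeholders, not a real project's key.

```shell
#!/bin/sh
# Added example: verify a detached signature AND pin the signer to an expected
# fingerprint. "Good signature" alone only means the signature matches some key
# in your keyring; pinning the fingerprint the project publishes closes that gap.

# Normalize a fingerprint for comparison: strip spaces, uppercase hex.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read gpg --status-fd lines on stdin. Succeed (exit 0) only if a VALIDSIG line
# names the expected key, either as the signing (sub)key or as its primary key.
# Any BADSIG/ERRSIG/NO_PUBKEY line fails immediately.
check_validsig() {
  want=$(norm_fpr "$1")
  result=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        return 1 ;;
      "[GNUPG:] VALIDSIG "*)
        # Fields: [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp> <ver> <res>
        #         <pkalgo> <hashalgo> <class> <primary-key-fpr>
        set -- $line
        eval "primary=\${$#}"
        if [ "$3" = "$want" ] || [ "$primary" = "$want" ]; then
          result=0
        fi ;;
    esac
  done
  return "$result"
}

# usage: verify_release software-1.0.tar.gz.sig software-1.0.tar.gz EXPECTED_FINGERPRINT
# Runs gpg with machine-readable status on stdout and pipes it to the check;
# exit status 0 means "signed by the pinned key", anything else means reject.
verify_release() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_validsig "$3"
}
```

Paste the fingerprint exactly as the project publishes it (spaces and case are normalized) and wire `verify_release` into your download script so a mismatch aborts the install.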

Final Thoughts

GPG provides battle-tested, mathematically sound encryption for files and email. While initial setup requires some investment, the result is communications that are private against mass surveillance, nation-state actors, and data breaches. Start with generating a key, backing it up properly, and encrypting your most sensitive files. Add email integration through Thunderbird for seamless encrypted correspondence with contacts who share your commitment to privacy.
