How to Encrypt and Decrypt Files using GPG Command


There is no absolute security on the internet or across a network. Because our equipment is regularly connected to the internet and communicating, we need to protect the critical information we exchange. Encryption is a welcome safeguard whenever you, your family, or business partners need to send sensitive information from one side of the globe to the other. Encryption provides confidentiality, while signing binds the identity of the message source to the message. Signing ensures data integrity, message authentication, and non-repudiation altogether.

The principles of encrypting and signing messages

Message encryption makes the whole message unreadable to anyone but the owner of the corresponding private key. Signing a message creates a fingerprint of the message so that any change to the content can be detected; it has no effect on the message itself, and the message is not encrypted. The fingerprint can be verified against a public key. Signing does not make a message unreadable to anyone, but it lets the receiver verify that the message really originated from the sender and has not been altered since. Of course, this requires you to trust the public key.

Security rests on private and public keys. Every private key has exactly one public key and every public key has exactly one private key; the mapping is always one to one. Establishing secure communication means that you have already exchanged public keys with the people or organizations you trust. Each party then has their own private key and the other party's public key.

In our scenario, there are two people who want to communicate, and they have put their public keys on a keyserver:

  • ID_KEY BAC361F1
  • ID_KEY B6D7943C

It means that my_name@linoxide must import the public key of reader and vice versa. So to write to, will use reader's public key and vice versa.

$ gpg --keyserver --search-keys
gpg: searching for "" from hkp server
(1) reader <>
4096 bit RSA key B6D7943C, created: 2017-04-01

$ gpg --keyserver --recv-keys B6D7943C

The sender of a message ( can "sign" the message with his private key. The receiver ( uses the public key of the sender to verify that the message was actually sent by the indicated user. This can prevent a third party from "spoofing" the identity of someone. It also helps to ensure that the message was transmitted in full, without damage or file corruption.

GPG Command to Encrypt and Decrypt Files

The encryption process always creates a file with a .gpg or .asc extension, so list the contents of the folder after an encryption command finishes. It does not delete the original file, so be careful: the unencrypted copy is still on disk. When decrypting, if we use the --output parameter, the command writes the result to the file named after the option. Without the parameter, it creates the decrypted file with the same name as the encrypted file but without the .gpg extension.

Encrypt with a symmetric key

This method asks you to enter a passphrase, which you will give to your receiver so that they can decrypt the file.

$ gpg -c file_sym

Decrypt a symmetric encryption

$ gpg --output file-content file_sym.gpg

$ gpg file_sym.gpg

$ gpg -d file_sym.gpg

  • The first command creates a decrypted file named file-content.
  • The second command creates the decrypted file file_sym with the result.
  • gpg -d prints the result on the console.

Symmetric Decryption will ask for the passphrase used to encrypt the file and will put the result of the decrypted file

Encrypt with public key for a particular user

Encrypting with a public key means that you already have the public keys of those with whom you want to communicate. First choose the recipient by listing the public keys on your keyring, then use a value from his uid to encrypt the file. The --armor parameter produces an ASCII-armored message, which is useful for sending the file by mail.

$ gpg --encrypt --armor --recipient file_pub

Encrypt and sign with public key

When you want to sign a file to send, it means that you and your receiver have generated public keys that you have already exchanged. The sender has to know his own passphrase, which gives him access to the private key that he will use to sign encrypted messages.

$ gpg --sign --encrypt --armor --recipient file_pub_sign
You need a passphrase to unlock the secret key for
user: "reader <>"

See that reader@linoxide needs his own passphrase to sign the encrypted file that he will send to

Encrypt multiple files with public key

To encrypt multiple files, there are two parameters that we can use: --encrypt-files or --multifile (which must be followed by --encrypt). You can see that we don't use the --sign parameter. During my test, it seems they don't work together.

$ gpg --encrypt-files --armor --recipient course car
$ gpg --multifile --encrypt --armor --recipient course car

Decrypt with private key

When you encrypt a file with the public key of your recipient, you send it to him over some communication channel. To decrypt the received file, he uses the private key (unlocked by his own passphrase) that corresponds to the public key you used to encrypt the file. The command is the same whether the encrypted file was also signed or not, as you see below.

$ gpg file_pub.asc

You need a passphrase to unlock the secret key for
user: "my_name (my-key-pair) <>"

$ gpg file_pub_sign.asc

You need a passphrase to unlock the secret key for
user: "my_name (my-key-pair) <>"

$ gpg --decrypt-files course.asc car.asc

The last command decrypts multiple files.
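
gpg decrypts an encrypted file that carries no signature at all without complaint, so a script that relies on the sender's signature has to check for it explicitly. The script below is an added example, not part of the original article: it reads the lines gpg writes with --status-fd and accepts only a valid signature from one expected fingerprint. The function names, key IDs, fingerprints and status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from gpg's status output whether a decrypted file
# carried a valid signature from the expected key. Names are this example's own.

# Constructed, abbreviated status lines such as `gpg --status-fd 1 --decrypt`
# emits for a signed and encrypted file (key IDs and fingerprints are made up).
EXPECTED=0123456789ABCDEF0123456789ABCDEFB6D7943C
SIGNED_STATUS="[GNUPG:] ENC_TO FEDCBA9876543210 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] GOODSIG 89ABCDEFB6D7943C reader
[GNUPG:] VALIDSIG $EXPECTED 2017-04-02 1491091200 0 4 0 1 8 00 $EXPECTED
[GNUPG:] END_DECRYPTION"
# Constructed status for a file that was encrypted but never signed.
UNSIGNED_STATUS='[GNUPG:] ENC_TO FEDCBA9876543210 1 0
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_OKAY
[GNUPG:] END_DECRYPTION'

# signed_by EXPECTED_FPR < status-lines
# EXPECTED_FPR is 40 upper-case hex digits without spaces. Succeeds only if
# decryption succeeded, a VALIDSIG names EXPECTED_FPR as the primary key, and
# there is no bad, unverifiable or foreign signature.
signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"                  { next }
        $2 == "DECRYPTION_OKAY"           { dec = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG"  { bad = 1 }
        $2 == "VALIDSIG" { fpr = (NF >= 12 ? $12 : $3)   # primary-key fpr if given
                           if (fpr == want) ok = 1; else bad = 1 }
        END { exit !(dec && ok && !bad) }'
}

# decrypt_checked IN OUT EXPECTED_FPR: keep OUT only if the signature checks out.
decrypt_checked() {
    if gpg --status-fd 1 --output "$2" --decrypt "$1" | signed_by "$3"; then
        return 0
    fi
    rm -f -- "$2"   # gpg writes the plaintext before the verdict is known
    echo "no valid signature from $3, removed $2" >&2
    return 1
}

# Self-check against the constructed status lines.
printf '%s\n' "$SIGNED_STATUS" | signed_by "$EXPECTED" && echo "signed sample: accepted"
printf '%s\n' "$UNSIGNED_STATUS" | signed_by "$EXPECTED" || echo "unsigned sample: rejected"
```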

Encrypt Email

To encrypt and sign your email, you can write the message to a file, use gpg to encrypt and sign it with the methods that we have seen, and send it in the usual way. Your receiver must have your public key in order to decrypt your message.

You can also install Enigmail, which can be used to encrypt email from Thunderbird using the public key of the recipient that you have.

# apt-get install enigmail

Launch Thunderbird; it will start the setup wizard for Enigmail:

  • How would you like to configure Enigmail: extended configuration
  • Create or import OpenPGP keys: import existing public and secret keys
  • Import OpenPGP keys: choose your public and private key files located in /home/username/.gnupg/. Choose the pubring and secring files.
  • Key selection: select the recipients who will receive the encrypted e-mail

Now that the setup is complete, you can write a new message to your recipient with Thunderbird.

You will see that encryption is automatically activated when you choose the same recipient for an email.


Now you know how to encrypt files and sign a document using gpg in Linux. For good security, you must verify that a public key you receive really comes from a person you know before adding it to your public keyring.
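
One way to carry out that check, as an added example that is not part of the original article: compare the full fingerprint of a downloaded key file with the fingerprint the owner gave you by another channel, and import only on an exact match. An 8-digit key ID such as the ones used earlier is only the tail of the fingerprint, so the script refuses it as proof. The function names and the sample key listing are constructed, and verify_then_import assumes a GnuPG version that provides --show-keys.

```shell
#!/bin/sh
# Added example: compare a key file's full fingerprint with one obtained out
# of band before importing it. Function names are this example's own.

# Constructed `gpg --show-keys --with-colons` listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEFB6D7943C:1491004800:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFB6D7943C:
uid:-::::1491004800::::reader:
sub:-:4096:1:FEDCBA9876543210:1491004800::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAFEDCBA9876543210:'

# Strip spaces and an optional 0x prefix, then upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Print field 10 of the first "fpr" record after each "pub" record, i.e. the
# primary-key fingerprint of every key in the listing read from stdin.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# fpr_matches EXPECTED < listing
# Returns 0 on an exact match, 1 on mismatch (or more than one key in the
# file), 2 if EXPECTED is not a full 40-hex-digit (v4) fingerprint.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2   # rejects 8/16-digit key IDs
    [ "$(primary_fprs)" = "$expected" ]
}

# verify_then_import KEYFILE EXPECTED_FPR: import only after the check passes.
verify_then_import() {
    if gpg --show-keys --with-colons "$1" | fpr_matches "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint check failed, not importing $1" >&2
        return 1
    fi
}

# Self-check against the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" |
    fpr_matches '0123 4567 89AB CDEF 0123 4567 89AB CDEF B6D7 943C' &&
    echo "sample listing: fingerprint matches"
```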
