How To Encrypt Your Own Documents Using gpg

If you have ever wanted to garuntee the utmost security of your emails and documents, then this is the guide for you! It should be noted that in some circles the tools used are more common than in others. These are the everyday tools of many privacy advocates and computer nerds.

If you have never used Linux however, then the method of doing this will be rather unfamiliar. This tutorial will be done on an Arch Linux machine, but it should be the same on Ubuntu, Fedora, CentOS, Debian, OpenBSD, FreeBSD, MacOSX, etc. The only operating system that does not include these tools by default (or easily accessible) is Windows.

This tutorial makes heavy use of the terminal. You have been warned.

Let us…begin!


  • ASCII armour — A way to encode OpenPGP documents so they are readable by humans. These files end in .asc
  • (Open)PGP — An open standard for encoding pulbic keys and encrypted documents.
  • GPG — GNUPrivacyGaurd is an implementation of OpenPGP. It is installed by default on most Linux distrobutions.

Step 0: Setup

We will be using the utility gpg for this tutorial.

The other thing to note: The character ‘$’ (dollar sign) is usually not typed when shown in a command. It simply indicates that you do not need administrative privilages to run these commands.

Test to see if you get this output in your terminal.

$ gpg --version

gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>


If this is not successful look into how to install these tools on your system.

Step 1: Get/Create A Public Key!

Get Somebody Else’s

Step one is having somebody to send your encrypted message to. Maybe this is a friend, a journalist, or a whistleblower.

To encrypt a document with somebody’s public key, you need to first obtain it. My public key is available at this link, and you can use it to send me encrypted stuff.

If you are on a linux terminal, you can use the curl or wget command to download it.


$ wget https://tait.tech/public-key.asc


$ curl https://tait.tech/public-key.asc -o public-key.asc

Make Your Own (optional)

The following section is quite long, so if you don’t want to create your own keypair, then feel free to skip to Step #2.

If you want to encrypt your own documents, or you want others to be able to send you encrypted messages, then you can create your own public/private key pair. You can use these to encrypt your documents, and you can send our public key to others so that they can securely communicate with yourself.

Run the following command in your terminal, and follow the steps I outline to get you started.

$ gpg --full-gen-key

This will produce the following dialog:

gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
  (1) RSA and RSA (default)
  (2) DSA and Elgamal
  (3) DSA (sign only)
  (4) RSA (sign only)
  (14) Existing key from card
Your selection? 

Select the option 1. You want two keys, both RSA.

Next we will select the key size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

Type the number 2048.

Next it will ask you how long you want the key to be valid.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
Key is valid for? (0)

Type the number 1. This will enable you time to test it, but it will make the key expire within 24 hours so that if you accidentally share your private key, or delete your VM and no longer have access to it, you will be fine.

It will ask your if you are sure about the expiry date.

Key expires at Tue Apr  7 02:24:23 2020 UTC
Is this correct? (y/N) 

Type y to confirm your choice.

Now gpg is going to ask you to create a user id to indetify this key. Use some test data for now. User input is in bold, feel free to follow along or to put your own test data in.

Once you are more comfortable with the tools, then you can create a public/private keypair that you will keep for some time.

GnuPG needs to construct a user ID to identify your key.

Real name: Mr. Tester
Email address: test@test.org
Comment: for testing only
You selected this USER-ID:
    "Mr. Tester (for testing only) <test@test.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

It will then ask you for a password. If you are simply using this for test purposes, then you can feel free to set it to something like “test”. When create a long-term use pulbic key make sure to make the password very secure.

During the process of creating your key, gpg may warn you with this message:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

If this happens, feel free to smash your keyboard (lightly), watch a YouTube video on the machine, browse the web with w3m, etc. until the key is generated.

You will know it is done when you see this message (or something similar):

gpg: key EACCC490291EA7CE marked as ultimately trusted
gpg: revocation certificate stored as '/home/tait/.config/gnupg/openpgp-revocs.d/FFA7D7525C6546983F1152D8EACCC490291EA7CE.rev'
public and secret key created and signed.

pub   rsa2048 2020-04-06 [SC] [expires: 2020-04-07]
      uid                      Mr. Tester (for testing only) <test@test.org>
      sub   rsa2048 2020-04-06 [E] [expires: 2020-04-07]

Tada! You have your own public/private keypair!

Sharing a keypair that will expire soon is not a good idea, however, if you are ready, then you can use this command to generate a public key file to share with others.

Feel free to substitute “Mr. Tester” for any other identifying part of your key. Remember that to use the email, you must enclose it in < and >.

$ gpg --export --armour "Mr. Tester" > public-key.asc

To use the email as the identifier:

$ gpg --export --armour "<test@test.org>" > public-key.asc

Step 2: Import Public Key

This list of keys that gpg keeps on tap so to speak, is called our “keyring”. Your will need to import a new public key to encrypt files with gpg.

If you already created your own public key, then this step is not necessary unless you want to also encrypt something for me :)

A keyring holding eight allen keys.
A keyring holding eight allen keys.

To import a public key to use for encrypting files, use the --import option of gpg. Like so:

$ gpg --import public-key.asc
gpg: key 64FB4E386953BEAD: public key "Tait Hoyem <tait.hoyem@protonmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

Now that we have imported a public key, we can make a message to send!

Step 3: Have A Message To Encrypt

You can make a new file which holds some important, secret data. Feel free to use a graphical editor if you have one, if not, nano works alright too.

  Rules Of A Good Life:

  1. Wash your hands!
  2. Work hard!
  3. Be firm.
  5. Have good friends!

Save this file as something like test-pgp.txt, and we’ll use that name later.

Step 4: Encrypt A Message

Now that we have a message to send and person to send to, all we have to do is encrypt this message and it’ll be on its merry way! To do so, we must specify two new options to gpg.

The first is --recipient. This tells gpg to encrypt using a certin public key that we have in our keyring. You can use the person’s name, email address, or the key’s uid.

The second is --encrypt.

You will also specify the --armour option to use ASCII armoured files. Put this option after --encrypt, and put the file name after --armour. See below.

You can either use your own public key name to encrypt a document (allowng only you to decrypt it), or you can use my public key that we imported earlier (allowing only me to decrypt it). Either way works fine.

This is the big one!

$ gpg --recipient "Tait Hoyem" --encrypt --armour test-gpg.txt

“But there is no output!” you might say! Yes, that is because our new (encrypted) file has already been saved. Let’s look at it with cat.

$ cat test-gpg.txt.asc


Step 5: Decryption (optional)

If you created your own public/private keypair in step 1, and you encryped using --recipient "Your Test Name", then you can decrypt your document as well!

You will need to specify --decrypt, and that’s all folks!

$ gpg --decrypt test-gpg.txt.asc

A password dialog will then come up asking for your previously created password. As long as you remember your password from before and enter it correctly: voila!

gpg: encrypted with 4096-bit RSA key, ID 6989B986FCBE4225, created 2020-01-02
      "Tait Hoyem <tait.hoyem@protonmail.com>"
Rules Of A Good Life:

1. Wash your hands!
2. Work hard!
3. Be firm.
5. Have good friends!

Step 6: Finale!

Ladies and gentleman, you have done it! You have encrypted our very own document. (And maybe even decrypted it yourself too :)

If you encrypted using my public key, feel free to send it to my email. I am happy to verify if it worked.

For more information on this subject, check out gnugp.org’s guide on using GPG. They are the ones that make these tools available, and the GNU Project has been instrumental in creating the open-source world as it exists today. Give ‘em some love, eh!

Thank you so much for sticking through this whole thing! Let me know if there is anything that doesn’t make sense. I am happy to improve this guide as time goes on if that is necessary.

Happy hacking :)