🏄‍♀️ Back to index learnings.bolmaster2.com

Encrypt and decrypt PGP/GPG with ease in the terminal

Published by bolmaster2

PGP? GPG? Say what?

gpg isn’t the most easy to use CLI’s. It doesn’t really behave as you expect, at least not for me. I won’t go into the concepts of PGP or GPG. Read about them on wikipedia if you don’t know. This is more of a reminder of the different commands you can use with gpg. I’m using version 2.2.11 in those examples.

Find key fingerprint to be able to target key

You can list private keys with:

gpg -K

but that won’t give you a fingerprint. It doesn’t mention that at all. The easiest choice I think is to use the key’s fingerprint as it’s widely used.

Get the fingerprint by listing the public keys with a lower cased k instead of an upper cased. The fingerprint is next to the pub, after specifying the algorithm used and the expire date of the key.

gpg -k
# ...
# pub   rsa4096 2018-01-13 [SC] [går ut: 2019-01-13]
#       2E3B489DC7BEBCD185F598E9CD01DE5C59082A78
# uid           [förbehållslös] Joel Larsson (Key for 2018) <[email protected]>
# sub   rsa4096 2018-01-13 [E] [går ut: 2019-01-13]
# ...

2E3B489DC7BEBCD185F598E9CD01DE5C59082A78 is the complete fingerprint. Usually shorter ones are used. Like the 64-bit, that look like this: CD01DE5C59082A78. It’s grabbed from the back. Called the lower bits. So this is called the lower 64 bits. Even though this is hexadecimal. Easy rule to remember: one hex pair equals to one byte. So divide the number of characters by two and then multiply it by eight (one byte = eight bits) and there you go. You have the number of bits.

You can use an even shorter one. 32-bit. Just take half of them: 59082A78.


With fingerprint

# Complete fingerprint
gpg -e -r 2E3B489DC7BEBCD185F598E9CD01DE5C59082A78 file.txt
# 64 bit fingerprint
gpg -e -r CD01DE5C59082A78 file.txt
# 32 bit fingerprint
gpg -e -r 59082A78 file.txt

By default. gpg creates the same filename suffixed with .gpg as the original file. So the above command created the file file.txt.gpg.

Encrypt and sign

Add the option -s as well to sign the encrypted message:

gpg -se -r 59082A78 file.txt

Encrypt, sign and make it portable

Without adding the option --armor, the encrypted result is binary. That’s not very portable between different system. When you apply --armor or -a you wrap the binary data in a text format. It’s base64 encoded and begins with -----BEGIN and ends with -----END. Often it looks like this. It contains line breaks, yes.



This particular message is protected with symmetric encryption. Guess the password! Clue: It’s six characters long and rated the most common by several sources. Learn how to decrypt it here.

To encrypt data as text you do it like this, it will create a file with a .asc instead of a .gpg extension:

gpg -sea -r 59082A78 file.txt

Output to stdout

Change output with --output or -o. The value - makes it output to stdout:

gpg -sea -o - -r 59082A78 file.txt

Symmetric encryption

I don’t think of symmetric encryption when I think of PGP/GPG. But it is valid. You do it by adding the --symmetric or -c option:

gpg -ca file.txt

From stdin to stdout:

echo "Hello 👋" | gpg -ca

Interactive input:

gpg -ca

Enter password. Then enter content to encrypt. When done, use Ctrl + D to exit.


To decrypt a file you use --decrypt or -d. This works the same with symmetric encryption content as well as with asymmetric encryption.

gpg -d file.txt.gpg

You don’t have to specify the key since it will find it automatically, if you have it. Otherwise it will print an error. If it’s symmetric encrypted, you will be prompted for a passphrase.

Interactive decryption:

gpg -d

Paste encrypted content. It will automatically decrypt it and display it. To exit, use Ctrl + D.