---
title: GPG Basics
description: Overview of core GnuPG concepts, key management, and common operational workflows
tags:
  - security
  - gpg
  - encryption
category: security
created: 2026-03-14
updated: 2026-03-14
---

# GPG Basics

## Introduction

GPG (GnuPG, the GNU Privacy Guard) is used for public-key encryption, signing, and verification. It remains common for signing Git commits and tags, exchanging encrypted files, and maintaining long-term personal or team keys.

## Purpose

This document covers:

- What GPG keys and subkeys are
- Common encryption and signing workflows
- Key management practices that matter operationally

## Architecture Overview

A practical GPG setup often includes:

- Primary key: used mainly for certification and identity management
- Subkeys: used for signing, encryption, or authentication
- Revocation certificate: lets you invalidate a lost or compromised key
- Public key distribution: keyserver, WKD, or direct sharing

The primary key should be treated as more sensitive than the everyday-use subkeys: it certifies the subkeys and the user IDs, so compromising it lets an attacker replace both.

## Core Workflows

### Generate a key

Interactive generation:

```bash
gpg --full-generate-key
```

List keys:

```bash
gpg --list-secret-keys --keyid-format=long
```

### Export the public key

```bash
gpg --armor --export KEYID
```

### Encrypt a file for a recipient

```bash
gpg --encrypt --recipient KEYID secrets.txt
```

### Sign a file

```bash
gpg --detach-sign --armor release.tar.gz
```

### Verify a signature

```bash
gpg --verify release.tar.gz.asc release.tar.gz
```

## Configuration Example

Generate a revocation certificate after key creation:

```bash
gpg --output revoke-KEYID.asc --gen-revoke KEYID
```

Store that revocation certificate offline in a secure location.
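The workflows above, chained into one unattended script as an added example (this is not code from the page or from the GnuPG project). It runs every step in a throw-away `GNUPGHOME` so a real keyring is never touched; the user ID, file names and payloads are constructed, the empty passphrase exists only so the run needs no pinentry, and it assumes GnuPG 2.1 or newer, which writes a revocation certificate into `openpgp-revocs.d` at key creation (the interactive `--gen-revoke` from the page cannot be driven in batch mode, so the script checks for that stored copy instead).

```shell
#!/bin/sh
# Added example, not part of the original page: exercises generate, export,
# encrypt/decrypt, sign and verify end to end inside a temporary GNUPGHOME.
# Identity, file names and payloads are constructed. Requires GnuPG >= 2.1.

gpg_workflow_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1

    if (
        set -e
        GNUPGHOME="$work/home"; export GNUPGHOME
        mkdir -m 700 "$GNUPGHOME"

        # Unattended key generation (constructed identity, default algorithm,
        # no expiry). The interactive equivalent is gpg --full-generate-key.
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "Demo User <demo@example.invalid>" default default never 2>/dev/null

        # Primary fingerprint from the machine-readable listing: field 10 of the
        # first fpr record. Scripts should key on full fingerprints, never short IDs.
        fpr=$(gpg --batch --with-colons --with-fingerprint --list-secret-keys \
              | awk -F: '$1 == "fpr" { print $10; exit }')
        [ -n "$fpr" ]

        # Export the public key (what a correspondent or a Git forge needs).
        gpg --batch --armor --export "$fpr" > "$work/pub.asc"
        grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/pub.asc"

        # GnuPG 2.1+ stores a revocation certificate when the key is created;
        # --gen-revoke is interactive, so an unattended run verifies that copy exists.
        [ -s "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" ]

        # Encrypt to the recipient, decrypt, and require the plaintext to round-trip.
        printf 'constructed secret payload\n' > "$work/secrets.txt"
        gpg --batch --quiet --encrypt --recipient "$fpr" \
            --output "$work/secrets.txt.gpg" "$work/secrets.txt"
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --output "$work/secrets.out" --decrypt "$work/secrets.txt.gpg" 2>/dev/null
        [ "$(cat "$work/secrets.txt")" = "$(cat "$work/secrets.out")" ]

        # Detached, ASCII-armored signature over a release artifact, then verification.
        printf 'release contents\n' > "$work/release.tar.gz"
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --detach-sign --armor --output "$work/release.tar.gz.asc" "$work/release.tar.gz"
        gpg --batch --quiet --verify "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null

        # Append one byte: verification must now fail, otherwise the check is worthless.
        printf 'x' >> "$work/release.tar.gz"
        if gpg --batch --quiet --verify "$work/release.tar.gz.asc" "$work/release.tar.gz" 2>/dev/null; then
            echo "tampered artifact verified" >&2
            exit 1
        fi
        echo ok
    ); then
        status=0
    else
        status=1
    fi

    # Stop the agent that was started for the temporary home, then remove it.
    GNUPGHOME="$work/home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

gpg_workflow_demo
```

The function prints `ok` on success, `skipped: gpg not installed` when there is no `gpg` on the PATH, and returns non-zero (leaving no temporary files behind) if any step fails, including the case where a modified artifact still verifies.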
## Troubleshooting Tips

### Encryption works but trust warnings appear

- Confirm you imported the correct public key
- Verify fingerprints out of band before marking a key as trusted
- Do not treat keyserver availability as proof of identity

### Git signing fails

- Check that Git points to the expected key ID
- Confirm the GPG agent is running
- Verify terminal pinentry integration on the local system

### Lost laptop or corrupted keyring

- Restore from secure backups
- Revoke compromised keys if needed
- Reissue or rotate subkeys while keeping identity documentation current

## Best Practices

- Keep the primary key offline when practical and use subkeys day to day
- Generate and safely store a revocation certificate immediately
- Verify key fingerprints through a trusted secondary channel
- Back up secret keys securely before relying on them operationally
- Use GPG where it fits existing tooling; do not force it into workflows that are better served by simpler modern tools

## References

- [GnuPG Documentation](https://www.gnupg.org/documentation/)
- [The GNU Privacy Handbook](https://www.gnupg.org/gph/en/manual/book1.html)
- [GnuPG manual](https://www.gnupg.org/documentation/manuals/gnupg/)
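The two checks behind the Troubleshooting section above (comparing a fingerprint obtained out of band with what GnuPG reports, and confirming that Git's `user.signingkey` actually names a key in the local secret keyring) as an added example; this is not code from the page or from GnuPG. It parses the colon-separated listing that `gpg --with-colons --with-fingerprint` produces, in which `fpr` records carry the fingerprint in field 10. `SAMPLE_COLONS` is constructed to look like such a listing and contains no real key material, so the script runs without `gpg` installed; in use, feed it the real output of `gpg --with-colons --with-fingerprint --list-keys KEYID` or `--list-secret-keys`.

```shell
#!/bin/sh
# Added example, not part of the original page. Fingerprint and signing-key
# checks over GnuPG's --with-colons listing. SAMPLE_COLONS is constructed:
# a fake primary key (fingerprint 0123...4567, long key ID 89ABCDEF01234567)
# with one fake encryption subkey (long key ID FEDCBA9876543210).
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:255:22:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

# Canonical form of a fingerprint as a person reads it out: drop the spacing,
# uppercase the hex, so "0123 4567 ..." and "0123456789abcdef..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# The first fpr record in a listing belongs to the primary key; later ones
# belong to its subkeys. Field 10 holds the fingerprint.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# 0 when the out-of-band fingerprint equals the listed primary fingerprint,
# 1 when it differs, 2 when the caller supplied something shorter than the
# full 40 hex digits (a key ID is not a fingerprint and must not be accepted).
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    listed=$(primary_fingerprint "$2")
    [ "${#expected}" -eq 40 ] || return 2
    [ "$expected" = "$listed" ]
}

# Git's user.signingkey may be a long key ID (16 hex digits, optionally with a
# 0x prefix) or a full fingerprint. Either form must be a suffix of some key's
# fingerprint in the secret-key listing; shorter values are rejected outright.
signingkey_in_listing() {
    want=$(normalize_fpr "$1")
    want=${want#0X}
    [ "${#want}" -ge 16 ] || return 2
    printf '%s\n' "$2" | awk -F: -v want="$want" '
        $1 == "fpr" && substr($10, length($10) - length(want) + 1) == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Demonstration against the constructed listing.
if fingerprint_matches "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567" "$SAMPLE_COLONS"; then
    echo "fingerprint matches primary key"
fi
if signingkey_in_listing "0x89ABCDEF01234567" "$SAMPLE_COLONS"; then
    echo "configured signing key is present in the keyring"
fi
```

For the Git case, pass `$(git config --get user.signingkey)` as the first argument and the output of `gpg --with-colons --with-fingerprint --list-secret-keys` as the second; a return of 2 means the configured value is too short to identify a key unambiguously, a return of 1 means Git is pointing at a key this machine does not hold.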
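The first Best Practices item above ("keep the primary key offline, use subkeys day to day") in working form, as an added example that is not code from the page or from GnuPG. A key is generated in a throw-away "vault" keyring, only the secret subkeys are exported with `--export-secret-subkeys`, and a second throw-away "laptop" keyring that imports them must list the primary key as a stub (field 15 of the `sec` record is `#` in the colon listing, shown as `sec#` in the human-readable one) while still being able to sign. The identity, directory names and payload are constructed; it assumes GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example, not part of the original page: primary key stays in the
# "vault" keyring, the "laptop" keyring gets secret subkeys only.
# Identity and paths are constructed. Requires GnuPG >= 2.1.

offline_primary_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "skipped: gpg not installed"; return 0; }
    work=$(mktemp -d) || return 1

    if (
        set -e
        vault="$work/vault"; laptop="$work/laptop"
        mkdir -m 700 "$vault" "$laptop"

        # Vault: primary key plus the default encryption subkey, then a dedicated
        # signing subkey so day-to-day signing never needs the primary.
        GNUPGHOME="$vault" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "Vault Demo <vault@example.invalid>" default default never 2>/dev/null
        fpr=$(GNUPGHOME="$vault" gpg --batch --with-colons --with-fingerprint --list-secret-keys \
              | awk -F: '$1 == "fpr" { print $10; exit }')
        [ -n "$fpr" ]
        GNUPGHOME="$vault" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-add-key "$fpr" default sign never 2>/dev/null

        # Export the public key and the secret subkeys only; the primary's secret
        # material never leaves the vault directory.
        GNUPGHOME="$vault" gpg --batch --armor --export "$fpr" > "$work/public.asc"
        GNUPGHOME="$vault" gpg --batch --armor --export-secret-subkeys "$fpr" > "$work/subkeys.asc"

        # Laptop: import both files, then require the primary to be a stub.
        GNUPGHOME="$laptop" gpg --batch --quiet --import "$work/public.asc" 2>/dev/null
        GNUPGHOME="$laptop" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --import "$work/subkeys.asc" 2>/dev/null
        GNUPGHOME="$laptop" gpg --batch --with-colons --with-fingerprint --list-secret-keys \
            | awk -F: '$1 == "sec" && $15 == "#" { stub = 1 } END { exit stub ? 0 : 1 }'

        # Signing from the laptop keyring still works, through the signing subkey.
        printf 'constructed commit contents\n' > "$work/msg"
        GNUPGHOME="$laptop" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --detach-sign --output "$work/msg.sig" "$work/msg"
        GNUPGHOME="$laptop" gpg --batch --quiet --verify "$work/msg.sig" "$work/msg" 2>/dev/null
        echo ok
    ); then
        status=0
    else
        status=1
    fi

    # Stop both temporary agents before deleting their home directories.
    GNUPGHOME="$work/vault" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$work/laptop" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

offline_primary_demo
```

In a real setup the vault directory lives on offline media and is only mounted to certify other keys, add or rotate subkeys, or extend expiry; the laptop keyring is what Git and mail clients use, and losing it costs you the subkeys (which the vault can revoke and replace) rather than the identity.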