A Practical Guide to GPG – Part 3 Working with Public Key

In part 2 of this GPG tutorial series, you learned how to encrypt a message with a public key and decrypt it with the private key. In part 3, you will learn how to publish your public key to the world so that others can send you encrypted messages that can only be decrypted with your private key. We will also look at how to import and verify other people's public keys and how to manage your keyring.

Publish Your Public Key on Public Keyserver

Remember: you should never publish your private key, only your public key.

There are hundreds of public keyservers around the world. Ubuntu runs its own, and MIT has one too.

Use the following command to publish a key on a keyserver:

gpg --send-key <key-id>

This publishes your public key to the default keyserver, keys.gnupg.net. You can select a different public keyserver with the --keyserver option:

gpg --keyserver hkp://keyserver.ubuntu.com --send-key <key-id>

Import Others’ Public Key to Your Keyring

The public keyring contains your own public key and the public keys you have imported.

Import from a file:

gpg --import <public-key-file>

Import from a keyserver:

If you know the key ID beforehand, use the --recv-keys option to import the key from a keyserver.

gpg --recv-keys <key-id>

Use the following command to search for public keys on a keyserver. The user ID is the email address associated with the key.

gpg --search <user-id>

To specify a particular keyserver, use the --keyserver option as shown below:

gpg --keyserver hkp://keyserver.ubuntu.com --search <user-id>

Once you find the requested public key, you can import it to your keyring.

Validate Public Keys

When somebody gives you their public key, how do you know the key really belongs to that person? Once you have imported someone's public key, you should validate the key's authenticity.

Here’s how the validation process works:

  • View the fingerprint of the public key with the command: gpg --fingerprint <user-id>
  • Contact the key's owner over the phone, in person or by other means, as long as you are sure you are talking to the key's true owner, and ask the owner for the fingerprint of their key.
  • Compare the two fingerprints.
  • If the two fingerprints match, you can be sure you have the correct public key, and you sign the key to certify it as valid. To sign a key, use the command: gpg --sign-key <key-id>

The fingerprint is a hash of the public key. It is much shorter than the public key itself, which makes fingerprints easy to compare. You must have your own private key in order to sign someone else's public key.
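The validation steps above, as an added POSIX shell example that is not part of the original tutorial: it parses the fingerprint out of gpg's machine-readable --with-colons listing, compares it with the fingerprint the owner gave you out of band (ignoring spacing and case), and only certifies the key when they agree. The function names, the SAMPLE_COLONS data and the email address are constructed for the example; gpg on PATH is only needed for verify_and_sign, not for the dry run.

```shell
#!/bin/sh
# Fingerprint check before signing a key: parse gpg's machine-readable
# (--with-colons) listing, compare with the fingerprint the owner gave you
# out of band, and only then certify the key with --sign-key.

# Pull the primary key's fingerprint out of `gpg --with-colons --fingerprint`
# output: the first "fpr" record's 10th field (subkey fpr records come later).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalise a fingerprint as read aloud or pasted: drop spaces, uppercase hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Succeeds only when both fingerprints are non-empty and identical.
fingerprints_match() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Verify-then-sign (needs gpg on PATH): refuses to sign on any mismatch.
verify_and_sign() {
    key_id=$1
    owner_fpr=$2
    local_fpr=$(gpg --with-colons --fingerprint "$key_id" | fpr_from_colons)
    if fingerprints_match "$local_fpr" "$owner_fpr"; then
        gpg --sign-key "$key_id"
    else
        echo "fingerprint mismatch for $key_id: not signing" >&2
        return 1
    fi
}

# Constructed sample of --with-colons output (not a real key) for a dry run.
SAMPLE_COLONS='pub:u:2048:1:89ABCDEF4F0BDACC:1454284800:1517356800::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF4F0BDACC:
uid:u::::1454284800::0::Xiao Guoan <user@example.com>::::::::::0:
sub:u:2048:1:76543210E02A4EED:1454284800:1517356800:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210E02A4EED:'

# Dry run of the comparison step against the sample; $1 is what the owner read.
dry_run() {
    local_fpr=$(printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons)
    fingerprints_match "$local_fpr" "$1"
}
```

Note that the subkey's fingerprint (the second fpr record) is deliberately rejected: what you certify with --sign-key is the primary key, so that is the fingerprint the owner must confirm.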

Manage Your Keyring

List all keys in your public keyring:

gpg --list-keys


pub rsa2048/4F0BDACC 2016-02-01 [SC] [expires: 2018-01-31]
uid [ultimate] Xiao Guoan <[email protected]>
sub rsa2048/E02A4EED 2016-02-01 [E] [expires: 2018-01-31]

List all keys together with their signatures:

gpg --list-sigs


pub   rsa2048/4F0BDACC 2016-02-01 [SC] [expires: 2018-01-31]
uid         [ultimate] Xiao Guoan <[email protected]>
sig 3        4F0BDACC 2016-02-01  Xiao Guoan <[email protected]>
sub   rsa2048/E02A4EED 2016-02-01 [E] [expires: 2018-01-31]
sig          4F0BDACC 2016-02-01  Xiao Guoan <[email protected]>

The path printed at the top of the listing shows where the keyring file lives: ~/.gnupg/pubring.kbx. If you are using an old version of GPG, your public keyring file may instead be ~/.gnupg/pubring.gpg.

To delete a key:

gpg --delete-key <key-id>

Bonus tip: list the keys in your private keyring:

gpg --list-secret-key


sec   rsa2048/4F0BDACC 2016-02-01 [SC] [expires: 2018-01-31]
uid         [ultimate] Xiao Guoan <[email protected]>
ssb   rsa2048/E02A4EED 2016-02-01 [E] [expires: 2018-01-31]

In this part, you learned how to publish keys, import other people's keys and validate them. In part 4 of this GPG tutorial series, we will look at using GPG for signing.
