A Practical GPG Guide – Part 2 Encrypt and Decrypt Message

This is part 2 of my tutorials on GPG. In part 1, you generated your public/private keypair and a revocation certificate. In this post, you will learn how to encrypt message with public key and decrypt it with private key.

I will send my public key to my remote Debian box and encrypt a file on Debian using my public key. Then I send the encrypted file to my archlinux box which is installed on my laptop. Finally I will decrypt the file with my private key.

Send Public Key to Remote Debian box

I use scp utitlity to send my public key to my remote Debian box.

scp pubkey.asc [email protected]:~

Now I log into Debian.

ssh [email protected]

Import the public key on Debian

gpg --import pubkey.asc


gpg: key 4F0BDACC: public key "Xiao Guoan <[email protected]>" imported
gpg: Total number processed: 1
gpg:                           imported: 1 (RSA: 1)

Confirm the fingerprint

gpg --fingerprint <user-id>


pub   2048R/4F0BDACC 2016-02-01 [expires: 2018-01-31]
          Key fingerprint = F046 1D8F 7F64 F70A 5BBE D42E 02C8 7F19 4F0B DACC
uid                   Xiao Guoan <[email protected]>
sub    2048R/E02A4EED 2016-02-01 [expires: 2018-01-31]

The fingerprint is correct.

When you receive other’s public key, you should contact them by email, over the phone or in person to ask them if it’s the correct fingerprint. If the two fingerprints matches, then you get the correct public key. This is important!

Encrypt File With Public Key

To encrypt for a single recipient. --armor means the file will be ASCII armored instead of creating a binary file.

gpg --recipient <user-id> --encrypt --armor <file-name>

For multiple recipients

gpg --recipient <user-id1> --recipient <user-id2> --encrypt --armor <filename>

I encrypt a file named linuxbabe.conf on Debian 8 with my public key:

gpg --recipient [email protected] --encrypt --armor linuxbabe.conf


gpg: E02A4EED: There is no assurance this key belongs to the named user

pub 2048R/E02A4EED 2016-02-01 Xiao Guoan <[email protected]>
Primary key fingerprint: F046 1D8F 7F64 F70A 5BBE D42E 02C8 7F19 4F0B DACC
Subkey fingerprint: 372E A3B9 02C8 CB1F E324 3572 CCB8 DEFC E02A 4EED

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

Notice the warning “There’s no assurance this key belongs to the named user.” Press y and Enter. It will create a .asc file which is the encrypted file also know as ciphertext.

[email protected]:~# ls
 linuxbabe.conf   linuxbabe.conf.asc

Decrypt File with Private Key

Now I send the encrypted .asc file back to my archlinux box and enter the following command to decrypt it.

gpg --decrypt linuxbabe.conf.asc > linuxbabe.conf

linuxbabe.conf.asc is the encrypted file. I output the plaintext content to a file named linuxbabe.conf. It asks me to enter the passphrase to unlock my private key. After I enter the passphrase, the plaintext is sent to linuxbabe.conf file.

gpg: encrypted with 2048-bit RSA key, ID E02A4EED, created 2016-02-01
 "Xiao Guoan <[email protected]>"

In the decryption process GPG tells me the file is encrypted with 2048-bit RSA key and its key ID.

This is part2. In part 3 of GPG tutorial series, you will learn how to publish your public key to the world so others can send to you encrypted message that only can be decrypted with your private key. We will also look at how to import and verify other’s public key and manage your keyring. Catch you later!

Rate this tutorial
[Total: 1 Average: 5]