
GNU Privacy Guard (GPG) Explained


What are GPG keys?

GPG stands for GNU Privacy Guard.

It is used to verify the authenticity and integrity of a file. It is open-source software and follows the OpenPGP standard.

It is used to encrypt data and to digitally sign files, so that recipients can confirm a file comes from a trusted source.

A GPG key pair consists of two keys:

Private Key

The private key must be kept secret and must never be shared.

It is used to sign a file, telling the community that the file comes from a trusted source.

Public Key

The public key is shared with the entire community.

It is used to verify the integrity of a file that was signed by the developer.

If verification succeeds, the file is exactly what the trusted source signed.

If verification fails, the file has been tampered with, possibly to carry malicious software.

Security Threat

If the private key of a trusted source is shared or leaked, an attacker can impersonate the developer and replace the file with compromised software that still carries a valid signature.

How do GPG keys work?

To understand how GPG keys work, we simulate the process: generate a private and public key pair, then use them to sign files.

gpg --full-generate-key

What it does:

This command:

  1. Asks which algorithm to use (RSA, ECC, etc.).

  2. Asks for the key size (e.g., 3072 or 4096 bits).

  3. Asks for an expiration time.

  4. Asks for your name and email.

  5. Asks for a passphrase.

What happens internally:

  • GPG generates:

    • A private key

    • A public key

  • The private key is encrypted with your passphrase.

  • Keys are stored in the hidden folder ~/.gnupg/.

gpg --list-keys

What it does:

This command displays the list of public keys stored on the system.

Internally:

  • Reads the keyring database in:

    ~/.gnupg/pubring.kbx
    
  • Shows:

    • Key ID

    • Fingerprint

    • Expiration

    • Associated email

The fingerprint is very important: it uniquely identifies the key.

gpg --armor --export your@mail.com

What it does:

Exports your public key.

What --armor means:

Converts the binary key into ASCII format.

That's why the exported key looks like:

-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----

Internally:

  1. Takes your public key

  2. Encodes it in Base64

  3. Makes it shareable via email, GitHub, and websites

This is the key others use to verify you.

gpg --sign file.txt

What it does:

Creates a digitally signed version of the file.

Internally:

  1. GPG hashes the file (e.g., SHA-256)

  2. Encrypts that hash using your private key

  3. Attaches the signature to the file

This proves:

  • File integrity

  • Identity of signer

If the file changes, the hash changes, and verification fails.

gpg --verify file.txt.gpg

What it does:

Checks whether the signature is valid.

Internally:

  1. Extracts the signature

  2. Decrypts the signature using the sender's public key

  3. Recalculates the file hash

  4. Compares both hashes

If they match: the file is authentic.

If not: the file was modified.

This is digital trust in action.
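The whole workflow above (generate, list, export, sign, verify) run end to end as one script, added here as an example and not code from the original post. It goes slightly beyond the article: the key is generated non-interactively from a parameter file instead of the interactive prompts, the developer and the verifying user get separate throwaway keyrings so the private key never reaches the verifier, a detached signature is produced alongside the inline one, and the file is tampered with afterwards to show verification failing. It assumes gpg 2.1 or newer is on PATH; "Demo Developer", demo@example.com and the passphrase are constructed demo values.

```shell
#!/bin/sh
# Added example, not code from the original post: the article's workflow
# (generate, list, export, sign, verify) run end to end without prompts, in
# throwaway keyrings, plus a detached signature and a tamper check.
# Assumptions: gpg 2.1 or newer is on PATH; "Demo Developer",
# demo@example.com and the passphrase are constructed demo values.
set -eu

# Two separate keyrings: the developer who signs, and a user who only ever
# holds the exported public key. /tmp keeps gpg-agent's socket path short.
DEV_HOME=$(mktemp -d /tmp/gpgdev.XXXXXX)
USER_HOME=$(mktemp -d /tmp/gpguser.XXXXXX)
chmod 700 "$DEV_HOME" "$USER_HOME"
PASSPHRASE='demo-passphrase-not-for-real-use'   # constructed value
trap 'rm -rf "$DEV_HOME" "$USER_HOME"' EXIT

# Developer-side gpg: batch mode, passphrase via loopback pinentry (no prompt),
# --yes so re-runs may overwrite earlier output files.
dev_gpg() {
  gpg --homedir "$DEV_HOME" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$PASSPHRASE" "$@"
}
# User-side gpg: no private key, no passphrase, just the public keyring.
user_gpg() { gpg --homedir "$USER_HOME" --batch --quiet "$@"; }

# Non-interactive equivalent of `gpg --full-generate-key`: the same choices
# (algorithm, size, expiry, name, e-mail, passphrase) given as a parameter file.
generate_key() {
  # idempotent: skip if the demo key already exists in this keyring
  dev_gpg --list-secret-keys demo@example.com >/dev/null 2>&1 && return 0
  dev_gpg --gen-key <<EOF
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Name-Real: Demo Developer
Name-Email: demo@example.com
Expire-Date: 1y
Passphrase: $PASSPHRASE
%commit
EOF
}

# `gpg --list-keys` in machine-readable form: prints the 40-hex-digit fingerprint.
fingerprint() {
  gpg --homedir "$DEV_HOME" --batch --with-colons --list-keys demo@example.com \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# `gpg --armor --export`: ASCII-armored public key block, safe to publish.
export_public_key() { dev_gpg --armor --export demo@example.com > "$1"; }
import_public_key() { user_gpg --import "$1"; }

# `gpg --sign`: data and signature together in one .gpg file (as in the article).
sign_inline()   { dev_gpg --output "$1.gpg" --sign "$1"; }
# `--detach-sign`: signature in a separate .asc file, the usual form for downloads.
sign_detached() { dev_gpg --armor --output "$1.asc" --detach-sign "$1"; }

# Verification from the user's keyring. gpg exits 0 only for a good signature,
# so each function's return status is the answer.
verify_inline()   { user_gpg --verify "$1.gpg" 2>/dev/null; }
verify_detached() { user_gpg --verify "$1.asc" "$1" 2>/dev/null; }

# Whole workflow: returns 0 if the intact file verifies and the tampered copy does not.
run_demo() {
  work=$(mktemp -d /tmp/gpgwork.XXXXXX)
  printf 'release 1.0 contents\n' > "$work/file.txt"   # constructed sample file
  generate_key
  echo "fingerprint: $(fingerprint)"
  export_public_key "$work/developer.asc"
  import_public_key "$work/developer.asc"
  sign_inline "$work/file.txt"
  sign_detached "$work/file.txt"
  verify_inline "$work/file.txt"   || { rm -rf "$work"; return 1; }
  verify_detached "$work/file.txt" || { rm -rf "$work"; return 1; }
  echo "intact file: good signature"
  # Tamper: one extra line changes the hash, so the signature no longer matches.
  printf 'injected line\n' >> "$work/file.txt"
  if verify_detached "$work/file.txt"; then rm -rf "$work"; return 1; fi
  echo "tampered file: BAD signature, verification fails"
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not found; install GnuPG to run this demo" >&2
fi
```

The verifying keyring receives only the armored public key block, which is the situation a real user is in when checking a download, and gpg will warn that the key is not trusted while still reporting a good signature; that warning is the cue to compare the fingerprint against one obtained out of band. The detached form is worth knowing because it leaves the original file untouched and is what most projects publish next to their release archives.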
