PGP is the only known communication method capable of creating messages that cannot be read by anyone other than the intended recipient. Any other so-called "encrypted" messaging "app" can and should be assumed compromised, otherwise it wouldn't be allowed on your botnet phone in the first place, let alone constantly promoted by celebrity "dissidents" and other social media influencers.
Luckily PGP is still around, still works, and is fairly easy to use.
To install GnuPG (GPG), the most widely used implementation of PGP, follow these instructions depending on your operating system1. Before proceeding, first check to see if you already have a working copy of GPG on your machine. Open your terminal and execute:
If the output describes your installation of GPG then you're good to go and you can skip to the next section. If it says "command not found" you'll need to first install GPG.
First install Homebrew, then use it to install GPG.
brew install gnupg
Linux - Ubuntu
apt-get install gnupg
If you're using any version of Linux other than Oogabuntu it's assumed you already know how to install packages and have likely skipped this section anyway. After you've installed GPG, run the version check command again to verify that it's in your
PATH and working properly. The output should look something like this:
gpg (GnuPG) 2.2.40 libgcrypt 1.10.1-unknown Copyright (C) 2022 g10 Code GmbH License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
2. Key Creation
If you're already familiar with Bitcoin private keys then just know that you can think of PGP keys in the same way. Private keys are meant to be kept private. Depending on your level of risk and/or paranoia you may want to keep your private key(s) offline, or you may be fine with storing it on your everyday machine—that part is up to you. Unlike Bitcoin keys, you likely won't be generating hundreds, or even dozens. One or two should be all you need. Maybe down the road you'll generate a couple more for different use cases, but it doesn't share the same disposable model that most people are used to with Bitcoin.
To generate your keypair run the following command and follow the prompts to set a passphrase and whatever else it asks for. Other than the passphrase, the information collected is strictly for labeling and organizational purposes, so don't feel obligated to enter your IRL name or email, for example.
gpg --default-new-key-algo rsa4096 --gen-key
3. Key Importing
In order to create encrypted messages for one of your contacts you will first need their PGP public key. If they've sent your their key in an email or other communication channel simply save the entire block to a file and import with:
gpg --import /path/to/example.asc
If you're importing a key that is shared online, you can skip the step of saving to a file and simply fetch/import it with one line. For example, to import my public key, which is available at http://wot.deedbot.org/F5E9580D424CB952E67CBF6F2BBEFC527DC1FE40.asc, you would use:
curl -s "http://wot.deedbot.org/F5E9580D424CB952E67CBF6F2BBEFC527DC1FE40.asc" | gpg --import
Which uses the
curl command to fetch the data and then pipes it into the
4. Signing Messages and Other Data
If you want someone else to be able to verify that a message (or program, or any other piece of data) was authored by you and has not in the interim been tampered with by anyone else you can use GPG to "sign" the data. Anyone who has your public key, and the signed piece of data, will be able to verify that it is indeed from you and is in its original condition. To sign a piece of data use:
gpg -ab data-to-be-signed
As a real-world example, let's say I want to be sure that anyone following this guide can know that they're reading my original instructions, and that no bad actor has somewhere modified what they're reading and inserted malicious commands, such as
bitcoin-cli sendallmycoinstoh4x0r1. If I wanted to provide that level of assurance I might offer a signed copy of the body html of this article, using:
gpg -ab pgp-for-beginners.html
This will produce a file called
pgp-for-beginners.html.asc, which, if shared along with the original
pgp-for-beginners.html, can be used to verify the authenticity and integrity of the data contained therein.
5. Verifying Signatures
Verifying the signature of a piece of data is equally straightforward, simply use:
gpg --verify signature.asc signed-data
To try this out for yourself, you can use the files I generated for the previous step. Right-click > save the following two files:
And now run this command from the directory where the files are located:
gpg --verify pgp-for-beginners.html.asc pgp-for-beginners.html
Assuming you have my key imported the output should look like this:
gpg: Signature made Sun Mar 5 09:58:14 2023 CST gpg: using RSA key F5E9580D424CB952E67CBF6F2BBEFC527DC1FE40 gpg: Good signature from "billymg <firstname.lastname@example.org>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: F5E9 580D 424C B952 E67C BF6F 2BBE FC52 7DC1 FE40
You can ignore the WARNING. It's just saying that you don't know for sure that my key really belongs to me. So the signature may be valid, but the signing key may not actually be mine. Which is, in fact, true. The only way to know for sure is to meet me in person, in the real world, and confirm that my key's fingerprint matches what you have for my alleged key.
Since in many cases this is unrealistic, the usage of a WoT2 gets rid of most of the doubt. So even though you've never met the person, and don't really know if the person signing a given message is who they say they are, you can at least look at their history and see that they3 have been in good standing for a fair amount of time.
6. Encrypting Messages
In order to send someone an encrypted message that they—and only they—will be able to read, you will need their public key. Import their key into your GPG keychain by following Section 3, draft your message4, then run the following command:
gpg -ear recipient-key message-to-encrypt.txt
recipient-key can be the name, email, or ID/fingerprint of the key. To check how the key is labeled in your keychain, simply use:
This will print a list of the public keys in your keychain5. Let's say you have my public key and you want to send me a message that you've saved as
msg-to-billymg.txt6. Assuming you're in the same directory as the file, you can run the following command to encrypt the message to my key:
gpg -ear billymg msg-to-billymg.txt
This will encrypt the message and save it to a new file called
msg-to-billymg.txt.asc. YOU WILL NOT BE ABLE TO READ THIS MESSAGE, and neither will anyone else. It seems weird at first—"I encrypted it, shouldn't I be able to decrypt it??"—but it illustrates how asymmetric encryption works, and why it's so powerful. You can now safely paste the contents of
msg-to-billymg.txt.asc in an email, a WhatsApp message, or even out in the open on the public internet, and be assured that only I will be able to read it7. I personally like to use paste.deedbot.org because it's fast, simple, and it justwerks. The result is a short URL you can easily share with the intended recipient over whatever communication channel you normally use.
7. Decrypting Messages
When you're in possession of a message8 encrypted to a public key for which you have the corresponding private key, you will be able to decrypt the data with the following command:
gpg -d msg-to-decrypt.txt.gpg
This will output the decrypted contents directly to the console. If the content is binary data you won't want to do this, instead you'll want to specify an output file with
-o, like so:
gpg -d -o decrypted.tgz file-to-decrypt.tgz.gpg
A shorter version of this would be to run
gpg without any options, like so:
GPG will guess what you're trying to do, automatically decrypt the file, and write it to
If the sender pasted the message for you on paste.deedbot.org, you can fetch and decrypt the message in a single line with
curl -s "http://paste.deedbot.org/p4573iD" | gpg -d
8. Drafting Messages with 'Pass'
As mentioned in Section 6, drafting your private communications and saving the cleartext version to disk is not ideal9. Thankfully, there's an easy way to get around this with a program called Pass. Pass is a password manager, and a very good one, but it's also useful for drafting private documents in order to avoid ever having the cleartext version touch your disk.
8.1. Install Pass
Follow the instructions on the Pass website for your operating system.
8.2. Initialize the Password Store
pass init my-gpg-id
my-gpg-id with the ID of one of your private keys. Don't use the same one you also use for signing and private communication. If you need to create a new one follow step 2 again.
8.3. Create a Blank Message
pass insert pgpgrams/my-message-draft
Press 'enter' twice when prompted for a password to create a blank encrypted document stored at
8.4. Draft Your Message
pass edit pgpgrams/my-message-draft
After drafting your message, save normally. You can edit again at anytime with the same command. You now have a saved draft that ONLY YOU can read, avoiding the non-ideal scenario of letting a cleartext copy touch your disk.
8.5. Encrypt the Message for the Recipient
pass show pgpgrams/my-message-draft | gpg -ear recipient
You now have a new encrypted version of the message, this time that only the intended recipient can read. Share with the recipient however you like.
That's it, pretty simple.
- If you're using Windows, first uninstall Windows, then install Gentoo, then run
emerge -av app-crypt/gnupgto install GPG. [↩]
- Web of Trust [↩]
- Or rather, their key [↩]
- For now this just means saving a plaintext file to your disk somewhere. [↩]
- You can use
gpg -K(with a capital 'K') to get a list of private keys. [↩]
- This if fine for now, while you're learning, but requires saving an unencrypted version of the message to disk, which is not ideal for highly sensitive communications. [↩]
- Or anyone with my private key, which afaik is only me. [↩]
- Or any kind of data [↩]
- Yes, even if you immediately delete them after you're finished. Who knows how long bits can stick around on your HDD or SSD once written. [↩]