Have you ever sent a sensitive email and just hoped nobody intercepted it? Or do you need to digitally sign a contract without relying on third-party cloud services? The solution is GPG (GNU Privacy Guard), the open-source implementation of the OpenPGP standard. We, at Meteora Web, use it daily to protect client communications and internal email. In this guide we show you how to set up and use GPG to encrypt files, sign documents, and secure emails, with precise commands and real configurations.
What is GPG and why use it for signing and encrypting?
GPG is an asymmetric cryptography system: you get a key pair – a public key (to share) and a private key (keep secret). You encrypt a file or message with the recipient's public key; only they can decrypt with their private key. To sign, you use your private key and anyone with your public key can verify authenticity and integrity.
Why not just a password?
Symmetric encryption (e.g., AES with password) requires sharing the password – a risk. With GPG you share only the public key. Digital signatures guarantee integrity and authenticity. We see it every day: companies exchanging financial documents via email unencrypted. A costly mistake.
Sponsored Protocol
Difference between encryption and signing
- Encryption: makes content unreadable. Only the recipient can read it.
- Signing: does not hide content, but certifies the message comes from you and hasn't been altered.
- Both: can be combined – sign first, then encrypt.
A real example: when we manage the ERP of a clothing client, inventory reports with prices and suppliers are encrypted and signed before being sent to an external consultant.
How to install and configure GPG on Linux, macOS, and Windows?
GPG is available on all platforms. Installation is simple, but initial setup needs attention.
Installation
# Linux (Debian/Ubuntu)
sudo apt install gnupg
# macOS (with Homebrew)
brew install gnupg
# Windows: download Gpg4win from https://www.gpg4win.org/
Verify with gpg --version. On Windows, Gpg4win includes an Outlook plugin (GpgOL).
Generate a key pair
gpg --full-generate-key
Choose RSA and RSA (default), key length 4096. Passphrase is mandatory – use a long, memorable phrase. Without a passphrase, if someone steals your private key they have full access.
Sponsored Protocol
After generation, you get a key ID (e.g., 1A2B3C4D5E6F7890). Export your public key to share:
gpg --export --armor you@email.com > public-key.asc
Common mistake: not setting trust level
When you import someone else's public key, assign a trust level. GPG doesn't automatically know if that key is authentic. Use:
gpg --edit-key RECIPIENT_ID
trust> 5
Verify fingerprints through a different channel (phone call, in person).
How to encrypt and sign a file with GPG?
Here are the essential commands we use every week.
Encrypt a file for a specific recipient
gpg --encrypt --recipient recipient@email.com document.pdf
Output: document.pdf.gpg. You can specify multiple recipients: --recipient a@b.com --recipient c@d.com.
Sign a file (without encryption)
gpg --sign document.pdf
Creates document.pdf.gpg with binary signature. For a clearsign (file remains readable, signature appended):
gpg --clearsign document.pdf
Sign and encrypt in one command
gpg --sign --encrypt --recipient recipient@email.com document.pdf
Decrypt and verify
gpg --decrypt document.pdf.gpg
If signed, verification happens automatically. To verify separately:
Sponsored Protocol
gpg --verify signed-file.gpg
Real case: an e-commerce client asked us to encrypt database backups before uploading to cloud. One cron line: pg_dump ... | gpg --encrypt --recipient admin@company.com > backup.$(date +%Y%m%d).sql.gpg.
How to send encrypted emails with GPG and Thunderbird or Outlook?
The most operational part for daily work.
Thunderbird: install the extension
From Thunderbird 78 onward, OpenPGP support is built in. Go to Account Settings → End-to-End Encryption → Add OpenPGP Key. If you already have a GPG key, import it. Otherwise create one directly. When composing an email, click the security icons to sign or encrypt.
Outlook: use GpgOL (part of Gpg4win)
After installing Gpg4win, restart Outlook. You'll see a new toolbar with “Sign” and “Encrypt” buttons. Configuration is automatic if you import your private key into Kleopatra (the included management tool).
Sponsored Protocol
Exchanging public keys
To encrypt an email, you need the recipient's public key in your keyring. Ask contacts to send you their key (.asc file) or search a public keyserver:
gpg --search-keys name@email.com
Warning: keyservers don't guarantee authenticity. Always verify the fingerprint through a second channel.
Common error: “No secret key”
If you see this when trying to decrypt an email, you haven't imported your private key. Check with gpg --list-secret-keys.
What are common mistakes in GPG key management?
We've made them too. Here's what to avoid.
Weak or forgotten passphrase
Without a passphrase you can't use your private key. Use a password manager. We suggest writing the passphrase on paper and storing it in a safe – not in the cloud.
Outdated public key
If you lose your private key or it's compromised, revoke it with gpg --gen-revoke and distribute the revocation certificate. Then generate a new pair.
Not signing others' public keys
Web of Trust works only if you sign keys you've verified. Use gpg --sign-key ID to certify that the key truly belongs to that person.
Sponsored Protocol
Missing backup
Copy the ~/.gnupg directory to an offline encrypted USB drive. If your disk dies, you lose all keys.
What to do now
- Install GPG on your system (Linux, macOS, Windows) and verify with
gpg --version. - Generate your key pair (4096-bit):
gpg --full-generate-key. - Export your public key and share with colleagues or clients:
gpg --export --armor you@email.com > my-key.asc. - Configure your email client (Thunderbird or Outlook) to use your key.
- Exchange a test email – sign and encrypt a simple message, then ask the recipient to verify the signature.
- Store an offline backup of the
~/.gnupgdirectory and your passphrase.
Security in Italian SMEs is systematically underestimated. GPG is a mature, free, and powerful tool – but only if you learn to use it. We, at Meteora Web, integrate it into workflows for clients handling sensitive data. For a broader overview, check our pillar guide on cryptography and data security.