Encrypt and Sign Files and Emails with GPG — Protect Data and Communications Using Asymmetric Cryptography
[2026-07-05] Author: Ing. Calogero Bono

Have you ever sent a sensitive email and just hoped nobody intercepted it? Or do you need to digitally sign a contract without relying on third-party cloud services? The solution is GPG (GNU Privacy Guard), the open-source implementation of the OpenPGP standard. We, at Meteora Web, use it daily to protect client communications and internal email. In this guide we show you how to set up and use GPG to encrypt files, sign documents, and secure emails, with precise commands and real configurations.

What is GPG and why use it for signing and encrypting?

GPG is an asymmetric cryptography system: you get a key pair – a public key (to share) and a private key (keep secret). You encrypt a file or message with the recipient's public key; only they can decrypt with their private key. To sign, you use your private key and anyone with your public key can verify authenticity and integrity.

Why not just a password?

Symmetric encryption (e.g., AES with password) requires sharing the password – a risk. With GPG you share only the public key. Digital signatures guarantee integrity and authenticity. We see it every day: companies exchanging financial documents via email unencrypted. A costly mistake.

Difference between encryption and signing

  • Encryption: makes content unreadable. Only the recipient can read it.
  • Signing: does not hide content, but certifies the message comes from you and hasn't been altered.
  • Both: can be combined – sign first, then encrypt.

A real example: when we manage the ERP of a clothing client, inventory reports with prices and suppliers are encrypted and signed before being sent to an external consultant.

How to install and configure GPG on Linux, macOS, and Windows?

GPG is available on all platforms. Installation is simple, but initial setup needs attention.

Installation

# Linux (Debian/Ubuntu)
sudo apt install gnupg
# macOS (with Homebrew)
brew install gnupg
# Windows: download Gpg4win from https://www.gpg4win.org/

Verify with gpg --version. On Windows, Gpg4win includes an Outlook plugin (GpgOL).

Generate a key pair

gpg --full-generate-key

Choose RSA and RSA (default), key length 4096. Passphrase is mandatory – use a long, memorable phrase. Without a passphrase, if someone steals your private key they have full access.

After generation, you get a key ID (e.g., 1A2B3C4D5E6F7890). Export your public key to share:

gpg --export --armor you@email.com > public-key.asc

Common mistake: not setting trust level

When you import someone else's public key, assign a trust level. GPG doesn't automatically know if that key is authentic. Use:

gpg --edit-key RECIPIENT_ID
gpg> trust
Your decision? 5
gpg> quit

Verify fingerprints through a different channel (phone call, in person).

How to encrypt and sign a file with GPG?

Here are the essential commands we use every week.

Encrypt a file for a specific recipient

gpg --encrypt --recipient recipient@email.com document.pdf

Output: document.pdf.gpg. You can specify multiple recipients: --recipient a@b.com --recipient c@d.com.

Sign a file (without encryption)

gpg --sign document.pdf

Creates document.pdf.gpg with binary signature. For a clearsign (file remains readable, signature appended):

gpg --clearsign document.pdf

Sign and encrypt in one command

gpg --sign --encrypt --recipient recipient@email.com document.pdf

Decrypt and verify

gpg --decrypt document.pdf.gpg

If signed, verification happens automatically. To verify separately:

gpg --verify signed-file.gpg

Real case: an e-commerce client asked us to encrypt database backups before uploading to cloud. One cron line: pg_dump ... | gpg --encrypt --recipient admin@company.com > backup.$(date +%Y%m%d).sql.gpg.

How to send encrypted emails with GPG and Thunderbird or Outlook?

The most operational part for daily work.

Thunderbird: install the extension

From Thunderbird 78 onward, OpenPGP support is built in. Go to Account Settings → End-to-End Encryption → Add OpenPGP Key. If you already have a GPG key, import it. Otherwise create one directly. When composing an email, click the security icons to sign or encrypt.

Outlook: use GpgOL (part of Gpg4win)

After installing Gpg4win, restart Outlook. You'll see a new toolbar with “Sign” and “Encrypt” buttons. Configuration is automatic if you import your private key into Kleopatra (the included management tool).

Exchanging public keys

To encrypt an email, you need the recipient's public key in your keyring. Ask contacts to send you their key (.asc file) or search a public keyserver:

gpg --search-keys name@email.com

Warning: keyservers don't guarantee authenticity. Always verify the fingerprint through a second channel.

Common error: “No secret key”

If you see this when trying to decrypt an email, you haven't imported your private key. Check with gpg --list-secret-keys.

What are common mistakes in GPG key management?

We've made them too. Here's what to avoid.

Weak or forgotten passphrase

If you forget the passphrase you can't use your private key. Use a password manager. We suggest writing the passphrase on paper and storing it in a safe – not in the cloud.

Outdated public key

If you lose your private key or it's compromised, revoke it by distributing a revocation certificate. Since gpg --gen-revoke needs the private key, create the certificate right after generating the pair and keep it offline. Then generate a new pair.

Not signing others' public keys

Web of Trust works only if you sign keys you've verified. Use gpg --sign-key ID to certify that the key truly belongs to that person.

Missing backup

Copy the ~/.gnupg directory to an offline encrypted USB drive. If your disk dies, you lose all keys.

What to do now

  1. Install GPG on your system (Linux, macOS, Windows) and verify with gpg --version.
  2. Generate your key pair (4096-bit): gpg --full-generate-key.
  3. Export your public key and share with colleagues or clients: gpg --export --armor you@email.com > my-key.asc.
  4. Configure your email client (Thunderbird or Outlook) to use your key.
  5. Exchange a test email – sign and encrypt a simple message, then ask the recipient to verify the signature.
  6. Store an offline backup of the ~/.gnupg directory and your passphrase.

Security in Italian SMEs is systematically underestimated. GPG is a mature, free, and powerful tool – but only if you learn to use it. We, at Meteora Web, integrate it into workflows for clients handling sensitive data. For a broader overview, check our pillar guide on cryptography and data security.

Ing. Calogero Bono