Sharing Secrets with GPG

Sharing Secrets with GPG

Aaron Lahey

October 23, 2018


As software developers, we're often given access to various pieces of sensitive information in order to do our job. This could be anything from database passwords, API keys, TLS certificates, or even private SSH keys to our servers. Also, there's likely going to come a time when we need to share these secrets with our colleagues who don't have them. Maybe they're new to the team, or maybe they're working on a story which requires this information for the first time. Either way, this puts us in a pickle!

It's tempting to simply attach this information to an email or paste/upload it to Slack and assume that everything will be ok. But will it? How can we be sure? Is it worth risking our job, our company's reputation, or our users' privacy?

This blog is meant to be a simple introduction to gpg and a walkthrough of how to get set up, generate your own encryption keys, and send secrets over insecure forms of communication. It assumes a working knowledge of the command line and enough of an understanding of your operating system's package manager to install programs.

Public Key Cryptography

GPG uses a form of cryptography called public-key cryptography. Cryptography is a complex topic, but fortunately for us, a deep understanding of the math and theory behind it isn't necessary to grasp how it works at a high level.

In public key cryptography, we generate two encryption keys. One of these keys is called our private key, which—as the name suggests—we want to keep a secret. The other is our public key, which we can publish for the world to see. These two separate keys let us do some interesting things. First, we can encrypt data using our private key, send it to someone, and using our public key they can decrypt the message and gain a reasonable level of assurance that it was actually us who authored the message. We call this process signing. Similar to signing a document using our written signature, we're signing the message using our cryptographic signature. Conversely, anyone in the world can encrypt some data with our public key, send it back to us, and have a reasonable level of assurance that only we can decode it. We refer to this is as encryption (even though they're both technically encryption).

Installing GPG

GPG can be installed using GPG Tools or from the package manager for your specific operating system. Here are some examples...


brew install gnupg


sudo apt-get install gnupg

Generating Your Own Keypair

Although one doesn't technically need their own public and private keys to encrypt a message to someone else, it's a good idea to generate them. We'll need them if we want to receive encrypted messages at some point in the future, and we'll need our own private key for one small step later in the process. To generate a key, run the following command...

gpg --full-generate-key

This command will start the key generation process and prompt you with a few questions...

gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
	(1) RSA and RSA (default)
	(2) DSA and Elgamal
	(3) DSA (sign only)
	(4) RSA (sign only)
Your selection?

The default selection of RSA and RSA is ok here.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

Type 4096 and press enter.

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)

Let's pick a reasonable expiration time of 1 year by typing 1y and pressing enter.

Key expires at Sat Oct 5 20:35:44 2019 CDT
Is this correct? (y/N)

Type y, press enter, and then proceed to fill out the requested information...

GnuPG needs to construct a user ID to identify your key.

Real name: Aaron Lahey
Email address:
You selected this USER-ID:
"Aaron Lahey <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Type O and press enter. When presented with the password screen, type a password and press enter. This is the password you'll use to unlock your private key when you want to sign or decrypt anything.

Creating Our Secret

Before we begin encrypting files we first need something to encrypt. Let's create a text file with some fake sensitive data using the following command...

$ echo 'secretpassword' > password.txt

Once the file is created, let's make sure it's correct...

$ cat password.txt

Looks good! Let's imagine I want to send this file to my new teammate Ben. I might be tempted to attach it to an email or upload it to Slack, but remember, this file contains sensitive information—-perhaps a production database password! We need a way to encode this file so that Ben is the only one who can decode and read it.

Importing a Public Key

To do that, we encrypt the file using Ben's public key. Since Ben possesses the corresponding private key and he's taken precautions to keep it safe, only he'll be able to decrypt it. Before we do that, let's make sure we have his public key on our computer...

$ gpg --list-keys --quiet
pub rsa4096 2018-09-11 [SC] [expires: 2019-09-11]
uid [ultimate] Aaron Lahey <>
sub rsa4096 2018-09-11 [E] [expires: 2019-09-11]

Uh oh! The only public key we have on our computer is our own! Since Ben is relatively new to gpg, maybe we can offer a few suggestions. First, let's figure out his key ID by executing the same list command as above on his computer...

$ gpg --list-keys --quiet
pub rsa2048 2018-09-21 [SC] [expires: 2020-09-20]
uid [ultimate] Ben Smith <>
sub rsa2048 2018-09-21 [E] [expires: 2020-09-20]

This command prints a brief summary of each public key and actually includes more information than necessary. All Ben needs to worry about is the ID, which in this case is 765312983429D55B17AFD25DC4B96D7E4D5256FE. Once we have the ID, we can export his public key...

$ gpg --export 765312983429D55B17AFD25DC4B96D7E4D5256FE
/SHw!Ben Smit <>!vS4)[]

Ĺm~MRVLȄhI@g DH.%|sR^Rj6[ԀaAF2T^)zwEWU5y[```~aSCmA{q}x=Zg#V_wޥyI/6}r6
Ĺm~MRVtvZ{>#mzNDgArH;D߷ɭr[ϘXݭқLd~e;Cyd+XScl;&?DK8#ߋ#忘WVZc_/]n麏iknK`V52ߤ%V)vů;u=&-u#G<`eιS]*Ѕ6~E\ [$

Yikes! What is all this garbage gpg printed on his screen? By default, gpg exports keys in a binary format, and this is how it happens to print at the command line. Let's ask Ben to add the --armor flag to export a textual encoding of his key...

$ gpg --armor --export 765312983429D55B17AFD25DC4B96D7E4D5256FE


Great! All that's left is to have Ben send us this key and we can import it into our own local copy of gpg. Remember, since this is Ben's public key, he doesn't need to be at all concerned about security when handling it. He could email it, send it over Slack, upload it to a public key server, post it on his personal website, whatever!

For our purposes, however, we need to give a moment of thought to the security implications of our particular mode of communication. If we're chatting on Slack, am I sure it's him at his computer? Am I sure his Slack account wasn't compromised and I'm actually receiving a public key for someone else? If it is him, and he sends the key using email or Slack, are we positive that someone at Google or Slack hasn't intercepted the message and injected their own public key? Likely none of those things are true, but depending on the information you're exchanging and how likely you are to be targeted, it's probably wise to have a relative level of skepticism.

Let's assume we are 100% sure this public key is Ben's. Go ahead and save this key to a file called ben.asc and import it...

$ gpg --import ben.asc
gpg: key C4B96D7E4D5256FE: public key "Ben Smith <>" imported
gpg: Total number processed: 1
gpg: imported: 1

...and ensure it's there...

$ gpg --quiet --list-keys
pub rsa4096 2018-09-11 [SC] [expires: 2019-09-11]
uid [ultimate] Aaron Lahey <>
sub rsa4096 2018-09-11 [E] [expires: 2019-09-11]

pub rsa2048 2018-09-21 [SC] [expires: 2020-09-20]
uid [unknown] Ben Smith <>
sub rsa2048 2018-09-21 [E] [expires: 2020-09-20]

Trusting a Public Key

Nice! We can now use this public key to encrypt a message to Ben! To make things a bit easier, we can refer to this key using Ben's email address. Also, let's not forget the --armor flag. Just like exporting a key, encrypting a message will output binary data by default. Here's the command...

$ cat password.txt | gpg --encrypt --armor --quiet --recipient
gpg: FCBCAAE5AA521807: There is no assurance this key belongs to the named user
sub rsa2048/FCBCAAE5AA521807 2018-09-21 Ben Smith <>
Primary key fingerprint: 7653 1298 3429 D55B 17AF D25D C4B9 6D7E 4D52 56FE
Subkey fingerprint: 3D74 62B3 DC49 9C07 E208 A344 FCBC AAE5 AA52 1807

It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes.

Use this key anyway? (y/N)

Hmmmm. It seems that even though we're sure the key is authentic, gpg has its doubts. To inform gpg that this is a public key we trust we need to sign it (please be sure to validate this key's authenticity first). Remember from earlier, when we sign something, we're actually encrypting it with our secret key. To sign a key, we need open the interactive gpg prompt...

$ gpg --edit-key
gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub rsa2048/C4B96D7E4D5256FE
	created: 2018-09-21 expires: 2020-09-20 usage: SC
	trust: unknown validity: full
sub rsa2048/FCBCAAE5AA521807
	created: 2018-09-21 expires: 2020-09-20 usage: E
[ full ] (1). Ben Smith <>


At this prompt, type sign and confirm our choice...

gpg> sign
gpg: using "B204475FD47FBA3371E656AFF4496594665C6136" as default secret key for signing

pub rsa2048/C4B96D7E4D5256FE
	created: 2018-09-21 expires: 2020-09-20 usage: SC
	trust: unknown validity: unknown
	Primary key fingerprint: 7653 1298 3429 D55B 17AF D25D C4B9 6D7E 4D52 56FE

Ben Smith <>

This key is due to expire on 2020-09-20.
Are you sure that you want to sign this key with your
key "Aaron Lahey <>" (B204475FD47FBA33)

Really sign? (y/N) y


Once that's done, we can save the key by typing save and pressing enter.

gpg> save

Encrypting and Decrypting Our Secret

Now that we've instructed gpg to trust Ben's public key, let's give encrypting that password another try...

$ cat password.txt | gpg --encrypt --armor --quiet --recipient


Success! We can send this to Ben in an email or via a Slack message and nobody except him will be able to decipher it! Unfortunately, it looks like Ben is struggling to decrypt this message. We can help him out by telling him to run the following command...

cat encrypted-password.txt | gpg --quiet --decrypt


This might seem like a lot of work just to send a message to someone, but here's the good news: If we want to send any more encrypted messages to Ben, the majority of the work is already done! We only need to repeat the steps from the previous section.

It's also worth looking at tools like Keybase. Keybase aims to make this process much more user-friendly. It also aims to solve the public key trust problem mentioned above. You can upload public keys to Keybase and then correlate your Keybase identity with your identity on various social platforms, such as Twitter or Github.

If you're interested in this stuff, this GPG Tutorial is an excellent resource and will guide you through more advanced topics, such as generating a revocation key.

Keeping our company and our client's secrets private is important! So remember, regardless of whether you use gpg directly or you move to a tool like Keybase: dance like no one's watching and encrypt like everyone is.

Aaron Lahey

Principal Crafter

Aaron Lahey is an experienced technical team lead and software engineer with a proven record of successfully delivering software systems despite tight deadlines and myriad constraints. He is a full-stack developer and polyglot with a particularly rich set of experiences in system integration, legacy system migration, and cloud infrastructure. He generously shares his knowledge and frequently mentors his 8th Light and client colleagues who are at different stages in their career.