How to Use GPG Encryption on Fedora for Files and Email

You have sensitive data to move

You have a configuration file with database credentials. You need to send it to a teammate over email. Copy-pasting it into the body is a bad idea. Attaching it as plain text is worse. You need encryption that guarantees only the recipient can read it. GPG is the tool. Fedora ships with GnuPG pre-installed. This article covers generating keys, encrypting files, signing artifacts, and integrating with Thunderbird.

How GPG protects your data

GPG implements the OpenPGP standard. It uses asymmetric cryptography. You generate a key pair. The public key acts as a lock. Anyone can use it to encrypt data. Only your private key can unlock that data. You share the public key freely. You guard the private key.

Signing works in reverse. You sign data with your private key. Anyone with your public key can verify the signature. This proves the data came from you and has not been altered. Think of the public key as a mailbox slot. Anyone can drop a letter inside. Only you have the key to open the box. Signing is like sealing a letter with a unique wax seal. Anyone can compare the seal to a sample to confirm it is yours.

Generate a key pair

Run the full generation wizard to create a robust key pair. Fedora supports both RSA and Ed25519 algorithms. RSA 4096-bit offers broad compatibility. Ed25519 provides smaller keys and faster operations with modern security. Choose Ed25519 if your workflow supports it. Set an expiration date to force periodic key rotation. Protect the key with a strong passphrase. GPG stores the passphrase nowhere. Losing it locks you out of your private key permanently.

gpg --full-generate-key
# --full-generate-key invokes the interactive wizard with all algorithm options visible.
# Default is RSA. Select option 4 for Ed25519 if available for modern efficiency.
# Set a key size of 4096 for RSA or accept default for Ed25519.
# Choose an expiration date to enforce key lifecycle management.
# Enter a strong passphrase. This encrypts the private key on disk.

The key material lives in ~/.gnupg/. GPG creates this directory automatically. Ensure the directory permissions are strict. Run chmod 700 ~/.gnupg if the directory exists before generation. GPG will refuse to operate if permissions are too open.

Back up your keyring. Losing the private key means losing access to encrypted data forever.

Manage and verify keys

List your keys to confirm generation and check trust status. Use the long key ID format to avoid collisions. Short key IDs can match multiple keys in large keyrings. The long format shows more of the fingerprint, reducing ambiguity.

gpg --list-keys --keyid-format long
# --keyid-format long displays the full key ID segment.
# Output lists public keys in the local keyring with their trust markers.
# [ultimate] indicates a key you generated and fully trust.

gpg --list-secret-keys --keyid-format long
# Lists private keys available for signing and decryption.
# Verify the key ID matches the public key you intend to use.
# Secret keys must be present for signing operations to succeed.

Import recipient keys before encrypting for them. Verify the fingerprint with the recipient over a separate channel. Keyservers can contain spoofed keys. Never trust a key solely based on the email address match.

gpg --import recipient_public_key.asc
# Imports the public key into your local keyring.
# Check the output for the fingerprint and UID.
# Confirm the fingerprint matches what the recipient provided.

Check the fingerprint with the recipient over a separate channel. Keyservers can be spoofed.

Encrypt and decrypt files

Encrypt a file for a specific recipient. GPG looks up the recipient by email or key ID. The output file gets a .gpg extension. The original file remains unchanged. You can encrypt for multiple recipients by repeating the --recipient flag.

gpg --encrypt --recipient recipient@example.com report.txt
# Encrypts report.txt for the specified recipient.
# Produces report.txt.gpg. The original file is preserved.
# --recipient targets the encryption to a specific key ID or email.
# GPG fails if no valid public key matches the recipient.

Decrypt the file to recover the plaintext. GPG prompts for your passphrase to unlock the private key. Redirect stdout to a file to save the result. Piping to stdout can truncate data if the terminal buffer fills or if the output contains binary content.

gpg --decrypt report.txt.gpg > report.txt
# Decrypts the file and writes output to stdout.
# Redirect to a file to recover the plaintext safely.
# GPG prompts for your passphrase to unlock your private key.
# Check the exit code. Non-zero indicates decryption failure.

Redirect output to a file. Piping to stdout can truncate data if the terminal buffer fills.

Sign and verify artifacts

Sign files to prove authorship and integrity. Use detached signatures for scripts, binaries, or documents where you want to keep the signature separate. A detached signature creates a .sig file. The recipient verifies the signature against the original file.

gpg --detach-sign script.sh
# Creates a detached signature file named script.sh.sig.
# The original file remains untouched.
# Use this for distributing software where the recipient verifies integrity.
# GPG uses your default secret key for signing.

Verify signatures before executing downloaded content. GPG checks the signature against the file and reports the result. A good signature means the file matches the signer and has not changed.

gpg --verify script.sh.sig script.sh
# Checks the signature against the file.
# Output indicates "Good signature" and the signer's identity.
# A mismatch indicates tampering or a corrupted file.
# Verify the trust level. "WARNING" means the key is not trusted.

Verify signatures before executing downloaded scripts. Trust but verify is the only policy that works.

Share your public key

Export your public key to share with others. Use the --armor flag to encode the key as ASCII text. This makes the key safe for email or web hosting. Upload the key to a keyserver for global discovery. Keys.openpgp.org is the recommended keyserver. It requires email verification before publishing. Keyservers are distributed. Once a key is uploaded, it replicates across the network and cannot be deleted.

gpg --armor --export your@email.com > my_public_key.asc
# --armor encodes the binary key as ASCII text for easy sharing.
# Export the public key to a file you can email or host.
# The file contains only the public key, safe for distribution.

gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
# Uploads the public key to a keyserver for global discovery.
# Keyservers replicate globally. The key cannot be removed later.
# Use keys.openpgp.org to ensure email verification prevents spam.

Upload your public key once. Keyservers replicate globally and keys cannot be removed.

Email encryption with Thunderbird

Fedora's Thunderbird packages include built-in OpenPGP support. You do not need the Enigmail plugin. Go to Account Settings, select End-To-End Encryption, and import your existing key or generate a new one in the UI. Thunderbird manages the keyring integration automatically. It signs outgoing messages by default. It encrypts messages when the recipient's public key is available. Check the lock icon in the compose window to confirm encryption is active.

Use Thunderbird's built-in OpenPGP when you want seamless email encryption without command-line interaction.

Symmetric encryption for quick tasks

Use symmetric encryption when you do not need a key pair. This mode encrypts with a passphrase. Both sender and recipient must share the passphrase securely. GPG does not protect the passphrase transmission. Use this only when you can exchange the passphrase through a trusted channel. Specify AES256 for strong encryption.

gpg --symmetric --cipher-algo AES256 secrets.txt
# Encrypts using a passphrase instead of a key pair.
# --cipher-algo AES256 enforces a strong symmetric algorithm.
# Produces secrets.txt.gpg. The original file remains.
# Both parties must know the passphrase to decrypt.

Use symmetric encryption only when you can share the passphrase securely. GPG does not protect the passphrase transmission.

Verify your workflow

Test encryption and decryption locally. Encrypt a file, decrypt it, and compare the result. Use diff to confirm the files match. No output from diff means the content is identical. Test signing and verification. Sign a file, verify it, and check for "Good signature". Ensure the signer matches your key. Test key export. Export the public key and import it into a temporary keyring to confirm the key structure is valid.

gpg --decrypt report.txt.gpg | diff - report.txt
# Decrypts and compares against the original file.
# diff returns no output if the files are identical.
# Non-zero exit code indicates corruption or mismatch.

Run the diff test. Silent output means your encryption and decryption pipeline is intact.

Common pitfalls and errors

GPG prints gpg: decryption failed: No secret key when you try to decrypt a file encrypted for a key you do not possess. Import the correct private key or ask the sender to encrypt for your public key.

GPG prints gpg: bad signature when the file has been modified or the signature does not match. Verify the file source. The file may be corrupted or tampered with.

GPG prints gpg: key 12345678: public key not found when you try to encrypt for a recipient whose key is missing. Import the recipient's public key before encrypting.

Key ID collisions occur when short key IDs match multiple keys. Use --keyid-format long in all commands. This reduces the risk of targeting the wrong key.

Trust warnings appear during verification. GPG prints WARNING: This key is not certified with a trusted signature. This means you have not established trust in the key. Verify the fingerprint manually and set the owner trust if appropriate. Run gpg --edit-key KEY_ID and use the trust command to adjust trust levels.

Permissions errors occur if ~/.gnupg is world-readable. GPG refuses to run. Run chmod 700 ~/.gnupg and chmod 600 ~/.gnupg/* to fix permissions.

Generate a revocation certificate immediately. Store it offline. You need it if your private key is compromised.

gpg --gen-revoke YOUR_KEY_ID > revocation_cert.asc
# Generates a revocation certificate for your key.
# Select reason for revocation. "Key has been compromised" is common.
# Save the certificate to a secure, offline location.
# Import this certificate to invalidate the key if necessary.

Generate a revocation certificate immediately. Store it offline. You need it if your private key is compromised.

Choose the right tool

Use GPG when you need standard OpenPGP compatibility for email and files. Use openssl when you are scripting low-level cryptographic operations or managing certificates. Use age when you want a simpler command-line interface for file encryption without key management overhead. Use Thunderbird's built-in OpenPGP when you want seamless email encryption without command-line interaction. Stick to GPG when you are maintaining compatibility with legacy systems or enterprise key servers.

Where to go next

• How to Sign RPM Packages with GPG Keys
• How to Configure firewalld Using the GNOME Firewall GUI
• How to Install and Configure a Firewall on Fedora

GPG is a tool that locks your files and emails so only the right person can open them, and it proves you sent them. Think of it like sealing a letter with a wax stamp that only you have the mold for. You use it on Fedora to secure your data before sharing it with others.