File and Email Encryption With GnuPG (PGP) Part Four

How PGP Keys Divide and Conquer: Public, Private, and the Role of GnuPG

When you start working with GnuPG you’ll quickly learn that every encryption and signature operation relies on a pair of keys. Think of the public key as a padlock that anyone can snap shut, and the private key as the only key that opens it, which you alone hold. This split is the core of PGP’s security model: the public key can be shared freely, while the private key must stay hidden and protected by a strong passphrase. GnuPG makes managing these keys surprisingly straightforward, but the mechanics behind encryption and signing still deserve a close look.

Encryption with GnuPG is simply a matter of feeding the data you want to hide into the program along with the recipient’s public key. The data is transformed into ciphertext that only someone possessing the matching private key can turn back into readable text. Signing, on the other hand, does not hide the data; it attaches a small block of information to the file that proves the file came from you and has not been tampered with. When a receiver opens the signed file, GnuPG uses the public key of the signer to verify the signature. If the verification succeeds, the user knows the data is authentic; if it fails, the file is suspect.

Because GnuPG treats encryption and signing as distinct capabilities, it’s common to generate a single key pair and mark it as both “encryption” and “signing” capable. In practice this means you can use the same key to receive encrypted mail and to sign outgoing messages. Some users, however, create separate keys for each purpose to enforce tighter security boundaries. Regardless of how you structure your key pairs, the workflow for sending encrypted messages remains the same: you need the recipient’s public key, and you need your own private key, protected by its passphrase.

When you first create a key pair in GnuPG, the program writes two files to the ~/.gnupg directory: one for the public key and one for the private key. The public key file is safe to distribute; you can paste it into an email, publish it on your website, or upload it to a public keyserver. The private key file, however, is protected by a passphrase that you must remember. If you forget this passphrase, you lose access to all encrypted data that was secured with that key.

GnuPG’s design encourages a simple key distribution model: the public key travels freely while the private key stays offline. This separation is the foundation of trust in PGP systems. The next step is to figure out how to share public keys with the people you want to communicate with, and how to pull them from keyservers when you need them.

Pulling Public Keys From Keyservers: The “--recv-key” Command and its Configuration

If someone has already uploaded their key to a public keyserver, retrieving it is a matter of a single command. Suppose you know a colleague’s key ID is D5D3BDA6. You can fetch it with:

$ gpg --recv-key D5D3BDA6

After a moment, GnuPG will report that it has imported the key:

gpg: key D5D3BDA6: public key "John Doe ... <jdoe@example.com>" imported

Behind the scenes, GnuPG contacts a keyserver, downloads the public key, and stores it in your keyring. The next time you encrypt a file for that person, GnuPG will use the imported key automatically.

To make this process work, GnuPG needs to know which keyserver to contact. By default it may try a few well‑known servers, but you can pin a specific one in your configuration file. Add the following line to either ~/.gnupg/gpg.conf or ~/.gnupg/options:

# Use the US PGP keyserver
keyserver wwwkeys.us.pgp.net

Keyservers are interconnected; they sync keys between each other, so you can pick one that’s geographically close to you or simply one that you trust. The command above tells GnuPG to look on wwwkeys.us.pgp.net when you run --recv-key.

Once you have a key in your keyring, you can verify its authenticity before trusting it. In the next section we’ll cover how to import keys you receive by other means and how to export your own public key so others can add you to their own keyrings.

Managing Keys Locally: Importing, Exporting, and Inspecting

Sometimes a public key arrives in a file - perhaps attached to an email or downloaded from a colleague’s website. GnuPG handles this scenario with the --import command. If the file is called john_pgp_public_key.asc, you would run:

$ gpg --import /path/to/john_pgp_public_key.asc

GnuPG reports the key’s import status, including the key ID and the user’s name and email address. Once the key is in your keyring, you can immediately use it for encryption or signature verification.
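As an added example (not from the article or the GnuPG project), here is a small shell script that imports a key file only after its fingerprint matches one obtained out of band, which is the authenticity check the keyserver section mentions before trusting an imported key. The function names, the throwaway-keyring approach and the sample colon-format listing are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): import a public key from a file only
# after its fingerprint matches one obtained out of band (phone, in person).
# The expected fingerprint and the sample listing below are constructed.

# Drop spaces and uppercase so differently formatted fingerprints compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint` output on stdin and print the primary
# key fingerprint: field 10 of the first "fpr" record that follows a "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" {want = 1; next}
             $1 == "fpr" && want {print $10; want = 0}' | head -n 1
}

# Succeed only if the listing on stdin has the expected primary fingerprint.
fpr_matches() {
    expected=$(norm_fpr "$1")
    got=$(primary_fpr)
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$expected" ]
}

# Import into a throwaway keyring first, check the fingerprint there, and only
# then import into the real keyring. Needs gpg on PATH; not exercised offline.
import_if_fingerprint_matches() {
    keyfile=$1 expected=$2
    tmp=$(mktemp -d) || return 1
    if gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null &&
       gpg --homedir "$tmp" --batch --with-colons --fingerprint 2>/dev/null |
           fpr_matches "$expected"; then
        gpg --batch --import "$keyfile"; rc=$?
    else
        echo "fingerprint mismatch: refusing to import $keyfile" >&2; rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed colon-format listing (placeholder fingerprints, not real key data);
# the short key ID D5D3BDA6 is the one the article uses.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEFD5D3BDA6:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFD5D3BDA6:
uid:-::::1700000000::0000000000000000000000000000000000000000::John Doe <jdoe@example.com>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Run it as `import_if_fingerprint_matches /path/to/john_pgp_public_key.asc "<fingerprint read out by John>"`; the script rejects the file when only a subkey fingerprint matches, since the check is against the primary key.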
