The GNU Privacy Guard (GPG) is very easy to use, more people should know how. So here is a very short HOWTO for the command line program. You may not need to use the command line: some mail clients have GPG support (e.g. mutt, KMail, Evolution), and dedicated GUIs for file encryption and key management are becoming available. For more information, visit (there is a more complete Mini HOWTO in several languages there), or try man gpg.

First: if you haven't run gpg before, just execute


This makes the .gnupg directory and .gnupg/options file. Then follow a recipe below.

Encrypt text for me using GPG, in two easy steps

  1. gpg --import < da-pubkey.asc
  2. gpg --encrypt -r da@inf.ed --armour < input.txt -o output.txt
  1. Add my public key onto your keyring, from a file da-pubkey.asc (click to download).
  2. Encrypt the file input.txt into the file output.txt, for the recipient da@inf.ed. Now output.txt will only be readable by me, using my private key.

GPG will ask for confirmation at step 2, because no trust has yet been given to my key. Later on, if you believe the key you added is really mine, you could sign it with your own key. One way to be sure is to check key fingerprints. Mine are shown below. (But if you downloaded the key data and these fingerprints from the same place, there is always the risk that both may be imposters...)

Check my signature on some text, in two easy steps

  1. gpg --import < da-pubkey.asc
  2. gpg --verify < message.txt
  1. As above.
  2. Verify a signed message in file message.txt.

Again, GPG will warn that you haven't yet assigned trust to my key to say that it is really mine.

Make and distribute your own keys, in two easy steps

  1. gpg --gen-key
  2. gpg --armour --export uid > uid-pubkey.asc
  1. Make a new key pair. GPG will ask a bunch of questions, you can simply accept the suggested defaults, which will generate a separate encryption and signing key.
  2. Export an `ASCII armoured' copy of your key, where uid is your user ID, used to match against the identity you gave above.

Make use of a public keyserver, in three easy steps

  1. Edit ~/.gnupg/options and uncomment the line
  2. Import keys with: gpg --search-keys Aspinall
  3. Export keys with: gpg --send-keys da@inf.ed

My public key fingerprints

 Primary UID: David R. Aspinall <>

 Signing (1024 bit DSA, id 32CAF9A9):          0D2B 49CB A37C 145E EC2C  8654 8DFD 20AF 32CA F9A9

 Encryption  (1024 bit ElGamal, id CA7F6912):  5B3A 44DB E87B 68AC 61FB  7B0D FA41 8929 CA7F 6912

(Usually you only need to check the signing key since that's used to sign the encryption key).

NB: This is the fingerprint for a new key generated on 2005-05-02. My previous key has been revoked.
If you imported my previous key, please delete it with: gpg --delete-key

my Vcard
David R. Aspinall, email
Contact GPG key (Instant HOWTO)