GPG

GPG is an encryption standard – for digital signatures, confidentiality, and integrity.

For tech-savvy users, it’s a tool. For security professionals: a proven standard. For us: a natural part of digital communication.

What does GPG mean?

GPG stands for GNU Privacy Guard – a free cryptographic tool that uses asymmetric encryption. It enables two core capabilities:

  • Digital signatures: Proof that a message came from a specific person and hasn’t been altered.
  • Encryption: Protection of content from third-party access.

Technically, GPG is based on the OpenPGP standard – the open counterpart to proprietary solutions like S/MIME.

GPG, OpenPGP and PGP – what's the difference?

  • PGP (Pretty Good Privacy) was the first widely used software for asymmetric email encryption. It was developed in the 1990s – initially as proprietary software.
  • OpenPGP is the open standard it’s based on, published as an RFC. It defines formats and functionality independent of any specific implementation.
  • GPG (GNU Privacy Guard) is a free, open-source implementation of that standard – and today the de facto standard in the open-source ecosystem.

So when you find a file like /.well-known/pgp-key.txt, it usually contains a GPG-compatible OpenPGP key – and that’s also the case with us.

In short: We use GPG – it speaks OpenPGP – and is compatible with PGP.

How does GPG work?

GPG uses a key pair:

  • Public key: freely shareable, used to verify and encrypt.
  • Private key: kept secret, used to sign and decrypt.

For example, you can sign an email – recipients can verify its authenticity and integrity without having to blindly trust you.

Security doesn’t rely on keeping the method secret – only the private key – but on mathematically verifiable principles.

Where is GPG used?

Common use cases include:

  • Signed emails (authenticity & integrity)
  • Encrypted communication
  • Software signatures (e.g. in package managers)
  • Verification of security.txt and sensitive files

At RiKuWe, GPG is a core part of secure communication. You can find more details on our Trust & Security page.

What GPG is not

  • Not an end-to-end platform: GPG is a tool, not a messaging service.
  • No metadata protection: It protects the content – but not the fact that communication happened.
  • Not necessarily simple: It requires some initial understanding – but offers full independence in return.

GPG in practice: creating & using a key

Here's a short guide for the Linux command line.

1. Generate a GPG key

gpg --full-generate-key

  • Type: 1 (RSA and RSA)
  • Key size: 4096
  • Expiry: e.g. 1y for 1 year (don’t forget the unit!)
  • Name & email: fill out meaningfully
  • Passphrase: choose a strong passphrase

2. Export the public key

gpg --armor --export email@domain.tld > publickey.asc

You can send the publickey.asc file via email or upload it using a secure form.

3. Decrypt an encrypted file

Let’s say you received config.yaml.gpg:

gpg --decrypt config.yaml.gpg > config.yaml

The file will only decrypt if you have the corresponding private key.

4. Encrypt a file (for someone else)

If you want to send someone a file and have their public key (publickey.asc):

  • Import the key:

gpg --import publickey.asc

  • Encrypt the file:

gpg --encrypt --recipient email@domain.tld --output secret.txt.gpg secret.txt

Optional: Use --armor to generate an ASCII-armored text file that’s easier to send via email.

Enterprise usage advice

In security-critical environments – e.g., when working with customer infrastructure or strict offboarding requirements – we recommend:

  • Use primary and subkeys: The primary key should only be used to create and sign subkeys – and stored offline (e.g., on a USB stick or air-gapped machine).

  • Use subkeys for daily use: Signing, decrypting, etc. should be done only with subkeys. These can be replaced easily in case of loss or expiration.

  • A company GPG key as trusted authority: The central company key should certify all employee keys and be able to revoke them in case of offboarding or key loss.

  • Always generate a revocation certificate when creating a new key.
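The four steps of the guide above and the enterprise layout (certify-only primary, subkeys for daily use, revocation certificate) as one scripted POSIX shell walkthrough. This is an added example, not code from the page or from RiKuWe; it assumes GnuPG 2.1 or newer, uses a constructed identity (demo@example.invalid) inside a throwaway GNUPGHOME, and skips the passphrase (%no-protection) only so it can run unattended.

```shell
#!/bin/sh
# Added example (not from the page or RiKuWe): the guide above plus the enterprise layout,
# scripted. Certify-only primary, signing and encryption subkeys, the revocation certificate,
# public and subkey-only exports, then encrypt/decrypt and sign/verify round trips.
set -eu

gpg_demo() {
    keysize="${1:-4096}"        # guide recommends 4096; smaller only to speed up tests
    uid="demo@example.invalid"  # constructed identity
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME   # throwaway keyring, real one untouched
    cd "$GNUPGHOME"
    # 1. Primary key that may only certify; %no-protection solely because this is scripted.
    cat > params <<EOF
%no-protection
Key-Type: RSA
Key-Length: $keysize
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: $keysize
Subkey-Usage: sign
Name-Real: Demo User
Name-Email: $uid
Expire-Date: 1y
%commit
EOF
    gpg --batch --quiet --gen-key params
    fpr=$(gpg --batch --with-colons --list-secret-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
    # Encryption subkey; daily signing/decrypting never touches the primary.
    gpg --batch --quiet --quick-add-key "$fpr" "rsa$keysize" encr 1y
    # GnuPG 2.1+ writes a revocation certificate at creation time; store it offline with the primary.
    [ -f "openpgp-revocs.d/$fpr.rev" ]
    # 2. Public key for others; only the secret subkeys go to the daily-use machine.
    gpg --armor --export "$uid" > publickey.asc
    gpg --batch --armor --export-secret-subkeys "$uid" > subkeys.asc
    # 3./4. Encrypt and sign for a recipient, then decrypt (needs the matching private key).
    printf 'db_password: constructed-sample\n' > config.yaml
    gpg --batch --quiet --encrypt --sign --recipient "$uid" --output config.yaml.gpg config.yaml
    gpg --batch --quiet --decrypt --output config.out config.yaml.gpg
    cmp -s config.yaml config.out
    # Detached signature: verifies on the original, must fail once the file is altered.
    gpg --batch --quiet --armor --detach-sign --output config.yaml.asc config.yaml
    gpg --batch --quiet --verify config.yaml.asc config.yaml
    printf 'db_password: tampered\n' > tampered.yaml
    ! gpg --batch --quiet --verify config.yaml.asc tampered.yaml 2>/dev/null || return 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    echo "key $fpr: exports, revocation certificate and round trips OK"
}

if [ "${1:-}" = run ]; then gpg_demo "${2:-4096}"; fi
```

Run it as `sh gpg_demo.sh run` (or `sh gpg_demo.sh run 2048` for a quicker test key); everything it creates stays inside the temporary directory it prints.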

Frequently asked questions

What does GPG stand for?

GPG stands for GNU Privacy Guard – a tool for digital signatures and encryption. It’s based on the OpenPGP standard.

What’s the benefit of a digital signature?

It proves that the message really came from the sender – and that it hasn’t been altered. This is especially important for sensitive content.

How is GPG different from other encryption methods?

Unlike password-based encryption, GPG uses asymmetric cryptography. This offers better security and more flexibility – e.g., no need to share a password beforehand.

Can I use GPG without technical expertise?

Yes. Tools like Thunderbird or Mailvelope make GPG usable without the terminal. It requires a bit of learning – but gives you full control over your communication.

How do I verify a GPG signature?

Using the sender’s public key, you can verify a signature through mail clients or command-line tools.
