GPG
GPG is an encryption standard – for digital signatures, confidentiality, and integrity.
For tech-savvy users, it’s a tool. For security professionals: a proven standard. For us: a natural part of digital communication.
What does GPG mean?
GPG stands for GNU Privacy Guard – a free cryptographic tool that uses asymmetric encryption. It enables two core capabilities:
- Digital signatures: Proof that a message came from a specific person and hasn’t been altered.
- Encryption: Protection of content from third-party access.
Technically, GPG is based on the OpenPGP standard – the open counterpart to proprietary solutions like S/MIME.
GPG, OpenPGP and PGP – what's the difference?
- PGP (Pretty Good Privacy) was the first widely used software for asymmetric email encryption. It was developed in the 1990s – initially as proprietary software.
- OpenPGP is the open standard it’s based on, published as an RFC. It defines formats and functionality independent of any specific implementation.
- GPG (GNU Privacy Guard) is a free, open-source implementation of that standard – and today the de facto standard in the open-source ecosystem.
So when you find a file like /.well-known/pgp-key.txt, it usually contains a GPG-compatible OpenPGP key – and that’s also the case with us.
In short: We use GPG – it speaks OpenPGP – and is compatible with PGP.
How does GPG work?
GPG uses a key pair:
- Public key: freely shareable, used to verify and encrypt.
- Private key: kept secret, used to sign and decrypt.
For example, you can sign an email – recipients can verify its authenticity and integrity without having to blindly trust you.
Security doesn’t rely on secrecy – but on mathematically verifiable principles.
Where is GPG used?
Common use cases include:
- Signed emails (authenticity & integrity)
- Encrypted communication
- Software signatures (e.g. in package managers)
- Verification of security.txt and sensitive files
At RiKuWe, GPG is a core part of secure communication. You can find more details on our Trust & Security page.
What GPG is not
- Not an end-to-end platform: GPG is a tool, not a messaging service.
- No obfuscation: It protects content – but not the fact that communication happened.
- Not necessarily simple: It requires some initial understanding – but offers full independence in return.
GPG in practice: creating & using a key
Here's a short guide for the Linux command line.
1. Generate a GPG key
gpg --full-generate-key
- Type: 1 (RSA and RSA)
- Key size: 4096
- Expiry: e.g. 1y for 1 year (don’t forget the unit!)
- Name & email: fill out meaningfully
- Passphrase: choose a strong passphrase
2. Export the public key
gpg --armor --export mail@domain.tld > publickey.asc
You can send the publickey.asc file via email or upload it using a secure form.
3. Decrypt an encrypted file
Let’s say you received config.yaml.gpg:
gpg --decrypt config.yaml.gpg > config.yaml
The file will only decrypt if you have the corresponding private key.
4. Finding (and publishing) a public key
There are several ways for individuals or organizations to make their public keys available.
The most secure and modern approach is a Web Key Directory (WKD). RiKuWe uses this method as well. A WKD ensures that published keys remain fully under the organization’s control and cannot be manipulated via external key servers.
Another option is public key servers such as keys.openpgp.org. These can also be used to obtain keys, provided the owners have published them there.
If a key is available via WKD or a compatible server, it can be imported directly:
gpg --locate-external-keys mail@domain.tld
GPG will automatically check the domain’s WKD first — and only fall back to well-known key servers if no matching key is found.
If a public key is instead provided to you as a file (e.g., publickey.asc), you can import it manually.
gpg --import publickey.asc
5. Encrypt a file (for someone else)
gpg --encrypt --recipient mail@domain.tld --output secret.txt.gpg secret.txt
Optional: Use --armor to generate an ASCII-formatted file that’s easier to send via email.
Enterprise usage advice
In security-critical environments – e.g., when working with customer infrastructure or strict offboarding requirements – we recommend:
- Use primary and subkeys: The primary key should only be used to create and sign subkeys – and stored offline (e.g., on a USB stick or air-gapped machine).
- Use subkeys for daily use: Signing, decrypting, etc. should be done only with subkeys. These can be replaced easily in case of loss or expiration.
- A company GPG key as trusted authority: The central company key should sign all employee keys and be able to trigger revocation in case of offboarding or key loss.
- Always generate a revocation certificate when creating a new key.
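The four recommendations carried out with gpg, as an added example rather than a RiKuWe procedure: a certify-only primary key per person, separate signing and encryption subkeys that are the only secret material copied to the daily machine, a company key that certifies the employee key, and the revocation certificate GnuPG writes at key creation saved to separate storage. The identities (security@example.test, alice@example.test) are constructed, and two temporary GNUPGHOMEs stand in for the offline machine and the employee's laptop. Ed25519/cv25519 are used to keep the demo fast; RSA 4096 as in step 1 works the same way.

```shell
#!/bin/sh
# Added example, not the page's own script: the four recommendations above
# carried out with gpg. Constructed identities: the company key
# security@example.test and one employee key alice@example.test. Two throwaway
# GNUPGHOMEs stand in for the offline machine and the employee's daily laptop.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d /tmp/gpgent.XXXXXX)
OFFLINE="$WORK/offline"   # air-gapped box / USB stick: primary keys live here
LAPTOP="$WORK/laptop"     # daily machine: receives subkeys only
mkdir -m 700 "$OFFLINE" "$LAPTOP"
trap 'for h in "$OFFLINE" "$LAPTOP"; do GNUPGHOME=$h gpgconf --kill gpg-agent >/dev/null 2>&1; done; rm -rf "$WORK"' EXIT

# gpg in a chosen home with unattended flags. Empty passphrases only keep
# the demo non-interactive; real primary keys get strong ones.
g() { _home=$1; shift; GNUPGHOME="$_home" gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

fpr_of() {          # $1 = home, $2 = user id -> primary fingerprint
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'
}

# 1. A certify-only primary key ("cert"): it signs subkeys and other people's
#    keys but never mail, so it can stay offline once the subkeys exist.
make_primary() {    # $1 = user id -> fingerprint
    g "$OFFLINE" --quick-generate-key "$1" ed25519 cert 2y
    fpr_of "$OFFLINE" "$1"
}

# 2. Short-lived subkeys for daily signing and decryption; rotating them
#    never touches the primary key.
add_subkeys() {     # $1 = primary fingerprint
    g "$OFFLINE" --quick-add-key "$1" ed25519 sign 1y
    g "$OFFLINE" --quick-add-key "$1" cv25519 encr 1y
}

# Only the secret subkeys travel to the laptop; the primary stays offline.
deploy_subkeys() {  # $1 = fingerprint
    g "$OFFLINE" --armor --export-secret-subkeys "$1" | g "$LAPTOP" --import
}

# 3. The company key certifies the employee key (trust anchor for colleagues
#    and customers). Making it a designated revoker needs the interactive
#    "gpg --edit-key ... addrevoker" and is not scripted here.
org_certifies() {   # $1 = company fingerprint, $2 = employee fingerprint
    g "$OFFLINE" --default-key "$1" --quick-sign-key "$2"
}

# 4. GnuPG 2.1+ already writes a revocation certificate for every new key to
#    openpgp-revocs.d/<FPR>.rev (first line prefixed with ":" so it cannot be
#    imported by accident); keep a copy on separate media. A fresh one can be
#    made later with gpg --generate-revocation <FPR>.
save_revocation() { # $1 = fingerprint, $2 = destination
    cp "$OFFLINE/openpgp-revocs.d/$1.rev" "$2"
}

# Number of certifications on a key made by a given long key id.
certs_by() {        # $1 = home, $2 = key fingerprint, $3 = signer long key id
    GNUPGHOME="$1" gpg --batch --with-colons --list-sigs "$2" \
        | awk -F: -v id="$3" '$1=="sig" && $5==id {n++} END {print n+0}'
}

demo() {
    ORG=$(make_primary security@example.test)
    ALICE=$(make_primary alice@example.test)
    add_subkeys "$ALICE"
    org_certifies "$ORG" "$ALICE"
    save_revocation "$ALICE" "$WORK/alice-revocation.asc"
    deploy_subkeys "$ALICE"
    ORG_ID=$(printf '%s' "$ORG" | tail -c 16)   # long key id = last 16 hex digits
    echo "certifications by company key on alice's key: $(certs_by "$OFFLINE" "$ALICE" "$ORG_ID")"
    # On the laptop the primary shows up as "sec#": the secret part is absent.
    GNUPGHOME="$LAPTOP" gpg --batch --list-secret-keys | grep '^sec#'
}

demo
```

The "sec#" line from the laptop keyring is the check worth repeating on any daily machine: if it prints "sec" without the "#", the primary secret key is present and the offline setup has been bypassed.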
Frequently asked questions
What does GPG stand for?
GPG stands for GNU Privacy Guard – a tool for digital signatures and encryption. It’s based on the OpenPGP standard.
What’s the benefit of a digital signature?
It proves that the message really came from the sender – and that it hasn’t been altered. This is especially important for sensitive content.
How is GPG different from other encryption methods?
Unlike password-based encryption, GPG uses asymmetric cryptography. This offers better security and more flexibility – e.g., no need to share a password beforehand.
Can I use GPG without technical expertise?
Yes. Tools like Thunderbird or Mailvelope make GPG usable without the terminal. It requires a bit of learning – but gives you full control over your communication.
How do I verify a GPG signature?
Using the sender’s public key, you can verify a signature through mail clients or command-line tools.
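Signature verification on the command line, for this answer and the signed-email scenario in "How does GPG work?", as an added example that is not part of the original page: the sender makes a detached signature for a constructed release-notes.txt, and the recipient side classifies gpg's machine-readable status lines into the three outcomes that matter (good, tampered, unknown key). The identity sender@example.test and the helper verify_reason are constructed for the example; everything runs in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example, not the page's own script: signature verification as in the
# FAQ answer and the signed-mail scenario above, with the outcomes a recipient
# must tell apart. Constructed identity sender@example.test; constructed file
# release-notes.txt; everything runs in a throwaway GNUPGHOME.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

WORK=$(mktemp -d /tmp/gpgver.XXXXXX)
export GNUPGHOME="$WORK/home"
mkdir -m 700 "$GNUPGHOME" "$WORK/stranger"
trap 'for h in "$WORK/home" "$WORK/stranger"; do GNUPGHOME=$h gpgconf --kill gpg-agent >/dev/null 2>&1; done; rm -rf "$WORK"' EXIT

g() { gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Sender: detached, armored signature written next to the file (file.asc).
sign_detached() {   # $1 = signer user id, $2 = file
    g --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Recipient: classify the result. --status-fd 1 yields machine-readable
# "[GNUPG:] ..." lines, which scripts should parse instead of the human text.
#   good         GOODSIG: signature valid, signing key is in the keyring
#   tampered     BADSIG: the key is known but file or signature was changed
#   unknown-key  NO_PUBKEY: cannot be checked until the sender's key is imported
# A GOODSIG says nothing about who owns the key; that is what comparing the
# fingerprint out of band, or a certification by the company key, adds.
verify_reason() {   # $1 = signature file, $2 = data file -> one word on stdout
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] GOODSIG "*)   echo good ;;
        *"[GNUPG:] BADSIG "*)    echo tampered ;;
        *"[GNUPG:] NO_PUBKEY "*) echo unknown-key ;;
        *)                       echo invalid ;;
    esac
}

demo() {
    g --quick-generate-key sender@example.test ed25519 default 1y
    printf 'version 1.2.3: constructed sample release notes\n' > "$WORK/release-notes.txt"
    sign_detached sender@example.test "$WORK/release-notes.txt"

    # A modified copy: one appended byte is enough to break the signature.
    cp "$WORK/release-notes.txt" "$WORK/modified.txt"
    printf 'x' >> "$WORK/modified.txt"

    echo "original: $(verify_reason "$WORK/release-notes.txt.asc" "$WORK/release-notes.txt")"
    echo "modified: $(verify_reason "$WORK/release-notes.txt.asc" "$WORK/modified.txt")"
    # A keyring without the sender's public key cannot verify anything.
    echo "no key:   $( export GNUPGHOME="$WORK/stranger"; verify_reason "$WORK/release-notes.txt.asc" "$WORK/release-notes.txt" )"
}

demo
```

Mail clients do the same classification behind their icons; when a client only says "signature could not be verified", the NO_PUBKEY case (key not yet imported) is the usual reason, and importing the sender's key as in step 4 resolves it, whereas BADSIG should be treated as a changed message.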
