Privacy Tools Guide

GPG-encrypted email means only the intended recipient can read the message — not your email provider, not the recipient’s email provider, not anyone who intercepts the message in transit. The tradeoff is that both sender and recipient need to have set up GPG and exchanged public keys.

This guide covers the complete workflow: generating a key pair, exchanging keys, encrypting and decrypting messages, and setting up Thunderbird for everyday use.

Install GPG

# Debian/Ubuntu
sudo apt install gnupg

# Fedora/RHEL
sudo dnf install gnupg2

# macOS (GPG Suite is easiest)
brew install gnupg
# Or download GPG Suite from https://gpgtools.org

# Windows: Gpg4win from https://www.gpg4win.org

Verify:

gpg --version

Generate Your Key Pair

gpg --full-generate-key

At the prompts:

After generation, view your key:

gpg --list-secret-keys --keyid-format LONG

Output:

sec   ed25519/1A2B3C4D5E6F7890 2026-03-21 [SC] [expires: 2028-03-21]
      A1B2C3D4E5F67890123456781A2B3C4D5E6F7890
uid                 [ultimate] Your Name <you@example.com>
ssb   cv25519/FEDCBA0987654321 2026-03-21 [E]

The 16-character hex string after ed25519/ (1A2B3C4D5E6F7890) is your long key ID. The 40-character string on the line below it is your fingerprint; the long key ID is simply its last 16 characters, which is why the full fingerprint, not the key ID, is what you compare when verifying a key.

Export Your Public Key

Share this with anyone who wants to send you encrypted email:

# Export in ASCII armor format
gpg --armor --export you@example.com > yourname-public-key.asc

# View it
cat yourname-public-key.asc

The public key starts with -----BEGIN PGP PUBLIC KEY BLOCK-----. This is safe to share publicly — post it on your website, email it to contacts, publish it to a key server.

Back Up Your Private Key

Your private key is irreplaceable. Back it up to encrypted offline storage:

# Export private key (keep this SECRET and ENCRYPTED)
gpg --armor --export-secret-key you@example.com > yourname-private-key.asc

# Generate a revocation certificate (GnuPG 2.1+ also writes one to
# ~/.gnupg/openpgp-revocs.d/ when the key is created)
gpg --gen-revoke you@example.com > yourname-revoke.asc

Store both files on an encrypted USB drive or in an encrypted archive. If you lose the private key, you can’t decrypt old messages. If someone else gets it, they can read everything encrypted to you.

Publish Your Key to a Key Server

Publishing makes it easy for others to find your key by email address:

# Send to keys.openpgp.org (verifies email ownership before publishing)
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

# Alternative: Ubuntu key server
gpg --keyserver keyserver.ubuntu.com --send-keys YOUR_KEY_ID

After publishing to keys.openpgp.org, you’ll receive a verification email. Confirm it so your key becomes searchable by email address.

You can also paste the public key directly on:

Import Someone Else’s Public Key

To send an encrypted message, you need the recipient’s public key.

From a key server:

# Search by email
gpg --keyserver keys.openpgp.org --search-keys recipient@example.com

# Import by key ID
gpg --keyserver keys.openpgp.org --recv-keys RECIPIENT_KEY_ID

From a file they sent you:

gpg --import recipient-public-key.asc

From GitHub:

curl https://github.com/theirusername.gpg | gpg --import

Verify the fingerprint matches what the recipient told you (over a separate channel):

gpg --fingerprint recipient@example.com
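To see what the fingerprint you are comparing actually is, here is an added Python example written for this guide (it is not GnuPG code and not part of the original page). It builds a constructed v4 Ed25519 public-key packet, wraps it in the same ASCII armor that gpg --export produces, parses the block back (accepting both old- and new-style packet headers), checks the armor's CRC24, derives the fingerprint as SHA-1 over the key packet, and shows that the long key ID is just the last 16 hex digits of that fingerprint. The key material, the timestamp and all function names are assumptions made for the example; fingerprints_match is the out-of-band comparison step from the text, and it deliberately refuses anything shorter than a full 40-digit fingerprint.

```python
import base64
import hashlib
import struct

# Hypothetical helper written for this guide (not GnuPG code): it builds, armors,
# parses and fingerprints a v4 Ed25519 public-key packet as laid out in RFC 4880.
ED25519_OID = bytes.fromhex("2b06010401da470f01")  # curve OID stored in the key packet
ALGO_EDDSA = 22                                    # OpenPGP public-key algorithm ID
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """Radix-64 checksum (RFC 4880 section 6.1); it is the '=xxxx' line of the armor."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def build_ed25519_key_packet(public_point: bytes, created: int) -> bytes:
    """Body of a v4 public-key packet: version, creation time, algo, OID, point as MPI."""
    mpi = struct.pack(">H", 263) + b"\x40" + public_point  # 0x40 prefix + 32 bytes = 263 bits
    return (b"\x04" + struct.pack(">I", created) + bytes([ALGO_EDDSA])
            + bytes([len(ED25519_OID)]) + ED25519_OID + mpi)

def fingerprint_v4(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The long key ID gpg prints is just the last 16 hex digits of the fingerprint."""
    return fingerprint[-16:]

def armor(body: bytes) -> str:
    """Wrap one packet (new-format header, tag 6) in a public key block with checksum."""
    packet = bytes([0xC6, len(body)]) + body
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"{BEGIN}\n\n" + "\n".join(lines) + f"\n={crc}\n{END}\n"

def dearmor(text: str) -> bytes:
    """Strip the armor lines, skip any headers, decode base64 and verify the CRC24."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    inner = lines[1:-1]
    if "" in inner:  # armor headers (Comment:, Version:) end at the first blank line
        inner = inner[inner.index("") + 1:]
    crc_line = inner.pop() if inner and inner[-1].startswith("=") else None
    data = base64.b64decode("".join(inner))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor checksum mismatch: block was corrupted or truncated")
    return data

def first_packet(data: bytes) -> tuple:
    """Return (tag, body) of the first packet, accepting old and new header formats."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("bad packet header")
    if ctb & 0x40:  # new format: tag in the low 6 bits, one- or two-octet length
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("long or partial body lengths not handled here")
    else:  # old format, which is what gpg itself emits for key packets
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        fmt = {0: ">B", 1: ">H", 2: ">I"}.get(ltype)
        if fmt is None:
            raise ValueError("indeterminate length not handled here")
        n = struct.calcsize(fmt)
        length, off = struct.unpack(fmt, data[1:1 + n])[0], 1 + n
    return tag, data[off:off + length]

def fingerprint_from_armor(text: str) -> str:
    """Fingerprint of the primary key in an exported public key block."""
    tag, body = first_packet(dearmor(text))
    if tag != 6 or body[:1] != b"\x04":
        raise ValueError("first packet is not a v4 public key")
    return fingerprint_v4(body)

def fingerprints_match(expected: str, actual: str) -> bool:
    """Out-of-band check: compare full 40-digit fingerprints; a bare key ID never passes."""
    e, a = "".join(expected.split()).upper(), "".join(actual.split()).upper()
    return len(e) == 40 and e == a

if __name__ == "__main__":
    point = hashlib.sha256(b"constructed example, not a real key").digest()  # constructed
    body = build_ed25519_key_packet(point, created=1774051200)  # constructed timestamp
    block = armor(body)
    fp = fingerprint_from_armor(block)
    print(block, "fingerprint:", fp, "\nlong key ID:", key_id(fp))
```

Against a real export, fingerprint_from_armor(open("recipient-public-key.asc").read()) should agree with gpg --fingerprint. The reason the check insists on all 40 digits is that a key ID is only a truncation of the fingerprint and is not unique, so a matching key ID alone does not identify the key.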

Encrypt a Message

# Encrypt a file for a recipient (also sign it with your key)
gpg --recipient recipient@example.com \
    --sign \
    --armor \
    --encrypt message.txt

# Output: message.txt.asc (the encrypted message)

The --sign flag attaches your digital signature. Anyone who holds your public key can then confirm the message came from you and was not altered after signing; a recipient without your public key can still decrypt it but cannot check the signature.

To encrypt for multiple recipients:

gpg --recipient alice@example.com \
    --recipient bob@example.com \
    --sign \
    --armor \
    --encrypt message.txt

GPG encrypts the message body once with a random session key and then encrypts that session key separately to each recipient’s public key, so either Alice or Bob can decrypt it with their own private key.

Decrypt a Message

# Decrypt (will prompt for your passphrase)
gpg --decrypt message.txt.asc

# Or redirect to a file
gpg --decrypt --output message.txt message.txt.asc

GPG picks the private key automatically: the encrypted message carries the key ID of each recipient’s encryption subkey, and gpg looks for a matching secret key in your keyring.

Set Up Thunderbird with OpenPGP

Thunderbird 78+ has native OpenPGP support — no Enigmail required.

  1. Import your key into Thunderbird:
    • Account Settings > End-To-End Encryption > Add Key
    • Choose “Use your external key” or import the .asc file
  2. Set default behavior:
    • Require encryption: enable if all your contacts use GPG
    • Sign unencrypted messages: enables recipients to verify identity
  3. Import a contact’s public key:
    • Open a signed email from them > Security tab > Import their key
    • Or: Tools > OpenPGP Key Manager > Import from file
  4. Send an encrypted email:
    • Compose a message to a recipient whose key you have
    • Click the lock icon in the toolbar
    • If their key is available, “Encrypt” option becomes active
    • Send — Thunderbird encrypts automatically
  5. Receive and decrypt:
    • Thunderbird decrypts automatically when you open the message
    • Displays “This message was encrypted and signed by…”

Sign-Only Mode (For Authenticity Without Encryption)

Signing without encryption lets anyone who has your public key verify that the message came from you, while the text stays readable by everyone, so you don’t need the recipient’s key first:

gpg --clearsign message.txt
# Creates message.txt.asc with readable text + signature block

The recipient can verify:

gpg --verify message.txt.asc

This is useful for software releases, announcements, and situations where confidentiality isn’t the goal but authenticity is.

Web of Trust and Key Signing

The web of trust is a decentralized way to verify that a key actually belongs to the person it claims to. When you sign someone’s key, you’re vouching that you’ve verified the key belongs to them.

# Sign someone's key (only after verifying the fingerprint in person or via a secure channel)
gpg --sign-key recipient@example.com

# Publish the key with your signature attached. keys.openpgp.org does not distribute
# third-party signatures, so use an SKS-style server (or send the exported key back
# to its owner) if you want your certification to be visible
gpg --keyserver keyserver.ubuntu.com --send-keys RECIPIENT_KEY_ID

In practice, most people just verify fingerprints out-of-band rather than building formal trust chains.

Key Management Commands

# List all keys in your keyring
gpg --list-keys

# Update keys from key server (check for revocations)
gpg --refresh-keys

# Extend key expiration
gpg --edit-key you@example.com
# At gpg> prompt:
#   expire       (to change primary key expiry)
#   key 1        (select the encryption subkey, which has its own expiry)
#   expire
#   save
# Then re-publish the key with --send-keys so contacts pick up the new date

# Revoke a compromised key
gpg --import yourname-revoke.asc
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
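A practical complement to --refresh-keys, as an added Python example written for this guide (not GnuPG code and not from the original page): it parses the machine-readable output of gpg --with-colons --list-keys and reports which keys in the keyring are revoked, expired, or due to expire within 30 days, so the expire and revoke steps above happen before a key silently stops working. The sample listing (its key IDs, fingerprints, dates and names), the 30-day threshold and the script name keycheck.py are all constructed for the example; against a real keyring, pipe the gpg output into it.

```python
import sys
from datetime import datetime, timezone

# Hypothetical helper written for this guide (not GnuPG code): it reads the
# machine-readable listing from `gpg --with-colons --list-keys` and flags keys
# that are revoked, expired or expiring soon.
WARN_DAYS = 30  # constructed threshold; adjust to your own key-rotation policy

# Constructed sample listing: key IDs, fingerprints, dates and names are made up.
SAMPLE_LISTING = """\
pub:u:256:22:1A2B3C4D5E6F7890:1774051200:1837123200::u:::scESC:
fpr:::::::::A1B2C3D4E5F67890123456781A2B3C4D5E6F7890:
uid:u::::1774051200::::Your Name <you@example.com>:
sub:u:256:18:FEDCBA0987654321:1774051200:1837123200:::::e:
pub:r:256:22:ABCDEF0123456789:1700000000::::::scESC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:r::::1700000000::::Old Contact <old@example.com>:
pub:u:256:22:1234567890ABCDEF:1774051200:1775001600::u:::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1774051200::::Soon Expiring <soon@example.com>:
"""

def parse_listing(text: str) -> list:
    """Turn --with-colons records into dicts (field numbers per gnupg's doc/DETAILS)."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":  # field 2 validity, 5 key ID, 6 created, 7 expires (epoch seconds)
            keys.append({"validity": f[1], "keyid": f[4], "created": int(f[5]),
                         "expires": int(f[6]) if f[6] else None, "fpr": None, "uid": None})
        elif f[0] == "fpr" and keys and keys[-1]["fpr"] is None:  # first fpr = primary key
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:  # first user ID
            keys[-1]["uid"] = f[9]
    return keys

def key_status(key: dict, now: int, warn_days: int = WARN_DAYS) -> str:
    """'revoked', 'expired', 'expiring' (within warn_days) or 'ok'."""
    if key["validity"] == "r":
        return "revoked"
    expires = key["expires"]
    if key["validity"] == "e" or (expires is not None and expires <= now):
        return "expired"
    if expires is not None and expires - now <= warn_days * 86400:
        return "expiring"
    return "ok"

def audit(text: str, now=None, warn_days: int = WARN_DAYS) -> dict:
    """Map each primary key ID in the listing to its status."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    return {k["keyid"]: key_status(k, now, warn_days) for k in parse_listing(text)}

if __name__ == "__main__":
    # Pipe a real listing in (gpg --with-colons --list-keys | python3 keycheck.py);
    # otherwise the constructed sample is audited against a constructed "now".
    piped = not sys.stdin.isatty()
    text = sys.stdin.read() if piped else SAMPLE_LISTING
    now = int(datetime.now(timezone.utc).timestamp()) if piped else 1774483200
    for key in parse_listing(text):
        print(f"{key_status(key, now):9} {key['keyid']}  {key['uid']}")
```

Run gpg --refresh-keys first so that revocations published by your contacts are in the local keyring before the audit; the script only reads what gpg already knows.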

Built by theluckystrike — More at zovo.one