gnupg: Symmetric encryption and decryption

It would be very easy to editorialize any mention of gnupg — how it’s the most important application in your life right now, how the world today needs gnupg more than anything else.

But I’m going to swing wide of all that, and only mention gnupg for two small things: encrypting a file with a password, and decrypting it again.

I know there are lots of ways to use gnupg, and I encourage you to investigate them. This one is just the one I use most.

Let’s get started. Here’s a nifty text file, just filled with random words, then sorted.


How or what you encrypt shouldn’t really matter. I generally lump things into tar folders with scrambled file names, which means everything has a container with a file name unrelated to the contents. See here if that one-liner interests you.

Here’s the encryption command:

gpg -z 0 -c sorted.txt

You’ll be prompted for a password twice, either through a graphical text box or at an inline command prompt. The result is a file with the same name, with .gpg appended.


Feeding a 0 to the -z flag, as you might have checked, turns off compression. I prefer that, since most of the things I encrypt are already compressed in one fashion or another.

What’s that file look like? Let’s check.


Gobbledygook. That’s what we want. Now it’s ready for transfer, over any medium or even out over the Internet.

On the receiving end, it’s time to decrypt. Remember, you’ll need to know that password to get in there.

gpg --decrypt sorted.txt.gpg > sorted.txt

We need to redirect the output into a file, because by default gpg will decrypt to STDOUT.


And there we have it: back to where we started. Everything in order and without any errors.

Believe it or not, that’s all there is. A few small caveats:

  • This method assumes both you and the receiver have a shared password; those in the know call this symmetric-key encryption. If you need to work without a prearranged key, you’ll need to investigate other methods for gnupg.
  • You can split or otherwise manhandle gpg files, but be forewarned that any damage to the file integrity is going to seriously hamper, if not thwart, your decryption efforts. If you need to verify the integrity of a file, I’d suggest something like md5, for starts.
  • It probably goes without saying, but the strength of this method depends on a lot of factors, not least of which is your password. If you pick something simple or obvious or easy to guess or easy to attack … well, I warned you. And how easy is it to brute-force attack your password? Right this way, sirs and madams.
  • If you’re using Arch, you’re 99 percent likely to be using version 2 of gnupg. Debian, on the other hand, makes a distinction between version 1 and version 2.
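The round trip above, scripted, with the integrity caveat turned into a check that refuses to decrypt a damaged file. This is an added example, not part of the original post: the function names are made up for illustration, it uses sha256sum where the post suggests md5, it feeds the password on standard input instead of the interactive prompt, and it assumes GnuPG 2.1 or later.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes GnuPG 2.1 or later
# (for --pinentry-mode loopback) and coreutils sha256sum.

digest() { sha256sum < "$1" | cut -d' ' -f1; }

# encrypt_file FILE: passphrase on stdin; writes FILE.gpg and FILE.gpg.sha256
encrypt_file() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        -z 0 -c "$1" || return 1
    digest "$1.gpg" > "$1.gpg.sha256"    # checksum to send with the ciphertext
}

# decrypt_file FILE.gpg OUT: passphrase on stdin; returns 2 on checksum mismatch
decrypt_file() {
    if [ "$(digest "$1")" != "$(cat "$1.sha256")" ]; then
        echo "checksum mismatch, not decrypting: $1" >&2
        return 2
    fi
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
        --decrypt "$1" > "$2"
}

# roundtrip_demo: exits 0 if the file survives the round trip and a damaged
# copy is refused. Runs in a subshell with a throwaway GNUPGHOME.
roundtrip_demo() (
    pass='constructed demo passphrase'; rc=0
    work=$(mktemp -d) || exit 1
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    printf 'apple\nbanana\ncherry\n' > "$work/sorted.txt"   # constructed sample

    printf '%s\n' "$pass" | encrypt_file "$work/sorted.txt" || rc=1
    printf '%s\n' "$pass" | decrypt_file "$work/sorted.txt.gpg" "$work/out.txt" || rc=1
    cmp -s "$work/sorted.txt" "$work/out.txt" || rc=1

    printf 'X' >> "$work/sorted.txt.gpg"   # simulate damage in transit
    status=0
    printf '%s\n' "$pass" | decrypt_file "$work/sorted.txt.gpg" "$work/bad.txt" 2>/dev/null || status=$?
    [ "$status" -eq 2 ] || rc=1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    exit "$rc"
)

if command -v gpg >/dev/null 2>&1; then
    roundtrip_demo && echo "round trip OK, damaged copy refused"
fi
```

The .sha256 file only detects accidental damage if it travels separately from, or at least alongside, the .gpg file; it is not a substitute for keeping the password secret.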

There are other utilities and even software suites that handle encryption, and I urge you to look into them, even if you don’t use this method.

For my own part I like this because gnupg is a base-level program with little to no dependencies, and can run on the weakest of hardware with the least of requirements.

Oh, and by the way, using encryption apparently makes you a suspect, according to some governments. 😐