Skip to main content

GPG Encryption & Decryption Guide (Mac CLI)

Purpose

This document outlines the secure procedure for encrypting and decrypting files using GNU Privacy Guard (GPG) public/private key pairs on macOS. It is intended for scenarios where sensitive files (e.g., source code, credentials) must be transferred securely so that only the intended receiver can decrypt them.

1. Installation

Install GPG on macOS via Homebrew: 
brew install gnupg

2. Roles in the Process

  • Receiver: The individual or entity that will decrypt the file. They must generate and securely store their GPG private key.
  • Sender: The individual encrypting the file. They use the receiver’s public key to encrypt the content.

3. Process Overview

  1. Receiver generates GPG keypair
  2. Receiver exports and shares public key
  3. Sender imports receiver’s public key
  4. Sender zips the files to be sent
  5. Sender encrypts the zip using receiver’s public key
  6. Sender shares the encrypted file
  7. Receiver decrypts the file using private key
  8. Receiver extracts the original files

4. Step-by-Step Guide

Step 1: Generate GPG Keypair (Receiver only)

gpg --full-generate-key
Follow the prompts to provide:
  • Name
  • Email address
  • Passphrase (must be strong and kept secure)
Export Receiver’s Public Key: 
gpg --armor --export "receiver@email.com" > receiver-public-key.asc
  • Share receiver-public-key.asc with the sender via a secure channel.
  • Never share your private key.

Step 2: Import Receiver’s Public Key (Sender only)

gpg --import receiver-public-key.asc
Verify key exists: 
gpg --list-keys

Step 3: Create the ZIP File (Sender only)

zip -r secret.zip folder_to_send

Step 4: Encrypt the ZIP File (Sender only)

Basic binary encryption: 
gpg -e -r "receiver@email.com" secret.zip
Creates: 
secret.zip.gpg
ASCII-armored output (for easier emailing): 
gpg -e -a -r "receiver@email.com" secret.zip
Creates: 
secret.zip.asc

Step 5: Share the Encrypted File

Send secret.zip.gpg or secret.zip.asc to the receiver via:
  • Secure file transfer (SFTP, corporate portal)
  • Encrypted email Do not send over insecure channels like public chat.

Step 6: Decrypt the File (Receiver only)

Binary format: 
gpg -o secret.zip -d secret.zip.gpg
ASCII-armored format: 
gpg -o secret.zip -d secret.zip.asc
Enter your private key passphrase when prompted.

Step 7: Extract the Files (Receiver only)

unzip secret.zip

5. Quick Reference Commands

ActionCommand
Export public keygpg --armor --export "email" > public-key.asc
Import public keygpg --import public-key.asc
Encryptgpg -e -r "email" file.zip
Decryptgpg -o file.zip -d file.zip.gpg

6. Security Best Practices

  • Always verify the public key’s fingerprint with the receiver before encrypting.
  • Store private keys in a secure, access-controlled environment.
  • Use strong passphrases for private keys and never share them.
  • Keep an audit log of who received encrypted files and when.
  • If possible, use Out-of-Band verification for key exchange.