Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term GPG Key

Training Camp • Cybersecurity Glossary

What is GPG Key?

A GPG key is an OpenPGP (RFC 4880) public/private key pair used to encrypt, decrypt, and digitally sign data, email, and software releases.

Glossary > Cryptography & PKI > GPG Key

GPG Key — A GPG key is an OpenPGP (RFC 4880) public/private key pair used to encrypt

Understanding GPG Key

A GPG key is a cryptographic key pair used with GNU Privacy Guard, the open-source implementation of the OpenPGP standard (RFC 4880), to encrypt, decrypt, and digitally sign data. It consists of a public key, which is shared freely, and a private key, which must remain secret. Anyone can encrypt to your public key, but only your private key can decrypt the result.

GPG keys typically use asymmetric algorithms such as RSA or elliptic-curve EdDSA/ECDH. A key has a fingerprint (a hash uniquely identifying it) and usually one or more user IDs. Encryption uses a hybrid model: GPG generates a random symmetric session key to encrypt the message body, then encrypts that session key with the recipient's public key, combining speed and security. Signing works in reverse: GPG hashes the data and encrypts the hash with the sender's private key, so anyone with the public key can verify authenticity and integrity. Trust is established through self-signed certifications and the web of trust, where users sign each other's keys.

For security, GPG keys deliver confidentiality, integrity, authentication, and non-repudiation. They protect sensitive email and files, and they are central to verifying software supply-chain integrity: Linux distributions sign packages and release tarballs with GPG so users can confirm code has not been tampered with. Compromise or poor protection of the private key (no passphrase, exposed backup) undermines everything, so keys are guarded with strong passphrases, expiration dates, revocation certificates, and increasingly hardware tokens like YubiKey.

For example, a developer publishing a release runs 'gpg --detach-sign release.tar.gz' to produce a signature file and posts both the tarball and their public key. A user downloads them and runs 'gpg --verify release.tar.gz.asc release.tar.gz'; a 'Good signature' result proves the file came from that developer and was not modified in transit. The same key can encrypt a confidential email to a colleague whose public key the developer has imported.

Learn More About GPG Key:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →