Skip to main content

How to encrypt messages with asymmetric encryption

Privacy Windows Linux macOS Desktop PGP 

Last updated:

This guide will teach you how to handle encrypted messages using asymmetric encryption. If you want to learn more about encryption, read our guide on the basics of encryption.

This guide is part of a series about improving online privacy:

  1. Intro: privacy is a universal right  - an introduction to what privacy is and why it's important.
  2. Step one: change your online habits - begin with these simple changes.
  3. Step two: privacy tools for your browser - continue by blocking trackers, and more.
  4. Step three: create better passwords - improve your password habits.
  5. Step four: send and receive encrypted messages - you are viewing this guide.

1. Install GnuPG

First, you need to install GnuPG on your operating system. GnuPG, or GPG as it's often called, is a free software program based upon the PGP encryption standard that allows users to encrypt and sign data, and even to manage keys.

  • Linux: Open a terminal window and run the command sudo apt-get install gnupg2
  • Windows: Download GnuPG from the GNU Privacy Guard for Windows website and install it.
  • macOS: Open a terminal window and run the command brew install gpg (if the command doesn't work, you probably need to first install Homebrew).

2. Create your own asymmetric key

Open a terminal window to create your asymmetric key pair by running the command:

  • Windows: gpg --gen-key
  • macOS, Linux: gpg2 --gen-key

On some versions of GnuPG, you will first need to answer a few questions:

  • What kind of key you want? Choose RSA and RSA (default).
  • What keysize you want? Choose 4096.
  • For how long should the key be valid? Choose 0 = key does not expire.

Continue by answering some general information like your name and email address. If you are creating a key to be used when sending email, then it makes sense to use the information that corresponds with that email account.

After you've supplied this information, you will need to enter a password to protect where your private key is stored on your computer.

The program will then spend up to one minute generating a random key for you, but usually it will take only a few seconds.

3. Share your public key

In order to allow people to send encrypted information to you, you need to first share your public key with them. To do this, you need to export the key as a file.

Run the following command in your terminal, replacing the email address with the one you entered when you created the key and "sarah" with your own choice of filename.

  • Windows: gpg --armor --export sarah@mullvad.net > sarah.asc
  • macOS, Linux: gpg2 --armor --export sarah@mullvad.net > sarah.asc

A file will be created on your computer and placed in the folder that you are currently located in within the terminal.

If you open the file in a text editor, this is what you will see:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQENBFjPvdIBCACpWkWtev2RZnrYfm6vP9C/dt9cMvlwn2Wk2b45FKSOo5y14WOR
kH6L36h7dNnwvWsSupPMLcuAS6LrUcR3w5staihu0EPDWkEnwuxF0Ljk6UTMjlme
MD+s2wCBN6P9w1R0emWkAFjFD+9MeCAJzRPZP0xuXkroKOPboAvCNx3BYAkHHzBJ
.
.
.
OGmJsDSCsSfgp/QtkDK3qKuMLFSO8MwYs4cI7ArTsDU6pNyEjoZmDdYhNZwYdGdh
2l6op4q2FIle1hXMMHohNckgIAjO3pExKbsa
=C4dt
-----END PGP PUBLIC KEY BLOCK-----

You can now send this file to your contacts.

3. Import someone else's public key

After someone sends you their public key, you can import it to your computer by running this command (replace "john.asc" with the name of the file you received).

  • Windows: gpg --import john.asc
  • macOS, Linux: gpg2 --import john.asc

4. View your list of keys

This command returns a list of contacts whose public keys you have imported, as well as any keys that you have created for yourself:

  • Windows: gpg -k
  • macOS, Linux: gpg2 -k

This command returns your own private keys:

  • Windows: gpg -K
  • macOS, Linux: gpg2 -K

5. Verify keys with fingerprints

You will want to make sure that the public keys you have belong to the people you think they do. Checking the validity of your public keys can be tricky. The easiest way is to import the key in question and then verify it by talking to its owner face-to-face or by phone.

Of course, reading aloud the many lines of random characters that a key is composed of would take a lot of time and leave room for making errors. Instead, you can verify the fingerprint which is a much shorter representation of a public key.

This command returns a list of fingerprints for all public keys that you have imported:

  • Windows: gpg --fingerprint
  • macOS, Linux: gpg2 --fingerprint

6. Encrypt a message

Create a text file with your preferred text editor and save it. Back in the terminal, navigate to where you saved the file. Run the following command, replacing "john@mullvad.net" with that of your recipient and "message.txt" with the name of the file you created.

  • Windows: gpg --armor --encrypt --recipient john@mullvad.net message.txt
  • macOS, Linux: gpg2 --armor --encrypt --recipient john@mullvad.net message.txt
  • The message is now saved in a new file called message.txt.asc, which is encrypted and addressed to your recipient using his or her public key.

All you have to do now is send an email to the recipient and attach the encrypted file to it.

7. Decrypt a message from a friend

Once you have received an encrypted message, save it to your computer. In the terminal, navigate to where you saved the file.

Run the following command, replacing "message.txt.asc" with the name of the encrypted file you received and "message.txt" with a filename ending in .txt that you want the decrypted file to be called.

  • Windows: gpg --decrypt message.txt.asc > message.txt
  • macOS, Linux: gpg2 --decrypt message.txt.asc > message.txt

Since your private key will be used to decrypt the message and because your private key is password protected, you will be prompted to enter the password.

Send an encrypted message to Mullvad

  1. Download and import Mullvad's public key (also available at the bottom of our website).
  2. Using support@mullvadvpn.net as the recipient, follow the steps above for encrypting a message.
  3. Send the encrypted message to the same email address. No one other than our support team will be able to decrypt the message.
  4. If you would like us to reply with an encrypted message, you will need to send your public key to us.