Encrypting files with PGP requires the recipient’s public key and an OpenPGP-compatible tool like GnuPG.
One wrong key makes the file unrecoverable. PGP encryption keeps a file readable only by the intended recipient by combining symmetric and public-key cryptography. The process is direct once you have the right tool and a working command. Here is exactly how to encrypt a file using PGP, the tools that work across operating systems, and the mistakes that lock you out.
How PGP File Encryption Works
PGP encrypts the file itself with a one-time symmetric session key, then encrypts that session key with the recipient’s public key. The recipient’s private key decrypts the session key, which decrypts the file. A digital signature can be added to prove the file came from you and detect tampering in transit. Because PGP follows the OpenPGP standard, different tools that support OpenPGP can exchange encrypted files without compatibility problems.
What You Need Before You Encrypt
You need two things: the recipient’s PGP public key and an OpenPGP-compatible encryption tool. GnuPG (GPG) is the most widely used command-line tool and works on Linux, macOS, and Windows. The recipient must have kept the corresponding private key secret and available on their own system.
- Recipient’s public key – usually provided as an .asc or .gpg key file.
- An OpenPGP tool – GnuPG (free), Broadcom PGP Command Line (enterprise), or a built-in workflow engine like AWS Transfer Family.
- Your private key (optional) – if you want to sign the file to prove origin.
Encrypt A File With PGP – The Command Line Method
The most stable, universal method for PGP encryption is the command line using GnuPG. The commands are the same on Linux, macOS, and Windows (with Gpg4win installed).
- Import the recipient’s public key into your local keyring:
  `gpg --import recipient-public-key.asc`
- Encrypt the file using the recipient’s email address or key ID. The AWS Transfer Family documentation uses this exact pattern:
  `gpg --encrypt -r recipient@email.com --openpgp test-file.txt`
- The output file is `test-file.txt.gpg`. Send that file to the recipient through your usual channel.
The --openpgp flag forces strict adherence to the OpenPGP standard, which avoids interoperability issues with other tools. The -r flag identifies which public key to use: the recipient’s email address, or, when the recipient has more than one key and you need to be precise, the key ID or fingerprint of the key they asked you to use.
| Tool | Interface | Best For |
|---|---|---|
| GnuPG (GPG) | Command line | Universal encryption, scripting, cross-platform use |
| Broadcom PGP Command Line | Command line | Enterprise automated workflows (Windows/Linux) |
| GoAnywhere Open PGP | GUI + Tasks | Business file transfers with Key Vault management |
| AWS Transfer Family PGP | Cloud Workflow | Cloud-native file processing via Amazon S3 |
AWS’s official PGP encryption guide provides a full walkthrough of the command-line method, including key generation with RSA 3072-bit keys and the exact gpg syntax shown above.
Encrypting Files With PGP In Enterprise Environments
Enterprise tools automate PGP encryption inside scheduled file transfers. GoAnywhere Open PGP lets you import a trading partner’s key into its Key Vault, then attach a PGP Encrypt task to a Project that picks up files from local folders, UNC paths, or NFS mounts. Microsoft System Center Orchestrator’s PGP Encrypt File activity requires specific GnuPG binaries (version 1.4.10 or later, or GnuPG version 2.x components including gpg-agent.exe, libgcrypt-20.dll, and others) placed in the Orchestrator extensions encryption folder. Missing those files breaks the activity entirely.
Broadcom PGP Command Line offers the same pgp --encrypt syntax with an --output flag to control the encrypted file name. The command pgp --encrypt (input) --recipient (user) matches the core GnuPG pattern, so teams switching tools don’t need to rewrite workflow logic.
The Most Common PGP Encryption Mistakes
| Mistake | Why It Hurts | How To Avoid It |
|---|---|---|
| Encrypting with the wrong public key | The intended recipient cannot decrypt the file. | Verify the recipient’s key fingerprint before importing. |
| Forgetting to sign the file | The recipient cannot verify who sent it. | Add the --sign flag when authenticity matters. |
| Using an old PGP tool version | Interoperability failures with modern OpenPGP implementations. | Use GnuPG 2.x or later and include --openpgp. |
| Missing GnuPG binaries in automation | Enterprise workflows (Orchestrator, custom scripts) fail silently. | Verify every file in the required set exists on the runbook server. |
Encrypting Files With PGP: The Core Steps To Remember
The exact workflow fits in five steps. Run through them in order and the encrypted file will open cleanly on the other side.
- Obtain and verify the recipient’s public key fingerprint.
- Import the key into your local GPG keyring (`gpg --import recipient-key.asc`).
- Run the encrypt command with the correct recipient email or ID (`gpg --encrypt -r recipient@email.com --openpgp file.txt`).
- Confirm the output file ends in `.pgp` or `.gpg`.
- Send the encrypted file over your usual channel: email, SFTP, or cloud storage.
PGP encryption is one of the few cryptographic methods that has remained stable for decades. The same command that worked on a Linux server ten years ago works today, and the OpenPGP standard guarantees that the file you send will open in any compliant tool the recipient uses.
References & Sources
- AWS. “Encrypt and decrypt files with PGP and AWS Transfer Family.” Full command-line PGP tutorial with RSA key generation and GPG syntax.
- GoAnywhere. “How to Encrypt Files (Open PGP).” Enterprise GUI-based PGP encryption workflow using Key Vault.
- Broadcom. “Encrypt using PGP Command Line.” Syntax and flags for the enterprise PGP command-line tool.
- Microsoft. “PGP Encrypt File activity in System Center Orchestrator.” Required GnuPG binaries and version guidance for enterprise automation.
