Why Use GPG Keys? Secure Encryption for File Transfers

March 21, 2025

GPG keys let you do two things with a file: lock it so only the intended recipient can open it, and stamp it so the recipient can prove it came from you and arrived unchanged. When you are moving sensitive files — financial records, health data, contracts, anything you would not want read in transit — that is the protection you want, and GPG encryption is the standard way to get it.

This post explains what a GPG key is, what GPG and PGP actually are, and why the two-key design behind them is the part worth understanding. None of it requires a cryptography background.

What Is GPG? What Is PGP?

PGP, short for Pretty Good Privacy, is an encryption program first written in 1991. It set the pattern almost every file-encryption tool still follows. The pattern itself was later written down as an open standard called OpenPGP, so that any tool could read and write the same encrypted format.

GPG, short for GNU Privacy Guard, is a free, open-source program that implements that OpenPGP standard. In everyday use the names blur together: people say "PGP" for the idea and "GPG" for the tool they actually run. A GPG key and a PGP key are the same kind of thing — a cryptographic key in the OpenPGP format. If a file was encrypted with PGP, GPG can open it, and the reverse holds too.

How Does a GPG Key Work?

A GPG key is not one key. It is a matched pair: a public key and a private key. They are generated together, they are mathematically linked, and they do opposite jobs.

Here is the picture that makes it click. Think of your public key as an open padlock that you hand out freely. Anyone can take that padlock, put your file in a box, and snap the lock shut.

Once it is shut, no one can reopen it — not even the person who just locked it. Only the matching key opens it, and you are the only one who has that key. That key is your private key, and you never give it to anyone.

So the two halves work like this:

  • The public key encrypts. You share it openly — post it, email it, publish it on a key server. Anyone who wants to send you a protected file uses it to lock the file. Sharing your public key is safe by design; it can only lock, never unlock.
  • The private key decrypts. You keep it secret and protected, usually behind a passphrase. It is the only thing that can open files that were locked with your public key.

When a colleague wants to send you a confidential file, they encrypt it with your public key. The file travels across the network as scrambled data. Even if someone intercepts it mid-transfer, they get noise. When it reaches you, your private key turns it back into the original file. This is called public-key cryptography, and it is the same idea that SFTP and HTTPS rely on to set up their protected connections.

Encrypting and Signing Are Two Different Jobs

GPG keys do a second job that is easy to confuse with the first: signing. The two are worth keeping straight because they protect against different problems.

  • Encrypting answers "can anyone else read this?" You encrypt with the recipient's public key so only the recipient can open it.
  • Signing answers "did this really come from who it claims, and has it been altered?" You sign with your own private key, and anyone holding your public key can check the signature. If a single byte of the file changed after you signed it, the check fails.

A file can be both signed and encrypted at once: signed so the recipient trusts the sender, encrypted so no one else can read it. In a partner file exchange, that combination is what lets two organizations trade sensitive files without trusting the network in between.
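The two jobs described above, the padlock that even the locker cannot reopen and a signature that fails after a single byte changes, as an added shell walkthrough that is not part of the original post. It assumes GnuPG 2.2+ on PATH; the party names, addresses and file contents are constructed for the demo, and everything happens in two throwaway keyrings under a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Two throwaway GnuPG keyrings
# (Alice = sender, Bob = recipient) live in a temp dir, so your own keys are untouched.
# Assumes GnuPG 2.2+ on PATH; names, addresses and file contents are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; install GnuPG to run this demo" >&2; exit 0; }
WORK=$(mktemp -d)
mkdir -m 700 "$WORK/alice" "$WORK/bob"
trap 'for h in alice bob; do GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$WORK"' EXIT
# Each wrapper pins gpg to one party's keyring; the unattended flags suit a nightly job.
alice() { GNUPGHOME="$WORK/alice" gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }
bob()   { GNUPGHOME="$WORK/bob"   gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' --trust-model always "$@"; }

# 1. Each party generates its own pair; only the public half is exchanged.
alice --quick-generate-key 'Alice <alice@example.test>' default default never 2>/dev/null
bob   --quick-generate-key 'Bob <bob@example.test>'     default default never 2>/dev/null
alice --export --armor alice@example.test | bob   --import 2>/dev/null
bob   --export --armor bob@example.test   | alice --import 2>/dev/null

# 2. Alice signs with her private key and encrypts with Bob's public key in one pass.
printf 'emp_id,salary\n1001,88000\n' > "$WORK/payroll.csv"
alice --sign --encrypt --recipient bob@example.test \
      --output "$WORK/payroll.csv.gpg" "$WORK/payroll.csv" 2>/dev/null

# The padlock rule: Alice snapped the lock shut, but only Bob's private key opens it.
sender_cannot_decrypt() { ! alice --decrypt --output /dev/null "$WORK/payroll.csv.gpg" 2>/dev/null; }

# Bob decrypts and checks the signature through gpg's machine-readable status lines
# (sent to fd 3), which is what automation should parse rather than human-readable text.
recipient_decrypts_and_verifies() {
  bob --status-fd 3 --decrypt --output "$WORK/received.csv" "$WORK/payroll.csv.gpg" \
      3>"$WORK/status.txt" 2>/dev/null &&
  grep -q '^\[GNUPG:\] GOODSIG ' "$WORK/status.txt" &&
  cmp -s "$WORK/payroll.csv" "$WORK/received.csv"
}

# 3. Signing without encryption: a detached signature over a release artifact.
#    Verification succeeds until a single byte of the file is overwritten.
tamper_detected() {
  printf 'release-1.0 contents' > "$WORK/release.tar"
  alice --detach-sign --armor --output "$WORK/release.tar.asc" "$WORK/release.tar" 2>/dev/null &&
  bob --verify "$WORK/release.tar.asc" "$WORK/release.tar" 2>/dev/null &&
  printf 'R' | dd of="$WORK/release.tar" bs=1 seek=0 conv=notrunc 2>/dev/null &&
  ! bob --verify "$WORK/release.tar.asc" "$WORK/release.tar" 2>/dev/null
}

for check in sender_cannot_decrypt recipient_decrypts_and_verifies tamper_detected; do
  if "$check"; then echo "PASS $check"; else echo "FAIL $check"; fi
done
```

Each check is a shell function that exits 0 when the property holds, so the same script doubles as a smoke test for an automated exchange.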

Why Use GPG Keys?

GPG encryption protects a file at the file level, independent of how it travels. A transfer protocol like SFTP encrypts the connection — the tunnel the file moves through. GPG encrypts the file itself, so it stays locked before it is sent, while it sits at rest on a server, and after it is delivered. The two layers stack: a GPG-encrypted file moving over SFTP is protected both ways.

That file-level protection is why GPG shows up in a few specific places:

  • Partner and regulated data exchange. When you send files to a bank, an insurer, or a healthcare partner, encrypting with their public key means the file is unreadable to anyone but them, even if it passes through systems neither side controls.
  • Files at rest. A GPG-encrypted file sitting in cloud storage stays unreadable to anyone who gets at the storage but not the private key.
  • Verifying authenticity. Signing a file or a software release lets the recipient confirm it came from you and was not tampered with on the way.

The catch in practice is key management. GPG itself is solid; the trouble is the operational side — generating keys, storing private keys somewhere safe, distributing public keys to partners, rotating keys before they expire, and wiring encryption into transfers that need to run automatically every night. Done by hand across a team, that is where mistakes creep in.

Managing GPG Keys on a File Orchestration Platform

Most teams that rely on GPG for partner transfers eventually want the encryption to happen automatically, without someone running a command for every file. That is the job Files.com is built for. Files.com is the cloud-native File Orchestration Platform: one platform that replaces the stack of legacy tools IT teams run to move files — SFTP and FTP servers, MFT suites, file-sharing apps, and the custom scripts holding them together. It speaks every protocol, connects 50+ cloud and on-prem systems, automates every transfer, and keeps a complete audit trail.

For GPG specifically, Files.com generates and stores key pairs inside the platform — you can create a key pair in the browser with no third-party software, and private keys are encrypted at rest and inaccessible to Files.com staff. From there, encryption and decryption become a step in an automated workflow: a file arriving from a partner can be decrypted with your private key on the way in, and a file headed out can be encrypted with the partner's public key automatically, every time, with the whole exchange recorded in the audit trail. The same platform handles the transfer protocol, so a GPG-encrypted file moving over SFTP or FTP is covered end to end.

To put GPG to work in your transfers, see Files.com's PGP/GPG encryption and decryption or start a free trial — no credit card, live in minutes.
