Welcome back to LaunchCrafted! Today, let’s tackle a security issue that makes me cringe every time I see it: sharing credentials in direct messages or group chats. Whether it’s on Slack, Teams, or Skype, firing off secrets and passwords in these channels is a massive risk. These platforms can be hacked, or maybe they don’t fully encrypt data, or perhaps employees at the company have more access than you realize. And group chats? Don’t even get me started—one accidental invite or rogue group member can compromise everything.
We often hear excuses like:
“No, this credential is just for a dev environment…”
“It’s only trusted people here…”
But credential leaks can lead to gigantic repercussions—think lost revenue, brand damage, or plain old identity theft. Let’s not wait for regrets to set in.
Enter GPG: Your New Secret-Sharing Sidekick
If you haven’t heard of it, GPG (GNU Privacy Guard) is an industry-standard tool for encryption and signing. In short, it lets you encrypt files and messages so only the intended recipient can read them. Even if someone snoops on the data in transit, it’s worthless to them without the proper key.
In this post, I’ll show you how to set up GPG on macOS, Windows, and Linux. Then we’ll walk through how to generate your key pair and share credentials securely.
1. Installing GPG
macOS
Install via Homebrew (Recommended):
If you don’t have Homebrew installed, open Terminal and run:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Once Homebrew is set up, install GPG:
brew install gnupg
Verify installation:
gpg --version
Alternatively, use GPGTools:
Download GPGTools and install it.
This package includes a suite of GPG utilities and a convenient GUI.
Windows
Download Gpg4win:
Head to Gpg4win and download the installer.
Run the installer and select the components you want (usually GnuPG and Kleopatra).
Kleopatra (GUI):
Kleopatra is a user-friendly interface for managing keys and encrypting/decrypting files.
After installing, open Kleopatra to create and manage your keys.
Linux (Ubuntu/Debian-based)
Install via apt:
sudo apt update
sudo apt install gnupg
Other Distributions:
For Fedora, use:
dnf install gnupg
For Arch, use:
pacman -S gnupg
Verify installation:
gpg --version
2. Generating Your Key Pair
Once GPG is installed, the next step is creating your personal key pair consisting of:
A public key (you share this with others).
A private key (this stays locked down on your machine—never share it).
Generate a Key Pair
Open your terminal (or Kleopatra on Windows) and run:
gpg --full-generate-key
You’ll be guided through a series of prompts:
Key Type: Typically choose RSA and RSA (default) or ECC.
Key Size: For RSA, 4096 bits is a good modern standard.
Expiry Date: You can set an expiration date (1-2 years) or choose “no expiration.”
Real Name: Enter your name.
Email Address: Provide an email you’d like associated with the key.
Comment: Optional but can be useful to add a note or label (e.g., “Work key”).
Passphrase: Use a strong, unique passphrase for your private key.
After this, GPG will generate your keys. It may ask you to do some random actions if it needs more “entropy” (randomness).
List Your Keys
To list your keys, run:
gpg --list-keys
You should see your newly created public key listed. To see your private key, run:
gpg --list-secret-keys
3. Sharing Your Public Key
For someone else to send you encrypted messages (or to verify something you’ve signed), they need your public key.
Export your public key:
gpg --armor --export [email protected] > my_public_key.asc
This creates a text file (.asc) that you can share via email, Slack, or any channel (public key is safe to distribute).
Someone can then import it:
gpg --import my_public_key.asc
4. Encrypting and Decrypting Files/Messages
Encrypting a File
Suppose you have a file named credentials.txt that you want to share with a colleague who has the public key under the email [email protected].
gpg --encrypt --recipient [email protected] credentials.txt
GPG will generate credentials.txt.gpg. This is the encrypted file that you can safely share.
Decrypting a File
On the receiving end, once your colleague downloads credentials.txt.gpg, they can decrypt it like so:
gpg --decrypt credentials.txt.gpg > credentials_decrypted.txt
They’ll be prompted for their private key passphrase. After that, GPG outputs the decrypted content into credentials_decrypted.txt.
Encrypting Text Directly (No Files)
Want to send a quick message in Slack but in an encrypted form? You can type it out in Terminal:
echo "Here is a secret password: MySuperPassword123" | gpg --armor --encrypt --recipient [email protected]
GPG will spit out encrypted text like:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA9kTMQro0owtAQf9HvvMYJDrWhf1V2NTTLkaCeCazOQZ5N/9s0BYUzFBzN/9
[...]
-----END PGP MESSAGE-----
Copy/paste that into Slack, Teams, or email—wherever.
Decrypting (No File Needed)
When your colleague receives that block of text, they can decrypt it straight from the command line without creating a file, printing directly to the terminal:
echo "-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA9kTMQro0owtAQf9HvvMYJDrWhf1V2NTTLkaCeC...
[...]
-----END PGP MESSAGE-----" | gpg --decrypt
They’ll be prompted for their private key’s passphrase (if required), and the decrypted message will appear directly in their terminal output.
Decrypting to a File
If your colleague wants to save the decrypted output to a file, they can redirect the output:
echo "-----BEGIN PGP MESSAGE-----
Version: GnuPG v2

hQEMA9kTMQro0owtAQf9HvvMYJDrWhf1V2NTTLkaCeC...
[...]
-----END PGP MESSAGE-----" | gpg --decrypt > decrypted_message.txt
After entering the passphrase, the decrypted content will be stored in decrypted_message.txt.
5. Best Practices & Tips
Keep your private key private. Never share it with anyone.
Use a strong passphrase. It protects your key even if someone gains access to your computer.
Verify your key fingerprints. When exchanging public keys with someone, confirm the key’s fingerprint over a secure channel or in person to avoid “man-in-the-middle” attacks.
Rotate or revoke keys when needed. If you suspect any compromise, revoke the key and generate a new pair.
Automate if possible. For frequent encryption tasks, consider scripts or tools that wrap around GPG. That way, your team can standardize this process.
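The fingerprint and automation tips above can be combined in one small wrapper. The script below is an added example, not part of the original post: it refuses to encrypt unless the recipient's key in your keyring matches the fingerprint you confirmed out of band. The function names, the constructed sample data and the address colleague@example.com are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): encrypt a secret from stdin,
# but only if the recipient key matches a fingerprint confirmed out of band.

# Constructed sample of `gpg --with-colons` output, for trying the parser.
SAMPLE_COLONS='pub:u:4096:1:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::::Colleague (constructed) <colleague@example.com>::::::::::0:
sub:u:4096:1:1111222233334444:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Strip whitespace and upper-case, so "0123 4567 ..." compares cleanly.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the primary key fingerprint: field 10 of the first "fpr" record
# that follows a "pub" record (subkey fingerprints are ignored).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Succeed only for two equal, full 40-hex-digit (v4) fingerprints.
# Short key IDs and empty strings are rejected.
fpr_matches() {
    a=$(norm_fpr "$1"); b=$(norm_fpr "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Usage: encrypt_secret RECIPIENT EXPECTED_FINGERPRINT < secret.txt
encrypt_secret() {
    actual=$(gpg --batch --with-colons --fingerprint "$1" 2>/dev/null | primary_fpr)
    if ! fpr_matches "$2" "$actual"; then
        echo "fingerprint mismatch for $1, refusing to encrypt" >&2
        return 1
    fi
    # Encrypt to the verified fingerprint itself, not to the e-mail address.
    # --trust-model always: the check above replaces GPG's trust prompt.
    gpg --batch --armor --encrypt --trust-model always --recipient "$actual"
}
```

Because the secret arrives on standard input (a file or a pipe from a password manager), it never has to be typed as a command-line argument, so it stays out of your shell history.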
The Bottom Line
Sharing credentials in group chats or direct messages is a recipe for disaster—no matter how secure or “friendly” the environment may seem. Using GPG to encrypt your secrets is a simple, robust way to protect your data and your organization. You might spend a bit more time setting up keys, but that investment pays off the moment you avoid even one serious security breach.
I’d love to hear from you:
Have you tried using GPG or any other encryption methods before?
What are your tips for keeping credentials safe?
Drop your thoughts or questions below, and let’s make the tech world a safer place—one encrypted message at a time!
Thanks for reading, and stay secure!
Mortaza