This help file is intended to give more detailed, platform-specific
instructions on how to decrypt files using GNU Privacy Guard (GPG) for those
who need it.
First, some background: File encryption is required by U.S. Federal law
when transmitting the proprietary information utilized in peer reviews. We
have endeavored to make this process as simple as possible while using free
software that is supported on all popular OS platforms, but we recognize that
it is obviously not as easy as it could be. Please accept our apologies for
the inconvenience and our thanks for the additional time and effort it takes
to decrypt these files.
First, download and install the latest version of GPG4Win.
You will need administrator access to install it. Make sure you install
the GPA component. It may not be part of the default installation.
After GPG4Win has been successfully installed, launch GPA (gpa.exe),
either by clicking on its icon or selecting it from the Windows "Start"
After it has launched, click on the "Files" icon in the toolbar of the
"GNU Privacy Assistant - Key Manager" window. It is the third icon from the
right in the toolbar, next to the "Clipboard" icon. This will open up the
"GNU Privacy Assistant - File Manager" window.
In that window, click on the "Open" icon in the toolbar (the first
icon on the left of the "File Manager" toolbar) and then navigate to the
encrypted (*.asc) file and open it. The file should now be listed in the
"File Manager" window.
Finally, click on the "Decrypt" button. This will present a dialog box
for you to enter the passphrase. Type (or paste) the passphrase, which
should have already been supplied to you by the mission's peer review
staff. After a few moments, the file will be decrypted and you can quit
You will likely still need to untar the decrypted file, but there are
many Windows programs to do that (e.g., 7-Zip, WinZip, WinRAR, WinAce),
and you may already have one of those utilities
Alternatively, you can use the command line interface in a
Terminal session. Note that the executable will probably be installed in
C:\Program Files\GNU\GnuPG\ and may be named "gpg2.exe" instead of
"gpg.exe". If it is named "gpg2.exe", you should amend the
recommended command line from "gpg" to "gpg2" accordingly.
and install the latest
to use GPG 2.x.
Alternatively, if you already use and are familiar with MacPorts or
Homebrew or Fink, you can install gpg2 using one of those Mac open source
package managers and skip to step 5.
Locate the downloaded image file
("GPG_Suite-2019.2.dmg" or similar) in the Finder and double-click it
to mount it.
After the image mounts, double-click on the
"Install" icon in the image's window and follow the installer's
instructions to install GPG on your Mac. We recommend that you click on the
Customize button and uncheck every sub-package except for
the "MacGPG2" sub-package (unless you plan on using GPG for other things
on your Mac and want those other features). You will need administrator
access to perform the install.
Next, launch the Terminal application, which should be located
in the "Utilities" folder inside your main "Applications" folder.
Alternatively, use Spotlight to locate it by searching for
"Terminal" (without the quotes).
Once you have a Terminal window open, you will need to change directory
to where the encrypted file was downloaded. For example, if the encrypted
file is in your Downloads folder, you would type:
If the encrypted file is on your desktop, you would type:
If the encrypted file is in your home directory, you would just type:
Finally, copy and paste one of the Unix-compatible commands for
decrypting files, as given in the peer review instructions, into the
Terminal window. The second command should work on macOS and is
recommended. If you get an error in the Terminal window that says "gpg:
command not found" or similar, replace "gpg" with
"/usr/local/MacGPG2/bin/gpg --no-symkey-cache" in the decryption command and try again.
If that doesn't work, try "/usr/local/bin/gpg" instead and/or use the
following commands to determine where GPG was installed:
You may find it convenient to create a command alias so that you
do not have to type the complete path each time. Depending on what type
of shell you are using, you can do that by typing one
of the following commands, chosen appropriately, in a Terminal window
(for the bash shell):
alias gpg='/usr/local/MacGPG2/bin/gpg2 --no-symkey-cache'
alias gpg='/usr/local/gnupg-2.2/bin/gpg2 --no-symkey-cache'
If your shell is tcsh instead of bash, defining an alias
is similar. The only difference is that you should not type the equal
sign (=) in the above examples. Type a space instead.
Note that, if the version of gpg you are using is >= 2.2.7, adding
--no-symkey-cache to your alias (as shown in a couple of the
most common cases above) is highly recommended. Alternatively, to avoid
typing this option all the time or including it in your alias, you can
add it to your ~/.gnupg/gpg.conf file by executing:
echo "no-symkey-cache" >> ~/.gnupg/gpg.conf
If you are not sure which shell you are using or this is confusing, you
can skip defining an alias and instead just type the full path to the
command when issuing the decryption command.
Depending on which Terminal command you used, you might still need to
untar the decrypted file. We recommend utilizing the free utility
Unarchiver for that purpose. It can also be downloaded for free from
the Mac App Store.
Most popular Linux distributions ship with GPG already installed. You
should be able to just copy and paste the decryption command (as given in the
peer review instructions) into any terminal window. If not, consult your
distribution's software package manager on how to
install GPG (a.k.a. "gnupg"). Alternatively, the
source code is
If the version of gpg you are using is >= 2.2.7, make sure you use the
--no-symkey-cache option when decrypting or add it to your
~/.gnupg/gpg.conf file by executing:
echo "no-symkey-cache" >> ~/.gnupg/gpg.conf
If the ~/.gnupg/ directory doesn't exist, create it first:
mkdir ~/.gnupg
chmod 700 ~/.gnupg
Alternatively, you could define an alias, like so (for the bash shell):
alias gpg='gpg --no-symkey-cache'
If your shell is tcsh instead of bash, defining an alias is
similar. The only difference is that you should not type the equal sign (=)
in the above example. Type a space instead.
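
The gpg.conf steps given above for macOS and Linux, combined into one script that checks the gpg version against 2.2.7 and can be run repeatedly without appending duplicate "no-symkey-cache" lines. This is an added example, not part of the original instructions; the function names and the --apply switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply the page's "no-symkey-cache" setting idempotently.
# Function names and the --apply switch are illustrative assumptions.

# Extract the version number from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 2.2.27" -> "2.2.27".
gpg_version_from() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9.]*\).*/\1/p'
}

# version_ge A B: succeed when dotted version A >= B, comparing field by
# field as numbers (so 2.2.27 is newer than 2.2.7).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Create the GnuPG home with mode 700 if it is missing, then add the option
# to gpg.conf only when no identical line is already present.
ensure_no_symkey_cache() {
    gnupg_home=$1
    conf=$gnupg_home/gpg.conf
    if [ ! -d "$gnupg_home" ]; then
        mkdir -p "$gnupg_home"
        chmod 700 "$gnupg_home"
    fi
    if [ -f "$conf" ] && grep -qxF 'no-symkey-cache' "$conf"; then
        return 0
    fi
    echo 'no-symkey-cache' >> "$conf"
}

# Only touch the real configuration when asked to with --apply.
if [ "${1:-}" = "--apply" ]; then
    ver=$(gpg_version_from "$(gpg --version)")
    if version_ge "$ver" 2.2.7; then
        ensure_no_symkey_cache "${GNUPGHOME:-$HOME/.gnupg}"
    else
        echo "gpg '$ver' is older than 2.2.7; option not added"
    fi
fi
```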