GPG Cheat Sheet


For GPG versions 2.x only.

List keys

List public keys

gpg --list-keys

List all secret keys

gpg --list-secret-keys

List public or secret keys, but show subkey fingerprints as well

gpg --list-keys --with-subkey-fingerprints
gpg --list-secret-keys --with-subkey-fingerprints

The key ring location is normally shown on the first line on stdout.

Use different key ring

List keys but use a different home directory for one command only

gpg --homedir ~/.gnupg-alternate --list-keys

Set different home directory for session

export GNUPGHOME=/mnt/c/Users/USER/AppData/Roaming/gnupg/
gpg --list-keys

Generate keys

Generate key pair

gpg --full-generate-key

Exporting keys

Export single public key or secret key, useful for backing up keys

gpg -a --export KEYID > public.asc
gpg -a --export-secret-key KEYID > secret.asc

Export all keys

gpg -a --export > public-all.asc
gpg -a --export-secret-key > secret-all.asc

Exported secret keys are protected with current secret key passphrase.

Importing keys

List contents of key file without importing it

gpg keys.asc

Verbose option to see fingerprint or both fingerprint/signatures too

gpg --with-subkey-fingerprint keys.asc
gpg -v keys.asc

Import keys, merging into current key ring

gpg --import keys.asc

Signing a key

View the fingerprint of a key, after confirming the key is authentic, sign the key.

gpg --fingerprint KEYID
gpg --sign-key KEYID

Or via the key editor

gpg --edit-key KEYID

Optionally, export the key again and return to user

gpg -a --export KEYID > signed-key.asc

Signing a key will automatically set the key's trust level to full.

If you local sign a key, the exported key to others doesn't contain the signatures, the signature is only valid to you.

gpg --lsign-key KEYID

Removing a key signature

Removing a local key signature

gpg --edit-key KEYID

Revoking a published key signature. You can not delete a key signature.

gpg --edit-key KEYID

If needed, upload the key and revocation certificate to key servers

gpg --send-key KEYID

Or export the key with the revoked signature

gpg -a --export KEYID > exported-key.asc

Adding or removing a UID

gpg --edit-key KEYID
(enter details as prompted)

Changing primary UID

If you have multiple UIDs, this will change which UID is the primary one.

gpg --edit-key KEYID
gpg>uid X

Edit key trust

gpg --edit-key KEYID
gpg>(enter trust level)

The trust level you enter is based on:

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Use ultimate only for keys you've generated yourself. Signing a key will automatically set the key's trust level to full.

Generate a revocation certificate

gpg -a --gen-revoke KEYID > revoke.asc

Renew an expired (sub)key

To change the expiry of a key

gpg --edit-key KEYID
gpg>key 1

If you have more subkeys, you can edit those with key 2, key 3 etc. Use list to view the key details including expiry date. The default key edited is the primary key when no key N is specified, this is the first key shown in the list output, and can also be manually selected by key 0.

Then export the new key for distribution, and generate a new revocation certificate for safekeeping. The secret key doesn't change.

gpg -a --export KEYID > public.asc
gpg -a --gen-revoke KEYID > revoke.asc


Encrypt file to one recipient key. This will write to a default filename, in this case file.txt.gpg

gpg -e -r KEYID file.txt

Sign and encrypt a file

gpg -s -e -r KEYID file.txt

Encrypt to multiple recipients

gpg -e -r KEY1 -r KEY2 -r KEY3 file.txt

Encrypt and specify output file


Encryption uses compression by default. To disable, use the option -z 0. This will speed up the process if encrypting a large file which is already compressed.

gpg -e -z 0 -r KEYID file.tar.gz

Encrypt contents from standard input

cat "my secret message" | gpg -e -r KEYID > message.txt.gpg
tar -jc /var/log/secret | gpg -z 0 -e -r KEYID > secret.tar.bz2.gpg

Symmetrically encrypt a file using a passphrase

gpg -c file.txt

Create or verify signature

Sign file without encrypting, using a detached signature. This will write to a default file file.txt.asc in the example below.

gpg -a -s file.txt

But with clear signed attached signature

gpg --clear-sign file.txt

Sign using a non default secret key. Useful if you have multiple secret keys on your key ring.

gpg --default-key KEYID -a -s file.txt

Verify a clearsigned or dettached signature

gpg --verify file.txt.asc


List recipients of a encrypted file

gpg --list-only FILE

Decrypt a file to user defined output filename

gpg -d -o OUTPUT FILE

Decrypt a file using default file name, e.g file.txt.gpg decrypts to file.txt

gpg -d FILE

Batch encrypt and decrypt

Encrypt all *.jpg files in the current directory to two recipients, with no compression

find . -maxdepth 1 -type f -name "*.jpg" -exec gpg -z 0 -e -r KEY1 -r KEY2 -o {}.gpg {} \;

Decrypt all *.gpg files in current directory. If --output is not used, it will write file.txt.gpg to file.txt

gpg --decrypt-files *.gpg

Do the same using a shell script

read -rsp "Enter passphrase: " PASSPHRASE
for FILE in *.*.gpg; do
    echo "Extracting $FILE to ${FILE%.gpg}."
    echo "$PASSPHRASE" | gpg --passphrase-fd 0 --batch -d --output "${FILE%.gpg}" "$FILE"

Decrypt using passphrase from standard input

echo "passphrase" | gpg --passphrase-fd 0 --batch -d -o file.txt file.txt.gpg

Using a keyserver

KEYID is the last 4 bytes (8 hexadecimal chars) of your fingerprint, e.g D9B2766F

Sending or uploading a key to a key server

gpg --keyserver SERVER --send-key KEYID

Receiving a key from a key server

gpg --keyserver SERVER --recv-key KEYID

If you don't use the --keyserver SERVER option, the default server will be used. See what your default server is.

gpgconf --list-options gpg

Common and popular keyservers are

Search for keys

gpg --keyserver SERVER --search-keys STRING