GPG Cheat Sheet
For GPG versions 2.x only.
List keys
List public keys
gpg --list-keys
List all secret keys
gpg --list-secret-keys
List public or secret keys, but show subkey fingerprints as well
gpg --list-keys --with-subkey-fingerprints
gpg --list-secret-keys --with-subkey-fingerprints
The key ring location is normally shown on the first line on stdout.
Use different key ring
List keys but use a different home directory for one command only
gpg --homedir ~/.gnupg-alternate --list-keys
Set different home directory for session
export GNUPGHOME=/mnt/c/Users/USER/AppData/Roaming/gnupg/
gpg --list-keys
Generate keys
Generate key pair
gpg --full-generate-key
Exporting keys
Export single public key or secret key, useful for backing up keys
gpg -a --export KEYID > public.asc
gpg -a --export-secret-key KEYID > secret.asc
Export all keys
gpg -a --export > public-all.asc
gpg -a --export-secret-key > secret-all.asc
Exported secret keys are protected with current secret key passphrase.
Importing keys
List contents of key file without importing it
gpg keys.asc
Verbose option to see fingerprint or both fingerprint/signatures too
gpg --with-subkey-fingerprint keys.asc
gpg -v keys.asc
Import keys, merging into current key ring
gpg --import keys.asc
Signing a key
View the fingerprint of a key, after confirming the key is authentic, sign the key.
gpg --fingerprint KEYID
gpg --sign-key KEYID
Or via the key editor
gpg --edit-key KEYID
gpg>fpr
gpg>sign
gpg>save
Optionally, export the key again and return to user
gpg -a --export KEYID > signed-key.asc
Signing a key will automatically set the key's trust level to full.
If you local sign a key, the exported key to others doesn't contain the signatures, the signature is only valid to you.
gpg --lsign-key KEYID
Removing a key signature
Removing a local key signature
gpg --edit-key KEYID
gpg>delsig
gpg>save
Revoking a published key signature. You can not delete a key signature.
gpg --edit-key KEYID
gpg>revsig
gpg>save
If needed, upload the key and revocation certificate to key servers
gpg --send-key KEYID
Or export the key with the revoked signature
gpg -a --export KEYID > exported-key.asc
Adding or removing a UID
gpg --edit-key KEYID
gpg>adduid
(enter details as prompted)
gpg>list
gpg>save
gpg>quit
Changing primary UID
If you have multiple UIDs, this will change which UID is the primary one.
gpg --edit-key KEYID
gpg>list
gpg>uid X
gpg>primary
gpg>save
gpg>quit
Edit key trust
gpg --edit-key KEYID
gpg>trust
gpg>(enter trust level)
gpg>save
The trust level you enter is based on:
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Use ultimate only for keys you've generated yourself. Signing a key will automatically set the key's trust level to full.
Generate a revocation certificate
gpg -a --gen-revoke KEYID > revoke.asc
Renew an expired (sub)key
To change the expiry of a key
gpg --edit-key KEYID
gpg>expire
gpg>key 1
gpg>expire
gpg>list
gpg>save
If you have more subkeys, you can edit those with key 2, key 3 etc. Use list to view the key details including expiry date. The default key edited is the primary key when no key N is specified, this is the first key shown in the list output, and can also be manually selected by key 0.
Then export the new key for distribution, and generate a new revocation certificate for safekeeping. The secret key doesn't change.
gpg -a --export KEYID > public.asc
gpg -a --gen-revoke KEYID > revoke.asc
Encryption
Encrypt file to one recipient key. This will write to a default filename, in this case file.txt.gpg
gpg -e -r KEYID file.txt
Sign and encrypt a file
gpg -s -e -r KEYID file.txt
Encrypt to multiple recipients
gpg -e -r KEY1 -r KEY2 -r KEY3 file.txt
Encrypt and specify output file
gpg -e -r KEYID -o OUTPUT INPUT
Encryption uses compression by default. To disable, use the option -z 0. This will speed up the process if encrypting a large file which is already compressed.
gpg -e -z 0 -r KEYID file.tar.gz
Encrypt contents from standard input
cat "my secret message" | gpg -e -r KEYID > message.txt.gpg
tar -jc /var/log/secret | gpg -z 0 -e -r KEYID > secret.tar.bz2.gpg
Symmetrically encrypt a file using a passphrase
gpg -c file.txt
Create or verify signature
Sign file without encrypting, using a detached signature. This will write to a default file file.txt.asc in the example below.
gpg -a -s file.txt
But with clear signed attached signature
gpg --clear-sign file.txt
Sign using a non default secret key. Useful if you have multiple secret keys on your key ring.
gpg --default-key KEYID -a -s file.txt
Verify a clearsigned or dettached signature
gpg --verify file.txt.asc
Decryption
List recipients of a encrypted file
gpg --list-only FILE
Decrypt a file to user defined output filename
gpg -d -o OUTPUT FILE
Decrypt a file using default file name, e.g file.txt.gpg decrypts to file.txt
gpg -d FILE
Batch encrypt and decrypt
Encrypt all *.jpg files in the current directory to two recipients, with no compression
find . -maxdepth 1 -type f -name "*.jpg" -exec gpg -z 0 -e -r KEY1 -r KEY2 -o {}.gpg {} \;
Decrypt all *.gpg files in current directory. If --output is not used, it will write file.txt.gpg to file.txt
gpg --decrypt-files *.gpg
Do the same using a shell script
#!/bin/bash
read -rsp "Enter passphrase: " PASSPHRASE
for FILE in *.*.gpg; do
echo "Extracting $FILE to ${FILE%.gpg}."
echo "$PASSPHRASE" | gpg --passphrase-fd 0 --batch -d --output "${FILE%.gpg}" "$FILE"
done
Decrypt using passphrase from standard input
echo "passphrase" | gpg --passphrase-fd 0 --batch -d -o file.txt file.txt.gpg
Using a keyserver
KEYID is the last 4 bytes (8 hexadecimal chars) of your fingerprint, e.g D9B2766F
Sending or uploading a key to a key server
gpg --keyserver SERVER --send-key KEYID
Receiving a key from a key server
gpg --keyserver SERVER --recv-key KEYID
If you don't use the --keyserver SERVER option, the default server will be used. See what your default server is.
gpgconf --list-options gpg
Common and popular keyservers are
pgp.mit.edu
pool.sks-keyservers.net
Search for keys
gpg --keyserver SERVER --search-keys STRING