GPG Cheat Sheet

25 July, 20204 min readLinux

For GPG versions 2.x only.

List keys

List public keys

gpg --list-keys

List all secret keys

gpg --list-secret-keys

List public or secret keys, but show subkey fingerprints as well

gpg --list-keys --with-subkey-fingerprints
gpg --list-secret-keys --with-subkey-fingerprints

The key ring location is normally shown on the first line on stdout.

Use different key ring

List keys but use a different home directory for one command only

gpg --homedir ~/.gnupg-alternate --list-keys

Set different home directory for session

export GNUPGHOME=/mnt/c/Users/USER/AppData/Roaming/gnupg/
gpg --list-keys

Generate keys

Generate key pair

gpg --full-generate-key

Exporting keys

Export single public key or secret key, useful for backing up keys

gpg -a --export KEYID > public.asc
gpg -a --export-secret-key KEYID > secret.asc

Export all keys

gpg -a --export > public-all.asc
gpg -a --export-secret-key > secret-all.asc

Exported secret keys are protected with current secret key passphrase.

Importing keys

List contents of key file without importing it

gpg keys.asc

Verbose option to see fingerprint or both fingerprint/signatures too

gpg --with-subkey-fingerprint keys.asc
gpg -v keys.asc

Import keys, merging into current key ring

gpg --import keys.asc

Signing a key

View the fingerprint of a key, after confirming the key is authentic, sign the key.

gpg --fingerprint KEYID
gpg --sign-key KEYID

Or via the key editor

gpg --edit-key KEYID
gpg>fpr
gpg>sign
gpg>save

Optionally, export the key again and return to user

gpg -a --export KEYID > signed-key.asc

Signing a key will automatically set the key's trust level to full.

If you local sign a key, the exported key to others doesn't contain the signatures, the signature is only valid to you

gpg --lsign-key KEYID

Edit key trust

gpg --edit-key KEYID
gpg>trust
gpg>(enter trust level)
gpg>save

The trust level you enter is based on:

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Use ultimate only for keys you've generated yourself. Signing a key will automatically set the key's trust level to full.

Generate a revocation certificate

gpg -a --gen-revoke KEYID > revoke.asc

Renew an expired (sub)key

To change the expiry of a key

gpg --edit-key KEYID
gpg>expire
gpg>save

Then export the new key for distribution, and generate a new revocation certificate for safekeeping. The secret key doesn't change.

gpg -a --export KEYID > public.asc
gpg -a --gen-revoke KEYID > revoke.asc

Encryption

Encrypt file to one recipient key. This will write to a default filename, in this case file.txt.gpg

gpg -e -r KEYID file.txt

Sign and encrypt a file

gpg -s -e -r KEYID file.txt

Encrypt to multiple recipients

gpg -e -r KEY1 -r KEY2 -r KEY3 file.txt

Encrypt and specify output file

gpg -e -r KEYID -o OUTPUT INPUT

Encryption uses compression by default. To disable, use the option -z 0. This will speed up the process if encrypting a large file which is already compressed.

gpg -e -z 0 -r KEYID file.tar.gz

Encrypt contents from standard input

cat "my secret message" | gpg -e -r KEYID > message.txt.gpg
tar -jc /var/log/secret | gpg -z 0 -e -r KEYID > secret.tar.bz2.gpg

Symmetrically encrypt a file using a passphrase

gpg -c file.txt

Create or verify signature

Sign file without encrypting, using a detached signature. This will write to a default file file.txt.asc in the example below.

gpg -a -s file.txt

But with clear signed attached signature

gpg --clear-sign file.txt

Sign using a non default secret key. Useful if you have multiple secret keys on your key ring.

gpg --default-key KEYID -a -s file.txt

Verify a clearsigned or dettached signature

gpg --verify file.txt.asc

Decryption

List recipients of a encrypted file

gpg --list-only FILE

Decrypt a file to user defined output filename

gpg -d -o OUTPUT FILE

Decrypt a file using default file name, e.g file.txt.gpg decrypts to file.txt

gpg -d FILE

Batch encrypt and decrypt

Encrypt all *.jpg files in the current directory to two recipients, with no compression

find . -maxdepth 1 -type f -name "*.jpg" -exec gpg -z 0 -e -r KEY1 -r KEY2 -o {}.gpg {} \;

Decrypt all *.gpg files in current directory. If --output is not used, it will write file.txt.gpg to file.txt

gpg --decrypt-files *.gpg

Do the same using a shell script

#!/bin/bash
read -rsp "Enter passphrase: " PASSPHRASE
for FILE in *.*.gpg; do
    echo "Extracting $FILE to ${FILE%.gpg}."
    echo "$PASSPHRASE" | gpg --passphrase-fd 0 --batch -d --output "${FILE%.gpg}" "$FILE"
done

Decrypt using passphrase from standard input

echo "passphrase" | gpg --passphrase-fd 0 --batch -d -o file.txt file.txt.gpg
© Andy Gock 2009−2020