GPG Cheat Sheet

25 July, 2020Linux

For GPG versions 2.x only.

List keys

List public keys

gpg --list-keys

List all secret keys

gpg --list-secret-keys

List public or secret keys, but show subkey fingerprints as well

gpg --list-keys --with-subkey-fingerprints
gpg --list-secret-keys --with-subkey-fingerprints

The key ring location is normally shown on the first line on stdout.

Use different key ring

List keys but use a different home directory for one command only

gpg --homedir ~/.gnupg-alternate --list-keys

Set different home directory for session

export GNUPGHOME=/mnt/c/Users/USER/AppData/Roaming/gnupg/
gpg --list-keys

Generate keys

Generate key pair

gpg --full-generate-key

Exporting keys

Export single public key or secret key, useful for backing up keys

gpg -a --export KEYID > public.asc
gpg -a --export-secret-key KEYID > secret.asc

Export all keys

gpg -a --export > public-all.asc
gpg -a --export-secret-key > secret-all.asc

Exported secret keys are protected with current secret key passphrase.

Importing keys

List contents of key file without importing it

gpg keys.asc

Verbose option to see fingerprint or both fingerprint/signatures too

gpg --with-subkey-fingerprint keys.asc
gpg -v keys.asc

Import keys, merging into current key ring

gpg --import keys.asc

Signing a key

View the fingerprint of a key, after confirming the key is authentic, sign the key.

gpg --fingerprint KEYID
gpg --sign-key KEYID

Or via the key editor

gpg --edit-key KEYID
gpg>fpr
gpg>sign
gpg>save

Optionally, export the key again and return to user

gpg -a --export KEYID > signed-key.asc

Signing a key will automatically set the key's trust level to full.

If you local sign a key, the exported key to others doesn't contain the signatures, the signature is only valid to you.

gpg --lsign-key KEYID

Removing a key signature

Removing a local key signature

gpg --edit-key KEYID
gpg>delsig
gpg>save

Revoking a published key signature. You can not delete a key signature.

gpg --edit-key KEYID
gpg>revsig
gpg>save

If needed, upload the key and revocation certificate to key servers

gpg --send-key KEYID

Or export the key with the revoked signature

gpg -a --export KEYID > exported-key.asc

Adding or removing a UID

gpg --edit-key KEYID
gpg>adduid
(enter details as prompted)
gpg>list
gpg>save
gpg>quit

Changing primary UID

If you have multiple UIDs, this will change which UID is the primary one.

gpg --edit-key KEYID
gpg>list
gpg>uid X
gpg>primary
gpg>save
gpg>quit

Edit key trust

gpg --edit-key KEYID
gpg>trust
gpg>(enter trust level)
gpg>save

The trust level you enter is based on:

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Use ultimate only for keys you've generated yourself. Signing a key will automatically set the key's trust level to full.

Generate a revocation certificate

gpg -a --gen-revoke KEYID > revoke.asc

Renew an expired (sub)key

To change the expiry of a key

gpg --edit-key KEYID
gpg>expire
gpg>save

Then export the new key for distribution, and generate a new revocation certificate for safekeeping. The secret key doesn't change.

gpg -a --export KEYID > public.asc
gpg -a --gen-revoke KEYID > revoke.asc

Encryption

Encrypt file to one recipient key. This will write to a default filename, in this case file.txt.gpg

gpg -e -r KEYID file.txt

Sign and encrypt a file

gpg -s -e -r KEYID file.txt

Encrypt to multiple recipients

gpg -e -r KEY1 -r KEY2 -r KEY3 file.txt

Encrypt and specify output file

gpg -e -r KEYID -o OUTPUT INPUT

Encryption uses compression by default. To disable, use the option -z 0. This will speed up the process if encrypting a large file which is already compressed.

gpg -e -z 0 -r KEYID file.tar.gz

Encrypt contents from standard input

cat "my secret message" | gpg -e -r KEYID > message.txt.gpg
tar -jc /var/log/secret | gpg -z 0 -e -r KEYID > secret.tar.bz2.gpg

Symmetrically encrypt a file using a passphrase

gpg -c file.txt

Create or verify signature

Sign file without encrypting, using a detached signature. This will write to a default file file.txt.asc in the example below.

gpg -a -s file.txt

But with clear signed attached signature

gpg --clear-sign file.txt

Sign using a non default secret key. Useful if you have multiple secret keys on your key ring.

gpg --default-key KEYID -a -s file.txt

Verify a clearsigned or dettached signature

gpg --verify file.txt.asc

Decryption

List recipients of a encrypted file

gpg --list-only FILE

Decrypt a file to user defined output filename

gpg -d -o OUTPUT FILE

Decrypt a file using default file name, e.g file.txt.gpg decrypts to file.txt

gpg -d FILE

Batch encrypt and decrypt

Encrypt all *.jpg files in the current directory to two recipients, with no compression

find . -maxdepth 1 -type f -name "*.jpg" -exec gpg -z 0 -e -r KEY1 -r KEY2 -o {}.gpg {} \;

Decrypt all *.gpg files in current directory. If --output is not used, it will write file.txt.gpg to file.txt

gpg --decrypt-files *.gpg

Do the same using a shell script

#!/bin/bash
read -rsp "Enter passphrase: " PASSPHRASE
for FILE in *.*.gpg; do
    echo "Extracting $FILE to ${FILE%.gpg}."
    echo "$PASSPHRASE" | gpg --passphrase-fd 0 --batch -d --output "${FILE%.gpg}" "$FILE"
done

Decrypt using passphrase from standard input

echo "passphrase" | gpg --passphrase-fd 0 --batch -d -o file.txt file.txt.gpg

Using a keyserver

KEYID is the last 4 bytes (8 hexadecimal chars) of your fingerprint, e.g D9B2766F

Sending or uploading a key to a key server

gpg --keyserver SERVER --send-key KEYID

Receiving a key from a key server

gpg --keyserver SERVER --recv-key KEYID

If you don't use the --keyserver SERVER option, the default server will be used. See what your default server is.

gpgconf --list-options gpg

Common and popular keyservers are

pgp.mit.edu
pool.sks-keyservers.net

Search for keys

gpg --keyserver SERVER --search-keys STRING
© Andy Gock 2009−2022