Homepage

GPG

A tool for secure communication. The OpenPGP standard is available at https://tools.ietf.org/html/rfc4880.

Subordinate pairs

GnuPG also supports a more sophisticated scheme, where a user has a primary key pair, and zero or more additional subordinate pairs.

Key length

User IDs

Expiration

Revocation certificates

Trust model

Web of trust

Trust levels

Key servers

Send a key to a key server

gpg --keyserver server.pgp.com --send-key <key specifier>

Retrieve a key from a key server

gpg --keyserver server.pgp.com --recv-key <key ID>

Fingerprints

Default keypair

You can set a default key pair by setting the GPGKEY environment variable:

export GPGKEY=<key id>

Signatures

Ciphers

Symmetric

Public-key

Hybrid

Snippets

Generate a key

gpg --gen-key

Generating a revocation certificate

gpg --output revoke.asc --gen-revoke <key specifier>

List the keys in the public keyring

gpg --list-keys

List the keys in the public keyring along with their fingerprints

gpg --fingerprint --list-signatures

Check the signature of a public key

gpg --edit-key <key specifier>
Command> check

Export a public key (binary format)

gpg --output mypublickey.gpg --export <key specifier>

Export a public key (ASCII format)

gpg --armor --output mypublickey.gpg --export <key specifier>

Importing a public key

gpg --import publickey.gpg

Export a private key (binary format)

gpg --output identity.key --export-secret-key <key specifier>

Export a private key (ASCII format)

gpg --output identity.key.asc --armor --export-secret-key <key specifier>

Signing a public key

gpg --edit-key <key specifier>
Command> sign

Encrypting a file

gpg --output file.txt.gpg --encrypt --recipient <key specifier> file.txt

We can then check the recipients that are allowed to decrypt the data by running:

gpg --list-packets file.txt.gpg

This will return a list of public keys, like:

:pubkey enc packet: version 3, algo 1, keyid BC5EB4A7A76C6BD3
        data: [4096 bits]

And we can verify that the keyid is the right one by inspecting a key using --edit-key:

ssb  rsa4096/BC5EB4A7A76C6BD3
     created: 2016-11-24  expires: never       usage: E
[ultimate] (1). Juan Cruz Viotti <jv@jviotti.com>

Encrypting a file using symmetric encryption

Symmetric encryption means that you can pick a passphrase at the moment of encrypting the file, and anyone with the passphrase can decrypt it, without needing any private key.

gpg --output file.txt.gpg --symmetric file.txt

Decrypting a file

gpg --output file.txt --decrypt file.txt.gpg

Signing a file (output binary)

gpg --output file.txt.sig --sign file.txt

Signing a file (output ASCII)

gpg --output file.txt.sig --clearsign file.txt

Signing a file (using a detached signature)

gpg --output file.txt.sig --detach-sig file.txt

Verify a signature

gpg --verify file.txt.sig

Verify a detached signature

gpg --verify file.txt.sig file.txt

View information of a key-pair

gpg --edit-key <key specifier>
pub  rsa4096/AAAAAAAAAAAAAAAA
     created: 2016-03-14  expires: 2020-01-07  usage: SCEA
     trust: unknown       validity: unknown
sub  rsa4096/BBBBBBBBBBBBBBBB
     created: 2016-03-14  expires: 2020-01-07  usage: SEA

In this case, the keys are RSA keys of 4096 bits. The ID of the public key is AAAAAAAAAAAAAAAA, and the id of the subordinate key is BBBBBBBBBBBBBBBB.

Other types:

Add a user ID to an existing key

gpg --edit-key <key specifier>
Command> adduid
Command> save

Revoking a subkey

gpg --edit-key <key specifier>
Command> key <n> # Select the key
Command> revkey

Revoking a user ID

A user ID is revoked by revoking its own self-signature.

gpg --edit-key <key specifier>
Command> uid <n> # Select the user ID
Command> revsig

Update expiration time

gpg --edit-key <key specifier>
Command> key <n> # Optional
Command> expire

Adjust your trust in a key’s owner

This command will interactively ask you to pick a trust level.

gpg --edit-key <key specifier>
Command> trust

Export ownertrust

The owner trust is a list of public key ids and how much you trust each of them.

gpg --export-ownertrust > ownertrust-file

Import ownertrust

gpg --import-ownertrust ownertrust-file

Keycards

References