GPG Command Line Guide
This guide provides essential GPG (GNU Privacy Guard) commands for managing cryptographic keys and performing secure operations like encryption, decryption, and signing. GPG is a powerful tool for ensuring data confidentiality and integrity.
GPG Key Management
Effectively managing your GPG keys is crucial for secure communication. This section covers generating, listing, exporting, and importing keys.
# Create a new GPG key pair
gpg --gen-key
# List all keys (public and secret)
gpg --list-keys
gpg -k
# List only secret keys
gpg --list-secret-keys
gpg -K
# Show your public key in ASCII armor format
gpg --armor --export
# Show the fingerprint for a specific key
gpg --fingerprint KEY_ID
# Search for keys on public key servers
gpg --search-keys 'user@emailaddress.com'
File Encryption and Decryption
Learn how to encrypt files for specific recipients and decrypt files that have been encrypted using GPG.
# Encrypt a file for a specific recipient
gpg --encrypt --recipient 'user@emailaddress.com' example.txt
# Decrypt a file
gpg --output example.txt --decrypt example.txt.gpg
Exporting and Importing Keys
Securely export your public and private keys for backup or sharing, and import keys from others.
# Export your public key
gpg --output ~/public_key.txt --armor --export KEY_ID
# Export your secret key (handle with extreme care)
gpg --output ~/private_key.txt --armor --export-secret-key KEY_ID
# Securely delete the private key file after export
shred -zu ~/private_key.txt
# Import a public key
gpg --import ~/public_key.txt
# Import a secret key (requires special flag)
gpg --allow-secret-key-import --import ~/private_key.txt
# Securely delete the imported private key file after import
shred -zu ~/private_key.txt
Revoking a GPG Key
If your private key is compromised or you no longer wish to use a key, you should revoke it.
# Create a revocation certificate
gpg --output ~/revoke.asc --gen-revoke KEY_ID
# Import the revocation certificate
gpg --import ~/revoke.asc
# Send the revocation to key servers
gpg --send-keys KEY_ID
Signing and Verifying Files
GPG can be used to digitally sign files to verify their authenticity and integrity.
# Sign a file (creates a .asc signature file)
gpg -ba filename
# Sign a file with a specific default key
gpg --default-key <key ID> -ba filename
# Verify a downloaded file using its signature
gpg --verify filename.asc
Signing Public Keys
Contribute to the web of trust by signing the public keys of others.
# Retrieve a public key from a keyserver
gpg --keyserver <keyserver> --recv-keys <Key_ID>
# Check the key's fingerprint
gpg --fingerprint <Key_ID>
# Sign the key
gpg --sign-key <Key_ID>
# Upload the signed key to a keyserver
gpg --keyserver <keyserver> --send-key <Key_ID>
Managing GPG Key UIDs (User IDs)
Modify the email addresses and names associated with your GPG keys.
# Edit a key
gpg --edit-key <key ID>
# Add a new User ID (name and email)
adduid
# List current UIDs
list
# Select a UID to delete
uid <list number>
# Delete the selected UID
deluid
# Save changes
save
# Publish the updated key to a server
gpg --send-keys <key ID>
Creating and Managing Subkeys
Subkeys offer flexibility by allowing you to keep your master key secure while using subkeys for specific purposes or machines.
# Edit a key to add subkeys
gpg --edit-key <key ID>
# Add a signing-only subkey
addkey
# Choose RSA, 4096 bits, and set an expiry period.
# Add an encryption-only subkey (repeat addkey process)
# Save changes
save
# Export secret subkeys
gpg --export-secret-subkeys <subkey ID> > subkeys
gpg --export <key ID> > pubkeys
# Delete the master secret key
gpg --delete-secret-key <key ID>
# Import the master public key and secret subkeys
gpg --import pubkeys subkeys
# Verify that subkeys are now present (should show sec#)
gpg -K
High-Quality Symmetric Encryption Options
For enhanced security in symmetric encryption, consider these advanced GPG options.
# Encrypt a file using high-quality symmetric options
gpg \
--symmetric \
--cipher-algo aes256 \
--digest-algo sha512 \
--cert-digest-algo sha512 \
--compress-algo none -z 0 \
--s2k-mode 3 \
--s2k-digest-algo sha512 \
--s2k-count 65011712 \
--force-mdc \
--pinentry-mode loopback \
--armor \
--no-symkey-cache \
--output somefile.gpg \
somefile # file to encrypt
# Decrypt a file using high-quality symmetric options
gpg \
--decrypt \
--pinentry-mode loopback \
--armor \
--output somefile.decrypted \
somefile.gpg # file to decrypt
