cheatsheets/gnupg.md

---
title: GnuPG
category: CLI
tags: []
updated: 2017-10-22
weight: 0
intro: |
  [GnuPG](https://gnupg.org/) is a complete and free implementation of the OpenPGP standard.
---

Basics
---------------

### Exporting keys

```bash
gpg -o key.gpg --export <KEY ID>
```

__Export key in ASCII:__

```bash
gpg -o key.asc --armor --export <KEY ID>
```

__Note:__ Omitting the `-o|--output` option will print the key to `stdout`.

### Importing keys

```bash
gpg --import key.gpg
gpg --import key.asc
```

Only merge updates for keys already in key-ring:

```bash
gpg --import key.asc --import-options merge-only
```

### Managing your keyring

Generate a new key:
{: .-setup}

```bash
gpg --gen-key
# or, generate a new key with dialogs for all options
gpg --full-gen-key
```

List public keys:

```bash
gpg -k
gpg --list-keys
```

List secret keys:

```bash
gpg -K
gpg --list-secret-keys
```


### Using a keyserver

Import keys from keyserver:
{: .-setup}

```bash
gpg --receive-keys <KEY IDS>
```

Upload keys to keyserver:

```bash
gpg --send-keys <KEY IDS>
```

Request updates from keyserver for keys already in your keyring:

```bash
gpg --refresh-keys
```

Search keys from keyserver:

```bash
gpg --search-keys "<SEARCH STRING>"
```

Override keyserver from `~/.gnupg/gpg.conf`

```bash
gpg --keyserver <URL> ...
```

### Trusting a key

```bash
gpg --edit-key <KEY ID>
# In the interactive prompt:
gpg> trust
gpg> save
```

__NOTE:__ You can use the owner's email or name (or part thereof) instead of the key ID for `--edit-key`


Encrypting
---------
{: .-two-column}

### Public key encryption
This will produce an encrypted file, `secret.txt.gpg`, that can only be decrypted by the recipient:

```bash
gpg -e -o secret.txt.gpg -r <RECIPIENT> secret.txt
```

For `<RECIPIENT>` you can use their key ID, their email, or their name (or part thereof).

```bash
gpg -e -r <KEY ID> ...
gpg -e -r "Bez" ...
gpg -e -r "bezalelhermoso@gmail.com" ...
```

Specifying multiple recipients

```bash
gpg -e -r <RECIPIENT> -r <ANOTHER RECIPIENT> ... secret.txt
```

__NOTE__: Omitting `-o|--output` will produce an encrypted file named `<ORIGINAL FILENAME>.gpg` by default.

### Symmetric encryption

Encrypt file using a shared key. You will be prompted for a passphrase.

```bash
gpg --symmetric secret.txt
# or
gpg -c secret.txt
```

Decrypting
---------
{: .-one-column}

### Decrypting a file

```bash
gpg -d -o secret.txt secret.txt.gpg
```

If the file is encrypted via symmetric encryption, you will be prompted for the passphrase.

__NOTE__: Omitting `-o|--output` will print the unencrypted contents to `stdout`

Signing & Verifying
---------
{: .-two-column}

### Signing

```bash
gpg -o signed-file.txt.gpg -s file.txt
```

This can be used during encryption to also sign encrypted files:

```bash
gpg -s -o secret.txt.gpg \
  -r <RECIPIENT> secret.txt
```

### Verifying a signature

```bash
gpg --verify file.txt.gpg
```

### Viewing content of signed file

```bash
gpg -d signed-file.txt.gpg
```

Miscellaneous
----------
{: .-two-column}

### Components

List all components:
{: .-setup}

```bash
gpgconf --list-components
```

Kill a component:

```bash
gpgconf --kill <COMPONENT> # i.e. gpgconf --kill dirmngr
```

Kill all components:
```bash
gpgconf --kill all
```

### Parsing keyring data

Use `--with-colons` to produce an output that can easily be parsed i.e. with `awk`, `grep`. Fields are colon-separated.

```bash
gpg -k --with-colons
```

Field Quick Reference:

| Field # | Description |
| 1       | Record type |
| 2       | Validity |
| 3       | Key length in bits |
| 4       | Public key algorithm |
| 5       | Key ID |
| 6       | Creation date |
| 7       | Expiry date |
| 8       | Certificate S/N, UID hash, trust signature info |
| 9       | Ownertrust |
| 10      | User ID |
| 11      | Signature class |
| 12      | Key capabilities |
| 13      | Issuer fingerprint |
| 14      | Flag field |
| 15      | S/N of token |
| 16      | Hash algorithm |
| 17      | Curve name |
| 18      | Compliance flags |
| 19      | Last update timestamp |
| 20      | Origin |

See [GnuPG Details](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS) for more details.
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			`---`
			`title: GnuPG`
			`category: CLI`
			`tags: []`
Cleanup: update timestamps of files 2020-07-04 13:33:09 +00:00			`updated: 2017-10-22`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			`weight: 0`
			`intro: \|`
			`[GnuPG](https://gnupg.org/) is a complete and free implementation of the OpenPGP standard.`
			`---`

			`Basics`
			`---------------`

			`### Exporting keys`

			```bash
			`gpg -o key.gpg --export <KEY ID>`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`__Export key in ASCII:__`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -o key.asc --armor --export <KEY ID>`
			```

			__Note:__ Omitting the `-o\|--output` option will print the key to `stdout`.

			`### Importing keys`

			```bash
			`gpg --import key.gpg`
			`gpg --import key.asc`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Only merge updates for keys already in key-ring:`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
Fix merge flag name (#1623) 2022-11-01 03:30:02 +00:00			`gpg --import key.asc --import-options merge-only`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```

			`### Managing your keyring`

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Generate a new key:`
			`{: .-setup}`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --gen-key`
			`# or, generate a new key with dialogs for all options`
			`gpg --full-gen-key`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`List public keys:`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -k`
			`gpg --list-keys`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`List secret keys:`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -K`
			`gpg --list-secret-keys`
			```


			`### Using a keyserver`

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Import keys from keyserver:`
			`{: .-setup}`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --receive-keys <KEY IDS>`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Upload keys to keyserver:`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --send-keys <KEY IDS>`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Request updates from keyserver for keys already in your keyring:`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --refresh-keys`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Search keys from keyserver:`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --search-keys "<SEARCH STRING>"`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			Override keyserver from `~/.gnupg/gpg.conf`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00			```bash
			`gpg --keyserver <URL> ...`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`### Trusting a key`

			```bash
			`gpg --edit-key <KEY ID>`
			`# In the interactive prompt:`
Update gnupg.md (#1932) Fixed a typo: edit -> trust 2023-01-04 09:42:50 +00:00			`gpg> trust`
change quit => save 2017-10-19 02:06:31 +00:00			`gpg> save`
Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			```

			__NOTE:__ You can use the owner's email or name (or part thereof) instead of the key ID for `--edit-key`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			`Encrypting`
			`---------`
			`{: .-two-column}`

			`### Public key encryption`
			This will produce an encrypted file, `secret.txt.gpg`, that can only be decrypted by the recipient:

			```bash
			`gpg -e -o secret.txt.gpg -r <RECIPIENT> secret.txt`
			```

			For `<RECIPIENT>` you can use their key ID, their email, or their name (or part thereof).

			```bash
			`gpg -e -r <KEY ID> ...`
			`gpg -e -r "Bez" ...`
			`gpg -e -r "bezalelhermoso@gmail.com" ...`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`Specifying multiple recipients`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -e -r <RECIPIENT> -r <ANOTHER RECIPIENT> ... secret.txt`
			```

			__NOTE__: Omitting `-o\|--output` will produce an encrypted file named `<ORIGINAL FILENAME>.gpg` by default.

			`### Symmetric encryption`

			`Encrypt file using a shared key. You will be prompted for a passphrase.`

			```bash
			`gpg --symmetric secret.txt`
			`# or`
			`gpg -c secret.txt`
			```

			`Decrypting`
			`---------`
			`{: .-one-column}`

			`### Decrypting a file`

			```bash
			`gpg -d -o secret.txt secret.txt.gpg`
			```

			`If the file is encrypted via symmetric encryption, you will be prompted for the passphrase.`

			__NOTE__: Omitting `-o\|--output` will print the unencrypted contents to `stdout`

			`Signing & Verifying`
			`---------`
			`{: .-two-column}`

			`### Signing`

			```bash
			`gpg -o signed-file.txt.gpg -s file.txt`
			```

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`This can be used during encryption to also sign encrypted files:`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -s -o secret.txt.gpg \`
			`-r <RECIPIENT> secret.txt`
			```

			`### Verifying a signature`

			```bash
			`gpg --verify file.txt.gpg`
			```

			`### Viewing content of signed file`

			```bash
			`gpg -d signed-file.txt.gpg`
			```

			`Miscellaneous`
			`----------`
			`{: .-two-column}`

			`### Components`

			`List all components:`
			`{: .-setup}`

			```bash
			`gpgconf --list-components`
			```

			`Kill a component:`

			```bash
			`gpgconf --kill <COMPONENT> # i.e. gpgconf --kill dirmngr`
			```

			`Kill all components:`
			```bash
			`gpgconf --kill all`
			```

			`### Parsing keyring data`

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			Use `--with-colons` to produce an output that can easily be parsed i.e. with `awk`, `grep`. Fields are colon-separated.
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
			```bash
			`gpg -k --with-colons`
			```

			`Field Quick Reference:`

Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`\| Field # \| Description \|`
			`\| 1 \| Record type \|`
			`\| 2 \| Validity \|`
			`\| 3 \| Key length in bits \|`
Fix typos 2017-10-22 11:08:21 +00:00			`\| 4 \| Public key algorithm \|`
Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`\| 5 \| Key ID \|`
			`\| 6 \| Creation date \|`
			`\| 7 \| Expiry date \|`
Fix typos 2017-10-22 11:08:21 +00:00			`\| 8 \| Certificate S/N, UID hash, trust signature info \|`
Update layout & added "Trusting a key" 2017-10-19 01:05:35 +00:00			`\| 9 \| Ownertrust \|`
			`\| 10 \| User ID \|`
			`\| 11 \| Signature class \|`
			`\| 12 \| Key capabilities \|`
			`\| 13 \| Issuer fingerprint \|`
			`\| 14 \| Flag field \|`
			`\| 15 \| S/N of token \|`
			`\| 16 \| Hash algorithm \|`
			`\| 17 \| Curve name \|`
			`\| 18 \| Compliance flags \|`
			`\| 19 \| Last update timestamp \|`
			`\| 20 \| Origin \|`
Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00
Add reference to GnuPG Details org file 2017-10-19 01:09:36 +00:00			`See [GnuPG Details](https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=doc/DETAILS) for more details.`

Add GnuPG cheatsheet 2017-10-19 00:22:27 +00:00