Frequently used Linux GPG 2.x Commands and arguments


Confirming the GnuPG installation and version

sha256sum `which gpg`
Print the SHA-256 hash of the gpg executable; compare it with a known-good value to confirm the file has not been tampered with.
gpg --version
Report gpg program version.
gpg --help
List program usage summary.
gpg --dump-options
List all implemented commands/options.
gpg --homedir directory
Execute using an alternative keyring directory.

Creating and Editing a Keypair

gpg --gen-key
Prompt for essential parameters and create the keypair.
gpg --full-gen-key
Prompt for every key parameter and create the keypair.
gpg --quick-gen-key userId
Generate keypair for given userId (typically while testing).
gpg --edit-key userId
Edit key elements. (See manual).

Listing Key Information

gpg --list-keys
List all keys in your public keyring.
gpg --show-key keyFile.asc
List summary of key in keyFile.asc.
gpg --list-keys uniqueId
List all keys matching uniqueId.
gpg --list-sigs
List all keys in your public keyring and their signatures.
gpg --list-sigs uniqueId
List all keys and their signatures matching uniqueId.
gpg --fingerprint
List all keys in your public keyring and their fingerprints.
gpg --fingerprint uniqueId
List all keys matching uniqueId and their fingerprints.
gpg -a --export uniqueId | gpg --list-packets --verbose
List detailed internals of key packets.

Importing, Exporting, Refreshing and Removing Keys

Importing
gpg --import file
Import a key contained in file to the appropriate keyring.
gpg --recv-keys keyid1 keyid2
Receive the keys which correspond to keyid1, keyid2, etc. from the provided keyserver.
gpg --search-keys string_a string_b
Search for keys which contain string_a and string_b, etc.; provides an interactive interface for choosing the correct key to import into the appropriate keyring.
Exporting
gpg -a --export keyId > keyFile.asc
Output a public key to an ASCII text file.
gpg --send-keys keyId
Upload a public key to a keyserver.
gpg -a --export-secret-keys keyId > keyFile.asc
Output a private key to an ASCII text file.
Refreshing
gpg --refresh-keys
Check to see if your version of a key is out of date. If so, update it.

Signing a Key

gpg --fingerprint uniqueId
Check the local key fingerprint against the reported fingerprint.
gpg --sign-key uniqueId
If the fingerprints match, sign the key with your private key.
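
Added example (not part of the original page): a shell check for the fingerprint comparison above, run here on a constructed key listing. It assumes the machine-readable output of gpg --with-colons --fingerprint and 40-hex-digit (v4) fingerprints; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a reported fingerprint with the local primary key.
# Intended use: gpg --with-colons --fingerprint uniqueId | fpr_matches "$reported"

# Constructed sample of colon-format output (not a real key).
sample_listing() {
    cat <<'EOF'
pub:u:255:22:89ABCDEF01234567:1700000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:0123456789ABCDEF:1700000000::::::e:::::cv25519::
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
EOF
}

# Print the fingerprint of each primary key: the fpr record that follows
# a pub/sec record. Fingerprints of subkeys (sub/ssb) are skipped.
primary_fpr() {
    awk -F: '
        $1 == "pub" || $1 == "sec" { want = 1; next }
        $1 == "sub" || $1 == "ssb" { want = 0; next }
        $1 == "fpr" && want        { print $10; want = 0 }
    '
}

# Strip spaces/colons and upper-case the hex digits, so a fingerprint
# written in groups compares equal to the unbroken form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Exit 0 only when stdin lists exactly one primary key whose full
# fingerprint equals the reported one. 1 = mismatch, 2 = reported value
# is not a full 40-hex-digit fingerprint (e.g. a short key ID),
# 3 = the listing contains zero or several primary keys.
fpr_matches() {
    local_fprs=$(primary_fpr)
    reported=$(normalize_fpr "$1")
    case "$reported" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#reported}" -eq 40 ] || return 2
    [ "$(printf '%s\n' "$local_fprs" | grep -c .)" -eq 1 ] || return 3
    [ "$local_fprs" = "$reported" ]
}

# Demo on the constructed listing.
if sample_listing | fpr_matches "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"; then
    echo "fingerprints match"
fi
```

A 16-digit key ID or a subkey fingerprint is rejected; only the full primary-key fingerprint counts as a match.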

Removing a key-pair from key-rings

gpg --delete-secret-keys uniqueId
First step (if a secret key is present): delete the secret key with uniqueId.
gpg --delete-keys uniqueId
Second step: delete the public key with uniqueId.

Encrypting and Signing

Encrypting
gpg -er recipient file
Produce file.gpg, an encrypted version of file, which can be decrypted by recipient.
echo "Text" | gpg -ear recipient
Produce an encrypted version of Text, which can be decrypted by recipient, and print the result to the terminal.
echo "Text" | gpg -ear recipient > outFile
Produce an encrypted version of Text, which can be decrypted by recipient, and write the result to outFile.
cat inFile | gpg -ear recipient
Produce an encrypted version of the text contained in inFile, which can be decrypted by recipient, and print the result to the terminal.
cat inFile | gpg -ear recipient > outFile
Produce an encrypted version of the text contained in inFile, which can be decrypted by recipient, and write the result to outFile.
Signing
gpg -s file
Produce file.gpg, a signed version of file, which can be verified.
echo "text" | gpg -as
Produce a signed version of text and print the result to the terminal.
echo "text" | gpg -s > outFile
Produce a signed version of text and write the result to outFile.
cat inFile | gpg -as
Produce a signed version of the text in inFile and print the result to the terminal.
cat inFile | gpg -s > outFile
Produce a signed version of the text in inFile and write the result to outFile.
gpg --detach-sign file
Produce a separate signature, file.sig, which can be used to verify file.
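echo "text" | gpg --clearsign
Produce a cleartext-signed version of text (the text stays readable, followed by an ASCII-armored signature) and print the result to the terminal.
cat inFile | gpg --clearsign
Produce a cleartext-signed version of the text in inFile and print the result to the terminal.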
Encrypting and Signing
gpg -esr recipient file
Produce file.gpg, an encrypted and signed version of file, which can be decrypted and verified by recipient.
echo "Text" | gpg -esar recipient
Produce an encrypted and signed version of Text, which can be decrypted and verified by recipient, and print the result to the terminal.
echo "Text" | gpg -esar recipient > out_file
Produce an encrypted and signed version of Text, which can be decrypted and verified by recipient, and write the result to out_file.
cat inFile | gpg -esar recipient
Produce an encrypted and signed version of the text in inFile, which can be decrypted and verified by recipient, and print the result to the terminal.
cat inFile | gpg -esar recipient > out_file
Produce an encrypted and signed version of the text in inFile, which can be decrypted and verified by recipient, and write the result to out_file.

Decrypting and Verifying

gpg -d inFile > outFile
Decrypt and/or verify inFile and write the result to outFile.
echo "cipherText" | gpg -d
Decrypt and/or verify cipherText.
echo "cipherText" | gpg -d > outFile
Decrypt and/or verify cipherText and write the result to outFile.
cat inFile | gpg -d
Decrypt and/or verify the contents of inFile.
cat inFile | gpg -d > outFile
Decrypt and/or verify the contents of inFile and write the result to outFile.

Symmetric Encryption

gpg -c file
Create a file symmetrically encrypted with a passphrase.
gpg -ca file
Create an ASCII-armored file (readable as plain text), symmetrically encrypted with a passphrase.
echo "text" | gpg -ca
Symmetrically encrypt text with a passphrase and output the result to the terminal.
echo "text" | gpg -c > outFile
Symmetrically encrypt text with a passphrase and write the result to outFile.
cat inFile | gpg -ca
Symmetrically encrypt the text in inFile and output the result to the terminal.
cat inFile | gpg -c > outFile
Symmetrically encrypt the text in inFile and write the result to outFile.

Notes:
This summary covers the GPG commands that will typically be used when keys are generated on a stand-alone computer, then transferred to an internet-connected computer to be used for sending and receiving encrypted messages with Thunderbird.

Most gpg operations are carried out on keys stored in public and private (i.e., secret) "key-rings". By default, they are located in the $HOME/.gnupg directory. An alternative directory can be specified with the GNUPGHOME environment variable, or with the --homedir command option. Depending on the setup, it might simplify key management if keys that were generated and reside elsewhere on the computer are "imported" into the respective "key-rings".

Public keys are all stored in a single file, named pubring.kbx. Private keys are located in $HOME/.gnupg/private-keys-v1.d/ subdirectory, in two files for each private-key (i.e., one for signing and one for encrypting key).

Note that Thunderbird does not use WoT ("web-of-trust"), which is why commands that manipulate public key signatures are not included in this summary.

Full GnuPG manual.
An overview of GnuPG and SSH fingerprints and keygrips.
Discussion of GPG key "anatomy".
An Advanced Intro to GnuPG. (video)
For the truly paranoid, the grugq.