GPG Cheatsheet

Create Key

You may want to follow this guide.

gpg --gen-key

Display All Keys

gpg --list-keys

Display/List Public Keys

gpg --list-public-keys

Display/List Private Keys

gpg --list-secret-keys

Exporting Public Keys

If you just want others to be able to send you encrypted messages, you only need to give them your public key. The public key can only be used to encrypt messages to you, so you can give it to pretty much anybody.

To export all public keys, execute:

gpg --export -a > [filename].asc

If you want to export a single public key, then you also need to specify some sort of identifier, such as the email address or the key user's name:

gpg --export -a "blah@gmail.com" > [filename].asc
  • The -a switch is short for --armour or --armor (both are accepted) and converts the binary output to ASCII so that the file can be transferred to any computer safely.
  • Others quite often use the .key extension. The .asc extension represents the fact that the file is in ASCII format.

Exporting Private Keys

If you own multiple computers, or are about to reinstall your operating system, you may need to export your private key. Your private key can be used to decrypt files, so be careful how you store it or send it anywhere.

To export all private keys, execute:

gpg --export-secret-key -a > [filename].asc

If you want to export a single private key, then you also need to specify some sort of identifier, such as the email address or the key user's name:

gpg --export-secret-key -a "blah@gmail.com" > [filename].asc
  • The -a switch is short for --armour or --armor (both are accepted) and converts the binary output to ASCII so that the file can be transferred to any computer safely.
  • Others quite often use the .key extension. The .asc extension represents the fact that the file is in ASCII format.

Import Key(s)

What use is exporting keys if you couldn't import them?

gpg --import [filename]

Delete Public Keys

gpg --delete-key "email@domain.com"

Delete Private/Secret Keys

gpg --delete-secret-keys "email@domain.com"

Note that gpg refuses to delete a public key while the matching secret key is still in the keyring, so delete the secret key first.

Symmetric Passphrase Based Encryption

The commands below are for when you just want to keep files encrypted on your own system rather than share them with someone. They use symmetric encryption, which is a lot faster than asymmetric (public key) encryption but makes it harder to hand the files to someone else, because you would have to securely provide them with the passphrase.

Encrypt File With Passphrase

gpg \
--output doc.gpg \
--symmetric \
--cipher-algo AES256 \
[document to encrypt]

The list of possible ciphers is: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 (run gpg --version to see which ones your build supports).

Decrypt File

gpg \
--output [decrypted filename] \
--decrypt [encrypted file]

Alternatively:

gpg --decrypt [encrypted file] > [output filename]

The decrypt command automatically uses the appropriate private key if one exists, or asks for a passphrase if the file was encrypted symmetrically.

You can use the command below if you want gpg to read the passphrase from a file rather than have you type it (so that your passphrase isn't visible in the shell history to the other users on the system). Just make sure that file isn't readable by other users.

gpg \
--decrypt \
--no-use-agent \
--passphrase-file [passphrase file] \
--output [output filename] \
[encrypted file]

Note that --no-use-agent only has an effect on GnuPG 1.x and 2.0. GnuPG 2.1 and later ignore it, and you need --batch --pinentry-mode loopback instead for --passphrase-file to be honoured rather than a pinentry prompt appearing.
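The passphrase-file workflow above, as an added example that is not part of the original cheatsheet: a full symmetric round trip in a throwaway GNUPGHOME, with the passphrase file created unreadable by other users and checked before use, a decrypt with the right passphrase and a decrypt with a wrong one that must fail. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback); the file names, message text and passphrases are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): a symmetric-encryption round trip
# in an isolated keyring directory, with the passphrase read from a 0600 file. All
# file names, the message and the passphrases below are constructed for the demo.
set -eu

# 0 when gpg is on PATH, 1 otherwise (the demo is skipped without it).
require_gpg() { command -v gpg >/dev/null 2>&1; }

# 0 when $1 is a regular file readable and writable by its owner only (mode 0600),
# which is what a passphrase file should look like before gpg reads it.
is_private_file() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Encrypt $2 into $3 with AES256, taking the passphrase from file $1.
# --batch with --pinentry-mode loopback makes GnuPG 2.1+ read --passphrase-file
# itself instead of asking gpg-agent/pinentry; the cheatsheet's --no-use-agent only
# did this for GnuPG 1.x and 2.0 and is ignored by newer versions.
sym_encrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$1" \
        --symmetric --cipher-algo AES256 --output "$3" "$2"
}

# Decrypt $2 into $3 with the passphrase in file $1.
sym_decrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$1" \
        --output "$3" --decrypt "$2" 2>/dev/null
}

# Round trip: encrypt, decrypt with the right passphrase (must match), then with a
# wrong one (must fail). Uses a throwaway GNUPGHOME so ~/.gnupg is untouched.
# Returns 0 when every step behaves as expected.
demo_symmetric() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupghome"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # umask 077 so the passphrase files are created unreadable by other users.
    (umask 077
     printf 'correct horse battery staple\n' > "$work/pass.txt"
     printf 'not the passphrase\n' > "$work/wrong.txt")
    is_private_file "$work/pass.txt"

    printf 'Backup notes for my own machine (constructed sample)\n' > "$work/notes.txt"
    sym_encrypt "$work/pass.txt" "$work/notes.txt" "$work/notes.txt.gpg"
    # The ciphertext must not contain the plaintext.
    if grep -q 'Backup notes' "$work/notes.txt.gpg"; then return 1; fi

    sym_decrypt "$work/pass.txt" "$work/notes.txt.gpg" "$work/notes.dec"
    cmp -s "$work/notes.txt" "$work/notes.dec"

    if sym_decrypt "$work/wrong.txt" "$work/notes.txt.gpg" "$work/notes.bad"; then
        return 1   # a wrong passphrase must be rejected
    fi

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
}

require_gpg && demo_symmetric
```

Save it as a script and run it with sh; it exits 0 when the round trip works and the wrong passphrase is rejected. The permission check is deliberately done before gpg ever reads the file, which is the point the cheatsheet makes about keeping the passphrase file away from other users.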

Signing

Create External Text Signature

gpg2 --detach-sign --armor /path/to/doc.txt

This will create another document with the .asc extension appended which has just the signature for the document, in plaintext form.

Clearsign a Document

gpg --clearsign /path/to/doc.txt

This will create another document with the .asc extension appended which has the original body of the document, along with the signature. For example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This is my message to sign
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZIbkvAAoJEDDuuAeDtd9Xw/QQAKMxzXP+X6GlGOignrHaSgXS
1cNkELarFAcyG9q6WX0McRa2aWo4kpEL7hHF9gKRkoqEigXj0XijsjhmuowR8+Uv
mdCL1r2W6yYXwQAibenJIy8zXEgkSPeuCYikyy9YkLyDuXRtYJgVJFKZ1dRonDUA
Wm6HRfXoF4VNxgVNbyOHhLsLXy/j0sESptaCmU87OdWYAruFXmpYsDcwV1pB5/Qr
OAQHBQsp9XQLiWyiYDB+13+VWK882gZZYecu7kwsC/dfd8gToA27Yo0eXzFlSbOK
EqX4qOkbmyQrhGrrpYTLTwSfnJa+gBuKLKAbE/J3n7ovkmYojOfMlaKxvYlam30v
z2Lr1G7Z1SQPwZ+W/PYnssgeypkuOSfeqSjiV6lEIwNUYcldxD9sj/ol/U4Rp5Vi
XVD1E/jA2mL/ww+NdjcMhutcP+iuj0yk05e6jvd7qF4+uN/FxD7tD4GiTtBZbt8v
Hqgg5Rr/4l5ruhfPb9pqzEci+8rGPD4FKQY7n/sYXv0EBZHce+SxL2p7sQTGyTpI
0JFPU3PnVoIlDMSMDnCGsnR/0ln9tOohU+HfRXZIvv8vKRv6EzmKckHccpwhhNnn
JDC/FtLSlHaxTTHWLBkTa+SBoCdHkw3zLu1plcVN3NIKcs/+4AeKUeUZ5RU9TteV
wWYD/DYgYCMkVaF/8Z84
=6G9U
-----END PGP SIGNATURE-----

Verification

Verify clearsigned Document

gpg2 --verify myFile.txt.asc

You will get a message saying:

gpg: WARNING: not a detached signature; file 'test.txt' was NOT verified!

This is true: you verified the signed document test.txt.asc, not test.txt.

Verify External Signature

gpg2 \
--verify myFile.txt.asc \
myFile.txt

The .asc file in this case is the external signature.
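The export/import, encrypt/decrypt and sign/verify commands from the sections above, run end to end as an added example that is not part of the original cheatsheet. Two throwaway keyrings ("alice" and "bob") live under mktemp directories, so ~/.gnupg is never touched. Alice generates a key unattended (GnuPG 2.1+ parameter file with no passphrase), exports her public key, Bob imports it and encrypts a file to her, Alice decrypts it, then signs it both detached and clearsigned and Bob verifies both; a modified file must then fail verification. The names, addresses and message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original cheatsheet): the export/import, encrypt/decrypt
# and sign/verify commands run end to end against two throwaway keyrings ("alice" and
# "bob") under mktemp directories, so ~/.gnupg is never touched.
# Names, e-mail addresses and message text are constructed for the demo.
set -eu

# 0 when gpg is on PATH, 1 otherwise (the demo is skipped without it).
require_gpg() { command -v gpg >/dev/null 2>&1; }

# Unattended key generation (GnuPG 2.1+ parameter file, no passphrase, ed25519 signing
# key plus cv25519 encryption subkey) into the keyring at $1 for "$2 <$3>".
gen_key() {
    GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# Export the ASCII-armoured public key for $2 from keyring $1 to file $3 (safe to hand out).
export_pub() { GNUPGHOME="$1" gpg --batch --export --armor "$2" > "$3"; }

# Import a key file ($2) into keyring $1.
import_key() { GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null; }

# Encrypt $3 to recipient $2 using keyring $1, writing $4. In --batch mode gpg refuses
# an imported key it has no trust path to, so --trust-model always is used here; in
# real use, verify the fingerprint out of band and sign the key instead.
encrypt_to() {
    GNUPGHOME="$1" gpg --batch --yes --quiet --trust-model always \
        --recipient "$2" --output "$4" --encrypt "$3"
}

# Decrypt $2 into $3 with the private key in keyring $1 (no passphrase in this demo).
decrypt() { GNUPGHOME="$1" gpg --batch --yes --quiet --output "$3" --decrypt "$2" 2>/dev/null; }

# Detached ASCII signature: writes $2.asc next to $2.
detach_sign() { GNUPGHOME="$1" gpg --batch --yes --quiet --armor --detach-sign "$2"; }

# Clearsigned copy of $2 written to $3 (body stays readable, signature appended).
clearsign() { GNUPGHOME="$1" gpg --batch --yes --quiet --output "$3" --clearsign "$2"; }

# Verify with keyring $1. $2 is the .asc file; $3 (optional) is the signed data for a
# detached signature. Returns 0 only for a good signature.
verify_sig() { GNUPGHOME="$1" gpg --batch --verify "$2" ${3:+"$3"} 2>/dev/null; }

# Full walk-through; returns 0 when every step behaves as the cheatsheet describes.
demo_keys() {
    work=$(mktemp -d)
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"

    gen_key "$alice" "Alice Example" "alice@example.com"
    export_pub "$alice" "alice@example.com" "$work/alice.pub.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$work/alice.pub.asc"
    import_key "$bob" "$work/alice.pub.asc"

    printf 'Quarterly report draft (constructed sample)\n' > "$work/report.txt"
    encrypt_to "$bob" "alice@example.com" "$work/report.txt" "$work/report.txt.gpg"
    decrypt "$alice" "$work/report.txt.gpg" "$work/report.dec"
    cmp -s "$work/report.txt" "$work/report.dec"
    # Bob cannot decrypt: he only holds Alice's public key.
    if decrypt "$bob" "$work/report.txt.gpg" "$work/bob.dec"; then return 1; fi

    detach_sign "$alice" "$work/report.txt"
    verify_sig "$bob" "$work/report.txt.asc" "$work/report.txt"
    clearsign "$alice" "$work/report.txt" "$work/report.clear.asc"
    verify_sig "$bob" "$work/report.clear.asc"
    # Any change to the signed data must break the detached signature.
    printf 'tampered\n' >> "$work/report.txt"
    if verify_sig "$bob" "$work/report.txt.asc" "$work/report.txt"; then return 1; fi

    for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
}

require_gpg && demo_keys
```

Run it with sh; it exits 0 when the whole chain holds. Note that Bob's verification succeeds even though he has not certified Alice's key (gpg prints a "not certified" warning but still reports a good signature), which is why checking the fingerprint out of band matters before relying on a key you imported.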

Author

Programster

Stuart is a software developer with a passion for Linux and open source projects.
