Table of Contents
- GnuPG (gpg) Cheat Sheet
- Key Management
- Encryption and Decryption
- Signing and Verification
- Advanced Usage
- Advanced Key Management
- Encryption and Decryption in Depth
- Batch Processing and Scripting
- Handling Passphrases
- Advanced Signing
- Miscellaneous Advanced Commands
- Using Different Cryptographic Algorithms
- Advanced Key Management and Usage
- Scripting and Automation
- Special Usage Scenarios
GnuPG (gpg) Cheat Sheet
Key Management
Generate a New Key Pair
- Creates a new public/private key pair with the current defaults (in GnuPG 2.x a primary key plus an encryption subkey; the default algorithm depends on the release). Use --full-generate-key instead when you want to choose the algorithm, key size and expiry interactively.
gpg --gen-key
List Keys
- Lists all keys in your public keyring.
gpg --list-keys
Export a Public Key
- Exports a public key to a file.
gpg --export -a "User Name" > public.key
Import a Public Key
- Imports a public key from a file.
gpg --import public.key
Export a Private Key
- Exports your private key. The output is the secret material itself: keep it off shared storage, and note that GnuPG 2.1+ asks for the key's passphrase before exporting.
gpg --export-secret-keys -a "User Name" > private.key
Delete a Public Key
- Removes a public key from your keyring. If you also hold the matching secret key, gpg refuses until that secret key has been deleted first.
gpg --delete-key "User Name"
Delete a Private Key
- Removes a private key from your keyring (do this before deleting the matching public key).
gpg --delete-secret-key "User Name"
Encryption and Decryption
Encrypt a File
- Encrypts a file for a specific recipient.
gpg --encrypt --recipient "User Name" file.txt
Decrypt a File
- Decrypts a file and writes the plaintext to standard output; add --output file.txt to write it to a file instead.
gpg --decrypt file.txt.gpg
Symmetric Encryption
- Encrypts a file using a passphrase.
gpg --symmetric file.txt
Decrypt Symmetrically Encrypted File
- Decrypts a file encrypted with symmetric encryption. gpg recognises the symmetrically encrypted packet and asks for the passphrase instead of looking for a private key.
gpg --decrypt file.txt.gpg
Signing and Verification
Sign a File
- Digitally signs a file.
gpg --sign file.txt
Verify a Signed File
- Verifies a signed file. The signature is checked but the content is not written out; use --decrypt on the same file to verify and extract it in one go (gpg reports the signature result even though nothing is encrypted).
gpg --verify file.txt.gpg
Create a Detached Signature
- Creates a detached signature for a file.
gpg --detach-sign file.txt
Verify a Detached Signature
- Verifies a detached signature; give the signature first and the signed file second. A “Good signature” line only means the signature matches some key in your keyring, so also check that the fingerprint shown is the one you expect and that the key is not reported as untrusted, expired or revoked.
gpg --verify file.txt.sig file.txt
Advanced Usage
Edit a Key
- Accesses the key editing menu to manage key trust, add subkeys, etc.
gpg --edit-key "User Name"
List Secret Keys
- Lists all your secret keys.
gpg --list-secret-keys
Add a Subkey
- Adds a subkey to the key. Subkeys are what you should use day to day for signing and encryption, so that the primary key can stay offline and is only needed to certify other keys or manage subkeys.
gpg --edit-key "User Name" addkey
Create a Revocation Certificate
- Generates a revocation certificate for a key. Create it while you still control the key, store it offline, and publish it only if the key is lost or compromised: anyone holding the certificate can revoke the key. GnuPG 2.1+ also writes one automatically into openpgp-revocs.d in the home directory when a key is created.
gpg --gen-revoke "User Name"
Change a Passphrase
- Changes the passphrase for your private key (GnuPG 2.1+ also offers the shortcut gpg --passwd "User Name").
gpg --edit-key "User Name" passwd
Backup and Restore Keys
- Backup (the exported file contains the secret key; protect it like the key itself, and the key's passphrase still applies to it):
gpg --export-secret-keys "User Name" > my-private-backup.gpg
- Restore (an imported secret key comes back with unknown ownertrust, so also save and restore the ownertrust values as shown under Advanced Key Management, or set trust again with --edit-key):
gpg --import my-private-backup.gpg
Using GPG with an Agent
- Configures GPG to use gpg-agent for key management and passphrase caching. In GnuPG 2.x the agent is mandatory: gpg starts it on demand, every private-key operation goes through it, and --use-agent is accepted only for compatibility (it does nothing). Starting the agent by hand is only needed when you want a long-running instance with explicit options.
gpg-agent --daemon
gpg --use-agent
Advanced Key Management
Refresh Public Keys from a Keyserver
- Updates your public keys with the latest versions from a keyserver, which is how you learn about new subkeys, changed expiry dates and revocations. Do this regularly: a revoked key looks valid until you refresh.
gpg --refresh-keys
Send a Key to a Keyserver
- Publishes your public key to a keyserver. Put --keyserver before the command and prefer an hkps:// URL so the transfer is authenticated; in GnuPG 2.1+ the setting can also live in dirmngr.conf.
gpg --keyserver [keyserver address] --send-keys [keyID]
Receive a Key from a Keyserver
- Fetches a public key from a keyserver using the key ID. A keyserver lookup proves nothing about who owns the key, and short key IDs can be forged by collision, so fetch by full fingerprint and confirm that fingerprint through another channel before trusting the key.
gpg --keyserver [keyserver address] --recv-keys [keyID]
Set Trust Level for a Key
- Manually sets the trust level of a public key. Ownertrust (unknown, none, marginal, full, ultimate) records how far you trust the key's owner to certify other keys; it is separate from whether you believe the key itself is genuine, which you express by signing it after checking its fingerprint.
gpg --edit-key [keyID] trust
Add a Photo ID to Your Key
- Attaches a photo ID to your GnuPG key.
gpg --edit-key [keyID] addphoto
Export Owner Trust Values
- Exports the owner trust values of your keys.
gpg --export-ownertrust > ownertrust.txt
Import Owner Trust Values
- Imports owner trust values from a file.
gpg --import-ownertrust ownertrust.txt
Encryption and Decryption in Depth
Encrypt for Multiple Recipients
- Encrypts a file for multiple recipients. The file is encrypted once with a random session key, and that session key is wrapped separately for each recipient, so any one of them can decrypt the whole file. The recipients' key IDs are visible in the ciphertext unless --hidden-recipient is used.
gpg --encrypt --recipient [User Name 1] --recipient [User Name 2] file.txt
Encrypt with ASCII Armor
- Encrypts data in ASCII format, useful for text-based communication.
gpg --armor --encrypt --recipient "User Name" file.txt
Decrypt to Standard Output
- Decrypts a file and outputs the content to standard output. With --decrypt this is already the default; --output - makes it explicit, and it is what you need when gpg runs without a command (a plain "gpg file.txt.gpg" writes file.txt next to the input instead).
gpg --decrypt --output - file.txt.gpg
Batch Processing and Scripting
Batch Key Generation
- Generates a key pair without interactive prompts (useful for scripting). key-script.txt is a parameter file, not a gpg.conf: one "Key: value" line per setting (Key-Type, Key-Curve or Key-Length, Name-Real, Name-Email, Expire-Date, ...) ended by %commit, with %no-protection if the key must have no passphrase.
gpg --batch --gen-key key-script.txt
Unattended Encryption/Decryption
- Encrypts/decrypts in batch mode, allowing for scripting without interactive prompts. --trust-model always bypasses the web-of-trust check, so gpg will encrypt to any key in the keyring that matches the recipient string; use it only with a recipient given as a full fingerprint, never a name that a look-alike key could also match.
- Encryption:
gpg --batch --trust-model always --encrypt --recipient "User Name" file.txt
- Decryption:
gpg --batch --decrypt file.txt.gpg
Handling Passphrases
Passphrase File for Batch Processing
- Uses a passphrase from a file for batch operations. On GnuPG 2.1+ this works only together with --pinentry-mode loopback; without it the option is ignored and the agent tries to open pinentry, which fails or hangs in a script. Keep the file mode 0600, or hand the passphrase over on a file descriptor (--passphrase-fd) so it never sits on disk.
gpg --batch --pinentry-mode loopback --passphrase-file mypassphrase.txt --decrypt file.txt.gpg
Cache Passphrase with gpg-agent
- Caches the passphrase using gpg-agent to avoid repeated prompts. GnuPG 2.x always goes through the agent, so --use-agent is a no-op; the cache lifetime is set in gpg-agent.conf with default-cache-ttl and max-cache-ttl (in seconds), and "gpgconf --kill gpg-agent" flushes the cache.
gpg-agent --daemon
gpg --use-agent --decrypt file.txt.gpg
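The following script is an added example, not part of the original cheat sheet. It shows the unattended form of the commands above that actually works on GnuPG 2.1 and later: the passphrase is supplied on a file descriptor together with --pinentry-mode loopback, and a wrong passphrase is shown to be rejected. The passphrase, file names and note text are constructed for the example, and everything runs in a throwaway --homedir so the user's real keyring and agent are untouched.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: unattended symmetric
# encryption and decryption with a caller-supplied passphrase. Assumes
# GnuPG 2.1 or later, where --passphrase-file and --passphrase-fd are honoured
# only together with --pinentry-mode loopback; without that option the agent
# tries to open pinentry, which fails or hangs in a script.
set -eu

# sym_encrypt HOMEDIR IN OUT   (passphrase read from file descriptor 3)
# Reading from an fd keeps the passphrase off the command line and out of the
# process list; the caller opens the fd, e.g. 3< passfile or from a pipe.
sym_encrypt() {
    gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
        --cipher-algo AES256 --output "$3" --symmetric "$2" 2>/dev/null
}

# sym_decrypt HOMEDIR IN OUT   (passphrase read from file descriptor 3)
sym_decrypt() {
    gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
        --output "$3" --decrypt "$2" 2>/dev/null
}

# Round trip with the right passphrase, then a decryption attempt with a wrong
# one. Prints "<plaintext>|rejected" on success: the wrong passphrase must be
# rejected (AES256 with the default integrity protection makes a bad key
# detectable instead of producing garbage).
sym_round_trip() {
    home=$(mktemp -d)                      # private GNUPGHOME, mode 0700
    passfile="$home/pass"
    (umask 077; printf 'correct horse battery staple\n' > "$passfile")  # constructed passphrase
    printf 'constructed secret note\n' > "$home/note.txt"               # constructed plaintext

    sym_encrypt "$home" "$home/note.txt" "$home/note.txt.gpg" 3< "$passfile"
    sym_decrypt "$home" "$home/note.txt.gpg" "$home/note.out" 3< "$passfile"
    out=$(cat "$home/note.out")

    # --passphrase-fd 0 reads the passphrase from stdin; the ciphertext is the
    # file argument, so the two inputs do not collide.
    if printf 'wrong passphrase\n' | gpg --homedir "$home" --batch --pinentry-mode loopback \
            --passphrase-fd 0 --decrypt "$home/note.txt.gpg" >/dev/null 2>&1; then
        wrong=accepted
    else
        wrong=rejected
    fi

    GNUPGHOME="$home" gpgconf --kill all 2>/dev/null || true   # stop the agent started for this homedir
    rm -rf "$home"
    printf '%s|%s\n' "$out" "$wrong"
}

if [ "${1:-}" = "run" ]; then sym_round_trip; fi
```

Run it as `sh script.sh run`; it prints `constructed secret note|rejected`. If you drop `--pinentry-mode loopback` from the two functions, the same script stalls or fails under `--batch` on GnuPG 2.1+, which is the failure the cheat-sheet commands above silently run into.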
Advanced Signing
Clearsign a Document
- Creates a clearsigned document, useful for signing text files like emails. The text stays readable and the signature is appended in an armored block; the result is written to document.txt.asc.
gpg --clearsign document.txt
Detached Signature with Timestamp
- Creates a detached signature with a timestamp. Every OpenPGP signature already embeds its creation time, and gpg has no --timestamp option; to see the time, verify with --verbose (or inspect the packet with --list-packets).
gpg --detach-sign document.txt
gpg --verbose --verify document.txt.sig document.txt
Sign and Encrypt in One Step
- Digitally signs and then encrypts a document. The signature sits inside the encrypted message, so only the recipient can see who signed it; add --local-user to choose which of your keys signs.
gpg --sign --encrypt --recipient "User Name" document.txt
Miscellaneous Advanced Commands
Print GPG Version and Supported Algorithms
- Prints the gpg version, the home directory in use and the supported public-key, cipher, hash and compression algorithms. It does not print your configuration: that lives in gpg.conf inside the home directory (usually ~/.gnupg).
gpg --version
Verify without Importing Key
- Verifies a signature without importing the signer’s key into your default keyring. gpg cannot check a signature without the signer's public key, so an empty keyring (/dev/null) only yields "No public key"; instead import the key into a separate keyring file and verify against that (signer.asc stands for the exported public key). The result is still only as good as the key: compare its fingerprint with a value obtained out of band.
gpg --no-default-keyring --keyring ./signer.kbx --import signer.asc
gpg --no-default-keyring --keyring ./signer.kbx --verify document.txt.sig document.txt
Use an Alternate Configuration File
- Specifies an alternate gpg.conf file instead of the one in the home directory; put it before the command it should apply to (here a key listing). --no-options skips the configuration file entirely.
gpg --options /path/to/alternate/gpg.conf --list-keys
List GPG Components and Versions
- Lists the GnuPG components (gpg, gpg-agent, dirmngr, scdaemon, ...) and the executable behind each; for the version of gpg itself and of the libraries it was built against use gpg --version.
gpgconf --list-components
Using Different Cryptographic Algorithms
Generate Non-RSA Key Pair
- GnuPG supports several algorithms like DSA, Elgamal, ECDSA, ECDH, and EdDSA. You can specify the algorithm while generating a key (--full-gen-key and --full-generate-key are the same command).
gpg --full-gen-key
During the process, you’ll be prompted to choose the type of key from RSA, DSA/Elgamal and ECC entries. DSA and Elgamal remain mainly for compatibility with old keys; for new keys choose RSA (3072 bits or more) or ECC.
Generate ECC Key Pair
- Specifically, to generate an ECC key pair, use:
gpg --full-generate-key
Then choose the ECC (sign and encrypt) entry (number 9 in current versions; the menu labels differ slightly between releases), pick Curve 25519 when asked, and follow the remaining prompts. The result is an Ed25519 signing key with a Curve25519 (cv25519) encryption subkey.
Display Key Algorithm
- To check the algorithm used by a particular key, look at the pub and sub lines of a listing: each starts with the algorithm and its size or curve (for example rsa4096 or ed25519). --with-keygrip additionally prints each key's keygrip, the identifier gpg-agent uses for the private key; for scripts, --with-colons gives the numeric algorithm ID in field 4.
gpg --list-keys --with-keygrip [User Name or Key ID]
Advanced Key Management and Usage
Changing Key Preferences
- Modify cipher, hash, and compression preferences for your key (showpref in the same menu displays the current ones). Senders consult these preferences when encrypting to you, so list only algorithms you are willing to receive, strongest first, and save when done.
gpg --edit-key [keyID] setpref
Export and Import Subkeys
- GnuPG allows exporting and importing of individual subkeys. The trailing ! after a key ID selects exactly that subkey, and --export-secret-subkeys writes the chosen secret subkeys with only a stub for the primary key; this is how you keep the primary key offline and carry the subkeys on an everyday machine.
- Export Subkey:
gpg --export-secret-subkeys [keyID!] > subkey.gpg
- Import Subkey:
gpg --import subkey.gpg
Cross-certify a Key
- Adds a cross-certification (a back signature) to a signing subkey so that verifiers can tell the subkey really belongs to the primary key; it prevents “signing subkey not cross-certified” errors. Keys created with any recent GnuPG already carry it, so this is mostly for old keys.
gpg --edit-key [keyID] cross-certify
Scripting and Automation
Automated Encryption with Specific Cipher
- Encrypts a file with a specific cipher algorithm. With --symmetric this sets the cipher directly (gpg --version lists the supported ones; AES256 is the sensible choice). With public-key encryption gpg normally picks the cipher from the recipients' preferences, and forcing one with this option can produce a message the recipient cannot decrypt.
gpg --cipher-algo [cipher] --symmetric file.txt
Non-Interactive Key Generation with Configuration File
- Uses a predefined parameter file for non-interactive key generation. Despite the name used here, mygpg.conf is not a gpg.conf: it holds the generation parameters (Key-Type, Key-Curve or Key-Length, Name-Real, Name-Email, Expire-Date, and either Passphrase or %no-protection) terminated by %commit.
gpg --batch --generate-key mygpg.conf
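The script below is an added example, not part of the original cheat sheet; it ties together the Batch Key Generation, Unattended Encryption/Decryption and Signing and Verification entries with the parameter-file generation described here. It writes a parameter file, generates an Ed25519 signing key with a cv25519 encryption subkey without prompts, encrypts to it by fingerprint, decrypts, and creates and verifies a detached signature. It assumes GnuPG 2.1 or later (required for %no-protection and Ed25519); the user ID "CI Signing <ci@example.invalid>" and the sample text are invented, and everything runs in a throwaway --homedir so the user's real keyring is never touched.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: a CI-style workflow that
# generates a key from a parameter file without prompts, encrypts to it by
# fingerprint, decrypts, and makes and checks a detached signature. Assumes
# GnuPG 2.1 or later and runs in a throwaway --homedir.
set -eu

# write_params FILE: the --batch --generate-key parameter file. %no-protection
# gives a key with no passphrase, acceptable only where the key store itself is
# locked down (a CI secret store, an encrypted volume). Key-Usage keeps signing
# on the primary key and encryption on the subkey.
write_params() {
    cat > "$1" <<'EOF'
%echo Generating an Ed25519 signing key with a cv25519 encryption subkey
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: CI Signing
Name-Email: ci@example.invalid
Expire-Date: 1y
%no-protection
%commit
%echo done
EOF
}

# gen_key HOMEDIR: generate the key and print the primary key fingerprint.
# --with-colons is the stable machine-readable listing; the first fpr record
# belongs to the primary key and field 10 is the fingerprint.
gen_key() {
    write_params "$1/params"
    gpg --homedir "$1" --batch --generate-key "$1/params" 2>/dev/null
    gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_to HOMEDIR FPR IN OUT: --trust-model always skips the web-of-trust
# check, which is safe only because the recipient is a full fingerprint rather
# than a name that a look-alike key could also match.
encrypt_to() {
    gpg --homedir "$1" --batch --yes --trust-model always \
        --recipient "$2" --output "$4" --encrypt "$3" 2>/dev/null
}

# decrypt_to HOMEDIR IN OUT
decrypt_to() {
    gpg --homedir "$1" --batch --yes --output "$3" --decrypt "$2" 2>/dev/null
}

# demo: run the whole workflow and print "<decrypted text>|<signature result>".
demo() {
    home=$(mktemp -d)                    # private GNUPGHOME, mode 0700
    fpr=$(gen_key "$home")
    msg="$home/msg.txt"
    printf 'constructed sample plaintext\n' > "$msg"   # constructed input

    encrypt_to "$home" "$fpr" "$msg" "$msg.gpg"
    decrypt_to "$home" "$msg.gpg" "$home/out.txt"
    plain=$(cat "$home/out.txt")

    # Detached signature by the primary key, then verification: gpg --verify
    # exits non-zero on a bad signature or an unknown signing key.
    gpg --homedir "$home" --batch --yes --local-user "$fpr" \
        --output "$msg.sig" --detach-sign "$msg" 2>/dev/null
    if gpg --homedir "$home" --batch --verify "$msg.sig" "$msg" 2>/dev/null; then
        sig=ok
    else
        sig=bad
    fi

    GNUPGHOME="$home" gpgconf --kill all 2>/dev/null || true   # stop this homedir's agent
    rm -rf "$home"
    printf '%s|%s\n' "$plain" "$sig"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh script.sh run`; it prints `constructed sample plaintext|ok`. In a real pipeline you would keep the generated homedir (or export the secret subkeys into a secret store) instead of deleting it, and pin the fingerprint printed by gen_key in the job configuration rather than looking keys up by name.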
Special Usage Scenarios
Create and Sign Keys in a Hardware Token
- GnuPG can interact with hardware tokens. Keys can be generated directly on the device, so that the private key never exists outside it, or moved there from your keyring; afterwards every signing and decryption operation is performed by the token.
gpg --card-edit
gpg --edit-card
These are two names for the same command: an interactive menu for managing keys on a smart card or hardware token. Inside it, generate creates a new key on the card; from gpg --edit-key, the keytocard command moves an existing (sub)key onto the card, which is one-way, so back the key up first. gpg --card-status shows what the token currently holds.
Encrypt to Multiple Recipients Using Different Algorithms
- GnuPG allows encryption to multiple recipients, each potentially using different algorithms. The file is encrypted once with a random session key; that session key is then wrapped separately for each recipient with whatever public-key algorithm their key uses (RSA for one, ECDH for another), so mixing key types costs nothing.
gpg --encrypt --recipient [RSA User] --recipient [ECC User] file.txt
Advanced Output and Logging
- Direct GnuPG output to a file for logging or debugging. --output names the ciphertext file; the diagnostics produced by --verbose go to stderr, so capture them with a redirection rather than expecting them in result.txt.
gpg --output result.txt --verbose --encrypt --recipient "User Name" file.txt 2> gpg.log
Using GnuPG in Scripts with Status-FD
- Use the --status-fd option to have GnuPG output machine-readable status messages suitable for scripts. Each line has the form "[GNUPG:] KEYWORD arguments" (the keywords are documented in GnuPG's doc/DETAILS file). They are the only reliable way to tell a good signature from a bad one or to learn which key actually signed; the exit status and the human-readable stderr text are not meant to be parsed. Combine with --batch, and pick a descriptor nothing else writes to (fd 1 is fine here because the ciphertext goes to a file, not to stdout).
gpg --status-fd 1 --encrypt --recipient "User Name" file.txt
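The following is an added example, not part of the original cheat sheet: a shell function that decides whether a signature is acceptable from the --status-fd lines of a gpg --verify run, optionally pinning the expected signer fingerprint. The status lines it is fed are constructed for the example in the documented layout, and the fingerprint and user ID in them are made up; it needs no gpg to run, so it can be tested against canned output.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: deciding whether a
# signature is acceptable from gpg's --status-fd lines rather than from its
# exit code or its human-readable stderr. Status lines have the documented
# shape "[GNUPG:] KEYWORD args..."; the samples below are constructed and
# the fingerprint in them is made up.

# check_status [expected-fingerprint]
# Reads status lines on stdin. Prints "accept <fingerprint>" and returns 0 only
# when gpg reported GOODSIG plus VALIDSIG, no error keyword, and a trust level
# of full or ultimate; if an expected fingerprint is given it must also match
# the VALIDSIG fingerprint. Otherwise prints "reject <reason>" and returns 1.
check_status() {
    awk -v want="${1:-}" '
        $1 != "[GNUPG:]" { next }                     # ignore anything that is not a status line
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG carries the full fingerprint; GOODSIG only has a key ID
        $2 == "VALIDSIG" { fpr = $3 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = $2 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = $2 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        END {
            if (bad != "")                 { print "reject " bad; exit 1 }
            if (!good || fpr == "")        { print "reject NOSIG"; exit 1 }
            if (want != "" && fpr != want) { print "reject WRONGKEY " fpr; exit 1 }
            if (!trusted)                  { print "reject UNTRUSTED"; exit 1 }
            print "accept " fpr
        }'
}

# Constructed sample: what gpg --status-fd 1 --verify emits for a good
# signature by an ultimately trusted key (arguments in the real layout).
good_sample() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz0 2024-01-01 1704067200
[GNUPG:] GOODSIG 89ABCDEF01234567 CI Signing <ci@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp
EOF
}

# Constructed sample: a valid signature by a key nobody has vouched for.
untrusted_sample() {
    good_sample | sed 's/TRUST_ULTIMATE 0 pgp/TRUST_UNDEFINED 0 pgp/'
}

# Constructed sample: the data was modified after signing.
bad_sample() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 CI Signing <ci@example.invalid>
EOF
}

# Typical use in a script (not executed here), with the signer pinned:
#   gpg --batch --status-fd 1 --verify file.sig file 2>/dev/null | check_status "$EXPECTED_FPR"
```

Pinning the fingerprint is the important part: a "Good signature" from any key in the keyring is what an attacker gets by sending you a look-alike key, so a script that verifies downloads should compare the VALIDSIG fingerprint against a value fixed in the script, not just look for GOODSIG.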