This is a quick and dirty cheatsheet on GnuPG (gpg)
| Task | Command | Notes |
|---|---|---|
| Installation | `yum install gnupg`<br>`apt install gnupg` | |
| Version | `gpg --version` | Also prints the gpg home directory (default `~/.gnupg`), which can be changed as per the next row |
| Environment setup | `GNUPGHOME=[directory]` | Points gpg at an alternative home directory (keyrings, trustdb, config) |
| Generate new gpg key | `gpg --generate-key`<br>`gpg --full-generate-key` (advanced options)<br>`gpg --quick-generate-key [USER-ID]` | Follow the on-screen prompts; the defaults are generally acceptable |
| Trust a gpg key | `gpg --edit-key [KEYID]`, then at the `gpg>` prompt enter `trust` | Select the specific trust level from the menu |
| List keys | `gpg --list-keys`<br>`gpg --list-public-keys`<br>`gpg --list-secret-keys` | Add `--keyid-format short` or `--keyid-format long` to choose the key ID format. The key type prefixes and capability letters in the listing are explained in the two tables below |
| List fingerprint | `gpg --fingerprint` (all keys)<br>`gpg --fingerprint [KEYID]` | |
| GPG file details | `gpg --list-packets [gpg_file]` | Inspect the packets of a gpg file before doing anything with it |
| Edit gpg key | `gpg --edit-key [KEYID]` | Use the interactive `gpg>` menu to edit the various options |
| Delete gpg key | `gpg --delete-secret-key [KEYID]`<br>`gpg --delete-key [KEYID]` | Delete the secret key first: gpg refuses to delete a public key while its secret key is still in the keyring |
| Expire gpg key | `gpg --quick-set-expire [FINGERPRINT] [EXPIRE]` | Takes the full fingerprint and an expiry such as `1y`, `30d` or `0` (never); without the expiry argument the command fails |
| Revoke key | `gpg --output [revoke_file] --gen-revoke [KEYID]`<br>`gpg --import [revoke_file]` | Generate the revocation certificate, then import it to mark the key revoked; publish the revoked key so others see it |
| UID commands for key | `gpg --quick-add-uid [FINGERPRINT] [USER-ID]`<br>`gpg --quick-revoke-uid [FINGERPRINT] [USER-ID]` | Both take the full fingerprint and the user ID to add or revoke |
| Export key | `gpg --output [output_file] --export [KEYID]`<br>`gpg --output [output_file] --armor --export [KEYID]`<br>`gpg --output [output_file] --export-secret-keys [KEYID]` | Be careful with secret key exports: the file contains the private key material |
| Import key | `gpg --import [key_file]` | |
| Encrypt, no armor | `gpg --batch --no-tty --encrypt -r [KEYID] -o [output_file] [input_file]` | Binary OpenPGP output |
| Encrypt with symmetric | `gpg --batch --no-tty --symmetric -o [output_file] [input_file]` | Passphrase-based, no recipient key needed. Combining `--encrypt --symmetric` with `-r [KEYID]` produces a file that either the recipient's key or the passphrase can decrypt. In batch mode the passphrase must be supplied non-interactively, e.g. `--pinentry-mode loopback --passphrase-fd 0` |
| Encrypt with armor | `gpg --batch --no-tty -a --encrypt -r [KEYID] -o [output_file] [input_file]` | The armor flag (`-a`) encodes the binary cryptographic data as readable ASCII text |
| Encrypt with armor and sign | `gpg --batch --no-tty -a --sign --encrypt -r [KEYID] -o [output_file] [input_file]` | Signs with the default secret key; add `-u [KEYID]` to choose another |
| Decrypt | `gpg --batch --no-tty -o [output_file] --decrypt [gpg_encrypted_file]` | gpg selects the matching secret key itself; `-r` is an encryption option and is not needed here |
| Clearsign | `gpg --digest-algo SHA256 --clearsign -o [output_file] -u [KEYID] [input_file]` | The signed text (or data) stays readable inside the output file; `--digest-algo` selects a specific hash algorithm |
| Sign and validate | `gpg --detach-sign [signed_file]` (short form `-b`; `--detach-sig` is accepted as an abbreviation)<br>`gpg --verify [signed_file].sig [signed_file]` | Produces a separate `.sig` file; `--verify` exits non-zero if the signature or the file does not check out |

Key types shown by `--list-keys` / `--list-secret-keys`:

| Prefix | Meaning |
|---|---|
| `pub` | Public primary key; used for signing (and certifying) |
| `sub` | Public subkey; typically used for encryption |
| `sec` | Secret primary key; used for signing |
| `ssb` | Secret subkey; used for encryption |
| `uid` | User ID, shown with its validity (trust) level |

Key capabilities (the letters in square brackets in a listing):

| Capability | Meaning |
|---|---|
| `[C]` Certify | Can sign keys. Necessary to create new subkeys |
| `[S]` Sign | Can sign messages and verify signatures. Necessary to sign Git commits |
| `[E]` Encrypt | Can encrypt and decrypt messages |
| `[A]` Authenticate | Can be used to authenticate the user, commonly in other protocols such as SSH (Secure Shell) |

Common options:

| Option | Description |
|---|---|
| `--batch` | Use batch mode. Never ask, do not allow interactive commands |
| `--no-tty` | Make sure that the TTY (terminal) is never used for any output |
| `--sign` | Sign a message. This command may be combined with `--encrypt` |
| `--clearsign` | Make a cleartext signature; the content of a cleartext signature is readable without any special software |
| `--verify` | Assume that the first argument is a signed file and verify it without generating any output |
| `--detach-sign` (`-b`) | Make a detached signature |
| `-a` | Create ASCII armored output. The default is to create the binary OpenPGP format |
| `-o` | Write output to file; default is stdout |
| `-u` | Use the named key to sign with |
| `-r` | Encrypt for the named user ID (recipient) |
| `-e` | Encrypt a file (`--encrypt`) |
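The rows above strung together as one unattended round trip (added example, not part of the cheatsheet): an isolated `GNUPGHOME`, batch key generation, sign+encrypt, decrypt, detached signature and verification, including a verify of a tampered file. It assumes a GnuPG 2.1+ `gpg` on `PATH`; the user ID is a constructed value.

```shell
#!/bin/sh
# Added example, not part of the cheatsheet: an unattended round trip through the rows
# above (isolated GNUPGHOME, batch key generation, sign+encrypt, decrypt, detached
# signature, verify). Assumes a GnuPG 2.1+ `gpg` on PATH; the user ID is constructed.
set -e

# Isolated keyring so the demo never touches ~/.gnupg.
export GNUPGHOME="$(mktemp -d)"
USER_ID="Demo User <demo@example.invalid>"

# Empty passphrase via loopback pinentry: no prompts, so only suitable for throwaway test keys.
gpg --batch --no-tty --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$USER_ID" default default 1y

# Fingerprint of that key, read from the machine-readable --with-colons listing (field 10 of the fpr record).
fpr() {
    gpg --batch --no-tty --with-colons --list-keys "$USER_ID" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign+encrypt (armored) for our own key, decrypt it again, and print the recovered plaintext.
roundtrip() {
    printf '%s' "$1" > "$GNUPGHOME/plain.txt"
    gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' \
        -a --sign --encrypt -r "$(fpr)" -o "$GNUPGHOME/plain.asc" "$GNUPGHOME/plain.txt"
    gpg --batch --no-tty --yes --quiet --pinentry-mode loopback --passphrase '' \
        -o "$GNUPGHOME/plain.out" --decrypt "$GNUPGHOME/plain.asc"
    cat "$GNUPGHOME/plain.out"
}

# Detached-sign $1, then verify the signature against $2: prints "ok" when $2 is the
# signed content and "bad" when it was altered (gpg --verify exits non-zero).
verify_detached() {
    printf '%s' "$1" > "$GNUPGHOME/doc.txt"
    gpg --batch --no-tty --yes --pinentry-mode loopback --passphrase '' \
        -u "$(fpr)" --detach-sign "$GNUPGHOME/doc.txt"
    printf '%s' "$2" > "$GNUPGHOME/doc.txt"
    if gpg --batch --no-tty --verify "$GNUPGHOME/doc.txt.sig" "$GNUPGHOME/doc.txt" 2>/dev/null; then
        echo ok
    else
        echo bad
    fi
}

# Stand-alone demo output.
roundtrip 'hello gpg'; echo
verify_detached 'release-1.0' 'release-1.0'
verify_detached 'release-1.0' 'release-1.1'
```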