GPG quick-reference cheat sheet

 Mon, 28 Nov 2022 20:49 UTC

Image: CC BY 4.0 by cybrkyd


gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard. GnuPG is often used for file encryption as well as to send encrypted communications such as e-mails. The following is a quick-reference cheat sheet for GnuPG version 2.x.

Create a new key

For quick key creation, follow the prompts. All the default options are fine.

$ gpg --gen-key

To create a new key with custom settings:

$ gpg --full-gen-key

List public keys

List all public keys in your keyring using the lower-case -k option; an abbreviation of --list-keys:

$ gpg -k

List secret keys

List all secret or private keys in your keyring using the upper-case -K; an abbreviation of --list-secret-keys:

$ gpg -K

List all keys with short ID

List all keys with their key IDs in the short format. In the example below, the short key ID is C3E456DE, shown on the first line after the algorithm. It is the last 8 hex characters (the low-order 32 bits) of the 40-character fingerprint shown on line 2. Short IDs are convenient to type but are not unique: a key whose short ID collides with yours can be generated in minutes, so identify keys to other people and to scripts by the full fingerprint. The bracketed letters are the key's capabilities: [SC] sign and certify, [E] encrypt. To list public keys, use lower-case -k; for secret keys, -K.

$ gpg -k --keyid-format=short

pub   rsa4096/C3E456DE 2022-10-17 [SC] [expires: 2024-10-16]
      44C64B50FA07E40E905F5947FDEE7C1DC3E456DE
uid         [ultimate] xx <xx@yy.com>
sub   rsa4096/9C9AE090 2022-10-17 [E] [expires: 2024-10-16]

Export public key to file

$ gpg -o public.txt -a --export <KEY ID>

Export private key to file

The exported file contains the secret key protected only by its passphrase, so treat it as a credential: write it to a private location and delete it once it has been moved to its destination.

$ gpg -o private.txt -a --export-secret-keys <KEY ID>

Import a public or private key to your keyring

Add a public or private key to your keyring. Importing works on any key file, ASCII-armored or binary, regardless of extension, e.g. .asc, .pgp, .gpg, .txt, etc.

$ gpg --import public.gpg

# or

$ gpg --import public.txt

Delete a private key from your key ring

$ gpg --delete-secret-keys <KEY ID>

Delete a public key from your key ring

Important: If a public key has an associated private key, delete the private key first.

$ gpg --delete-keys <KEY ID>

Encrypt files

To encrypt a local file symmetrically, with no recipient key involved, use -c (--symmetric). The file is protected by a passphrase rather than a key; you will be prompted for it, and the same passphrase is needed to decrypt.

$ gpg -c filename

Encrypt data using recipient’s public key

To send an encrypted file to a named recipient, it is necessary to possess the recipient’s public key. In the following example, we are encrypting the file message.txt with the public key we hold for bob@somewhere.com.

The options -e or --encrypt and -r or --recipient specify the required operations and can be combined as -er.

$ gpg -er bob@somewhere.com message.txt

The output of the above example is a new file message.txt.gpg which can only be decrypted with the private key belonging to the recipient. Note that this excludes the sender: unless you add your own key as a further recipient (-r you@example.com) or set encrypt-to in gpg.conf, you will not be able to read the file you just encrypted. If Bob's key was imported but never signed or trusted, gpg warns that there is no assurance the key belongs to the named user and asks for confirmation; check the fingerprint with Bob out of band before answering yes. The file message.txt.gpg can then be attached to and sent as a regular e-mail to bob@somewhere.com.

Decrypt files

To decrypt and display output in CLI:

$ gpg -d filename.asc

To decrypt and output to file:

$ gpg -d filename.asc > output.txt
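The script below ties the sections above together in one unattended run: it creates two throw-away keyrings, exports and imports a public key, looks up the recipient's full fingerprint, encrypts to it, shows that only the recipient's private key decrypts, and finishes with a symmetric round trip. It is an added example, not part of the original cheat sheet; it requires GnuPG 2.1 or later on PATH, and the names Alice and Bob, the example.com addresses, the message text and the passphrase are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Requires GnuPG 2.1+.
# Alice, Bob, example.com and the passphrase are invented for this demo.

# Create an unprotected ed25519 signing key with a cv25519 encryption
# subkey in HOMEDIR. %no-protection (no passphrase) is acceptable only
# because these keyrings are disposable.
make_key() {  # make_key HOMEDIR "Real Name" email
    gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# The steps themselves; uses $work, $alice and $bob set by gpg_roundtrip.
roundtrip_steps() {
    make_key "$alice" "Alice Example" alice@example.com || return 1
    make_key "$bob"   "Bob Example"   bob@example.com   || return 1

    # Bob exports his public key (ASCII-armored) and Alice imports it.
    gpg --homedir "$bob" --batch -a -o "$work/bob.pub.asc" --export bob@example.com || return 1
    gpg --homedir "$alice" --batch --quiet --import "$work/bob.pub.asc" || return 1

    # Address the key by its full 40-hex fingerprint, not a short ID.
    # In --with-colons output the fingerprint is field 10 of the "fpr" record.
    bobfpr=$(gpg --homedir "$alice" --batch --with-colons --list-keys bob@example.com |
             awk -F: '$1 == "fpr" { print $10; exit }')
    [ "${#bobfpr}" -eq 40 ] || return 1

    # Alice encrypts to Bob. The imported key has no trust path in Alice's
    # keyring, so non-interactive use needs --trust-model always; in real
    # use confirm the fingerprint with Bob out of band instead.
    printf 'meet at noon\n' > "$work/message.txt"
    gpg --homedir "$alice" --batch --trust-model always \
        -e -r "$bobfpr" -o "$work/message.txt.gpg" "$work/message.txt" || return 1

    # Only Bob's private key can decrypt: Alice's attempt must fail...
    if gpg --homedir "$alice" --batch -d "$work/message.txt.gpg" >/dev/null 2>&1; then
        return 1
    fi
    # ...and Bob's must reproduce the plaintext byte for byte.
    gpg --homedir "$bob" --batch --quiet -d -o "$work/decrypted.txt" "$work/message.txt.gpg" || return 1
    cmp -s "$work/message.txt" "$work/decrypted.txt" || return 1

    # Symmetric (-c) round trip: a passphrase instead of a key. Passing the
    # passphrase on the command line needs --pinentry-mode loopback and is
    # for automation only; it is visible in process listings and history.
    pw='correct horse battery staple'
    gpg --homedir "$alice" --batch --pinentry-mode loopback --passphrase "$pw" \
        -c -o "$work/notes.gpg" "$work/message.txt" || return 1
    gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase "$pw" \
        -d -o "$work/notes.txt" "$work/notes.gpg" || return 1
    cmp -s "$work/message.txt" "$work/notes.txt"
}

# Prints "ok" when every step succeeds, "skip" when gpg is not installed,
# and nothing (non-zero exit) on any failure. Always cleans up the
# temporary keyrings and the gpg-agent instances started for them.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { echo skip; return 0; }
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob" || return 1
    roundtrip_steps; status=$?
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null
    rm -rf "$work"
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

gpg_roundtrip
```

Every gpg call carries --batch so that nothing waits on a pinentry prompt; the one place the cheat sheet's interactive commands differ is trust, which --trust-model always overrides here and which you should instead settle by fingerprint comparison for a real correspondent.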