GPG (GnuPG) Encryption and Signing

Tear Sheet

This Tear Sheet provides common GPG (GnuPG) Encryption and Signing commands.  Tear Sheets are quick reference documents intended for readers that are already familiar with the topic, but need basic command syntax to quickly accomplish a task at hand.

Encrypt (symmetric) and decrypt a file with GPG.  Decryption is gpg's default behavior, so --decrypt can be omitted.  Alternatively, -c can be used in place of --symmetric to encrypt.  gpg --version lists the cipher algorithms that can be passed to --cipher-algo.

gpg --symmetric filename
gpg --version
gpg --symmetric --cipher-algo cipher --verbose filename

gpg --decrypt filename

Clear the GPG password cache.  Otherwise the default TTL is 10 min, with a max TTL of 2 hours.

gpgconf --reload gpg-agent

Create a public and private key pair, export the public key, export the private key, and change permissions on the exported private key file.  Remember: NEVER give anybody your private key!  The --armor parameter is optional and makes the key human readable.  The --emit-version parameter includes gpg version information in the ASCII output.

gpg --full-gen-key
gpg --armor --emit-version --export alice@domain.com > pubkey.asc
gpg --armor --export-secret-keys alice@domain.com > privkey.asc
chmod 600 privkey.asc

Import a public key, validate fingerprint, and sign the public key with your private key.  Anybody can create a private key with whatever name they like, so you must validate the fingerprint of the key with the owner to make sure you have the proper key.

gpg --import bob.gpg
gpg --list-keys
gpg --edit-key bob@domain.com
Command> fpr
Command> sign
Command> check
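
A scripted form of the fingerprint check described above, as an added example that is not part of the original tear sheet: it reads gpg's colon-format listing and imports a key file only if its primary fingerprint equals the one confirmed with the owner.  The sample listing is constructed, and the function names (primary_fpr, normalize_fpr, fpr_matches, import_if_verified) are assumptions of this example.

```sh
#!/bin/sh
# Added example: check a key file's primary fingerprint before importing it.

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_LISTING='pub:-:255:22:0123456701234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Bob <bob@domain.com>:
sub:-:255:18:89ABCDEF89ABCDEF:1700000000::::::e:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'

# Print one fingerprint per primary key: the fpr record that follows each
# pub record. Subkey fingerprints (the fpr after a sub record) are skipped.
primary_fpr() {
  awk -F: '$1 == "pub" { want = 1; next }
           $1 == "sub" { want = 0; next }
           $1 == "fpr" && want { print $10; want = 0 }'
}

# Normalise a fingerprint as people write it: drop whitespace, upper-case hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Usage: fpr_matches "<expected fingerprint>" < colon-format listing
# Returns 0 on an exact match, 1 on mismatch, 2 if the expected value is not
# a full 40-hex-digit (v4) fingerprint; short key IDs are refused.
fpr_matches() {
  fm_actual=$(primary_fpr)
  fm_expected=$(normalize_fpr "$1")
  case "$fm_expected" in
    ''|*[!0-9A-F]*) return 2 ;;
  esac
  [ "${#fm_expected}" -eq 40 ] || return 2
  # A file holding several keys yields several lines here and never matches.
  [ "$fm_actual" = "$fm_expected" ]
}

# Hypothetical wrapper: import only after the fingerprint checks out.
# Usage: import_if_verified bob.gpg "<fingerprint confirmed with the owner>"
import_if_verified() {
  gpg --show-keys --with-colons "$1" | fpr_matches "$2" && gpg --import "$1"
}
```

The --show-keys option inspects the file without adding anything to the keyring, so a mismatch leaves the keyring untouched.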

Encrypt a message with public key cryptography and decrypt with a private key.  Only the recipient can decrypt the message using their private key.  The recipient’s public key must be in the keyring.

gpg --output filename.gpg --encrypt --recipient bob@domain.com filename

gpg --output filename --decrypt filename.gpg

Sign a document, clearsign a document, and create a detached signature.  Signing compresses the document and signs it.  Clearsigning a document wraps the document in an ASCII signed message.  A detached signature leaves the original file intact, but adds a separate signature file.

gpg --output document.sig --sign document
gpg --output document --decrypt document.sig

gpg --clearsign document.txt
gpg --verify document.txt.asc

gpg --output document.sig --detach-sig document
gpg --verify document.sig document

The GNU Privacy Handbook
