GnuPG notes
1. Syntax
gpg [options] command [args]
gpg accepts a single command, but multiple options are allowed.
In this how-to, we will introduce useful commands one by one, and various options along the way.
2. Useful commands and options
2.1. Encryption and decryption
2.1.1. Symmetric encryption: --symmetric
The command is --symmetric or -c.
gpg --symmetric file.txt
gpg -c file.txt
By default, this will create file.txt.gpg. To choose the output file, use --output or -o:
gpg --output file.gpg -c file.txt
gpg -o file.gpg -c file.txt
To send the result to stdout, use -o -:
gpg -o - -c file.txt
To produce 7-bit ASCII (armored) output, use --armor or -a:
gpg -o - --armor -c file.txt
gpg -o - -a -c file.txt
To change the compression level, use --compress-level or -z:
gpg --compress-level 0 -o - --armor -c file.txt
gpg -z 0 -o - -a -c file.txt
2.1.2. Asymmetric encryption: --encrypt
The command is --encrypt or -e.
gpg --encrypt file.txt
gpg -e file.txt
To specify a recipient, use the --recipient option, or -r:
gpg --recipient bob@gmail.com -e file.txt
gpg -r bob@gmail.com -e file.txt
Asymmetric encryption with the options seen so far:
gpg --compress-level 0 --output files.tgz.gpg --armor --recipient bob@gmail.com --encrypt files.tgz
gpg -z 0 -o files.tgz.gpg -a -r bob@gmail.com -e files.tgz
This command will encrypt files.tgz with:
- No compression
- Output to files.tgz.gpg
- ASCII armor
- A recipient's email set to bob@gmail.com (this will use the associated public key). The recipient's key ID will be visible in the encrypted file.
2.1.2.1. Bonus
Bonus 1. By default, the recipient's key ID is visible in the encrypted file. If you want to hide this information, use the --hidden-recipient option, or -R:
gpg -a -o file.gpg --hidden-recipient bob@gmail.com -e file.txt
gpg -a -o file.gpg -R bob@gmail.com -e file.txt
Bonus 2. You can specify a default recipient (yourself) by editing ~/.gnupg/gpg.conf. Replace [UID] below with your default key ID.
# The default key to sign with. If this option is not used, the
# default key is the first key found in the secret keyring.
default-key [UID]
# Use the default key as default recipient if option --recipient is
# not used and don't ask if this is a valid one.
default-recipient-self
2.1.3. Decryption: --decrypt
The command is --decrypt or -d.
gpg --decrypt file.txt.gpg
gpg -d file.txt.gpg
By default, the decrypted data goes to stdout. Use the -o option seen above to decrypt to a file:
gpg -o file.txt -d file.txt.gpg
2.1.3.1. Bonus
To decrypt an "anonymous" encrypted file (see section 2.1.2.1) using a specific secret key, use the --try-secret-key option. Otherwise GnuPG will try all secret keys in your keyring.
gpg -o file.txt --try-secret-key [key-id] -d file.gpg
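The -R and --try-secret-key commands from 2.1.2.1 and 2.1.3.1 carried through end to end, as an added example that is not part of these notes: it runs in a throwaway GNUPGHOME so your real keyring is untouched, and it assumes GnuPG 2.1 or later on PATH; the user ID alice@example.com, the plaintext and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: round trip through the
# -R / --try-secret-key commands above in a throwaway keyring, so nothing
# in ~/.gnupg is touched. Assumes GnuPG 2.1+ on PATH. The user ID
# alice@example.com, the plaintext and the file names are constructed here.

# The body is a subshell, so GNUPGHOME stays local and "exit" only leaves
# the function with the given status.
gpg_roundtrip() (
    home=$(mktemp -d) || exit 1
    chmod 700 "$home"
    GNUPGHOME=$home; export GNUPGHOME
    # --batch with loopback pinentry takes the (empty) passphrase from the
    # command line; a real key would of course carry a passphrase
    g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
    # Throwaway key for the constructed recipient, never to be used for real
    g --quick-generate-key alice@example.com default default never || exit 1
    printf 'hello gnupg\n' > "$home/file.txt"
    # Normal recipient (-r): the encryption subkey's ID is stored in clear
    g -o "$home/visible.gpg" -r alice@example.com -e "$home/file.txt" || exit 1
    # Hidden recipient (-R): the key ID field is zeroed instead
    g -o "$home/hidden.gpg" -R alice@example.com -e "$home/file.txt" || exit 1
    # Encryption subkey ID of the throwaway key, from machine-readable output
    keyid=$(gpg --batch --with-colons -k alice@example.com |
            awk -F: '$1 == "sub" { print $5; exit }')
    [ -n "$keyid" ] || exit 1
    # --list-packets prints the recipient field of the first packet, which
    # is what anyone holding the ciphertext can read without a key
    g --list-packets "$home/visible.gpg" 2>&1 | grep -q "keyid $keyid" || exit 1
    g --list-packets "$home/hidden.gpg" 2>&1 | grep -q 'keyid 0000000000000000' || exit 1
    # Decrypt the anonymous file, telling gpg which secret key to try first
    g -o "$home/out.txt" --try-secret-key "$keyid" -d "$home/hidden.gpg" || exit 1
    cmp -s "$home/file.txt" "$home/out.txt" || exit 1
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
)

gpg_roundtrip && echo "hidden-recipient round trip OK"
```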
2.2. Key management
2.2.1. Listing public keys: --list-public-keys
The command is --list-public-keys, or -k.
gpg --list-public-keys
gpg -k
2.2.2. Listing secret keys: --list-secret-keys
The command is --list-secret-keys, or -K.
gpg --list-secret-keys
gpg -K
2.2.3. Exporting public keys: --export
The command is --export.
gpg --export [UID]
This command will export the public key for [UID]. By default this exports the key to stdout, in binary format. To export to an ASCII file, use the options seen before:
gpg -a -o file.txt --export [UID]
2.2.4. Exporting secret keys: --export-secret-keys
The command is --export-secret-keys.
gpg --export-secret-keys
As with --export, you can use options to export to an ASCII file:
gpg -a -o secret_key.asc --export-secret-keys
2.2.5. Importing keys: --import
The command is --import.
gpg --import key.asc