The GNU Privacy Guard application allows you to encrypt and decrypt information, create public and private encryption keys, and use or verify digital signatures. GPG is based on the use of a pair of keys, one public and one private (or “secret”). Data encrypted with one key can only be decrypted with the other. To encrypt a message to you, someone would use your public key to create a message that could only be unlocked with your private key. To sign information, you would lock it with your private key, allowing anyone to verify that it came from you by unlocking it with your public key.
Key commands
| Option | Description |
|---|---|
| –check-sigs [keyname] | Lists keys and signatures like –list-sigs, but also verifies the signatures. |
| –delete-key keyname | Delete the specified key from the keyring. |
| –delete-secret-key keyname | Delete the named secret key from the secret and public keyring. |
| –delete-secret-and-public-key keyname | Delete the secret (if any) and then the public key for the specified name. |
| –desig-revoke keyname | Create a revocation certificate for a key pair and designate authority to issue it to someone else. |
| –edit-key [keyname] | Edit key options using a menu-driven tool. Key options are too numerous to list here, but include everything from trust settings to images attached to keys for user identification purposes. |
| –export [keyname] | Output the specified key or, if no key is named, the entire keyring. Use the –output flag to send the key information to a file, and –armor to make the key mailable as ASCII text. |
| –export-secret-keys [keyname] | Outputs the specified secret key or keys. Operation is the same as –export, except with secret keys. This is a security risk and should be used with caution. |
| –export-secret-subkeys [keyname] | Outputs the specified secret subkeys. Operation is the same as –export, except with secret keys. |
| –fingerprint [keyname] | List keys and their fingerprints for keys named, or all keys if no name is specified. |
| –gen-key | Generate a new pair of keys, prompting for several preferences and a passphrase. |
| –gen-revoke keyname | Create a revocation certificate for a key pair. |
| –keyserver keyserver | Specifies the name of the keyserver holding the key. |
| –list-keys [keyname] | List keys with the specified name, or all keys if no name is specified. |
| –list-public-keys [keyname] | List public keys with the specified name, or all public keys if no name is specified. |
| –list-secret-keys [keyname] | List secret keys with the specified name, or all secret keys if no name is specified. |
| –list-sigs [keyname] | List keys as –list-keys does, but also list the signatures. |
| –gen-revoke keyname | Delete the secret key (if any) and then the public key for the specified name. |
| –import file | Read keys from a file and add them to your keyring. |
| –lsign-key keyname | Sign a public key, but mark it as nonexportable. |
| –recv-keys keyname | Download and import keys from a keyserver. |
| –refresh-keys [keyname] | Check the keyserver for updates to keys already in the keyring. |
| –search-keys [keyname] | Search the names of keys on the keyserver. Specify the keyserver with –keyserver. |
| –send-keys [keyname] | Send one or more keys to a keyserver. Specify the keyserver with –keyserver. |
| –sign-key keyname | Sign a public key using your private key. |
If you encounter below error while running the gpg command:
gpg: command not found
you may install the gpg package as shown below as per your choice of distribution.
| Distribution | Command |
|---|---|
| OS X | brew install gnupg |
| Debian | apt-get install gpg |
| Ubuntu | apt-get install gpg |
| Alpine | apk add gnupg |
| Arch Linux | pacman -S gnupg |
| Kali Linux | apt-get install gpg |
| CentOS | yum install gnupg2 |
| Fedora | dnf install GnuPG |
| Raspbian | apt-get install gnupg |
gpg Command Examples
1. Create a GPG public and private key interactively:
# gpg --full-generate-key
2. Sign `doc.txt` without encryption (writes output to `doc.txt.asc`):
# gpg --clearsign doc.txt
3. Encrypt and sign `doc.txt` for alice@example.com and bob@example.com (output to `doc.txt.gpg`):
# gpg --encrypt --sign --recipient alice@example.com --recipient bob@example.com doc.txt
4. Encrypt `doc.txt` with only a passphrase (output to `doc.txt.gpg`):
# gpg --symmetric doc.txt
5. Decrypt `doc.txt.gpg` (output to stdout):
# gpg --decrypt doc.txt.gpg
6. Import a public key:
# gpg --import public.gpg
7. Export public key for alice@example.com (output to stdout):
# gpg --export --armor alice@example.com
8. Export private key for alice@example.com (output to stdout):
# gpg --export-secret-keys --armor alice@example.com