GPG notes

Revision as of 22:30, 29 June 2010 by Root (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

GPG quick reference

Note that GPG is sensitive to the order of command-line arguments.

generate a new key pair:
  gpg --gen-key

list keys with fingerprints:
  gpg --fingerprint --list-keys

export public key in ASCII:
  gpg --armor --export

export public key in ASCII to file:
  gpg --armor --output pubkey.asc --export

import keys from file:
  gpg --import keyfile

sign a text file with ASCII output in '''file.asc'''. This is meant mostly for email. Do not use this on binary data:
  gpg --clearsign file

sign a file with binary output in '''file.gpg'''. This works on both text and binary data.
  gpg --sign file

sign a file with ASCII encoded output in '''file.asc'''. This works on both text and binary data.
  gpg --armor --sign file

verify a signed file:
  gpg --verify file

create a detached signature where '''file''' is unchanged and signature is put in '''file.sig''':
  gpg --detach-sig file

verify a detached signature of a file. You must have both '''file''' and '''file.sig''' in the same directory:
  gpg --verify file.sig

encrypt a file. The recipient's public key must be on your keyring. Note that this automatically signs the file. The '''decrypt''' argument will automatically verify the file. You can't use '''verify''' separately.
  gpg --encrypt --recipient file

decrypt a file:
  gpg --decrypt file

symmetric key encryption with GPG

Users often want to encrypt a file with a simple password or passphrase. This is called symmetric key encryption because the same password is used for both encrypting and decrypting a file. GPG is most often used for more robust and safe public/private key pair encryption and signing. But can be more effort and trouble if you are just encrypting a file for yourself. These examples show how GPG can be used for simple symmetric key encryption.

Note that OpenSSL also supports symmetric key encryption. You are likely to find OpenSSL on more machines than GPG, so you may prefer to use that tool instead.

symmetric key encryption

This encrypts the given file, foo.plain. Each line is equivalent and shows different ways for specifying input and output (from a file or stdin/stdout). The --armor option specifies ASCII encoded output instead of binary.

cat foo_plain_in.txt | gpg --symmetric --armor > foo.enc
gpg --symmetric --armor foo_plain_in.txt > foo.enc
gpg --symmetric --armor --output foo.enc foo_plain_in.txt

=== symmetric key decryption ===

Note that the '--use-agent' option is not required. Normally the agent is used to unlock the secret key in a key pair in your keyring, but  I just use it to get the passphrase for symmetric key encryption. The GPG key agent can provide more options for how you provide the passphrase. This makes the graphical GUI popup appear to ask for a password.

The '--no-mdc-warning' is necessary to suppress the warning that the message was not protected with a SHA-1 checksum (modification detection code). The MDC is not very useful with simple symmetric encryption anyway.

cat foo.enc | gpg --decrypt --no-mdc-warning --quiet --use-agent > foo_plain_out.txt


This was a rough first attempt at a bash alias that would decrypt either GPG or OpenSSL encrypted files. If it fails on gpg then it attempts openssl.

gpg --decrypt --no-mdc-warning --quiet --use-agent foo.enc || openssl bf -d -a -salt -in foo.enc