GPG quick reference
Note that GPG is sensitive to the order of command-line arguments.
generate a new key pair: gpg --gen-key list keys with fingerprints: gpg --fingerprint --list-keys export public key in ASCII: gpg --armor --export email@example.com export public key in ASCII to file: gpg --armor --output pubkey.asc --export firstname.lastname@example.org import keys from file: gpg --import keyfile sign a text file with ASCII output in '''file.asc'''. This is meant mostly for email. Do not use this on binary data: gpg --clearsign file sign a file with binary output in '''file.gpg'''. This works on both text and binary data. gpg --sign file sign a file with ASCII encoded output in '''file.asc'''. This works on both text and binary data. gpg --armor --sign file verify a signed file: gpg --verify file create a detached signature where '''file''' is unchanged and signature is put in '''file.sig''': gpg --detach-sig file verify a detached signature of a file. You must have both '''file''' and '''file.sig''' in the same directory: gpg --verify file.sig encrypt a file. The recipient's public key must be on your keyring. Note that this automatically signs the file. The '''decrypt''' argument will automatically verify the file. You can't use '''verify''' separately. gpg --encrypt --recipient email@example.com file decrypt a file: gpg --decrypt file
symmetric key encryption with GPG
Users often want to encrypt a file with a simple password or passphrase. This is called symmetric key encryption because the same password is used for both encrypting and decrypting a file. GPG is most often used for more robust and safe public/private key pair encryption and signing. But can be more effort and trouble if you are just encrypting a file for yourself. These examples show how GPG can be used for simple symmetric key encryption.
Note that OpenSSL also supports symmetric key encryption. You are likely to find OpenSSL on more machines than GPG, so you may prefer to use that tool instead.
symmetric key encryption
This encrypts the given file, foo.plain. Each line is equivalent and shows different ways for specifying input and output (from a file or stdin/stdout). The --armor option specifies ASCII encoded output instead of binary.
cat foo_plain_in.txt | gpg --symmetric --armor > foo.enc gpg --symmetric --armor foo_plain_in.txt > foo.enc gpg --symmetric --armor --output foo.enc foo_plain_in.txt <pre> === symmetric key decryption === Note that the '--use-agent' option is not required. Normally the agent is used to unlock the secret key in a key pair in your keyring, but I just use it to get the passphrase for symmetric key encryption. The GPG key agent can provide more options for how you provide the passphrase. This makes the graphical GUI popup appear to ask for a password. The '--no-mdc-warning' is necessary to suppress the warning that the message was not protected with a SHA-1 checksum (modification detection code). The MDC is not very useful with simple symmetric encryption anyway. <pre> cat foo.enc | gpg --decrypt --no-mdc-warning --quiet --use-agent > foo_plain_out.txt
This was a rough first attempt at a bash alias that would decrypt either GPG or OpenSSL encrypted files. If it fails on gpg then it attempts openssl.
gpg --decrypt --no-mdc-warning --quiet --use-agent foo.enc || openssl bf -d -a -salt -in foo.enc