gpg
Encrypt, decrypt, sign, and verify files
TLDR
Create a GPG public and private key interactively
List all keys from the public keyring
Sign doc.txt without encryption (writes output to doc.txt.asc)
Encrypt and sign doc.txt for alice@example.com and bob@example.com (output to doc.txt.gpg)
Encrypt doc.txt with only a passphrase (output to doc.txt.gpg)
Decrypt doc.txt.gpg (output to stdout)
Import a public key
Export the public/private key for alice@example.com (output to stdout)
SYNOPSIS
gpg [options] [files]
gpg --encrypt [options] files
gpg --decrypt [options] files
gpg --sign [options] files
gpg --clearsign [options] files
gpg --detach-sign [options] files
gpg --verify [options] files
gpg --import [options] [files]
gpg --export [options] [keyIDs]
gpg --list-keys [options] [keyIDs]
gpg --delete-keys [options] keyIDs
gpg --gen-key [options]
PARAMETERS
-e, --encrypt
Encrypts data for specified recipients. Requires public keys of recipients.
-d, --decrypt
Decrypts encrypted data. Requires the corresponding private key.
-s, --sign
Makes a signature for a file. The signed output bundles the data with its signature in one file (doc.txt.gpg, or doc.txt.asc with --armor); contrast --detach-sign.
--clearsign
Makes a clear-text signature. The original text stays readable, with the signature appended to it in an armored block.
-b, --detach-sign
Like --sign, but writes the signature to a separate file (doc.txt.sig, or doc.txt.asc with --armor) and leaves the data file untouched.
--verify
Verifies a signature against a file. Requires the signer's public key.
--import
Imports public or private keys from a file or standard input into the keyring.
--export
Exports public or private keys from the keyring to a file or standard output.
--list-keys
Lists all public keys (or specified ones) in the public keyring.
--gen-key
Generates a new PGP key pair (public and private keys).
-r, --recipient
Specifies a recipient's User ID or key ID for encryption.
-u, --local-user
Specifies the key to be used for signing or decrypting data.
-o, --output
Writes output to the specified file instead of standard output.
--armor
Creates ASCII armored output, which is base64 encoded and suitable for email or text transfer.
DESCRIPTION
The gpg (GNU Privacy Guard) command is a powerful, free, and complete implementation of the OpenPGP standard (RFC 4880). It provides cryptographic privacy and authentication for data communication. Users can encrypt files and emails, ensuring only intended recipients can read them, and digitally sign data, allowing recipients to verify its origin and integrity.
gpg features an advanced key management system, enabling users to generate, import, export, and revoke cryptographic key pairs (a public key and a private key). It's widely used in Linux environments for various security tasks, including secure email, file encryption, software package verification, and secure communication channels. Its flexibility and adherence to open standards make it a cornerstone tool for digital security and privacy.
CAVEATS
Complexity: gpg can be complex, especially for key management and understanding the Web of Trust.
Passphrase Security: The security of your private keys heavily depends on the strength of your passphrase. A weak passphrase renders strong encryption useless.
Key Loss: Losing your private key means losing access to encrypted data and the ability to sign data. Back up your keys securely.
Metadata Leakage: gpg encrypts content but not metadata (e.g., file names, sizes, communication patterns), which can still reveal information.
No Perfect Forward Secrecy: Standard gpg encryption doesn't offer perfect forward secrecy by default, meaning if your private key is compromised, past communications encrypted with that key could be retroactively decrypted.
KEYRINGS
gpg maintains two primary key stores: the public keyring (pubring.kbx), holding other people's public keys as well as your own, and the private key store, which in modern GnuPG (2.1 and later) is the ~/.gnupg/private-keys-v1.d/ directory with one file per secret key (older versions used secring.gpg). Both live under ~/.gnupg/ by default.
WEB OF TRUST
Instead of relying on a centralized Certificate Authority model, OpenPGP uses a 'Web of Trust'. Users sign each other's public keys to vouch for their authenticity, building a decentralized network of trust. This allows users to determine how much they trust a key based on who has signed it.
GPG-AGENT
The gpg-agent is a utility that manages private keys and passphrases. It caches passphrases for a configurable period, reducing the need to enter them repeatedly when performing cryptographic operations, thus improving usability while maintaining security.
CONFIGURATION
The main configuration file for gpg is ~/.gnupg/gpg.conf. Users can define default options, preferred algorithms, key server settings, and other behaviors in this file to customize their gpg experience.
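The following script is an added example for this page, not part of GnuPG's own documentation. It ties together the TLDR workflow and the PARAMETERS above (key generation, --detach-sign/--verify, --sign --encrypt --recipient, --decrypt) and the CONFIGURATION section by writing a hardened gpg.conf into a throwaway keyring, so the user's real ~/.gnupg is never touched. It also checks the property a verifier cares about: a file altered after signing must fail verification. The identities (alice/bob @example.com) and file contents are constructed for the demo; the options --quick-generate-key, --pinentry-mode loopback and gpgconf --kill are real GnuPG 2.x options that the page does not list.

```shell
#!/bin/sh
# Added example, not from the gpg man page. Exercises sign/verify and
# encrypt/decrypt in an ephemeral keyring with a hardened gpg.conf.
# Identities and file contents below are constructed for the demo.

# Hardened defaults for the keyring's gpg.conf. The same lines work in
# ~/.gnupg/gpg.conf: strong cipher/digest preferences, SHA-512 for key
# certifications, and no version/comment headers in armored output.
write_gpg_conf() {
    cat > "$1/gpg.conf" <<'EOF'
keyid-format 0xlong
with-fingerprint
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256
cert-digest-algo SHA512
s2k-cipher-algo AES256
s2k-digest-algo SHA512
no-emit-version
no-comments
require-cross-certification
EOF
}

# Unattended key generation for a demo identity. A real key needs a strong
# passphrase; the empty one here only lets the script run without a prompt.
gen_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" default default never >/dev/null 2>&1
}

# Detached, ASCII-armored signature written beside the file as FILE.asc.
sign_detached() {
    gpg --batch --yes --local-user "$1" --armor --detach-sign \
        --output "$2.asc" "$2" >/dev/null 2>&1
}

# Exit 0 only when FILE.asc is a good signature over FILE by a known key.
verify_detached() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Encrypt FILE for RECIPIENT and sign it as SIGNER, producing FILE.gpg.
encrypt_sign() {
    gpg --batch --yes --local-user "$1" --recipient "$2" \
        --sign --encrypt --output "$3.gpg" "$3" >/dev/null 2>&1
}

# Decrypt FILE.gpg into OUT; gpg also checks the embedded signature and
# exits non-zero if it is bad or from an unknown key.
decrypt_verify() {
    gpg --batch --yes --decrypt --output "$2" "$1.gpg" >/dev/null 2>&1
}

# Full round trip in a fresh keyring. Returns 0 only if every step works
# and a file modified after signing is rejected by --verify.
run_demo() {
    home=$(mktemp -d /tmp/gpgdemo.XXXXXX) || return 1
    GNUPGHOME=$home; export GNUPGHOME
    chmod 700 "$home"
    write_gpg_conf "$home"
    rc=1
    if gen_key "Alice <alice@example.com>" && gen_key "Bob <bob@example.com>"; then
        printf 'release notes v1.0\n' > "$home/doc.txt"
        if sign_detached alice@example.com "$home/doc.txt" \
           && verify_detached "$home/doc.txt" \
           && encrypt_sign alice@example.com bob@example.com "$home/doc.txt" \
           && decrypt_verify "$home/doc.txt" "$home/doc.out" \
           && cmp -s "$home/doc.txt" "$home/doc.out"; then
            # Tampering after signing: the old signature must not verify.
            printf 'release notes v1.1\n' > "$home/doc.txt"
            if ! verify_detached "$home/doc.txt"; then rc=0; fi
        fi
    fi
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home"
    return $rc
}

if command -v gpg >/dev/null 2>&1; then
    run_demo && echo "round trip OK; tampered file rejected"
else
    echo "gpg not installed; nothing to run" >&2
fi
```

Setting GNUPGHOME is the standard way to point gpg at an alternate keyring; because both demo keys are generated locally they carry ultimate ownertrust, so encryption to bob@example.com needs no --trust-model override. The agent started for the temporary home is stopped with gpgconf --kill before the directory is removed.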
HISTORY
gpg (GNU Privacy Guard) was started in 1997 by Werner Koch as a free replacement for the proprietary PGP software. The first stable version, 1.0.0, was released on September 7, 1999. It quickly gained traction as the open-source community's preferred tool for OpenPGP-compatible cryptography. gpg adheres strictly to the OpenPGP standard (RFC 4880) and has become an integral part of nearly every Linux distribution and a foundational component for securing software releases, email communication, and data storage across the internet.
SEE ALSO
pgp(1), openssl(1), ssh-keygen(1), base64(1), cryptsetup(8)