LinuxCommandLibrary

gpg

Encrypt, decrypt, sign, and verify files

TLDR

Create a GPG public and private key interactively

$ gpg [[--full-gen-key|--full-generate-key]]

List all keys from the public keyring

$ gpg [[-k|--list-keys]]

Sign doc.txt without encryption (writes output to doc.txt.asc)
$ gpg --clearsign [doc.txt]

Encrypt and sign doc.txt for alice@example.com and bob@example.com (output to doc.txt.gpg)
$ gpg [[-es|--encrypt --sign]] [[-r|--recipient]] [alice@example.com] [[-r|--recipient]] [bob@example.com] [doc.txt]

Encrypt doc.txt with only a passphrase (output to doc.txt.gpg)
$ gpg [[-c|--symmetric]] [doc.txt]

Decrypt doc.txt.gpg (output to stdout)
$ gpg [[-d|--decrypt]] [doc.txt.gpg]

Import a public key
$ gpg --import [public.gpg]

Export the public/private key for alice@example.com (output to stdout)
$ gpg [--export|--export-secret-keys] [[-a|--armor]] [alice@example.com]

SYNOPSIS

gpg [options] [files]
gpg --encrypt [options] files
gpg --decrypt [options] files
gpg --sign [options] files
gpg --clearsign [options] files
gpg --detach-sign [options] files
gpg --verify [options] files
gpg --import [options] [files]
gpg --export [options] [keyIDs]
gpg --list-keys [options] [keyIDs]
gpg --delete-keys [options] keyIDs
gpg --gen-key [options]

PARAMETERS

-e, --encrypt
    Encrypts data for specified recipients. Requires public keys of recipients.

-d, --decrypt
    Decrypts encrypted data. Requires the corresponding private key.

-s, --sign
    Makes a signature. The output file contains the data together with its signature; use --detach-sign to keep the signature in a separate file.

--clearsign
    Makes a clear text signature. The signature is embedded within the original text, remaining readable.

-b, --detach-sign
    Similar to --sign, but writes only the signature (e.g. doc.txt.sig), kept separate from the data it covers.

--verify
    Verifies a signature against a file. Requires the signer's public key.

--import
    Imports public or private keys from a file or standard input into the keyring.

--export
    Exports public or private keys from the keyring to a file or standard output.

--list-keys
    Lists all public keys (or specified ones) in the public keyring.

--gen-key
    Generates a new PGP key pair (public and private keys).

-r, --recipient
    Specifies a recipient's User ID or key ID for encryption.

-u, --local-user
    Specifies the key to be used for signing or decrypting data.

-o, --output
    Writes output to the specified file instead of standard output.

--armor
    Creates ASCII armored output, which is base64 encoded and suitable for email or text transfer.
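
The TLDR commands and the signing, verification, encryption, import and export options above, run end to end in one script. This is an added example, not code from the LinuxCommandLibrary page or from the GnuPG project. It assumes GnuPG 2.1 or later on PATH; the user ID alice@example.com is taken from the examples above, while the key pair, the file contents and the passphrase are constructed for the demo. It also shows that a modified file fails --verify and that a recipient can verify a detached signature with nothing but the exported public key.

```shell
#!/bin/sh
# Added example, not part of the LinuxCommandLibrary page: exercises the gpg
# operations above inside a throwaway GNUPGHOME so the real ~/.gnupg is never
# touched. Assumes GnuPG 2.1+ on PATH. User ID, file contents and passphrase
# are constructed for this demo only.
set -u

# --batch disables prompts; loopback pinentry lets the (empty) demo passphrase
# come from the command line instead of a dialog. Real keys need a strong one.
gpgb() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Private keyring directory (gpg warns on loose permissions), a demo key pair
# (sign+certify primary key plus an encryption subkey) and a file to protect.
setup_demo() {
    GNUPGHOME=$(mktemp -d) && export GNUPGHOME && chmod 700 "$GNUPGHOME" || return 1
    gpgb --quick-gen-key "Alice Demo <alice@example.com>" default default 0 || return 1
    printf 'package list for release 1.0\n' > "$GNUPGHOME/doc.txt"
}

# --clearsign keeps the text readable and appends the signature (doc.txt.asc);
# --verify needs only that file because the data travels inside it.
clearsign_and_verify() {
    gpgb --clearsign "$GNUPGHOME/doc.txt" &&
    gpgb --verify "$GNUPGHOME/doc.txt.asc"
}

# --detach-sign writes only the signature (doc.txt.sig); --verify then takes
# the signature first and the original data second.
detach_sign_and_verify() {
    gpgb --detach-sign "$GNUPGHOME/doc.txt" &&
    gpgb --verify "$GNUPGHOME/doc.txt.sig" "$GNUPGHOME/doc.txt"
}

# One appended byte must break the signature. Returns 0 only when gpg rejects
# the modified copy, i.e. when the integrity check actually works.
tamper_is_detected() {
    cp "$GNUPGHOME/doc.txt" "$GNUPGHOME/tampered.txt" || return 1
    printf 'x' >> "$GNUPGHOME/tampered.txt"
    if gpgb --verify "$GNUPGHOME/doc.txt.sig" "$GNUPGHOME/tampered.txt" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Encrypt to the recipient's public key and sign with our key in one pass;
# --decrypt also checks the embedded signature. Then compare with the original.
encrypt_sign_decrypt() {
    gpgb --encrypt --sign --recipient alice@example.com \
         --output "$GNUPGHOME/doc.txt.gpg" "$GNUPGHOME/doc.txt" &&
    gpgb --decrypt --output "$GNUPGHOME/doc.dec" "$GNUPGHOME/doc.txt.gpg" &&
    cmp -s "$GNUPGHOME/doc.txt" "$GNUPGHOME/doc.dec"
}

# Passphrase-only encryption: no key pair involved, so the passphrase is the
# entire security margin (see CAVEATS).
symmetric_roundtrip() {
    pw='demo-only-passphrase'
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$pw" \
        --symmetric --output "$GNUPGHOME/doc.sym" "$GNUPGHOME/doc.txt" &&
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase "$pw" \
        --decrypt --output "$GNUPGHOME/doc.sym.dec" "$GNUPGHOME/doc.sym" &&
    cmp -s "$GNUPGHOME/doc.txt" "$GNUPGHOME/doc.sym.dec"
}

# Export the armored public key, import it into a second, empty keyring (as a
# recipient would) and verify the detached signature there: verification needs
# only the signer's public key, never the private one.
export_import_verify() {
    pub="$GNUPGHOME/alice.pub.asc"; sig="$GNUPGHOME/doc.txt.sig"; doc="$GNUPGHOME/doc.txt"
    gpgb --export --armor alice@example.com > "$pub" || return 1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$pub" || return 1
    other=$(mktemp -d) && chmod 700 "$other" || return 1
    GNUPGHOME="$other" gpg --batch --quiet --import "$pub" &&
    GNUPGHOME="$other" gpg --batch --quiet --list-keys alice@example.com >/dev/null &&
    GNUPGHOME="$other" gpg --batch --quiet --verify "$sig" "$doc"
    rc=$?
    rm -rf "$other"
    return $rc
}

# Stop the agent gpg started for the throwaway home, then delete it.
cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null
    [ -n "${GNUPGHOME:-}" ] && rm -rf "$GNUPGHOME"
    return 0
}

run_demo() {
    setup_demo && clearsign_and_verify && detach_sign_and_verify &&
    tamper_is_detected && encrypt_sign_decrypt && symmetric_roundtrip &&
    export_import_verify
    rc=$?
    cleanup_demo
    [ "$rc" -eq 0 ] && echo "all gpg checks passed" || echo "a gpg check failed (rc=$rc)"
    return $rc
}

run_demo
```

Every step runs with an explicit GNUPGHOME, which is also the habit to keep when testing key material: a throwaway home directory cannot pollute the real keyring, and removing it afterwards discards the unprotected demo key.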

DESCRIPTION

The gpg (GNU Privacy Guard) command is a powerful, free, and complete implementation of the OpenPGP standard (RFC 4880). It provides cryptographic privacy and authentication for data communication. Users can encrypt files and emails, ensuring only intended recipients can read them, and digitally sign data, allowing recipients to verify its origin and integrity.

gpg features an advanced key management system, enabling users to generate, import, export, and revoke cryptographic key pairs (a public key and a private key). It's widely used in Linux environments for various security tasks, including secure email, file encryption, software package verification, and secure communication channels. Its flexibility and adherence to open standards make it a cornerstone tool for digital security and privacy.

CAVEATS

Complexity: gpg can be complex, especially for key management and understanding the Web of Trust.

Passphrase Security: The security of your private keys heavily depends on the strength of your passphrase. A weak passphrase renders strong encryption useless.

Key Loss: Losing your private key means losing access to encrypted data and the ability to sign data. Back up your keys securely.

Metadata Leakage: gpg encrypts content but not metadata (e.g., file names, sizes, communication patterns), which can still reveal information.

No Perfect Forward Secrecy: Standard gpg encryption doesn't offer perfect forward secrecy by default, meaning if your private key is compromised, past communications encrypted with that key could be retroactively decrypted.

KEYRINGS

gpg maintains two primary keyrings: the public keyring (pubring.kbx) for storing public keys of others and your own, and the private keyring (privring.kbx) for storing your secret (private) keys. These keyrings are typically located in the ~/.gnupg/ directory.

WEB OF TRUST

Instead of relying on a centralized Certificate Authority model, OpenPGP uses a 'Web of Trust'. Users sign each other's public keys to vouch for their authenticity, building a decentralized network of trust. This allows users to determine how much they trust a key based on who has signed it.

GPG-AGENT

The gpg-agent is a utility that manages private keys and passphrases. It caches passphrases for a configurable period, reducing the need to enter them repeatedly when performing cryptographic operations, thus improving usability while maintaining security.

CONFIGURATION

The main configuration file for gpg is ~/.gnupg/gpg.conf. Users can define default options, preferred algorithms, key server settings, and other behaviors in this file to customize their gpg experience.

HISTORY

gpg (GNU Privacy Guard) was started in 1997 by Werner Koch as a free replacement for the proprietary PGP software. The first stable version, 1.0.0, was released on September 7, 1999. It quickly gained traction as the open-source community's preferred tool for OpenPGP-compatible cryptography. gpg adheres strictly to the OpenPGP standard (RFC 4880) and has become an integral part of nearly every Linux distribution and a foundational component for securing software releases, email communication, and data storage across the internet.

SEE ALSO

pgp(1), openssl(1), ssh-keygen(1), base64(1), cryptsetup(8)
