gpg
Encrypt, decrypt, sign, and verify files
TLDR
Create a GPG public and private key interactively
List all keys from the public keyring
Sign doc.txt without encryption (writes output to doc.txt.asc)
Encrypt and sign doc.txt for alice@example.com and bob@example.com (output to doc.txt.gpg)
Encrypt doc.txt with only a passphrase (output to doc.txt.gpg)
Decrypt doc.txt.gpg (output to stdout)
Import a public key
Export the public/private key for alice@example.com (output to stdout)
SYNOPSIS
gpg [options] command [args]
PARAMETERS
--armor             Create ASCII armored output
--batch             Run in non-interactive mode
--clearsign         Make a clear-text signature
--decrypt           Decrypt data (default if no command)
--default-key       Use named key as default
--delete-keys       Remove keys from public keyring
--edit-key          Edit a key interactively
--encrypt           Encrypt data
--export            Export keys
--fingerprint       Show key fingerprints
--gen-key           Generate a new key pair
--gen-revoke        Generate a revocation certificate
--homedir           Set directory for config and keys
--import            Import/merge keys
--keyid-format      Select key ID format
--list-keys         List public keys
--list-secret-keys  List secret keys
--list-sigs         List keys with signatures
--output            Write output to file
--recipient         Encrypt for user ID or key ID
--sign              Make a signature
--signer            Sign as user ID or key ID
--verify            Verify a signature
--version           Show version info
--detach-sign       Make a detached signature
DESCRIPTION
gpg (GNU Privacy Guard) is a complete and free implementation of the OpenPGP standard (RFC 4880) as a command-line tool. It provides data encryption, digital signatures, and key management for protecting the confidentiality and authenticity of communications and files.
Key features include symmetric and asymmetric encryption (using RSA, ElGamal, ECC), signing with private keys, verification of signatures, key generation, import/export, and revocation. It supports trust models like Web of Trust and integrates with keyservers for public key distribution.
Common workflows: encrypt files for recipients with --encrypt --recipient, sign data with --sign, verify with --verify, or clear-sign messages with --clearsign. Keys are stored in ~/.gnupg by default, with separate public and secret keyrings.
gpg is widely used for email encryption (e.g., with Mutt or Thunderbird), software signing, Git commit signing, and secure file transfer. Smartcards and HSMs are handled as backends through gpg-agent. While powerful, it requires an understanding of public-key cryptography concepts to use effectively.
CAVEATS
Key management is critical; losing secret keys means data loss. Default trust model requires manual web-of-trust setup. Interactive prompts may fail in scripts without --batch. Vulnerable to timing attacks if not configured properly. Use --no-tty in non-TTY environments.
COMMON SUBCOMMANDS
--encrypt-files, --decrypt-files, --symmetric for batch operations; --quick-gen-key for fast key generation.
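The following script is an added example, not part of the original page or of the GnuPG project: it runs the workflow the DESCRIPTION and CAVEATS sections describe (key generation, encrypt/decrypt for a recipient, detached signing and verification, passphrase-only encryption) fully unattended, using --batch, --no-tty and --pinentry-mode loopback so no prompt can stall a script. The identity alice@example.com, the file names and the passphrase are constructed test values, and everything happens inside a throwaway GNUPGHOME so the real ~/.gnupg keyring is never touched.

```shell
#!/bin/sh
# Added example (not from the original page): an unattended gpg round trip
# inside a temporary GNUPGHOME. All names and values below are constructed.
set -eu

cleanup_home() {
    # Stop the agent that was started for this home directory, then remove it.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$GNUPGHOME"
}

gpg_roundtrip() {
    # mktemp -d creates a mode-700 directory; gpg warns about anything looser.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    trap cleanup_home EXIT
    W="$GNUPGHOME/work"
    mkdir "$W"

    # --batch: no interactive prompts; --no-tty: never open the terminal
    # (see CAVEATS); --pinentry-mode loopback: let --passphrase feed the
    # agent directly instead of a pinentry dialog.
    GPG="gpg --batch --no-tty --pinentry-mode loopback"

    # 1. Generate a key pair for the constructed identity. Arguments after
    #    the user ID are algorithm, usage and expiry; an empty passphrase
    #    leaves the secret key unprotected, acceptable only for a throwaway key.
    $GPG --passphrase '' --quick-gen-key 'Alice Example <alice@example.com>' \
        default default never >/dev/null 2>&1

    printf 'secret report\n' > "$W/doc.txt"

    # 2. Encrypt for the recipient, then decrypt and compare with the original.
    #    --trust-model always is acceptable here only because the key was just
    #    generated locally; with imported keys, verify fingerprints instead.
    $GPG --trust-model always --recipient alice@example.com \
        --output "$W/doc.txt.gpg" --encrypt "$W/doc.txt"
    $GPG --passphrase '' --output "$W/decrypted.txt" --decrypt "$W/doc.txt.gpg"
    cmp -s "$W/doc.txt" "$W/decrypted.txt" || return 1

    # 3. Armored detached signature over the plaintext, verified against it.
    $GPG --passphrase '' --armor --output "$W/doc.txt.asc" --detach-sign "$W/doc.txt"
    $GPG --verify "$W/doc.txt.asc" "$W/doc.txt" >/dev/null 2>&1 || return 1

    # 4. A modified copy must fail verification against the same signature.
    printf 'secret report!\n' > "$W/tampered.txt"
    if $GPG --verify "$W/doc.txt.asc" "$W/tampered.txt" >/dev/null 2>&1; then
        return 1
    fi

    # 5. Passphrase-only (symmetric) encryption with a constructed passphrase,
    #    decrypted to stdout and compared with the plaintext.
    PASS='correct horse battery staple'
    $GPG --passphrase "$PASS" --output "$W/doc.sym.gpg" --symmetric "$W/doc.txt"
    $GPG --passphrase "$PASS" --decrypt "$W/doc.sym.gpg" 2>/dev/null \
        | cmp -s "$W/doc.txt" - || return 1

    trap - EXIT
    cleanup_home
    echo "ok"
}

gpg_roundtrip
```

Every gpg invocation writes its result with --output or to stdout, so the only thing the function prints on success is "ok"; any failing step makes the function return non-zero, which is what a calling script should check for rather than parsing gpg's human-readable messages.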
KEYSERVERS
Use --keyserver hkp://keys.gnupg.net with --recv-keys or --send-keys for key exchange.
TRUST MODEL
Edit trust with gpg --edit-key <key> and the trust subcommand at its prompt; keys generated locally default to ultimate trust.
HISTORY
Developed by Werner Koch in 1997 as a free, GPL-licensed alternative to Phil Zimmermann's PGP due to export restrictions. GnuPG 1.x focused on core features; GnuPG 2.x (2007+) added agent, smartcard support, and modern crypto (ECC). Now at version 2.4+, maintained by the GnuPG Project with widespread adoption in Linux distros.