gpg2
Encrypt, decrypt, sign, and verify data
TLDR
View documentation for the original command
SYNOPSIS
gpg2 [--homedir dir] [--options file] [options] command [args]
PARAMETERS
--armor (-a)
Create ASCII-armored output
--batch
Run in non-interactive batch mode
--clearsign
Make a clear-text signature
--decrypt (-d)
Decrypt input (stdin or files)
--default-key name
Use specified key as default
--encrypt (-e)
Encrypt data to the recipients given with --recipient; for passphrase-only encryption use --symmetric (-c)
--export [names]
Export public keys (add --armor for ASCII output)
--fingerprint [-v]
Show key fingerprints
--gen-key
Generate new key pair
--gen-revoke user
Generate revocation certificate
--import [-v] [files]
Import public keys
--list-keys (-k) [names]
List public keys
--list-secret-keys (-K)
List secret keys
--list-sigs [names]
List keys with signatures
--output (-o) file
Write output to file
--recipient (-r) user
Encrypt for specific recipient
--sign (-s)
Sign input data
--verify [sigfile [datafile]]
Verify signature
--yes
Assume yes to all prompts
--homedir dir
Use non-default home directory
--keyserver uri
Set keyserver for uploads/downloads
--trust-model model
Set trust model (classic, pgp, tofu+pgp)
--edit-key name
Interactively edit key
--quick-gen-key name
Quickly generate a key
--detach-sign (-b)
Create detached signature
--symmetric (-c)
Encrypt with symmetric cipher only
--encrypt-files
Encrypt given files
--no-tty
No tty for batch scripts
DESCRIPTION
gpg2 is the primary client for GNU Privacy Guard (GnuPG) version 2.x, a free implementation of the OpenPGP standard (RFC 4880). It provides secure encryption, digital signing, and verification of files, emails, and messages. Users can generate, manage, import, and export public/private key pairs, create revocation certificates, and interact with hardware tokens like smartcards.
Key features include ASCII-armored output for easy transport, symmetric/asymmetric encryption, detached signatures, trust model configuration, and batch mode for automation. It supports multiple recipients, subkeys for different purposes, and expiration dates on keys/signatures. gpg2 integrates with gpg-agent for passphrase caching and SSH agent functionality.
Common workflows: encrypt files with gpg2 --encrypt --recipient user@example.com file.txt, sign packages for distribution, verify downloaded software, or set up encrypted email via plugins like Enigmail or built-in clients. Security relies on strong passphrases, key backups, and updating to latest versions to mitigate vulnerabilities. Widely used in Linux distributions for package signing (e.g., apt repositories) and developer workflows.
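The "verify downloaded software" workflow, scripted for unattended use, as an added example that is not part of the original page: it accepts a detached signature only when gpg reports a valid signature from one expected fingerprint, using a throwaway --homedir so no other key can satisfy the check. The key name, file names and file contents are constructed; --status-fd, --with-colons, --pinentry-mode and --passphrase are gpg options that the parameter list above does not cover.

```shell
#!/bin/sh
# Added example: pin a detached signature to one expected key fingerprint.
# The key name, file names and file contents below are constructed.
GPG=$(command -v gpg2 || command -v gpg || echo gpg)

# g HOMEDIR ARGS...: run gpg non-interactively against an isolated keyring.
g() { h=$1; shift; "$GPG" --homedir "$h" --batch --no-tty --yes "$@"; }

# Read --status-fd lines on stdin; succeed only on a VALIDSIG whose signing-key
# or primary-key fingerprint equals $1 (compared as strings, never as numbers).
status_has_validsig() {
    awk -v want="$1" '$2 == "VALIDSIG" && (($3 "") == (want "") ||
        ($NF "") == (want "")) { ok = 1 } END { exit !ok }'
}

# verify_pinned HOMEDIR FPR SIGFILE DATAFILE
verify_pinned() {
    g "$1" --status-fd 1 --verify "$3" "$4" 2>/dev/null | status_has_validsig "$2"
}

# Self-check: throwaway key, sign, then confirm good/wrong-key/tampered results.
demo() {
    home=$(mktemp -d) && work=$(mktemp -d) || return 1   # mktemp -d gives mode 0700
    {
        g "$home" --pinentry-mode loopback --passphrase '' \
            --quick-gen-key 'Release Signer <release@example.com>' &&
        fpr=$(g "$home" --with-colons --fingerprint |
              awk -F: '$1 == "fpr" { print $10; exit }') &&
        printf 'release payload v1\n' > "$work/pkg.tar" &&
        g "$home" --armor --output "$work/pkg.tar.asc" --detach-sign "$work/pkg.tar" &&
        verify_pinned "$home" "$fpr" "$work/pkg.tar.asc" "$work/pkg.tar" &&
        ! verify_pinned "$home" "WRONGFPR" "$work/pkg.tar.asc" "$work/pkg.tar" &&
        printf 'tampered\n' >> "$work/pkg.tar" &&
        ! verify_pinned "$home" "$fpr" "$work/pkg.tar.asc" "$work/pkg.tar"
    } 2>/dev/null
    rc=$?
    gpgconf --homedir "$home" --kill gpg-agent 2>/dev/null
    rm -rf "$home" "$work"
    return "$rc"
}

case "${1:-}" in run) demo && echo "pinned verification behaves as expected" ;; esac
```

Run the script with the argument run to execute the self-check. In real use the homedir would hold only the publisher's imported public key, and the fingerprint would come from a channel independent of the download.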
CAVEATS
Not all options from gpg1 are compatible; use gpg wrapper for portability. Requires writable homedir (~/.gnupg). Passphrase prompts may fail in non-interactive envs without agent. Keyservers can be unreliable; prefer direct exchange.
KEY MANAGEMENT TIPS
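Always back up your private keys. GnuPG 2.1 and later keep them in ~/.gnupg/private-keys-v1.d; secring.gpg is used only by older versions. Use paperkey for offline backups. If a key is compromised, revoke it immediately: generate a revocation certificate with --gen-revoke, import it, and publish the updated public key.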
CONFIGURATION FILE
gpg.conf in ~/.gnupg/ holds defaults such as default-key, keyserver, and personal-digest-preferences SHA512.
COMMON ERRORS
'no public key': Import recipient key first. 'invalid packet': Corrupt input. Use -v or --verbose for debugging.
HISTORY
GnuPG 1.0 was released in 1999 as a PGP replacement. GnuPG 2.0 (2007) introduced gpg-agent, smartcard support, and split daemons. gpg2 is the 2.x client; 2.1+ added ECC, certified drivers. It is now standard (GnuPG 2.4.x in 2024), replacing gpg1 in most distros.


