gpg2
Encrypt, decrypt, sign, and verify data
SYNOPSIS
gpg2 [options] [files]
Common usage examples:
gpg2 --encrypt --recipient user@example.com file.txt
gpg2 --decrypt file.txt.gpg
gpg2 --sign document.pdf
gpg2 --verify signature.sig [signed-file]
gpg2 --list-keys
gpg2 --gen-key
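The usage examples above combined into one runnable round trip (an added example, not GnuPG project code): it builds a disposable keyring under its own GNUPGHOME, generates a key in batch mode without exposing a passphrase on the command line, encrypts and signs a file, decrypts it, and checks a detached signature, deciding success from the machine-readable --status-fd lines rather than from the human-readable messages. It assumes GnuPG 2.1 or later is on PATH as gpg2 or as gpg; the identity, file names and message are constructed.

```sh
#!/bin/sh
# Added example, not GnuPG project code: an encrypt/sign/verify/decrypt round
# trip in a disposable keyring. Assumes GnuPG 2.1 or later on PATH (as gpg2,
# or as gpg where the distro links gpg to gpg2); the identity below is made up.
set -eu

GPG=$(command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null || echo gpg)
UID_STR='Throwaway Tester <tester@example.invalid>'   # constructed identity

# gpg_roundtrip WORKDIR: returns 0 only when the embedded and the detached
# signature both verify (GOODSIG) and the decrypted file matches the original.
gpg_roundtrip() {
    w="$1"
    export GNUPGHOME="$w/gnupghome"       # isolates keyring, trustdb and agent socket
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # --batch avoids prompts. An empty passphrase keeps pinentry out of the loop and
    # leaks nothing through argv; acceptable here only because the key is throwaway.
    "$GPG" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" default default never

    printf 'the quick brown fox\n' > "$w/msg.txt"

    # Encrypt to the recipient and sign in one pass; ASCII armor for text transport.
    "$GPG" --batch --yes --armor --encrypt --sign --recipient tester@example.invalid \
        --output "$w/msg.txt.asc" "$w/msg.txt"

    # Decrypt. Machine-readable status lines go to fd 3; never parse the human
    # text on stderr to decide whether a signature is good.
    "$GPG" --batch --yes --status-fd 3 --output "$w/msg.out" \
        --decrypt "$w/msg.txt.asc" 3>"$w/decrypt.status"
    grep -q '^\[GNUPG:\] GOODSIG ' "$w/decrypt.status" || return 1
    cmp -s "$w/msg.txt" "$w/msg.out" || return 1

    # Detached signature over the plaintext, then --verify against it.
    "$GPG" --batch --yes --armor --detach-sign --output "$w/msg.txt.sig" "$w/msg.txt"
    "$GPG" --batch --status-fd 3 --verify "$w/msg.txt.sig" "$w/msg.txt" \
        3>"$w/verify.status"
    grep -q '^\[GNUPG:\] GOODSIG ' "$w/verify.status" || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true   # stop the per-home agent
    return 0
}

# Run directly as:  sh gpg2_roundtrip.sh "$(mktemp -d)"
if [ "$#" -eq 1 ]; then
    gpg_roundtrip "$1" && echo "round trip ok"
fi
```

The same --status-fd check is what a script should rely on in production: an exit status of 0 from --decrypt only says decryption worked, while GOODSIG (and, for keys you do not own, the accompanying TRUST_* line) says who signed it.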
PARAMETERS
--encrypt, -e
Encrypt data for specified recipients.
--decrypt, -d
Decrypt data. Output is written to stdout unless --output names a file.
--sign, -s
Make a detached signature of the input file.
--clearsign
Make a cleartext signature, embedding the signature in the text.
--verify
Verify a signature against a file or stdin.
--recipient user-id, -r user-id
Encrypt for the specified user or key ID.
--output file, -o file
Write output to the specified file.
--armor, -a
Create ASCII armored output, suitable for email or text transfer.
--list-keys, -k
List public keys in the keyring.
--list-secret-keys, -K
List secret (private) keys in the keyring.
--import
Import keys from a file or stdin into the keyring.
--export
Export keys from the keyring to stdout or a file.
--gen-key
Generate a new OpenPGP key pair interactively.
--delete-secret-keys
Delete secret keys from the keyring.
--delete-keys
Delete public keys from the keyring.
--edit-key
Enter an interactive key editing shell.
--refresh-keys
Refresh public keys from a configured key server.
--batch
Run in batch mode, avoiding interactive prompts where possible.
DESCRIPTION
gpg2 is the primary command-line tool for the GnuPG 2.x suite, providing a robust and free implementation of the OpenPGP standard (RFC 4880). It enables users to encrypt and decrypt files, sign and verify digital signatures, and manage their OpenPGP keys. Unlike its predecessor gpg (GnuPG 1.x), gpg2 is designed with a more modular architecture, heavily relying on components like gpg-agent for passphrase caching and scdaemon for smart card integration.
This separation of concerns enhances security and usability by centralizing sensitive operations. gpg2 is widely used for securing email, documents, and code, ensuring confidentiality, integrity, and authenticity through cryptographic operations. It supports various algorithms and key types, making it a versatile tool for privacy-conscious users and developers alike.
CAVEATS
gpg2 relies heavily on gpg-agent for passphrase management and private key operations. Issues with gpg-agent (e.g., not running, misconfigured) can prevent gpg2 from functioning correctly.
While `--passphrase` exists, it's generally discouraged due to security risks; it exposes the passphrase in command history and process lists. Prefer using gpg-agent for passphrase caching.
KEYRING MANAGEMENT
gpg2 stores all cryptographic keys (public and private) in a GnuPG home directory, typically ~/.gnupg. This directory also contains the trust database and configuration files. Proper management and backup of this directory are crucial for retaining control over your cryptographic identities.
WEB OF TRUST
GnuPG implements a 'Web of Trust' model, where users can sign other users' public keys to indicate their validity. This system provides an alternative to centralized Certificate Authorities. gpg2 allows users to manage and express their trust relationships, influencing how keys are validated.
AGENT INTERACTION
A core feature of gpg2 is its seamless interaction with gpg-agent. Whenever a private key operation (like signing or decrypting) is required, gpg2 communicates with the agent, which handles passphrase prompts and caching. This centralizes passphrase management, reducing the number of times a passphrase needs to be entered and enhancing overall system security.
HISTORY
GnuPG was originally created by Werner Koch, with gpg (GnuPG 1.x) being the initial stable series. The development of gpg2 (GnuPG 2.x) introduced a significant architectural shift, moving towards a more modular design. This led to the creation of separate daemons like gpg-agent (for passphrase caching and private key handling), scdaemon (for smart card integration), and dirmngr (for key server interactions).
The gpg2 series is now the recommended and actively developed branch, improving security by isolating sensitive operations and offering greater flexibility. On many modern Linux distributions, the command gpg is often a symbolic link to gpg2, signifying its status as the default and preferred GnuPG client.