GPG Cheatsheet

A command list for you (and me) to use GnuPG.

Check GPG location

which gpg
where.exe gpg

Git Config

# Get PATH from which (or where.exe on Windows),
# then replace [PATH] with that path
which gpg
git config --global gpg.program [PATH]

# Get GPG_KEY from "gpg --list-secret-keys",
# then replace [GPG_KEY] with that key ID
gpg --list-secret-keys --keyid-format LONG
git config --global user.signingkey "[GPG_KEY]"

git config --global commit.gpgsign true
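
The Git Config step above has you copy [GPG_KEY] by hand from the listing. The following added example (not part of the original cheatsheet) picks it from gpg's machine-readable `--with-colons` output instead, skipping expired, revoked or disabled keys and keys that cannot sign. The function name `signing_key_from_colons` is hypothetical, and the sample listing with its key IDs and fingerprints is constructed.

```shell
#!/bin/sh
# Added example: choose the value for user.signingkey from the colon listing.
# Field numbers follow the GnuPG --with-colons format:
#   field 1 = record type, field 2 = validity, field 10 = fingerprint (on fpr
#   records), field 12 = capabilities (uppercase = usable on the whole key).

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key IDs, fingerprints and user IDs are made up.
SAMPLE_LISTING='sec:e:4096:1:1111111111111111:1500000000:1531536000::u:::sc:::+:::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1500000000::0000000000000000000000000000000000000001::Old Key <old@example.org>::::::::::0:
sec:u:4096:1:2222222222222222:1600000000:::u:::cEC:::+:::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1600000000::0000000000000000000000000000000000000002::Mail Only <mail@example.org>::::::::::0:
ssb:u:4096:1:2222222222222223:1600000000::::::e:::+:::23:
fpr:::::::::2222222222222222222222222222222222222223:
sec:u:255:22:3333333333333333:1700000000:::u:::scESC:::+::ed25519:::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1700000000::0000000000000000000000000000000000000003::Dev <dev@example.org>::::::::::0:
ssb:u:255:18:3333333333333334:1700000000::::::e:::+::cv25519::
fpr:::::::::3333333333333333333333333333333333333334:'

# Print the fingerprint of the first secret key that is usable for signing:
# validity is not invalid/disabled/revoked/expired/not-valid, the key as a
# whole has the Sign capability (S), and it is not flagged disabled (D).
signing_key_from_colons() {
    awk -F: '
        $1 == "sec" {
            usable = ($2 !~ /^[idren]$/ && $12 ~ /S/ && $12 !~ /D/)
            next
        }
        # The first fpr record after a usable sec record is the primary key
        # fingerprint. usable stays false until the next sec record, so
        # fingerprints of skipped keys and their subkeys are ignored.
        $1 == "fpr" && usable { print $10; exit }
    '
}

# Demo on the constructed listing; prints the third key's fingerprint.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_from_colons

# Real use (needs gpg and git installed):
#   git config --global user.signingkey \
#     "$(gpg --list-secret-keys --with-colons | signing_key_from_colons)"
```

An empty result means no key in the listing can currently sign, which is worth checking before setting commit.gpgsign to true.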

GPG commands

# Generate a new key pair (interactive)
gpg --full-generate-key

# List public key detail from database
gpg --list-keys

# List private key detail from database
gpg --list-secret-keys

# List key detail with subkey fingerprints from database
gpg --list-keys --with-subkey-fingerprints
gpg --list-secret-keys --with-subkey-fingerprints

# Delete public key detail from database
gpg --delete-key [KEYID]

# Delete private key detail from database
gpg --delete-secret-key [KEYID]

# List key detail from key file
gpg keys.asc

# List more key detail from key file
gpg --with-subkey-fingerprint keys.asc
gpg -v keys.asc

# Import key file
gpg --import keys.asc

# Export specific public key
gpg -a --export [KEYID] > public.asc

# Export all public keys
gpg -a --export > public-all.asc

# Export specific private key
gpg -a --export-secret-key [KEYID] > secret.asc

# Export all private keys
gpg -a --export-secret-key > secret-all.asc

# View the fingerprint of a key
gpg --fingerprint [KEYID]

# Sign the key
gpg --sign-key [KEYID]

# Sign the key via the key editor
gpg --edit-key [KEYID]
gpg>fpr
gpg>sign
gpg>save

# Export the signed key
gpg -a --export [KEYID] > signed-key.asc

# Locally sign a key
# The key exported to others doesn't contain this signature
gpg --lsign-key [KEYID]

# Removing a local key signature
gpg --edit-key [KEYID]
gpg>delsig
gpg>save

# Revoking a published key signature
gpg --edit-key [KEYID]
gpg>revsig
gpg>save

# Upload the key and revocation certificate to key servers
gpg --send-key [KEYID]

# Export the key with the revoked signature
gpg -a --export [KEYID] > exported-key.asc

# Manage user IDs (UIDs) in the key editor
gpg --edit-key [KEYID]

# Adding a UID
gpg>adduid
(enter details as prompted)

# Removing a UID
gpg>uid X
gpg>deluid

# Changing primary UID
gpg>list
gpg>uid X
gpg>primary

# Save and quit
gpg>save
gpg>quit

# Change the owner trust of a key
gpg --edit-key [KEYID]
gpg>trust
gpg>(enter trust level)
gpg>save

Letter  Meaning
-       No ownertrust assigned / not yet calculated.
e       Trust calculation has failed.
q       Not enough information for calculation.
n       Never trust this key.
m       Marginally trusted.
f       Fully trusted.
u       Ultimately trusted.

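# Generate a revocation certificate
gpg -a --gen-revoke [KEYID] > revoke.asc

# Sign and encrypt a file (-u selects the signing key and only takes effect with -s)
gpg -s -e -u [SIGN-UID] -r [ENCRYPT-UID] somefile

# Decrypt a file
gpg -d somefile.gpg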

gpg --edit-key

gpg --edit-key [KEYID]

sign - Makes a signature on the current key. If the key is not yet signed by the default user or the user given with the option --local-user, the program displays the information of the key again, together with its fingerprint, and asks whether it should be signed. This question is repeated for all users specified with the option --local-user.

lsign - Same as sign, but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment.

revsig - Revoke a signature. Asks for each signature made by one of the private keys whether a revocation certificate should be generated.

trust - Change the owner trust value. This updates the trust database immediately and no save is required.

Letter  Meaning
-       No ownertrust assigned / not yet calculated.
e       Trust calculation has failed.
q       Not enough information for calculation.
n       Never trust this key.
m       Marginally trusted.
f       Fully trusted.
u       Ultimately trusted.

disable - Disable the key. A disabled key cannot normally be used for encryption.

enable - Enable a key that has been previously disabled.

adduid - Add a new user id to the current key.

deluid - Delete a user id from the current key.

addkey - Add a new subkey to the current key.

delkey - Delete a subkey from the current key.

revkey - Revoke a subkey of the current key.

expire - Change a key expiration time. If a subkey is selected, the time of that key will be changed. With no selection the expiration time of the current primary key is changed.

key n - Toggle selection of subkey with index n. Use 0 to deselect all.

uid n - Toggle selection of user id with index n. Use 0 to deselect all.

passwd - Change the passphrase of the private key of the selected key pair.

toggle - Toggle between public and private key listings.

check - Check all selected user ids.

pref - List preferences.

save - Save all changes to the current key and quit.

quit - Quit without updating the current key.
