GPG Commands

GNU Privacy Guard (GnuPG or GPG) is a complete and free implementation of the OpenPGP standard. It enables secure communication and data storage using strong cryptography. This cheat sheet covers essential commands for key management, encryption, and signing operations.

Installation

Linux/Ubuntu

sudo apt update
sudo apt install gnupg

macOS

brew install gnupg

Windows

choco install gnupg
# or download from https://www.gnupg.org/download/

Key Generation

Create New GPG Key

# Interactive key generation (recommended)
gpg --full-generate-key

# Generate with specific parameters
gpg --generate-key --batch <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: John Doe
Name-Email: john@example.com
Expire-Date: 2y
%commit
%echo done
EOF

# Quick key generation (non-interactive)
gpg --quick-generate-key "John Doe <john@example.com>" rsa4096 sign 2y

Key Management

List Keys

# List public keys
gpg --list-keys

# List public keys with long (64-bit) key IDs
gpg --list-keys --keyid-format long

# List secret (private) keys
gpg --list-secret-keys

# List keys with fingerprints
gpg -k --fingerprint

# Show key details
gpg --list-keys --with-colons john@example.com

Key Information

# Display key fingerprint
gpg --list-keys --fingerprint john@example.com

# Show the signatures (certifications) on a key
gpg --list-sigs john@example.com

# Display detailed key info
gpg --list-keys --with-subkey-fingerprint john@example.com

# Show expiration date (the [expires: ...] field on the pub/sub lines)
gpg --list-keys john@example.com

Export Keys

# Export public key to file
gpg --export -a john@example.com > public-key.asc

# Export public key binary format
gpg --export john@example.com > public-key.gpg

# Export secret key (private key)
gpg --export-secret-keys -a john@example.com > private-key.asc

# Export secret subkey only
gpg --export-secret-subkeys -a john@example.com > subkey.asc

# Export with specific key ID
gpg --export -a 1A2B3C4D > key.asc

Import Keys

# Import public key
gpg --import public-key.asc

# Import from file
gpg --import keyfile.gpg

# Import multiple keys
gpg --import keyring.asc

# List imported keys
gpg --list-keys

Delete Keys

# Delete public key
gpg --delete-key john@example.com

# Delete private key (asks for confirmation)
gpg --delete-secret-key john@example.com

# Delete both public and private
gpg --delete-secret-and-public-key john@example.com

# Force deletion without confirmation (batch mode; a secret key must then be
# given by its full fingerprint)
gpg --batch --yes --delete-key 1A2B3C4D

Edit Keys

# Edit key properties interactively
gpg --edit-key john@example.com

# Extend key expiration date (takes the primary key's full fingerprint and a
# new expiry; append subkey fingerprints to extend subkeys as well)
gpg --quick-set-expire <full-fingerprint> 2y

# Add new UID to key
gpg --quick-add-uid 1A2B3C4D "John Doe <newemail@example.com>"

# Change key trust level
gpg --edit-key john@example.com
# Then use 'trust' command in interactive mode

Encryption and Decryption

Encrypt Files

# Encrypt for specific recipient
gpg --encrypt --recipient john@example.com file.txt

# Encrypt for multiple recipients
gpg --encrypt --recipient john@example.com --recipient jane@example.com file.txt

# Encrypt as ASCII-armored output
gpg --armor --encrypt --recipient john@example.com file.txt

# Encrypt and output to specific file
gpg --output file.gpg --encrypt --recipient john@example.com file.txt

# Encrypt with symmetric cipher (password-based)
gpg --symmetric file.txt

# Encrypt symmetrically with armor
gpg --armor --symmetric file.txt

# Encrypt file without displaying progress
gpg --quiet --encrypt --recipient john@example.com file.txt

Decrypt Files

# Decrypt file
gpg --decrypt file.gpg

# Decrypt and save to file
gpg --output file.txt --decrypt file.gpg

# Decrypt with a passphrase given on the command line (GnuPG 2.1+ needs
# loopback pinentry; note the passphrase is visible to other local users in ps)
gpg --batch --pinentry-mode loopback --passphrase 'your-passphrase' --decrypt file.gpg

# Decrypt without interactive prompt, reading the passphrase from stdin (fd 0)
gpg --batch --pinentry-mode loopback --passphrase-fd 0 --decrypt file.gpg < passphrase.txt

# Decrypt and verify an embedded signature: --decrypt already verifies any
# signature inside the message (--verify is a separate command and cannot be
# combined with it)
gpg --decrypt file.gpg

Digital Signatures

Sign Files

# Create detached signature
gpg --detach-sign file.txt

# Create signature and save to specific file
gpg --detach-sign --output file.sig file.txt

# Sign as ASCII-armored text
gpg --armor --detach-sign file.txt

# Create cleartext signature (text included in signature)
gpg --clearsign file.txt

# Sign with specific key
gpg --default-key 1A2B3C4D --detach-sign file.txt

# Sign without prompting for passphrase (passphrase read from stdin, fd 0)
gpg --batch --pinentry-mode loopback --passphrase-fd 0 --detach-sign file.txt < passphrase.txt

# Sign with a key selected by user ID (every OpenPGP signature carries a
# creation timestamp; no extra option is needed for that)
gpg --default-key john@example.com --detach-sign file.txt

Verify Signatures

# Verify detached signature
gpg --verify file.sig file.txt

# Verify cleartext signature
gpg --verify file.txt.asc

# Verify signature and show details
gpg --verify --verbose file.sig file.txt

# Check signature status without full output
gpg --quiet --verify file.sig file.txt

# Verify and extract data
gpg --output file.txt --decrypt file.txt.asc
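
A "Good signature" line only means some key in the keyring made the signature; a script that trusts a signed artifact must also pin which key. The helper below is an added example (not part of the original cheat sheet): it reads gpg's machine-readable --status-fd output and accepts only a VALIDSIG line whose signing-key or primary-key fingerprint matches the pinned value. The sample status text and the fingerprints in it are constructed for the demonstration.

```shell
#!/bin/sh
# Accept a detached signature only if it was made by a pinned key.
# VALIDSIG fields (1-based, after "[GNUPG:]"): 3 = signing (sub)key
# fingerprint, 12 = primary key fingerprint. Comparison is case-insensitive.

# Usage: status_has_validsig <expected-fingerprint>   (status lines on stdin)
# Exit status 0 = signature valid and made by the pinned key, 1 otherwise.
status_has_validsig() {
  awk -v want="$1" '
    BEGIN { want = toupper(want) }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
      (toupper($3) == want || toupper($12) == want) { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Usage: verify_pinned <expected-fingerprint> <file.sig> <file>
# Runs gpg in batch mode, sends status lines to stdout and checks them.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
    | status_has_validsig "$1"
}

# Constructed sample of what gpg --status-fd prints for a good signature
# (fingerprints are made up; they are not real keys).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF John Doe <john@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY 0 pgp'

PINNED_PRIMARY=fedcba9876543210fedcba9876543210fedcba98   # lowercase on purpose
WRONG_KEY=0000000000000000000000000000000000000000

# Returns 0 when the sample is accepted for the pinned key and rejected
# for an unrelated key, i.e. when the check behaves as intended.
demo() {
  printf '%s\n' "$SAMPLE_STATUS" | status_has_validsig "$PINNED_PRIMARY" || return 1
  if printf '%s\n' "$SAMPLE_STATUS" | status_has_validsig "$WRONG_KEY"; then
    return 1
  fi
  return 0
}

demo && echo "pinned-key check behaves as expected"
```

In a real pipeline call `verify_pinned "$FPR" file.sig file.txt` and treat any non-zero exit as a failed verification; the pinned fingerprint should come from the deployment, never from the signature itself.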

Keyserver Operations

Upload Keys

# Upload public key to keyserver
gpg --keyserver keyserver.ubuntu.com --send-key 1A2B3C4D

# Upload to a different keyserver (repeat per server for redundancy)
gpg --keyserver hkp://keys.openpgp.org --send-key 1A2B3C4D

# Upload selecting the key by user ID (email)
gpg --keyserver pgp.mit.edu --send-key john@example.com

Download/Receive Keys

# Download key from keyserver
gpg --keyserver keyserver.ubuntu.com --receive-key 1A2B3C4D

# Search for key on keyserver
gpg --keyserver keyserver.ubuntu.com --search-key john@example.com

# Refresh keys from keyserver
gpg --keyserver keyserver.ubuntu.com --refresh-keys

# Import key from web
gpg --keyserver hkp://keys.openpgp.org --recv-key 1A2B3C4D

# Fetch a key by its full fingerprint (a short ID such as 1A2B3C4D can match
# more than one key); re-check the fingerprint with gpg --fingerprint after import
gpg --keyserver keyserver.ubuntu.com --recv-keys <full-fingerprint>

Trust and Signatures

Trust Management

# Edit trust level
gpg --edit-key john@example.com
# Type: trust

# Set ultimate ownertrust (ownertrust entries are keyed by full fingerprint;
# 6 = ultimate, 5 = full, 4 = marginal, 3 = never)
gpg --import-ownertrust <<< "<full-fingerprint>:6:"

# List ownertrust values stored in the trust database
gpg --export-ownertrust

# Check key validity: field 2 of the uid lines (u = ultimate, f = full,
# m = marginal, - = unknown, r = revoked, e = expired)
gpg --list-keys --with-colons john@example.com | grep '^uid'

Sign Other Keys

# Sign someone else's key
gpg --sign-key john@example.com

# Sign key with specific trust level
gpg --sign-key --ask-cert-level john@example.com

# Export the key including the certification you just added
gpg --armor --export john@example.com > signed-key.asc

# Locally sign key without uploading
gpg --lsign-key john@example.com

Advanced Operations

Export/Import Full Keyring

# Export all public keys
gpg --export --armor > keyring.asc

# Export all private keys
gpg --export-secret-keys --armor > private-keyring.asc

# Backup keyring
gpg --export-secret-keys > ~/.gnupg/backup-secret-keys.gpg

# Restore keyring
gpg --import < ~/.gnupg/backup-secret-keys.gpg

Batch Operations

# Encrypt multiple files
for file in *.txt; do
  gpg --encrypt --recipient john@example.com "$file"
done

# Decrypt all .gpg files
for file in *.gpg; do
  gpg --decrypt "$file" > "${file%.gpg}"
done

# Sign all files
for file in *; do
  [ -f "$file" ] && gpg --detach-sign "$file"
done

Advanced Key Maintenance

# Change key passphrase
gpg --passwd john@example.com

# Generate a revocation certificate (import it to revoke the key; best created
# right after key generation and stored offline)
gpg --output revoke.asc --gen-revoke john@example.com

# Import revocation certificate
gpg --import revoke.asc

# Show or set preferred algorithms
gpg --edit-key john@example.com
# Type: showpref (display) or setpref (change), then save

# Check key strengths
gpg --list-keys --with-subkey-fingerprint john@example.com

Configuration

GPG Configuration File (~/.gnupg/gpg.conf)

# Set default key
default-key 1A2B3C4D

# Set default recipient
default-recipient john@example.com

# Use specific keyserver
keyserver hkp://keys.openpgp.org

# Automatically fetch missing keys when verifying signatures (this reveals to
# the keyserver which keys you verify)
auto-key-retrieve

# UTF-8 support
charset utf-8

# Show long key IDs
keyid-format long

# Strong preferences
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256

Common Troubleshooting

# Verify GPG installation
gpg --version

# Check GPG configuration
gpg --version --verbose

# List all configured options
gpg --dump-options

# Fix permissions (important): directories 700, files 600 (a plain chmod 600
# on ~/.gnupg/* would break subdirectories such as private-keys-v1.d)
chmod 700 ~/.gnupg
find ~/.gnupg -type d -exec chmod 700 {} \;
find ~/.gnupg -type f -exec chmod 600 {} \;

# Re-initialize GPG agent
gpgconf --kill gpg-agent

# Rebuild keyring caches and check the trust database
gpg --rebuild-keydb-caches
gpg --check-trustdb

# Verify key fingerprints match
gpg --fingerprint john@example.com

Best Practices

  • Keep private keys secure with strong passphrases
  • Regularly back up your private keys in a secure location
  • Use 4096-bit RSA keys for new key generation
  • Set key expiration dates (1-3 years recommended)
  • Verify fingerprints through secure channel before importing keys
  • Upload keys to multiple keyservers for redundancy
  • Sign other keys only after proper verification
  • Revoke compromised keys immediately with revocation certificate
  • Use separate encryption and signing subkeys when possible
  • Keep GPG software updated with security patches

Last updated: 2026-03-30