Commands
Query
- listing all public keys (without signatures):
gpg2 --list-keys
- listing all public keys with signatures:
gpg2 --list-keys --with-sig-list
- checking all public key signatures:
gpg2 --check-sigs
Management
- creating public / secret key pair:
gpg2 --gen-key --expert
- importing an ASCII-armored public or secret key:
gpg2 --armor --import ./key.asc
- exporting an ASCII-armored public key:
gpg2 --armor --export {id}
- exporting an ASCII-armored secret key:
gpg2 --armor --export-secret-key {id}
- signing and trusting a (public) key:
gpg2 --edit-key {id}
sign
trust
save
- backing up secret keys:
gpg2 --armor --export-secret-key {id} | gpg2 --armor --sign --symmetric --force-mdc
- deleting a public key:
gpg2 --delete-key {id}
- deleting a secret key (together with its public key):
gpg2 --delete-secret-and-public-key {id}
Publishing
- downloading a key from a key server:
gpg2 --keyserver {host} --recv-key {id}
- uploading a key to a key server:
gpg2 --keyserver {host} --send-key {id}
- refreshing all local keys with a key server:
gpg2 --keyserver {host} --refresh-keys
Configuration
~/.gnupg/options:
default-key ...
encrypt-to ...
default-recipient-self
ask-cert-level
default-cert-level 0
min-cert-level 3
cipher-algo aes256
digest-algo sha256
cert-digest-algo sha256
compress-algo none
s2k-cipher-algo aes256
s2k-digest-algo sha256
s2k-mode 3
s2k-count 50331648
use-agent
verify-options pka-lookups
import-options repair-pks-subkey-bug,import-clean
export-options export-clean
auto-key-locate local,pka,keyserver
keyserver hkp://pgp.mit.edu
keyserver-options timeout=12,include-revoked,include-disabled,auto-key-retrieve,honor-keyserver-url,honor-pka-record,check-cert,repair-pks-subkey-bug,import-clean,export-clean
Scripts
- finding all public key identifiers:
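(
	set -e -E -u -o pipefail -o noclobber -o noglob +o braceexpand || exit 1 ;
	trap 'printf "[ee] failed: %s\n" "${BASH_COMMAND}" >&2' ERR || exit 1

	# expects the legacy listing format, e.g. "pub   2048R/0123ABCD 2010-01-01";
	# sed prints each 8-digit key id and quits with status 1 on an unparsed "pub" line
	gpg2 --list-keys \
	| sed -r -e 's!^pub +[0-9]{4}[a-zA-Z]/([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e 't' -e '/^pub/Q 1' -e 'd'

	exit 0 ;
)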
- finding all secret key identifiers:
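(
	set -e -E -u -o pipefail -o noclobber -o noglob +o braceexpand || exit 1 ;
	trap 'printf "[ee] failed: %s\n" "${BASH_COMMAND}" >&2' ERR || exit 1

	# expects the legacy listing format, e.g. "sec   2048R/0123ABCD 2010-01-01";
	# sed prints each 8-digit key id and quits with status 1 on an unparsed "sec" line
	gpg2 --list-secret-keys \
	| sed -r -e 's!^sec +[0-9]{4}[a-zA-Z]/([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e 't' -e '/^sec/Q 1' -e 'd'

	exit 0 ;
)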
- finding all signed key identifiers:
(
	set -e -E -u -o pipefail -o noclobber -o noglob +o braceexpand || exit 1 ;
	trap 'printf "[ee] failed: %s\n" "${BASH_COMMAND}" >&2' ERR || exit 1

	# for every public key, count the signatures issued by one of our own secret keys
	# and print the key id when at least one is found (legacy listing format expected)
	gpg2 --list-keys \
	| sed -r -e 's!^pub +[0-9]{4}[a-zA-Z]/([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e 't' -e '/^pub/Q 1' -e 'd' \
	| while read -r key ; do
		signatures="$(
			gpg2 --list-sigs "${key}" \
			| sed -r -e 's!^sig [1-3 ] [L ][R ][P ][N ][X ][1-9T ] ([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e t -e '/^sig/p' -e '/^sig/Q 1' -e 'd' \
			| grep -c -F -x -f <(
				gpg2 --list-secret-keys \
				| sed -r -e 's!^sec +[0-9]{4}[a-zA-Z]/([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e 't' -e '/^sec/Q 1' -e 'd'
			) \
			|| true
		)"
		if test "${signatures}" -ge 1 ; then
			echo "${key}"
		fi
	done

	exit 0 ;
)
- cleaning all keys:
(
	set -e -E -u -o pipefail -o noclobber -o noglob +o braceexpand || exit 1 ;
	trap 'printf "[ee] failed: %s\n" "${BASH_COMMAND}" >&2' ERR || exit 1

	# run "clean" on every public key in the keyring (legacy listing format expected)
	gpg2 --list-keys \
	| sed -r -e 's!^pub +[0-9]{4}[a-zA-Z]/([0-9A-F]{8}) [0-9]{4}-[0-9]{2}-[0-9]{2}.*$!\1!g' -e 't' -e '/^pub/Q 1' -e 'd' \
	| xargs -d '\n' -I {} -- gpg2 --batch --edit-key {} clean save quit

	exit 0 ;
)
Notes
Key servers
hkp://keys.gnupg.net;
hkp://pgp.mit.edu;
Signature flags
- verification status:
! -- good signature;
- -- bad signature;
% -- error while checking;
1-3 -- check level;
L -- local (non-exportable) signature;
R -- non-revocable signature;
P -- signature with policy URL;
N -- signature with a notation;
X -- expired signature;
1-9 or T -- trust level;
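Auditing signatures with these flags (an added example, not part of the original page): the functions below read `gpg2 --check-sigs` output and report each signature's verification status plus the local, non-revocable and expired flags. The fixed column layout is an assumption taken from the sed pattern in the scripts above, with the verification status in the column right after "sig"; the function names and the sample listing are constructed for illustration.

```sh
# Added example, not from the original page. Assumed layout of a signature line:
# "sig", status (! - % or blank), check level, space, six flag columns
# (L R P N X trust), space, 8-hex-digit signer key id.

sample_listing() {
	# constructed sample; "." marks a blank column and is turned into a space by tr
	printf '%s\n' \
		'pub...2048R/AAAAAAAA.2010-01-01' \
		'sig!3........AAAAAAAA.2010-01-01..Constructed.User' \
		'sig-.........BBBBBBBB.2011-02-02..Constructed.User' \
		'sig%.........CCCCCCCC.2011-03-03..Constructed.User' \
		'sig!2.L......DDDDDDDD.2012-04-04..Constructed.User' \
		'sig!......X..EEEEEEEE.2009-05-05..Constructed.User' \
	| tr '.' ' '
}

# audit_sigs: stdin = listing text; stdout = "<signer-id> <verdict> [notes]".
# Exits non-zero when a "sig" line does not fit the layout (like `Q 1` above).
audit_sigs() {
	awk '
		/^sig/ {
			head  = substr($0, 4, 10)   # status, level, space, 6 flags, space
			keyid = substr($0, 14, 8)
			if (head !~ /^[-!% ][1-3 ] [L ][R ][P ][N ][X ][1-9T ] $/ ||
			    length(keyid) != 8 || keyid ~ /[^0-9A-F]/) {
				print "unparsed: " $0 > "/dev/stderr"
				failed = 1 ; next
			}
			s = substr(head, 1, 1)
			verdict = (s == "!") ? "good" : (s == "-") ? "bad" : (s == "%") ? "error" : "unchecked"
			notes = ""
			if (substr(head, 4, 1) == "L") notes = notes " local"
			if (substr(head, 5, 1) == "R") notes = notes " non-revocable"
			if (substr(head, 8, 1) == "X") notes = notes " expired"
			print keyid " " verdict notes
		}
		END { exit failed + 0 }
	'
}

# problem_sigs: signer ids whose signature is not verified as good, or is expired
problem_sigs() {
	report="$(audit_sigs)" || return 1
	printf '%s\n' "${report}" | awk 'NF && ($2 != "good" || / expired/) { print $1 }'
}
```

Typical use is `gpg2 --check-sigs {id} | problem_sigs`; plain `--list-sigs` output leaves the status column blank, so every signature is reported as unchecked.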