SYNOPSYS

GNU Privacy Guard is an easy way to encrypt and sign your communications.

DOCUMENTATION

NAME

PROCEDURE

Initialize your infrastructure

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
#default dir is ~/.gnupg, use --homedir DIR or GNUPGHOME env var to override it
gpg --full-gen-key

# this creates
.gnupg/
├── openpgp-revocs.d
│   └── 62FF53DD5F7E3FB52294634747BF5575BE796351.rev
├── private-keys-v1.d
│   ├── CC27900520B41E7A75797135635565085FC638D9.key
│   └── FFB531C74A0D6BC1B02F907E343DF5FDE2D8CE1A.key
├── pubring.kbx
└── trustdb.gpg

# that hold your fresh new gpg secret key
public and secret key created and signed.

pub   ed25519 2024-02-12 [SC]
      62FF53DD5F7E3FB52294634747BF5575BE796351
uid                      John Doe (no comment) <john@doe.org>
sub   cv25519 2024-02-12 [E]

List your secret keys

1
2
gpg --list-secret-keys --fingerprint / --keyid-format short / --keyid-format long
gpg --fingerprint <key-ID>

Edit your keys

1
2
3
4
5
6
gpg --change-passphrase <key-ID>
gpg --edit-key <user@domain> | <key-ID>
  -- list
  -- key 0
  -- expire ...
  -- save

Publish your key to a keyserver

1
2
3
4
5
6
7
# echo "keyserver hkps://keys.openpgp.org" >> ~/.gnupg/gpg.conf
gpg --keyserver keyserver.ubuntu.com --send-keys <key-ID>
gpg --search john@doe.org / <key-ID>
gpg --auto-key-locate keyserver --locate-keys john@doe.org / <key-ID>

# your sent key should be similar to :
gpg --export --armor <key-ID> > public_key.asc

Revoke a key and publish it

1
2
3
gpg --output revoke.asc --gen-revoke <key-ID>
gpg --import revoke.asc
gpg --send-keys <key-ID>

Use gpg to encrypt / decrypt a message

1
2
3
# -e --encrypt / -d --decrypt / -r --recipient :: use --symmetric to use a default symmetric cipher
gpg -e -r dst@mail.com [-o msg.gpg] msg    # recipient's key must have been imported
gpg -d [-o msg] msg.gpg                  # ok if you are the recipient

Use gpg to sign / verify a message

1
2
3
4
5
6
# -s --sign && --detach-sign / -v --verify
gpg -s [-o msg.gpg] msg
gpg --verify msg.gpg

gpg -s --detach-sign [-o msg.sig] msg
gpg --verify msg.sig msg

You may need to reload the gpg-agent

1
echo RELOADAGENT | gpg-connect-agent