GPG command line
Encrypt
Encrypt a file for multiple recipient:
gpg -r <recipient1 email> -r <recipient2 email> --encrypt <myfile>
Encrypt multiple files:
gpg -r <recipient1 email> --encrypt-files <myfile1> <myfile2>
Encrypt, and convert output to ASCII (so it can be mailed):
gpg -e -a ...
Conventional encryption (makes file.pgp, asks for a password, uses the s2k mode to salt the passphrase) : gpg –s2k-mode 3 -c file
List
List keys:
gpg --list-keys pub 1024D/0A69A19C 2004-05-27 XXX <XXX@YYY.fr> sub 1024g/8CF406CB 2004-05-27
List secret keys: gpg –list-secret-keys
List signature:
gpg --list-sigs pub 1024D/0A69A19C 2004-05-27 XXX <XXX@YYY.fr> sig 3 0A69A19C 2004-05-27 XXX <XXX@YYY.fr> sig 2 CA739793 2004-05-27 Axelle Apvrille <XXX@XXX.fr> sub 1024g/8CF406CB 2004-05-27 sig 0A69A19C 2004-05-27 XXX <XXX@YYY.fr>
Export
Export key to file:gpg -ao toto-public.key -export 0637B724Export private key (keep this file in a secure place !):
gpg -ao toto-private.key -export-secret-keys 0637B724Protect the private key with a passphrase:
gpg -a -export-secret-keys 0637B724 | gpg -aco my-private.key.gpgProtect the private key with "conventional" encryption:
gpg -a -export-secret-keys 0637B724 | gpg -c my-private.key.gpgExport public key to armour file:
gpg -armor -export email@email.com > mypkRem. attention gpg -export xxx -armor does not armour...
Import
Import key:gpg -import {key file}Import private key:
gpg -allow-secret-key-import -import {key}Importing an encrypted key:
gpg -decrypt toto-private.key.gpg | gpg –importImport a key from a keyserver:
gpg -keyserver wwwkeys.pgp.net –recv-keys <keyID>
Sign a key
- select the key ID you want to select (-list-keys)
- sign the key (-sign-key) or interactively (-edit-key + sign)
- optional: send the public part of the key to its owner, it contains your signature.
gpg [--default-key xxxxx] --sign-key 0a69a19c pub 1024D/0A69A19C créée: 2004-05-27 expire: never confiance: -/- sub 1024g/8CF406CB créée: 2004-05-27 expire: never (1). XXX <XXX@YYY.fr> pub 1024D/0A69A19C créée: 2004-05-27 expire: never confiance: -/- Empreinte de la clé principale: F233 758B 65C0 A98E 99AC 2DB0 96E7 6731 0A69 A19C Avec quel soin avez-vous vérifié que la clé que vous allez signer appartient réellement à la personne sus-nommée ? Si vous ne savez quoi répondre, entrez "0". (0) Je ne répondrai pas. (par défaut) (1) Je n'ai pas vérifié du tout. (2) J'ai un peu vérifié. (3) J'ai vérifié très soigneusement. Your selection? (enter '?' for more information): 2 Etes-vous vraiment sûr(e) que vous voulez signer cette clé avec la vôtre: "Axelle Apvrille <XXX>" (CA739793) J'ai un peu vérifié cette clé. Signer réellement ? oui Vous avez besoin d'un mot de passe pour déverrouiller la clé secrète pour l'utilisateur: "Axelle Apvrille <XXX.XXX@fr>" clé de 2048 bits RSA, ID CA739793, créée le ... Entrez le mot de passe: ****
Add a photo
The interactive way:
gpg --edit-key xxxxx Command> addphoto
choose a JPEG photo
Modify passphrase
Interactive way:
gpg --edit-key myemail@com Command> passwd
Key server
Examples of keyservers:- hkp://keys.gnupg.net
- pgp.mit.edu
gpg --send-keys D0XYZTo send a key to a particular server:
gpg --keyserver pgp.mit.edu --send-key 0x37EC490C gpg: sending key 37EC490C to hkp server pgp.mit.eduTo search for key:
gpg --keyserver hkp://subkeys.pgp.net --search-keys A120F...To retrieve a key from a keyserver:
gpg --recv-keys --keyserver hkp://keys.gnupg.net 0x11111...
Revocation
In case your key gets lost (or else), you can revoke it. For that, generate a revocation certificate:$ gpg --output revoke.asc --gen-revoke ABCD Create a revocation certificate for this key? (y/N) y Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel ...Note you can generate the revocation certificate even when you don't want (yet) to revoke your key, and just keep the revocation certificate in a place where it is safe and use it later when you really want to revoke. Then, the day you really want to revoke the key:
- Import the revocation certificate in your keyring:
gpg --import revoke.asc
- Send the revoked key to a key server:
$ gpg --keyserver pgp.mit.edu --send-keys ABCD...
The key will then appear on the key server as "revoked".
Set trust level for a key
gpg --edit-key email@email.com > trust
Add a new user ID
gpg --edit-key myemail@com gpg> adduid
Add support for IDEA
IDEA is patented, so you should only use it if you are authorized to do so. By default, IDEA is not supported by GnuPG. To add support for IDEA:- get the sources for IDEA here/li>
- gunzip and copy the source file in the sources of gnupg, in the cipher directory.
- ./configure, then make in gnupg to rebuild gnupg with IDEA support.
GPG agent
echo RELOADAGENT | gpg-connect-agent
Design
See RFC 2440. OpenPGP buils a OpenPGP "Secret Key" Packet ("Private Key Packet" does not exist).
This packet contains:
- all information included in the Public Key Packet
- private key encryption method:
0 | PLAINTEXT PRIVATE KEY
or Algo ID | IV | ENCRYPTED PRIVATE KEY
(passphrase is MD5 hashed, the resulting key encrypts with AlgoID the private key.(CFB mode))or 255 | Algo ID | S2K spec | IV | ENCRYPTED PRIVATE KEY
(passphrase is converted into a key using S2K algorithm specified by S2K spec) with:- Simple S2K = hash the passphrase => S2KSpec = 0x00 HashAlgo
- Salted S2K = hash salt + passphrase ⇒ S2KSpec = 0×01 HashAlgo 8-byte salt
- Iterated S2K = loop hash(salt + passph) -> S2KSpec = 0×03 HashAlgo 8-byte salt 1-byte count