
GPG command line

Encrypt

Encrypt a file for multiple recipients:

gpg -r <recipient1 email> -r <recipient2 email> --encrypt <myfile>

Encrypt multiple files:

gpg -r <recipient1 email> --encrypt-files <myfile1> <myfile2>

Encrypt, and convert output to ASCII (so it can be mailed):

gpg -e -a ...

Conventional (symmetric) encryption (makes file.pgp, asks for a passphrase, uses S2K mode 3, i.e. iterated and salted, to derive the key from the passphrase): gpg --s2k-mode 3 -c file

List

List keys:

gpg --list-keys
		pub  1024D/0A69A19C 2004-05-27 XXX <XXX@YYY.fr>
		sub  1024g/8CF406CB 2004-05-27

List secret keys: gpg --list-secret-keys

List signatures:

gpg --list-sigs
		pub  1024D/0A69A19C 2004-05-27 XXX <XXX@YYY.fr>
		sig 3       0A69A19C 2004-05-27   XXX <XXX@YYY.fr>
		sig 2       CA739793 2004-05-27   Axelle Apvrille <XXX@XXX.fr>
		sub  1024g/8CF406CB 2004-05-27
		sig         0A69A19C 2004-05-27   XXX <XXX@YYY.fr>

Export

Export a public key to a file:
gpg -ao toto-public.key --export 0637B724
Export a private key (keep this file in a secure place!):
gpg -ao toto-private.key --export-secret-keys 0637B724
Protect the exported private key with a passphrase (armoured output):
gpg -a --export-secret-keys 0637B724 | gpg -aco my-private.key.gpg
Protect the exported private key with "conventional" encryption (binary output):
gpg -a --export-secret-keys 0637B724 | gpg -co my-private.key.gpg
Export a public key to an armoured file:
gpg --armor --export email@email.com > mypk
Note: gpg --export xxx --armor (option placed after the command) does not armour the output.

Import

Import a key:
gpg --import {key file}
Import a private key:
gpg --allow-secret-key-import --import {key}
Import an encrypted (exported) private key:
gpg --decrypt toto-private.key.gpg | gpg --import
Import a key from a keyserver:
gpg --keyserver wwwkeys.pgp.net --recv-keys <keyID>

Sign a key

  1. find the ID of the key you want to sign (--list-keys)
  2. sign the key (--sign-key), or interactively (--edit-key, then sign)
  3. optional: send the public part of the key back to its owner; it now contains your signature.
	gpg [--default-key xxxxx] --sign-key 0a69a19c 
		pub  1024D/0A69A19C  créée: 2004-05-27 expire: never      confiance: -/-
		sub  1024g/8CF406CB  créée: 2004-05-27 expire: never
		(1). XXX <XXX@YYY.fr>

		pub  1024D/0A69A19C  créée: 2004-05-27 expire: never      confiance: -/-
 		Empreinte de la clé principale: F233 758B 65C0 A98E 99AC  2DB0 96E7 6731 0A69 A19C

		Avec quel soin avez-vous vérifié que la clé que vous allez signer
		appartient réellement à la personne sus-nommée ? Si vous ne savez
		quoi répondre, entrez "0".

   		(0) Je ne répondrai pas. (par défaut)
   		(1) Je n'ai pas vérifié du tout.
   		(2) J'ai un peu vérifié.
   		(3) J'ai vérifié très soigneusement.

		Your selection? (enter '?' for more information): 2
		Etes-vous vraiment sûr(e) que vous voulez signer cette clé
		avec la vôtre: "Axelle Apvrille <XXX>" (CA739793)

		J'ai un peu vérifié cette clé.
		Signer réellement ? oui

		Vous avez besoin d'un mot de passe pour déverrouiller la clé secrète pour
		l'utilisateur: "Axelle Apvrille <XXX.XXX@fr>"

		clé de 2048 bits RSA, ID CA739793, créée le ...

		Entrez le mot de passe: ****

Add a photo

The interactive way:

gpg --edit-key xxxxx
Command> addphoto

then choose the JPEG photo file when prompted.

Modify passphrase

Interactive way:

gpg --edit-key myemail@com
Command> passwd

Key server

Examples of keyservers:
  • hkp://keys.gnupg.net
  • pgp.mit.edu
To send a key to a key server:
gpg --send-keys D0XYZ
To send a key to a particular server:
gpg --keyserver pgp.mit.edu --send-key 0x37EC490C
gpg: sending key 37EC490C to hkp server pgp.mit.edu
To search for a key:
gpg --keyserver hkp://subkeys.pgp.net --search-keys A120F...
To retrieve a key from a keyserver:
gpg --recv-keys --keyserver hkp://keys.gnupg.net 0x11111...

Revocation

In case your key gets lost (or else), you can revoke it. For that, generate a revocation certificate:
$ gpg --output revoke.asc --gen-revoke ABCD
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
...
Note that you can generate the revocation certificate before you actually need it, keep it somewhere safe, and use it later when you really want to revoke the key. The day you really want to revoke the key:
  1. Import the revocation certificate in your keyring:
    gpg --import revoke.asc
    
  2. Send the revoked key to a key server:
    $ gpg --keyserver pgp.mit.edu --send-keys ABCD...
    
    The key will then appear on the key server as "revoked".

Set trust level for a key

gpg --edit-key email@email.com
> trust

Add a new user ID

gpg --edit-key myemail@com
gpg> adduid

Add support for IDEA

IDEA is patented, so you should only use it if you are authorized to do so. By default, IDEA is not supported by GnuPG. To add support for IDEA:
  1. get the sources for IDEA
  2. gunzip them and copy the source file into the cipher directory of the gnupg sources.
  3. run ./configure, then make, in gnupg to rebuild gnupg with IDEA support.

GPG agent

echo RELOADAGENT | gpg-connect-agent

Design

See RFC 2440. OpenPGP builds an OpenPGP "Secret Key" packet (there is no "Private Key" packet).

This packet contains:

  • all information included in the Public Key Packet
  • the private key encryption method, one of:
    0 | PLAINTEXT PRIVATE KEY
    or Algo ID | IV | ENCRYPTED PRIVATE KEY
    (the passphrase is MD5 hashed; the resulting key encrypts the private key with AlgoID in CFB mode)
    or 255 | Algo ID | S2K spec | IV | ENCRYPTED PRIVATE KEY
    (the passphrase is converted into a key using the S2K algorithm given by the S2K spec), with:
    • Simple S2K = hash(passphrase) => S2KSpec = 0x00 HashAlgo
    • Salted S2K = hash(salt + passphrase) => S2KSpec = 0x01 HashAlgo 8-byte salt
    • Iterated S2K = loop hash(salt + passphrase) => S2KSpec = 0x03 HashAlgo 8-byte salt 1-byte count
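The three S2K variants and the protection layouts above, as an added worked example in Python (not code from this page or from GnuPG): it parses the protection fields at the tail of a Secret Key packet, expands the coded iteration count, and derives the passphrase key, including the multi-context trick for keys longer than one digest. The packet tail is constructed for the example, and the IV length is taken as the cipher block size as in RFC 4880.

```python
import hashlib
# OpenPGP algorithm IDs (RFC 2440 / RFC 4880 section 9); the IV is one cipher block long
HASH_ALGOS = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}
CIPHER_BLOCK = {1: 8, 2: 8, 3: 8, 4: 8, 7: 16, 8: 16, 9: 16}  # IDEA, 3DES, CAST5, Blowfish, AES

# Constructed sample: usage 255, AES-256 (9), iterated+salted S2K (3) with SHA-1 (2),
# an 8-byte salt, coded count 0x60 (= 65536 octets), then a 16-byte IV.
SAMPLE_TAIL = bytes([255, 9, 3, 2]) + bytes(range(1, 9)) + bytes([0x60]) + bytes(range(16))

def decode_count(c):  # coded one-octet count -> number of octets to hash
    return (16 + (c & 15)) << ((c >> 4) + 6)

def parse_s2k(spec):  # returns the S2K fields plus the encoded length of the specifier
    mode, algo = spec[0], spec[1]
    if mode == 0:      # simple: hash(passphrase)
        return {"mode": 0, "hash": algo, "salt": b"", "count": 0, "length": 2}
    if mode == 1:      # salted: hash(salt + passphrase)
        return {"mode": 1, "hash": algo, "salt": bytes(spec[2:10]), "count": 0, "length": 10}
    if mode == 3:      # iterated and salted: hash(salt + passphrase, repeated up to count octets)
        return {"mode": 3, "hash": algo, "salt": bytes(spec[2:10]),
                "count": decode_count(spec[10]), "length": 11}
    raise ValueError("unsupported S2K mode %d" % mode)

def s2k_derive(passphrase, s2k, key_len):
    """Derive key_len octets from the passphrase with a parsed S2K specifier."""
    data = s2k["salt"] + passphrase
    if s2k["mode"] == 3:
        count = max(s2k["count"], len(data))   # salt+passphrase is hashed at least once in full
        full, rem = divmod(count, len(data))
        data = data * full + data[:rem]
    out, ctx = b"", 0
    while len(out) < key_len:                  # keys longer than one digest use extra contexts
        h = hashlib.new(HASH_ALGOS[s2k["hash"]])
        h.update(b"\x00" * ctx + data)         # context n is preloaded with n zero octets
        out += h.digest()
        ctx += 1
    return out[:key_len]

def parse_protection(tail):  # tail = what follows the public fields in a Secret Key packet
    usage = tail[0]
    if usage == 0:                              # plaintext private key
        return {"usage": 0, "cipher": None, "s2k": None, "iv": b""}
    if usage in (254, 255):                     # cipher | S2K spec | IV (254: RFC 4880, SHA-1 checksum)
        cipher, s2k = tail[1], parse_s2k(tail[2:])
        start = 2 + s2k["length"]
    else:                                       # cipher | IV, key = MD5(passphrase) (simple S2K)
        cipher, start = usage, 1
        s2k = {"mode": 0, "hash": 1, "salt": b"", "count": 0, "length": 0}
    iv = bytes(tail[start:start + CIPHER_BLOCK[cipher]])
    return {"usage": usage, "cipher": cipher, "s2k": s2k, "iv": iv}
```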