From Attie's Wiki
Jump to: navigation, search

How to make use of GPG (GNU Privacy Guard)

# make a key (it is often necessary to copy a large file in order to generate enough random data - roughly 3GB should do for a 2048-bit key)
gpg --gen-key
# view the stored keys
gpg --list-keys
gpg --list-secret-keys
# export the public key (for use by others)
gpg --armor --output pubkey.txt --export ${key-id}
# export a secret key (be safe!)
gpg --armor --output privkey.txt --export-secret-keys ${key-id}
# import a key (public or private)
gpg --import key.asc
# send your public key to a public server - it may take a minute or two to appear, presumably there is some server-side processing to be done
gpg --send-keys ${key-id}
# retrieve a public key from a public server
gpg --search-keys ''
# encrypt a file
gpg --encrypt --recipient ${key-id} foo.txt
# decrypt a file
gpg --output foo.txt --decrypt foo.txt.gpg
# sign a file
gpg --armor --detach-sign crucial.tar.gz
# verify a file's signature
gpg --verify crucial.tar.gz.asc crucial.tar.gz
# edit a key
gpg --edit-key ${key-id}
Long Short Description
--list-keys -k list the public keys stored
--list-secret-keys -K list the private keys stored
--armor -a create ASCII armored output, the default is plain binary
--output -o write to output file
--recipient -r encrypt a file for the given recipeint
--encrypt -e encrypt a file
--decrypt -d decrypt a file
--detach-sig -b make a detached signature


Uncertain Ownership

It is NOT certain that the key belongs to the person named in the user ID.
This message can be caused if you import a key that was generated on another system. It can be prevented by one of the following methods:


  1. Run gpg --edit-key ${key-id}
  2. Enter the command trust
  3. Select the appropriate trust level

Every Execution

gpg --encrypt --yes --no-tty --trust-model always --recipient ${key-id}


The ${key-id} tags above generally mean the 32-bit identifier, in hex. It appears that you can often use the email address to identify a key as well.

$ gpg -k
pub   2048R/8462FC4A 2012-02-23
uid                  Attie Grande <>
sub   2048R/E8423A6F 2012-02-23

The fake key information from above has a ${key-id} of 0x8462FC4A
In some situations like the --recipient argument you may use the name Attie Grande, part of the name Attie, or the identifier 0x8462FC4A

Send files via a secure channel

Secure in that it is encrypted, not so much in that this example uses netcat.

The recipient is ${RECIPIENT}, I have his public key.


tar -caf - -C ${SRC_DIR} ${FILES} | gzip | gpg -e -r ${RECIPIENT} - | nc -l 27015


nc ${SERVER} 27015 | gpg -o - -d | gzip -d | tar -xv
Personal tools