PGP/GPG Cheatsheet

Below is a reference cheatsheet for GPG that I use and reference.

Generate a new key pair

gpg --gen-key


List all public keys

gpg --list-public-keys

List all private keys

gpg --list-secret-keys

List everyone who has signed a key

gpg --list-sigs 0x12345678

Get the full fingerprint

gpg --fingerprint 0x12345678


Export public key

gpg --armor --export 0x12345678

Send public key using the default key server

gpg --send-keys 0x12345678

Send public key to a specific key server (KEYSERVER is a placeholder for the server's address)

gpg --keyserver KEYSERVER --send-keys 0x12345678

Export/Backup your private key

gpg --armor --export-secret-keys 0x12345678

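Search for a key using the default key server (SEARCH_TERM is a placeholder for what you are searching for)

gpg --search-keys SEARCH_TERM

Search for a key on a specific key server (KEYSERVER is a placeholder for the server's address)

gpg --keyserver KEYSERVER --search-keys SEARCH_TERM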

Receive the key 0x12345678

gpg --recv-keys 0x12345678

Receive the key 0x12345678 from a specific keyserver (KEYSERVER is a placeholder for the server's address)

gpg --keyserver KEYSERVER --recv-keys 0x12345678

Encrypting/Decrypting

Encrypt a file for someone, by their email (RECIPIENT_EMAIL is a placeholder; options go before the file name)

gpg --recipient RECIPIENT_EMAIL --encrypt filename.txt

Encrypt a file for multiple people, by their email addresses (EMAIL_1 to EMAIL_3 are placeholders). It's usually a good idea to encrypt to your own key as well or you will not be able to decrypt the file later

gpg --recipient EMAIL_1 --recipient EMAIL_2 --recipient EMAIL_3 --encrypt filename.txt

Encrypt a file for transmission over text: email, IRC, Jabber etc.

gpg --armour --recipient EMAIL_1 --recipient EMAIL_2 --recipient EMAIL_3 --encrypt filename.txt

Decrypting a file

gpg --output filename.txt --decrypt filename.txt.asc

Import Keys

Importing from a text file

gpg --import publickey.asc

Restore a backup of a private key

gpg --allow-secret-key-import --import privatekey.asc

Keys Maintenance Revoking

Creating a revocation certificate. You must have the private key to do this; if you have lost your private key, well, that's when problems kick in

gpg --output revoke.asc --gen-revoke 0x12345678

To revoke the key, all you need to do is import revoke.asc into your keyring

gpg --import revoke.asc

To make sure everyone knows your key has been revoked, you need to publish the updated public key (KEYSERVER is a placeholder for the server's address)

gpg --keyserver KEYSERVER --send-keys 0x12345678

Keys Maintenance Key Signing

You need to edit the key

gpg --edit-key 0x12345678

From here 'help' will give you a list of your options, but to sign a key you can either type 'sign' or 'tsign'. The man page ('man gpg') gives a better indication of what the difference is, but 'sign' is usually sufficient. After the key is signed, type 'save' and 'quit'. Then you can either send the key to a keyserver for download by its owner or export the public key and send it by other means; this usually means encrypted email.

Signing and Verifying files

To sign a file with your default key use this

gpg --detach-sign --armour filename.txt

To verify a signed file, pass the signature file produced above (filename.txt.asc)

gpg --verify filename.txt.asc
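
The sign and verify steps above, run end to end in a throwaway keyring so nothing touches ~/.gnupg. This is an added example, not part of the original cheatsheet. It assumes GnuPG 2.1 or later; the 'Demo Signer' identity, the ed25519 key and the file contents are constructed for the demo.

```sh
#!/bin/sh
# Added example: detached-signature round trip in a temporary keyring.
# Identity, key type and file contents are constructed for illustration.

# Print "good" or "bad" from gpg's exit status for a detached signature.
# Both the signature and the data file are named explicitly, so there is
# no doubt about which file the signature is being checked against.
check_sig() {
    if gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; then
        echo good
    else
        echo bad
    fi
}

# Sign filename.txt, then verify the original and a modified copy.
# Prints two words: the result for the original, then for the modified file.
# Runs in a subshell so GNUPGHOME and the cleanup trap do not leak out.
demo_sign_verify() (
    GNUPGHOME=$(mktemp -d) || exit 2
    export GNUPGHOME
    work=$(mktemp -d) || exit 2
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$work"' EXIT

    # Unprotected signing-only key; acceptable only because it is discarded.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' \
        ed25519 sign never 2>/dev/null || exit 2

    cd "$work" || exit 2
    printf 'release notes v1\n' > filename.txt
    gpg --batch --quiet --detach-sign --armor filename.txt || exit 2

    original=$(check_sig filename.txt.asc filename.txt)

    # Same signature file, one character of the content changed.
    printf 'release notes v2\n' > filename.txt
    tampered=$(check_sig filename.txt.asc filename.txt)

    echo "$original $tampered"
)

demo_sign_verify
```

In scripts, act on gpg's exit status as check_sig does, not on the human-readable text it prints.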