gnupg: Operational GPG Commands
4.1.2 Commands to select the type of operation
----------------------------------------------
'--sign'
'-s'
Sign a message. This command may be combined with '--encrypt' (to
sign and encrypt a message), '--symmetric' (to sign and
symmetrically encrypt a message), or both '--encrypt' and
'--symmetric' (to sign and encrypt a message that can be decrypted
using a secret key or a passphrase). The signing key is chosen by
default or can be set explicitly using the '--local-user' and
'--default-key' options.
'--clear-sign'
'--clearsign'
Make a cleartext signature. The content in a cleartext signature
is readable without any special software. OpenPGP software is only
needed to verify the signature. cleartext signatures may modify
end-of-line whitespace for platform independence and are not
intended to be reversible. The signing key is chosen by default or
can be set explicitly using the '--local-user' and '--default-key'
options.
'--detach-sign'
'-b'
Make a detached signature.
'--encrypt'
'-e'
Encrypt data to one or more public keys. This command may be
combined with '--sign' (to sign and encrypt a message),
'--symmetric' (to encrypt a message that can be decrypted using a
secret key or a passphrase), or '--sign' and '--symmetric' together
(for a signed message that can be decrypted using a secret key or a
passphrase). '--recipient' and related options specify which
public keys to use for encryption.
'--symmetric'
'-c'
Encrypt with a symmetric cipher using a passphrase. The default
symmetric cipher used is AES-128, but may be chosen with the
'--cipher-algo' option. This command may be combined with '--sign'
(for a signed and symmetrically encrypted message), '--encrypt'
(for a message that may be decrypted via a secret key or a
passphrase), or '--sign' and '--encrypt' together (for a signed
message that may be decrypted via a secret key or a passphrase).
'gpg' caches the passphrase used for symmetric encryption so that a
decrypt operation may not require that the user needs to enter the
passphrase. The option '--no-symkey-cache' can be used to disable
this feature.
'--store'
Store only (make a simple literal data packet).
'--decrypt'
'-d'
Decrypt the file given on the command line (or STDIN if no file is
specified) and write it to STDOUT (or the file specified with
'--output'). If the decrypted file is signed, the signature is
also verified. This command differs from the default operation, as
it never writes to the filename which is included in the file and
it rejects files that don't begin with an encrypted message.
'--verify'
Assume that the first argument is a signed file and verify it
without generating any output. With no arguments, the signature
packet is read from STDIN. If only one argument is given, the
specified file is expected to include a complete signature.
With more than one argument, the first argument should specify a
file with a detached signature and the remaining files should
contain the signed data. To read the signed data from STDIN, use
'-' as the second filename. For security reasons, a detached
signature will not read the signed material from STDIN if not
explicitly specified.
Note: If the option '--batch' is not used, 'gpg' may assume that a
single argument is a file with a detached signature, and it will
try to find a matching data file by stripping certain suffixes.
Using this historical feature to verify a detached signature is
strongly discouraged; you should always specify the data file
explicitly.
Note: When verifying a cleartext signature, 'gpg' verifies only
what makes up the cleartext signed data and not any extra data
outside of the cleartext signature or the header lines directly
following the dash marker line. The option '--output' may be used
to write out the actual signed data, but there are other pitfalls
with this format as well. It is suggested to avoid cleartext
signatures in favor of detached signatures.
Note: Sometimes the use of the 'gpgv' tool is easier than using the
full-fledged 'gpg' with this option. 'gpgv' is designed to compare
signed data against a list of trusted keys and returns with success
only for a good signature. It has its own manual page.
'--multifile'
This modifies certain other commands to accept multiple files for
processing on the command line or read from STDIN with each
filename on a separate line. This allows for many files to be
processed at once. '--multifile' may currently be used along with
'--verify', '--encrypt', and '--decrypt'. Note that '--multifile
--verify' may not be used with detached signatures.
'--verify-files'
Identical to '--multifile --verify'.
'--encrypt-files'
Identical to '--multifile --encrypt'.
'--decrypt-files'
Identical to '--multifile --decrypt'.
'--list-keys'
'-k'
'--list-public-keys'
List the specified keys. If no keys are specified, then all keys
from the configured public keyrings are listed.
Never use the output of this command in scripts or other programs.
The output is intended only for humans and its format is likely to
change. The '--with-colons' option emits the output in a stable,
machine-parseable format, which is intended for use by scripts and
other programs.
'--list-secret-keys'
'-K'
List the specified secret keys. If no keys are specified, then all
known secret keys are listed. A '#' after the initial tags 'sec'
or 'ssb' means that the secret key or subkey is currently not
usable. We also say that this key has been taken offline (for
example, a primary key can be taken offline by exporting the key
using the command '--export-secret-subkeys'). A '>' after these
tags indicate that the key is stored on a smartcard. See also
'--list-keys'.
'--check-signatures'
'--check-sigs'
Same as '--list-keys', but the key signatures are verified and
listed too. Note that for performance reasons the revocation
status of a signing key is not shown. This command has the same
effect as using '--list-keys' with '--with-sig-check'.
The status of the verification is indicated by a flag directly
following the "sig" tag (and thus before the flags described below.
A "!" indicates that the signature has been successfully verified,
a "-" denotes a bad signature and a "%" is used if an error
occurred while checking the signature (e.g. a non supported
algorithm). Signatures where the public key is not available are
not listed; to see their keyids the command '--list-sigs' can be
used.
For each signature listed, there are several flags in between the
signature status flag and keyid. These flags give additional
information about each key signature. From left to right, they are
the numbers 1-3 for certificate check level (see
'--ask-cert-level'), "L" for a local or non-exportable signature
(see '--lsign-key'), "R" for a nonRevocable signature (see the
'--edit-key' command "nrsign"), "P" for a signature that contains a
policy URL (see '--cert-policy-url'), "N" for a signature that
contains a notation (see '--cert-notation'), "X" for an eXpired
signature (see '--ask-cert-expire'), and the numbers 1-9 or "T" for
10 and above to indicate trust signature levels (see the
'--edit-key' command "tsign").
'--locate-keys'
'--locate-external-keys'
Locate the keys given as arguments. This command basically uses
the same algorithm as used when locating keys for encryption or
signing and may thus be used to see what keys 'gpg' might use. In
particular external methods as defined by '--auto-key-locate' may
be used to locate a key. Only public keys are listed. The variant
'--locate-external-keys' does not consider a locally existing key
and can thus be used to force the refresh of a key via the defined
external methods.
'--show-keys'
This commands takes OpenPGP keys as input and prints information
about them in the same way the command '--list-keys' does for
locally stored key. In addition the list options
'show-unusable-uids', 'show-unusable-subkeys', 'show-notations' and
'show-policy-urls' are also enabled. As usual for automated
processing, this command should be combined with the option
'--with-colons'.
'--fingerprint'
List all keys (or the specified ones) along with their
fingerprints. This is the same output as '--list-keys' but with
the additional output of a line with the fingerprint. May also be
combined with '--check-signatures'. If this command is given
twice, the fingerprints of all secondary keys are listed too. This
command also forces pretty printing of fingerprints if the keyid
format has been set to "none".
'--list-packets'
List only the sequence of packets. This command is only useful for
debugging. When used with option '--verbose' the actual MPI values
are dumped and not only their lengths. Note that the output of
this command may change with new releases.
'--edit-card'
'--card-edit'
Present a menu to work with a smartcard. The subcommand "help"
provides an overview on available commands. For a detailed
description, please see the Card HOWTO at
https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
'--card-status'
Show the content of the smart card.
'--change-pin'
Present a menu to allow changing the PIN of a smartcard. This
functionality is also available as the subcommand "passwd" with the
'--edit-card' command.
'--delete-keys NAME'
Remove key from the public keyring. In batch mode either '--yes'
is required or the key must be specified by fingerprint. This is a
safeguard against accidental deletion of multiple keys. If the
exclamation mark syntax is used with the fingerprint of a subkey
only that subkey is deleted; if the exclamation mark is used with
the fingerprint of the primary key the entire public key is
deleted.
'--delete-secret-keys NAME'
Remove key from the secret keyring. In batch mode the key must be
specified by fingerprint. The option '--yes' can be used to advise
gpg-agent not to request a confirmation. This extra pre-caution is
done because 'gpg' can't be sure that the secret key (as controlled
by gpg-agent) is only used for the given OpenPGP public key. If
the exclamation mark syntax is used with the fingerprint of a
subkey only the secret part of that subkey is deleted; if the
exclamation mark is used with the fingerprint of the primary key
only the secret part of the primary key is deleted.
'--delete-secret-and-public-key NAME'
Same as '--delete-key', but if a secret key exists, it will be
removed first. In batch mode the key must be specified by
fingerprint. The option '--yes' can be used to advise gpg-agent
not to request a confirmation.
'--export'
Either export all keys from all keyrings (default keyrings and
those registered via option '--keyring'), or if at least one name
is given, those of the given name. The exported keys are written
to STDOUT or to the file given with option '--output'. Use
together with '--armor' to mail those keys.
'--send-keys KEYIDS'
Similar to '--export' but sends the keys to a keyserver.
Fingerprints may be used instead of key IDs. Don't send your
complete keyring to a keyserver -- select only those keys which are
new or changed by you. If no KEYIDS are given, 'gpg' does nothing.
Take care: Keyservers are by design write only systems and thus it
is not possible to ever delete keys once they have been send to a
keyserver.
'--export-secret-keys'
'--export-secret-subkeys'
Same as '--export', but exports the secret keys instead. The
exported keys are written to STDOUT or to the file given with
option '--output'. This command is often used along with the
option '--armor' to allow for easy printing of the key for paper
backup; however the external tool 'paperkey' does a better job of
creating backups on paper. Note that exporting a secret key can be
a security risk if the exported keys are sent over an insecure
channel.
The second form of the command has the special property to render
the secret part of the primary key useless; this is a GNU extension
to OpenPGP and other implementations can not be expected to
successfully import such a key. Its intended use is in generating
a full key with an additional signing subkey on a dedicated
machine. This command then exports the key without the primary key
to the main machine.
GnuPG may ask you to enter the passphrase for the key. This is
required, because the internal protection method of the secret key
is different from the one specified by the OpenPGP protocol.
'--export-ssh-key'
This command is used to export a key in the OpenSSH public key
format. It requires the specification of one key by the usual
means and exports the latest valid subkey which has an
authentication capability to STDOUT or to the file given with
option '--output'. That output can directly be added to ssh's
'authorized_key' file.
By specifying the key to export using a key ID or a fingerprint
suffixed with an exclamation mark (!), a specific subkey or the
primary key can be exported. This does not even require that the
key has the authentication capability flag set.
'--import'
'--fast-import'
Import/merge keys. This adds the given keys to the keyring. The
fast version is currently just a synonym.
There are a few other options which control how this command works.
Most notable here is the '--import-options merge-only' option which
does not insert new keys but does only the merging of new
signatures, user-IDs and subkeys.
'--receive-keys KEYIDS'
'--recv-keys KEYIDS'
Import the keys with the given KEYIDS from a keyserver.
'--refresh-keys'
Request updates from a keyserver for keys that already exist on the
local keyring. This is useful for updating a key with the latest
signatures, user IDs, etc. Calling this with no arguments will
refresh the entire keyring.
'--search-keys NAMES'
Search the keyserver for the given NAMES. Multiple names given
here will be joined together to create the search string for the
keyserver. Note that keyservers search for NAMES in a different
and simpler way than gpg does. The best choice is to use a mail
address. Due to data privacy reasons keyservers may even not even
allow searching by user id or mail address and thus may only return
results when being used with the '--recv-key' command to search by
key fingerprint or keyid.
'--fetch-keys URIS'
Retrieve keys located at the specified URIS. Note that different
installations of GnuPG may support different protocols (HTTP, FTP,
LDAP, etc.). When using HTTPS the system provided root
certificates are used by this command.
'--update-trustdb'
Do trust database maintenance. This command iterates over all keys
and builds the Web of Trust. This is an interactive command
because it may have to ask for the "ownertrust" values for keys.
The user has to give an estimation of how far she trusts the owner
of the displayed key to correctly certify (sign) other keys. GnuPG
only asks for the ownertrust value if it has not yet been assigned
to a key. Using the '--edit-key' menu, the assigned value can be
changed at any time.
'--check-trustdb'
Do trust database maintenance without user interaction. From time
to time the trust database must be updated so that expired keys or
signatures and the resulting changes in the Web of Trust can be
tracked. Normally, GnuPG will calculate when this is required and
do it automatically unless '--no-auto-check-trustdb' is set. This
command can be used to force a trust database check at any time.
The processing is identical to that of '--update-trustdb' but it
skips keys with a not yet defined "ownertrust".
For use with cron jobs, this command can be used together with
'--batch' in which case the trust database check is done only if a
check is needed. To force a run even in batch mode add the option
'--yes'.
'--export-ownertrust'
Send the ownertrust values to STDOUT. This is useful for backup
purposes as these values are the only ones which can't be
re-created from a corrupted trustdb. Example:
gpg --export-ownertrust > otrust.txt
'--import-ownertrust'
Update the trustdb with the ownertrust values stored in 'files' (or
STDIN if not given); existing values will be overwritten. In case
of a severely damaged trustdb and if you have a recent backup of
the ownertrust values (e.g. in the file 'otrust.txt'), you may
re-create the trustdb using these commands:
cd ~/.gnupg
rm trustdb.gpg
gpg --import-ownertrust < otrust.txt
'--rebuild-keydb-caches'
When updating from version 1.0.6 to 1.0.7 this command should be
used to create signature caches in the keyring. It might be handy
in other situations too.
'--print-md ALGO'
'--print-mds'
Print message digest of algorithm ALGO for all given files or
STDIN. With the second form (or a deprecated "*" for ALGO) digests
for all available algorithms are printed.
'--gen-random 0|1|2 COUNT'
Emit COUNT random bytes of the given quality level 0, 1 or 2. If
COUNT is not given or zero, an endless sequence of random bytes
will be emitted. If used with '--armor' the output will be base64
encoded. PLEASE, don't use this command unless you know what you
are doing; it may remove precious entropy from the system!
'--gen-prime MODE BITS'
Use the source, Luke :-). The output format is subject to change
with ant release.
'--enarmor'
'--dearmor'
Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
This is a GnuPG extension to OpenPGP and in general not very
useful.
'--tofu-policy {auto|good|unknown|bad|ask} KEYS'
Set the TOFU policy for all the bindings associated with the
specified KEYS. For more information about the meaning of the
policies, ⇒trust-model-tofu. The KEYS may be specified
either by their fingerprint (preferred) or their keyid.
Info Catalog
gnupg: General GPG Commands
gnupg: GPG Commands
gnupg: OpenPGP Key Management