In this article, I will take you through 23 practical gpg command examples to manage your keys in Linux. In today's digital age the most important asset we have is data, and the biggest challenge we face is to store and transport that data securely. To deal with this challenge we use data encryption and decryption. I am sure you have heard about these concepts before, but if you haven't, let me give you a quick idea.
Whenever we have to transfer data from one place to another, we encrypt it at the sender's end with the recipient's public key, so that anyone who does not hold the matching private key is unable to read it. At the receiver's side, the user holding the correct private key can decrypt and read the data. The important thing here is the public/private key pair that is used to encrypt and decrypt the data. There are many tools available to generate such a key pair; one popular tool is GnuPG, or GPG.
GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications. It features a versatile key management system, along with access modules for all kinds of public key directories.
Practical gpg command examples to Manage Your Keys in Linux
Example 1: How to Check gpg version
If you want to check the currently installed version of gpg then you need to use the gpg --version command. As you can see, the current version is 2.2.19.
NOTE: Here I am using the root user to run all the below commands. You can use any user with sudo access to run all these commands. For more information please check Step by Step: How to Add User to Sudoers to provide sudo access to the user.
root@localhost:~# gpg --version
gpg (GnuPG) 2.2.19
libgcrypt 1.8.5
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Example 2: How to Generate a new Key pair Using gpg command
If you want to generate a new public-private key pair then you need to use the gpg --gen-key command. Here you need to provide the Real Name and Email Address to generate a new key pair.
root@localhost:~# gpg --gen-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: CyberitHUB
Email address: admin@cyberithub.com
You selected this USER-ID:
"CyberitHUB <admin@cyberithub.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key D3895E88FF7A1B23 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23.rev'
public and secret key created and signed.
pub rsa3072 2021-10-21 [SC] [expires: 2023-10-21]
24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23
uid CyberitHUB <admin@cyberithub.com>
sub rsa3072 2021-10-21 [E] [expires: 2023-10-21]
Example 3: How to List all the Public Keys Using gpg command
If you want to list all the public keys then you need to use the gpg --list-keys command as shown below. Do not parse this output in a script or other program: it is a human-readable format and is likely to change between gpg versions.
root@localhost:~# gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-10-21
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2018-06-24 [SC] [expires: 2022-06-24]
7C9E68152594688862D62AF62D9AE806EC1592E2
uid [ unknown] Teabot <teabot@gitea.io>
sub rsa4096 2018-06-24 [E] [expires: 2022-06-24]
sub rsa4096 2018-06-24 [S] [expires: 2022-06-24]
pub rsa3072 2021-10-21 [SC] [expires: 2023-10-21]
24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23
uid [ultimate] CyberitHUB <admin@cyberithub.com>
sub rsa3072 2021-10-21 [E] [expires: 2023-10-21]
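Because the --list-keys output above is not meant for scripts, here is an added example (not from the article) that reads GnuPG's machine-readable --with-colons listing instead. The sample listing is constructed to mirror the two keys shown above; its epoch timestamps and uid hashes are made up, and list_keys_from_gpg() assumes gpg is on PATH.

```python
"""Parse `gpg --with-colons --list-keys` output (stable format) in place of the
human-readable listing. Added example, not from the original article."""
import subprocess
from datetime import datetime, timezone

# Constructed sample mirroring the two keys shown in the article; the epoch
# timestamps and uid hashes are made up to match the dates in the listing.
SAMPLE_LISTING = """\
pub:-:4096:1:2D9AE806EC1592E2:1529798400:1656028800::-:::scESC::::::23::0:
fpr:::::::::7C9E68152594688862D62AF62D9AE806EC1592E2:
uid:-::::1529798400::0123456789ABCDEF0123456789ABCDEF01234567::Teabot <teabot@gitea.io>::::::::::0:
sub:-:4096:1:0000000000000001:1529798400:1656028800:::::e::::::23:
pub:u:3072:1:D3895E88FF7A1B23:1634774400:1697846400::u:::scESC::::::23::0:
fpr:::::::::24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23:
uid:u::::1634774400::FEDCBA9876543210FEDCBA9876543210FEDCBA98::CyberitHUB <admin@cyberithub.com>::::::::::0:
sub:u:3072:1:0000000000000002:1634774400:1697846400:::::e::::::23:
"""
VALIDITY = {"u": "ultimate", "f": "full", "m": "marginal", "q": "undefined",
            "n": "never", "-": "unknown", "e": "expired", "r": "revoked"}


def _date(epoch):
    """Colon-listing timestamps are seconds since the epoch; empty means none."""
    return datetime.fromtimestamp(int(epoch), timezone.utc).strftime("%Y-%m-%d") if epoch else None


def parse_colon_listing(text):
    """One dict per primary key. Fields per GnuPG doc/DETAILS: 1 record type,
    2 validity, 5 key id, 6 created, 7 expires, 10 user id or fingerprint."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": VALIDITY.get(f[1], f[1]),
                         "created": _date(f[5]), "expires": _date(f[6]),
                         "fingerprint": None, "uid": None})
        elif f[0] == "fpr" and keys and keys[-1]["fingerprint"] is None:
            keys[-1]["fingerprint"] = f[9]  # first fpr after pub = primary key
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
    return keys


def expired_keys(keys, today):
    """Fingerprints of keys whose expiry (YYYY-MM-DD) is on or before `today`."""
    return [k["fingerprint"] for k in keys if k["expires"] and k["expires"] <= today]


def list_keys_from_gpg():
    """Same parser fed by a live gpg (assumes gpg on PATH and a usable keyring)."""
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    return parse_colon_listing(out)
```

Run expired_keys() over list_keys_from_gpg() to find keys in your keyring that are already past their expiry date, which the human-readable listing only shows as a bracketed date.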
Example 4: How to export a Public Key
If you want to export a public key then you need to use the gpg --export <name> > <my-key>.gpg syntax. In this example, we are exporting the public key using the gpg --export CyberitHUB > CyberitHUB-pub.gpg command as shown below.
root@localhost:~# gpg --export CyberitHUB > CyberitHUB-pub.gpg
You can list the exported key by using the ls -lrt CyberitHUB-pub.gpg command.
root@localhost:~# ls -lrt CyberitHUB-pub.gpg
-rw-r--r-- 1 root root 1753 Oct 21 20:54 CyberitHUB-pub.gpg
If you want to verify the type of the file then you need to run the file CyberitHUB-pub.gpg command.
root@localhost:~# file CyberitHUB-pub.gpg
CyberitHUB-pub.gpg: PGP/GPG key public ring (v4) created Thu Oct 21 20:48:09 2021 RSA (Encrypt or Sign) 3072 bits MPI=0xd907c2b1ee9ffefb...
Example 5: How to Get the Key ID from a Public Key file
If you want to get the Key ID from a public key file then you need to use the --show-keys option. Here I am checking the Key ID of the CyberitHUB-pub.gpg key using the gpg --show-keys CyberitHUB-pub.gpg command as shown below.
root@localhost:~# gpg --show-keys CyberitHUB-pub.gpg
pub rsa3072 2021-10-21 [SC] [expires: 2023-10-21]
24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23
uid CyberitHUB <admin@cyberithub.com>
sub rsa3072 2021-10-21 [E] [expires: 2023-10-21]
Example 6: How to Simulate Import of a Public Key
If you just want to simulate an action without actually performing it then you can use the --dry-run option. In this example, we are simulating the import of the CyberitHUB public key using the gpg --dry-run --import CyberitHUB-pub.gpg command.
root@localhost:~# gpg --dry-run --import CyberitHUB-pub.gpg
gpg: Total number processed: 1
Example 7: How to Delete Private/Secret Key of a Public Key
If you want to delete a private or secret key then you need to use the gpg --delete-secret-keys <key_id> syntax. In this example we are deleting the private key of CyberitHUB using the gpg --delete-secret-keys 24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23 command as shown below.
root@localhost:~# gpg --delete-secret-keys 24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa3072/D3895E88FF7A1B23 2021-10-21 CyberitHUB <admin@cyberithub.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Example 8: How to Delete a Public Key
If you want to delete a public key then you need to use the gpg --delete-key <key_id> command. In this example, we are deleting the public key of CyberitHUB using the gpg --delete-key 24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23 command. One important point to note here is that a public key cannot be deleted while its secret key is still in the keyring, so you always need to delete the secret key first. If you try to delete the public key first, gpg will ask you to delete the secret key first.
root@localhost:~# gpg --delete-key 24F7C1FBCB67EE7EB85ED424D3895E88FF7A1B23
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa3072/D3895E88FF7A1B23 2021-10-21 CyberitHUB <admin@cyberithub.com>
Delete this key from the keyring? (y/N) y
Example 9: How to Import a Public Key
If you want to import a public key then you need to use the gpg --import <public_key> command. In this example we are importing the public key CyberitHUB-pub.gpg using the gpg --import CyberitHUB-pub.gpg command as shown below.
root@localhost:~# gpg --import CyberitHUB-pub.gpg
gpg: key D3895E88FF7A1B23: public key "CyberitHUB <admin@cyberithub.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
Example 10: How to Encrypt a File with Password
If you want to encrypt a file with a passphrase (symmetric encryption) then you need to use the gpg -c <filename> syntax. In this example, we are encrypting the hello.py file using the gpg -c hello.py command. This command will ask you to provide a passphrase to protect the encrypted file.
root@localhost:~# gpg -c hello.py
Now if you check the file type of the hello.py.gpg file using the file hello.py.gpg command, it reports the file as symmetrically encrypted data using the AES-256 cipher (256-bit AES).
root@localhost:~# file hello.py.gpg
hello.py.gpg: GPG symmetrically encrypted data (AES256 cipher)
Example 11: How to Decrypt a File using gpg command
If you want to decrypt a file then you need to use the -d option. In this example we are decrypting the hello.py.gpg file using the gpg -d hello.py.gpg command as shown below; the decrypted content is printed to standard output.
root@localhost:~# gpg -d hello.py.gpg
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
print('Hello World !!')
Example 12: How to use a User's Public Key to Encrypt a File
If you want to encrypt a file, say hello.txt, for a user, say CyberitHUB, who is the recipient of the encrypted file, then you need to use the gpg --recipient CyberitHUB --encrypt hello.txt command as shown below. The encrypted output is written to hello.txt.gpg and can only be decrypted with the recipient's private key.
root@localhost:~# gpg --recipient CyberitHUB --encrypt hello.txt
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-10-21
Example 13: How to Fetch New Information from Keyserver
If you want to refresh the key information from the configured keyserver then you need to use the gpg --refresh-keys command as shown below.
root@localhost:~# gpg --refresh-keys
gpg: refreshing 3 keys from hkps://keys.openpgp.org
gpg: key 2D9AE806EC1592E2: "Teabot <teabot@gitea.io>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Example 14: How to make a Clear text signature
If you want to make a clear text signature then you need to use the gpg --clear-sign <file> syntax; the input can be any file, and here it happens to be the exported public key CyberitHUB-pub.gpg. In this example we are making a clear text signature using the gpg --clear-sign CyberitHUB-pub.gpg command as shown below. The content of a clear text signature is readable without any special software; the signed output is written to CyberitHUB-pub.gpg.asc.
root@localhost:~# gpg --clear-sign CyberitHUB-pub.gpg
Example 15: How to Export in ASCII Armored Format
If you want to export the key in ASCII armored format then you need to use the gpg --export --armor <user_email_id> syntax. In this example we are exporting the CyberitHUB public key in ASCII armored format using the gpg --export --armor admin@cyberithub.com command as shown below.
root@localhost:~# gpg --export --armor admin@cyberithub.com
-----BEGIN PGP PUBLIC KEY BLOCK-----
Example 16: How to Create Revocation Certificate
It is always recommended that after you generate your key pair, you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used.
root@localhost:~# gpg --gen-revoke admin@cyberithub.com
sec rsa3072/0DE8F82E4EBD9FEB 2021-10-21 CyberitHUB <admin@cyberithub.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate
-----END PGP PUBLIC KEY BLOCK-----
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
Example 17: How to Check all the options available with gpg command
If you want to dump all the options available with the gpg command then you need to use the gpg --dump-options command as shown below (the list is truncated here).
root@localhost:~# gpg --dump-options
--sign
--clear-sign
--clearsign
--detach-sign
--encrypt
--encrypt-files
--symmetric
--store
--decrypt
--decrypt-files
--verify
--verify-files
--list-keys
--list-public-keys
Example 18: How to Check the Man Page of gpg command
If you want to check the complete details of the gpg command then you need to use the man gpg command as shown below.
root@localhost:~# man gpg
GPG(1) GNU Privacy Guard 2.2 GPG(1)
NAME
gpg - OpenPGP encryption and signing tool
SYNOPSIS
gpg [--homedir dir] [--options file] [options] command [args]
DESCRIPTION
gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP
standard. gpg features complete key management and all the bells and whistles you would expect from a full OpenPGP implementation.
There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG 2.x supports modern encryption algorithms and thus should be preferred over
GnuPG 1.x. You only need to use GnuPG 1.x if your platform doesn't support GnuPG 2.x, or you need support for some features that GnuPG 2.x has
deprecated, e.g., decrypting data created with PGP-2 keys.
If you are looking for version 1 of GnuPG, you may find that version installed under the name gpg1.
Example 19: How to Export an ASCII armored version of the Public Key
If you want to export an ASCII armored version of the public key to a file then you need to use the --export option together with --armor and --output, as shown below.
root@localhost:~# gpg --output CyberitHUB.pgp --armor --export admin@cyberithub.com
To verify, you can check the type of the file generated above by using the file CyberitHUB.pgp command.
root@localhost:~# file CyberitHUB.pgp
CyberitHUB.pgp: PGP public key block Public-Key (old)
Example 20: How to Export an ASCII armored version of the Secret Key
If you want to export an ASCII armored version of the secret key then you need to use the --export-secret-key option with the gpg command. In the example below, we export the secret key of admin@cyberithub.com into an output file called CyberitHUB.pgp using the gpg --output CyberitHUB.pgp --armor --export-secret-key admin@cyberithub.com command. Keep in mind that the exported file is protected only by the key's passphrase, so store it with the same care as the key itself.
root@localhost:~# gpg --output CyberitHUB.pgp --armor --export-secret-key admin@cyberithub.com
To verify, you can check the type of the file the above command has generated by using the file CyberitHUB.pgp command.
root@localhost:~# file CyberitHUB.pgp
CyberitHUB.pgp: ASCII text
Example 21: How to Show Verified Key Signatures
If you want to check all the signatures on a key then you need to use the gpg --check-sigs <name> syntax. In this example we are checking the signatures on CyberitHUB using the gpg --check-sigs CyberitHUB command as shown below.
root@localhost:~# gpg --check-sigs CyberitHUB
pub rsa3072 2021-10-21 [SC] [expires: 2023-10-21]
A9A6BBC28FA7DB1D594F7CA80DE8F82E4EBD9FEB
uid [ultimate] CyberitHUB <admin@cyberithub.com>
sig!3 0DE8F82E4EBD9FEB 2021-10-21 CyberitHUB <admin@cyberithub.com>
sub rsa3072 2021-10-21 [E] [expires: 2023-10-21]
sig! 0DE8F82E4EBD9FEB 2021-10-21 CyberitHUB <admin@cyberithub.com>
gpg: 2 good signatures
Example 22: How to Search a Key in a Keyserver
If you want to search for a specific key on a keyserver then you need to use the gpg --search-keys <key_id> syntax. In this example we are searching for Key ID 7514F77D8366B0D9 on the configured keyserver https://keys.openpgp.org using the gpg --search-keys 7514F77D8366B0D9 command as shown below.
root@localhost:~# gpg --search-keys 7514F77D8366B0D9
gpg: data source: https://keys.openpgp.org:443
(1) 4096 bit RSA key 7514F77D8366B0D9, created: 2015-02-16
Keys 1-1 of 1 for "7514F77D8366B0D9". Enter number(s), N)ext, or Q)uit > N
Example 23: How to Make a Detached Signature
If you want to create a separate signature file which can be used later to verify the original file then you need to use the gpg -b <file> syntax (-b is short for --detach-sign). In this example we are creating a detached signature for the CyberitHUB.gpg file using the gpg -b CyberitHUB.gpg command as shown below; the signature is written to CyberitHUB.gpg.sig.
root@localhost:~# gpg -b CyberitHUB.gpg
To verify you can check the type of file above command has generated by using file CyberitHUB.gpg.sig
command.
root@localhost:~# file CyberitHUB.gpg.sig
CyberitHUB.gpg.sig: data
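As an added example that is not part of the article, the following Python checks a detached signature produced with gpg -b by reading gpg's --status-fd output and pinning the expected signing fingerprint (the fingerprint from Example 21 is reused; the status lines are constructed, and run_verify() assumes gpg is on PATH).

```python
"""Verify a detached signature from a script: read gpg's --status-fd lines and
pin the signer's fingerprint, rather than trusting the exit code alone.
Added example, not from the original article; gpg on PATH is assumed only
by run_verify()."""
import subprocess

FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_status(status_text, allowed_fingerprints):
    """Accept only if a VALIDSIG line names a primary key in the allow-list
    and no fatal status was emitted. VALIDSIG fields (GnuPG doc/DETAILS):
    fpr, date, timestamp, expiry, version, reserved, pk-algo, hash-algo,
    class, primary-key-fpr."""
    allowed = {fp.upper() for fp in allowed_fingerprints}
    seen_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in FATAL:
            return {"ok": False, "reason": keyword, "fingerprint": seen_fpr}
        if keyword == "VALIDSIG":
            # A subkey may have signed; the last field is the primary key.
            seen_fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    if seen_fpr is None:
        return {"ok": False, "reason": "NO_VALIDSIG", "fingerprint": None}
    if seen_fpr not in allowed:
        return {"ok": False, "reason": "UNEXPECTED_KEY", "fingerprint": seen_fpr}
    return {"ok": True, "reason": "VALIDSIG", "fingerprint": seen_fpr}


def run_verify(sig_path, data_path, allowed_fingerprints):
    """Check a `gpg -b` signature file against its data. The exit status is
    ignored on purpose: gpg exits 0 for a good signature by any keyring key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return check_status(proc.stdout, allowed_fingerprints)


# Constructed status output for a good signature by the article's CyberitHUB
# key (fingerprint from Example 21) and for a tampered file.
CYBERITHUB_FPR = "A9A6BBC28FA7DB1D594F7CA80DE8F82E4EBD9FEB"
GOOD_STATUS = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0DE8F82E4EBD9FEB CyberitHUB <admin@cyberithub.com>
[GNUPG:] VALIDSIG {CYBERITHUB_FPR} 2021-10-21 1634774400 0 4 0 1 10 00 {CYBERITHUB_FPR}
[GNUPG:] TRUST_ULTIMATE 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0DE8F82E4EBD9FEB CyberitHUB <admin@cyberithub.com>
"""
```

A call such as run_verify("CyberitHUB.gpg.sig", "CyberitHUB.gpg", [CYBERITHUB_FPR]) returns ok only when the signature is good and was made by the pinned key, not merely by some key that happens to be in the keyring.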