Tech > GnuPgTips



Hints and tips for using GPG encryption and signing tool from the GnuPG system.

Create a new Public and Private key pair

  • gpg --gen-key

Specify a different directory for creating the keyrings

  • gpg --homedir /home/xxx --gen-key

Creating a detached ascii signature

  • gpg --sign --detach-sign --armor file_to_be_signed


  • gpg -s -b -a file_to_be_signed

Signature Compatible with PGP


  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo cast5 file_to_be_signed


  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo 3des file_to_be_signed

Verifying a detached signature

  • gpg --verify signature_file signed_file

Exporting keys

These options allow you to transfer public and private keys to another machine. You can also export your trust database. You may also want to transfer your .gnupg/options or .gnupg/gpg.conf files too.

Export all public keys

  • gpg --export --armor > my_public_keys

Export specific public key

  • gpg --export --armor > my_public_key

Export all private keys

  • gpg --export-secret-keys --armor > my_secret_keys

Export trust ownership

  • gpg --export-ownertrust --armor > my_owner_trust

Importing keys

Importing public keys

  • gpg --import my_public_keys

Importing private keys

  • gpg --import --allow-secret-key-import my_secret_keys

Importing owner trust relationships

  • gpg --import-ownertrust my_owner_trust

Import a key from a dowloaded KEY file

  • gpg --import KEY_FILE_NAME

Importing a key from a public server

Imports the specified key from the specified public key server and adds it to your key chain.

  • gpg --keyserver --recv-keys 0x5072E1F5
  • gpg --keyserver --recv-keys 0x5072E1F5


When installed, gnupg should have created an example configuration file at ~/.gnupg/gpg.conf. You most likely want to change the following entries:

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id

If you have more than one secret key, set the default key to one of those shown by the gpg --list-secret-keys command.

Display Fingerprint

  • gpg --fingerprint

Signing a key

  • gpg --edit-key KEYNAME
  • sign
  • save

Trusting a key

You need to sign the key first. See Signing a key

  • gpg --edit-key KEYNAME
  • trust
  • 4
  • save

Updating the expiration date

  • gpg --edit-key YOUR_KEY
  • expire

Enter the period to extend the expiration date by, e.g. 1y

Then select the sub key and extend that too:

  • key 1
  • expire
  • 1y
  • save

Specifying an alternate location for the keyrings

gpg --keyring=/somewhere/else/pubring.gpg
   --secret-keyring=/somewhere/else/secring.gpg encrypted.gpg

Linux GUI Front-Ends for GnuPG

Windows Usage



-- Frank Dean - 26 Sep 2004

Related Topics: DebianTips, LinuxHintsAndTips