GNU Privacy Guard (GPG or GnuPG) is a open source replacement for the original Pretty Good Privacy software suite. It is capable of encrypt and decrypt data.

Key Management[edit | edit source]

Creating a New Key[edit | edit source]

To generate a new key, run gpg --gen-key

# gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Your default key can be set by setting the GPGKEY environment variable.

Listing Keys[edit | edit source]

gpg --list-keys

# gpg --list-keys
pub   2048R/28AF4724 2015-11-23
uid                  Leo Leung <>

Deleting Keys[edit | edit source]

Delete the private key using gpg --delete-secret-keys, and the public key using gpg --delete-keys.

# gpg --delete-secret-keys 28AF4724
sec  2048R/28AF4724 2015-11-23 Leo Leung <>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# gpg --delete-keys 28AF4724
pub  2048R/28AF4724 2015-11-23 Leo Leung <>

Delete this key from the keyring? (y/N) y

Adding another UID[edit | edit source]

Edit the key using gpg --edit-key and run then adduid command. Exit using the save command.

Sending a key to a key server[edit | edit source]

gpg --keyserver --send-key ###

Changing Private Key Passphrase[edit | edit source]

$ gpg --edit-key [keyID]
Command> passwd
Enter passphrase: 
Enter the new passphrase for this secret key.
Enter passphrase:
Repeat passphrase:
Command> save

Exporting Public Key[edit | edit source]

gpg --armor --export --output

Basic Usage[edit | edit source]

Encrypting Files[edit | edit source]

Encrypt a file with a passphrase:

$ gpg --output test.gpg --symmetric test.out
$ gpg -o test.gpg -c test.out

Decrypt a file.

## Writes to test.out
$ gpg --output test.out -d test.gpg 

## while this writes to test and deletes test.gpg
$ gpg test.gpg

Signing Files[edit | edit source]

There are a few types of signatures:

Binary Signature[edit | edit source]

The input file is compressed and its binary data is signed. GPG places the signature and compressed file contents into a .gpg file.

Signing gpg --clearsign test.txt
Verifying gpg --verify test.txt.gpg
Retrieving gpg -d -o test.txt test.txt.gpg

Clear Signature[edit | edit source]

The contents of the input file is signed in clear text. The signature and the contents of the input file are placed in clear text in a .asc file. This file can be viewed with any text editor and the signature and contents are fully visible.

Signing gpg --clearsign test.txt
Verifying gpg --verify test.txt.asc
Retrieving gpg -d -o test.txt test.txt.asc

Detached Signature[edit | edit source]

A signature for the input file is created and stored in a .sig file. Typically, the signature file is bundled with the input file with the same name except with the .sig file extension.

Signing gpg --detach-sign test.txt
Verifying gpg --verify test.txt.sig test.txt

Tasks[edit | edit source]

Automating Encrypted Backups using Asymmetric Keys[edit | edit source]


DATE=`date +%Y-%m-%d`

# Get the public key to encrypt with
wget -O - | gpg --import

# Create archive, pipe to gpg to encrypt, then send to freebsd
tar -czpf - \
        /usr/share/sickbeard/ \
        /etc/init.d/sickbeard  \
        /usr/share/SABnzbd/ \
        /etc/init.d/SABnzbd  \
        /home/rt \
        /var/www/html/rutorrent \
        /usr/lib64/httpd/modules/ \
        /etc/httpd/conf.d \
        /etc/httpd/conf/httpd.conf \
        /etc/fstab \
        /etc/passwd \
        /etc/group \
        /etc/shadow \
	| gpg --encrypt --yes --no-tty --trust-model always --recipient \
	| ssh backup@freebsd "cd /storage/backups/archived/sickbeard; cat - > $HOSTNAME.$DATE.tar.gz.gpg"

# Requires mailx, with smtp=smtp:// set in /etc/mail.rc
echo -e "Backup Completed on `date`.\nUptime: `uptime`\n\nProcesses:\n`ps -eaf`" | mail -s "Backup Completed on `hostname`" ""

# delete the public backup key
gpg --batch --yes --delete-key

Verifying file signature[edit | edit source]

Some downloads include a signature.txt.gpg file. Decrypt the file first (which also shows whether its signature is valid)


## Verify the files with sha256sum
$ sha256sum -c --ignore-missing CHECKSUMS.TXT

## Or sum the file in question and compare it with the checksums manually
$ sha256sum [filename]

See Also[edit | edit source]