
Elevating Security with GnuPG: A Comprehensive Guide

Discover the power of GnuPG for securing your communications and data. This guide provides essential insights into configuring GnuPG for new users, generating keys, and managing secure sockets. Learn how to seamlessly integrate GnuPG into your workflow, ensuring your digital security is top-notch. Whether you're backing up keys, exporting public keys, or setting up GnuPG for the first time, this guide has you covered with practical commands and expert tips.

Default options for new users

If you want to set up default options for new users, put configuration files in /etc/skel/.gnupg/. When a new user is added to the system, the files from there are copied into that user's GnuPG home directory. There is also a simple script called addgnupghome which you can use to create new GnuPG home directories for existing users.

Permission denied errors are fixed by setting the correct permissions (directories need 700 and files 600; a plain chmod 600 on ~/.gnupg/* would also strip the execute bit from subdirectories such as private-keys-v1.d and break the agent)

chown -R "$(whoami)" ~/.gnupg
find ~/.gnupg -type d -exec chmod 700 {} \;
find ~/.gnupg -type f -exec chmod 600 {} \;

Add to ~/.bashrc

# Set GPG TTY
# ----------------
# Tell gpg-agent which terminal the pinentry should use
export GPG_TTY=$(tty)
gpg-connect-agent updatestartuptty /bye >/dev/null
# Let gpg-agent act as the SSH agent (needs enable-ssh-support in gpg-agent.conf)
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
  export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
# Start the agent if it is not already running for this user
if ! pgrep -x -u "${USER}" gpg-agent >/dev/null 2>&1; then
  gpg-connect-agent /bye >/dev/null 2>&1
fi

Initialize a GnuPG home directory for a specified user.

addgnupghome $LOGNAME

Use the passphrase directly on the command line by using batch mode (the passphrase then ends up in shell history and process listings; prefer --passphrase-file or --passphrase-fd for anything that matters)

gpg --batch --yes --symmetric --passphrase "password" testfile.txt

Full featured key pair generation

gpg --full-gen-key

Exporting a public key (the key is exported in binary format)

gpg --output public.gpg --export <email@something.com>

Export a key in ASCII/plain text

By default the key is exported in a binary format, which is inconvenient when the key is to be sent through email or published on a web page. GnuPG therefore supports the command-line option --armor, which causes output to be generated in an ASCII-armored format similar to uuencoded documents. In general, any output from GnuPG, e.g. keys, encrypted documents, and signatures, can be ASCII-armored by adding the --armor option.

gpg --armor --export <email@something.com>

Importing a public key (the argument is a key file, not an email address)

gpg --import some_email@domain.com.asc

Encrypting and decrypting documents

This produces text_file_to_be_encrypted.txt.gpg, encrypted to the recipient's public key

gpg --encrypt --recipient your@domain.com text_file_to_be_encrypted.txt

Encrypt a textfile with GnuPG and AES256

gpg --symmetric --cipher-algo AES256 text_file_to_be_encrypted.txt

Hardcore encrypt a file with Twofish encryption and a hardened S2K (passphrase-to-key) setting

gpg --symmetric --cipher-algo TWOFISH --digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 <filename.txt>

Decrypt a GnuPG file

gpg --decrypt text_file_to_be_encrypted.txt.gpg

Decrypt a file to a specific output file

gpg --output text_file_decrypted.txt --decrypt text_file_to_be_encrypted.txt.gpg

Encrypt directory with GnuPG and tar

tar -czf - foo | gpg --symmetric --cipher-algo AES256 --digest-algo SHA512 --compress-algo none -o foo.tar.gz.gpg

Use a key file instead of a passphrase (the --aead-algo OCB option needs GnuPG 2.3 or later)

dd if=/dev/random bs=32 count=1 of=keyfile.bin
chmod 600 keyfile.bin

tar -cf - foo | \
gpg --symmetric \
    --cipher-algo AES256 \
    --aead-algo OCB \
    --compress-algo none \
    --passphrase-file keyfile.bin \
    --pinentry-mode loopback \
    -o foo.tar.gpg

Importing keys

Import a private key

gpg --import private.key

Import a public key

gpg --import public.key

How to verify a download with an imported gpg key

gpg --import public.key
gpg --list-keys
gpg --edit-key <uid>
gpg> trust
gpg> lsign (or sign)
gpg --verify some-download.zip.asc some-download.zip
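Added example, not from the original page: a script should not rely on the human-readable "Good signature" text or on ownertrust, but read gpg's machine-readable status lines and pin the signer's full fingerprint. The demo below runs end to end in a throw-away GNUPGHOME with a constructed key; the user ID, file names and the all-zero "wrong" fingerprint are placeholders.

```shell
#!/bin/sh
# verify_pinned <sig> <file> <expected primary fingerprint>
# Returns 0 only if gpg reports VALIDSIG and the primary key fingerprint matches.
verify_pinned() {
    sig=$1; file=$2; want=$3
    # --status-fd 1 puts the stable "[GNUPG:] ..." protocol lines on stdout
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    # [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pkalgo> <hash> <class> <primary fpr>
    # Field 12 is the primary key fingerprint, valid even when a signing subkey made the signature.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $12; exit }')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# demo: create a key, sign a file, then check the pinned, a wrong, and a tampered case.
# Returns 0 when all three behave as expected.
demo() {
    GNUPGHOME=$(mktemp -d) || return 1; export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'demo <demo@example.invalid>' default default never 2>/dev/null || return 1
    # First "fpr" record in colon output is the primary key's fingerprint
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'release payload\n' > "$GNUPGHOME/release.tar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --armor \
        --output "$GNUPGHOME/release.tar.asc" --detach-sign "$GNUPGHOME/release.tar" || return 1
    ok_pinned=0; verify_pinned "$GNUPGHOME/release.tar.asc" "$GNUPGHOME/release.tar" "$fpr" || ok_pinned=1
    ok_wrong=0;  verify_pinned "$GNUPGHOME/release.tar.asc" "$GNUPGHOME/release.tar" \
                 0000000000000000000000000000000000000000 || ok_wrong=1
    printf 'tampered\n' >> "$GNUPGHOME/release.tar"
    ok_tamper=0; verify_pinned "$GNUPGHOME/release.tar.asc" "$GNUPGHOME/release.tar" "$fpr" || ok_tamper=1
    gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"
    [ "$ok_pinned" -eq 0 ] && [ "$ok_wrong" -ne 0 ] && [ "$ok_tamper" -ne 0 ]
}
```

In real use, obtain the expected fingerprint out of band (project website over HTTPS, a previous release) and keep it in the script, so a key that merely carries the right email address in its user ID is not accepted.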

Export Keys

This command will export an ASCII-armored version of the public key

gpg --output public.pgp --armor --export username@email

This command will export an ASCII-armored version of the secret key

gpg --output private.pgp --armor --export-secret-key username@email

Export all public keys

gpg -a --export >mypubkeys.asc

Export all encrypted private keys (which will also include public keys)

gpg -a --export-secret-keys >myprivatekeys.asc

Export gpg's trustdb to a text file

gpg --export-ownertrust >otrust.txt

Generating a revocation certificate

After your keypair is created you should immediately generate a revocation certificate for the primary public key using the option --gen-revoke. If you forget your passphrase or if your private key is compromised or lost, this revocation certificate may be published to notify others that the public key should no longer be used. A revoked public key can still be used to verify signatures made by you in the past, but it cannot be used to encrypt future messages to you. It also does not affect your ability to decrypt messages sent to you in the past if you still have access to the private key.

gpg --output revoke.asc --gen-revoke mykey

Misc

Generate a random string from 50 random bytes (the output is base64, so it is longer than 50 characters)

gpg --gen-random --armor 1 50

Print config/path location

gpgconf --list-dirs

View all keys

gpg --list-keys

List secret keys

gpg --list-secret-keys

Kill the running dirmngr daemon (and its socket)

gpgconf --kill dirmngr

Launch dirmngr (and its socket)

gpgconf --launch dirmngr

Backup GnuPG configuration/keyring

(umask 077 && tar -caf $HOME/gnupg-backup_`date +%Y%m%d_%H%M%S`.tar.xz -C ${HOME} .gnupg)

Display metadata from an encrypted file

gpg --list-packets text_file_to_be_encrypted.txt.gpg

Example output from metadata

gpg --list-packets gnupg_text_encryption.md.gpg
gpg: encrypted with cv25519 key, ID 0D4CA1775E7FBA1A, created 2026-01-22
      "linux-shell <info@linux-shell.se>"
# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid 0D4CA1775E7FBA1A
        data: [263 bits]
        data: [392 bits]
# off=96 ctb=d4 tag=20 hlen=3 plen=461 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
        length: 461
# off=118 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
# off=120 ctb=ad tag=11 hlen=3 plen=742
:literal data packet:
        mode b (62), created 1769042105, name="gnupg_text_encryption.md",
        raw data: 712 bytes
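Added example (not from the original page): a small shell function that reads a --list-packets dump like the one above from stdin and names the numeric algorithm IDs, so you can confirm which public-key, cipher, AEAD, S2K hash and compression algorithms actually protected a file. The name tables follow the OpenPGP algorithm registries (RFC 4880 / RFC 9580); the sample dump is constructed from the values shown above.

```shell
#!/bin/sh
# decode_packets: stdin = output of `gpg --list-packets`, stdout = one "field=NAME" per line
decode_packets() {
    awk '
    function name(tbl, n) { return (n in tbl) ? tbl[n] : "unknown(" n ")" }
    # extract the number that follows a "key=" or "key " prefix of length skip
    function num(re, skip) { return match($0, re) ? substr($0, RSTART + skip, RLENGTH - skip) : "" }
    BEGIN {
        pk[1] = "RSA"; pk[16] = "Elgamal"; pk[17] = "DSA"; pk[18] = "ECDH"; pk[19] = "ECDSA"; pk[22] = "EdDSA"
        ci[1] = "IDEA"; ci[2] = "3DES"; ci[3] = "CAST5"; ci[4] = "Blowfish"
        ci[7] = "AES128"; ci[8] = "AES192"; ci[9] = "AES256"; ci[10] = "Twofish"
        ae[1] = "EAX"; ae[2] = "OCB"
        ha[1] = "MD5"; ha[2] = "SHA1"; ha[8] = "SHA256"; ha[9] = "SHA384"; ha[10] = "SHA512"; ha[11] = "SHA224"
        co[0] = "uncompressed"; co[1] = "ZIP"; co[2] = "ZLIB"; co[3] = "BZIP2"
    }
    /^:pubkey enc packet:/     { print "pubkey=" name(pk, num("algo [0-9]+", 5)) }
    /^:symkey enc packet:/     { print "s2k-cipher=" name(ci, num("cipher [0-9]+", 7))
                                 print "s2k-hash=" name(ha, num("hash [0-9]+", 5)) }
    /^:aead encrypted packet:/ { print "cipher=" name(ci, num("cipher=[0-9]+", 7))
                                 print "aead=" name(ae, num("aead=[0-9]+", 5)) }
    /^:encrypted data packet:/ { print "aead=none (SEIPD v1 / MDC packet)" }
    /^:compressed packet:/     { print "compress=" name(co, num("algo=[0-9]+", 5)) }
    /^:literal data packet:/   { print "literal=yes" }
    '
}

# Constructed sample shaped like the dump above (same algorithm values); the "gpg:" lines
# that a real run prints go to stderr and never reach the parser.
sample_dump() {
    cat <<'EOF'
# off=0 ctb=84 tag=1 hlen=2 plen=94
:pubkey enc packet: version 3, algo 18, keyid 0D4CA1775E7FBA1A
        data: [263 bits]
# off=96 ctb=d4 tag=20 hlen=3 plen=461 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
# off=118 ctb=a3 tag=8 hlen=1 plen=0 indeterminate
:compressed packet: algo=2
:literal data packet:
EOF
}
sample_dump | decode_packets
```

For a real file, run gpg --list-packets file.gpg | decode_packets; a symmetric file shows s2k-cipher and s2k-hash lines instead of pubkey, and a file without an AEAD packet is flagged as using the older MDC integrity protection.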

Send a signed and encrypted email from the command line

A very simple command to send a signed and encrypted message from the command line using GPG keys

echo "Hello, this is what you should see" | gpg --encrypt --sign --armor --recipient user@domain.com | sendmail user@domain.com

tar with gpg-encryption on the fly (uncompressed archive)

tar --create --file - <directory> | gpg --encrypt --recipient <keyID> --output <directory>.tar.gpg

tar.gz with gpg-encryption on the fly

tar -cvzf - /<path>/ | gpg --encrypt --recipient <keyID> > /<backup-path>/backup_`date +%d_%m_%Y`.tar.gz.gpg

Import my personal gpg key from the web

curl -s http://www.linux-shell.se/pubkey.asc | gpg --import

Getting GnuPG public keys from a keyserver (prefer the full fingerprint over a short key ID like the one below, since short IDs are easy to collide)

gpg --keyserver pgp.someserver.com --recv-keys 19886493

Read the GnuPG info manual

info gnupg | less

Delete secret keys

List secret keys and delete one

gpg --list-secret-keys
gpg --delete-secret-key <example_id>

Key Servers

Send keys to a server

gpg --keyserver pgp.mit.edu --send-keys 8AD6C58AD226F84B
gpg --keyserver keyserver.ubuntu.com --send-keys 5BDA4A6D5D9A1C3DF4C5F0F78AD6C58AD226F84B
gpg --keyserver keys.openpgp.org --send-keys 5BDA4A6D5D9A1C3DF4C5F0F78AD6C58AD226F84B 

Add a gpg key to the apt package manager on an Ubuntu system (apt-key is deprecated on current releases; place the key under /etc/apt/keyrings and reference it with signed-by in the source entry instead)

wget -q http://keyserver.com -O- | sudo apt-key add -

GnuPG --edit-key

Edit key

gpg --edit-key <mail_address>

Edit options (typed at the gpg> prompt)

list preferences (verbose)

> showpref

list preferences (expert)

> pref

Change the passphrase

> passwd

Change ownertrust

> trust

Show selected photo IDs

> showphoto

Delete signatures from the selected user IDs

> delsig

Change the expiration date for the key or for selected subkeys

> expire

Set the preferred keyserver URL for the selected user ID

> keyserver

Set a notation for the selected user ID

> notation

Revoke signatures on the selected user ID

> revsig

Revoke the selected user ID

> revuid

Enable key

> enable

Disable key

> disable

Compact unusable user IDs and remove unusable signatures from key

> clean

Compact unusable user IDs and remove all signatures from key

> minimize

Add an additional decryption subkey

> addadsk

Add revocation key

> addrevoker

Delete selected subkeys

> delkey

Move backup key to a smartcard

> bkuptocard

Convert a key to TPM form using the local TPM

> keytotpm

Move key to a smartcard

> keytocard

Add a key to a smartcard

> addcardkey

Add a subkey

> addkey

Delete selected user IDs

> deluid

Add a photo ID

> addphoto

Add a user ID

> adduid

Sign selected user IDs (see below for related commands)

> sign

Sign selected user IDs with a non-revocable signature

> nrsign

Sign selected user IDs with a trust signature

> tsign

Sign selected user IDs locally

> lsign

Check signature

> check

Select subkey N

> key N

List key and user IDs

> list

Show the keygrip

> grip

Show the fingerprint

> fpr

Save and quit

> save

Quit edit menu

> quit

Get extra help

gpg --edit-key <usermail@something.com>
help

Tips and Tricks

Add the following to ~/.bashrc and you just have to type crypt filename.txt (same Twofish/SHA512 settings as the "hardcore" command above)

crypt() {
    if [[ -z "$1" ]]; then
        echo "Usage: crypt <filename>"
        return 1
    fi
    if [[ ! -f "$1" ]]; then
        echo "crypt: $1 is not a regular file" >&2
        return 1
    fi
    # Symmetric encryption with Twofish, SHA-512 and an iterated-and-salted S2K
    gpg --symmetric --cipher-algo TWOFISH --digest-algo SHA512 \
        --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 "$1"
}