OpenPGP Cheatsheet

OpenPGP Cheatsheet

You can’t have enough cheat sheets on the net. Well you probably can, but I still wanted to add my own to the mix. I use the GnuPG command line for almost everything, bar actually sending email so this is a nice little reminder to myself what I’m doing

Creating a new Key First steps

gpg --gen-key

Browsing your keyring What have you got

  • List all public keys gpg --list-public-keys
  • List all private keys gpg --list-secret-keys
  • List everyone who has signed a key gpg --list-sig (0xKEYID)
  • Get the full fingerprint gpg --fingerprint (0xKEYID)


  • Export your public key to a file gpg --armor --export (0xKEYID)
  • Upload a key to the keyserver. Good for new keys, or after signing someone else’s
  • Using the default Key server gpg --send-keys (0xKEYID)
  • Specifying a Key server gpg --keyserver --send-keys (0xKEYID)
  • Export/Backup you private key gpg –armor –export-secret-keys (0xKEYID)

Searching for a key

  • Finding someones key
  • Using the default Key server gpg --search-keys
  • Specifying a Key server gpg --keyserver --search-keys


  • Encrypt a file for someone, by their email gpg --encrypt filename.txt --recipient
  • Encrypt a file for multiplie people, by their email addresses – It’s usually a good idea to encyrpt to your own key as well or you will not be able to decrypt the file later gpg --encrypt filename.txt --recipient --recipient
  • Encrypt a file for transmission over text – email, IRC, Jabber etc. gpg --armour --encrypt filename.txt --recipient --recipient
  • Decrypting a file gpg --output filename.txt --decrypt filename.txt.asc

Import keys You need to get them somewhere

  • Importing from a text file gpg --import publickey.asc
  • Restore a backup of a private key gpg --allow-secret-key-import --import privatekey.asc

Keys Maintenance Revoking

  • Creating a revocation certificate. You must has the private key to do this, if you have lost your private key, well thats when problems kick in gpg --output revoke.asc --gen-revoke 0xKEYID
  • To revoke a the key all you need do is import the revoke.asc into your keyring gpg --import revoke.asc
  • To make sure everyone knows your keys been revoked you need to publish the updated public key gpg --keyserver --send-keys (0xKEYID)

Keys Maintenance Key Signing

  • You need to edit the key gpg --edit-key 0xKEYID

From here ‘help’ will give you a list of your options, but to sign a key you can ether type ‘sign’ or ‘tsign’. The man pages give a better indication of what the difference is ‘man gpg’ but ‘sign’ is usually sufficent. After they key is signed type ‘save’ and ‘quit’ then you can ether send the key to a keyserver for download by its owner of export the public key and send it by other means, this usually means encrypted email.

Signing and Verifying files

  • To sign a file with your default key use this gpg --detach-sign --armour filename.txt
  • To verify a signed file but put the output from above filename.txt.asc gpg --verify filename.txt.asc

Creating a Detached Signature

  • gpg --verify doc.asc doc

Verifying a Detached Signature

  • gpg --armour --output doc.asc --detach-sig doc