
GNU Privacy Guard (GPG) reference


1. Creating new keys

The following command can be used to create a new key interactively. See this article for more information.

gpg --full-generate-key
# ...
#
# Please select what kind of key you want:
#    (1) RSA and RSA
#    (2) DSA and Elgamal
#    (3) DSA (sign only)
#    (4) RSA (sign only)
#    (9) ECC (sign and encrypt) *default*
#   (10) ECC (sign only)
#   (14) Existing key from card
# Your selection? 1
# RSA keys may be between 1024 and 4096 bits long.
# What keysize do you want? (3072) 4096
# Requested keysize is 4096 bits
# Please specify how long the key should be valid.
#          0 = key does not expire
#       <n>  = key expires in n days
#       <n>w = key expires in n weeks
#       <n>m = key expires in n months
#       <n>y = key expires in n years
# Key is valid for? (0) 0
# Key does not expire at all
# Is this correct? (y/N) y
#
# ...

2. Listing keys

The following command can be used to list the private keys on your machine.

gpg --list-secret-keys

With the following option added, the key IDs are printed in the long format that Git expects (the XXX part is the key ID needed for the Git integration below).

gpg --list-secret-keys --keyid-format=long

# [keyboxd]
# ---------
# sec   ed25519/XXXXXXXXXXXXXXXX 2024-03-29 [SC] [expires: 2027-03-29]
#       YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
# uid                 [ultimate] Foo Bar <foo.bar@example.com>
# ssb   cv25519/ZZZZZZZZZZZZZZZZ 2024-03-29 [E]

3. Exporting keys

See this StackOverflow answer for more information on these commands.

The following command will export an ASCII-armored version of the public key.

gpg --output public.pgp \
    --armor             \
    --export            \
    'foo.bar@example.com'

The following command will export an ASCII-armored version of the secret (i.e. private) key.

gpg --output private.pgp \
    --armor              \
    --export-secret-key  \
    'foo.bar@example.com'

When the export is meant as a backup, the following should be used instead.

gpg --output backup.pgp            \
    --armor                        \
    --export-secret-keys           \
    --export-options export-backup \
    'foo.bar@example.com'

4. Importing keys

A previously-exported key can be imported with the following command.

gpg --import private.pgp

The following should be better, but it failed for me on Gentoo, while the previous worked fine.

gpg --import-options restore \
    --import                 \
    backup.pgp

5. Changing the trust level of keys

The trust level of a key is displayed between square brackets when listing them. This trust level can be changed with the following command.

$ gpg --edit-key 'foo.bar@example.com'
# ...
gpg> trust
# Please decide how far you trust this user to correctly verify other users' keys
# (by looking at passports, checking fingerprints from different sources, etc.)
#
#   1 = I don't know or won't say
#   2 = I do NOT trust
#   3 = I trust marginally
#   4 = I trust fully
#   5 = I trust ultimately
#   m = back to the main menu
#
# Your decision?
gpg> 5

6. Git integration with GPG

The following shows how to add a PGP key to Git and how to enable commit signing by default. Note that these commands set the options globally; they can also be set for the current repository only by removing the --global flag.

The XXX part is the long key ID shown in section 2 (Listing keys).

git config --global user.signingkey "XXXXXXXXXXXXXXXX"
git config --global commit.gpgsign true
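The two steps above (reading the long key ID from the listing in section 2 and feeding it to git config) can be tied together so that an expired, revoked or encrypt-only key is never wired into Git by mistake. The script below is an added example, not part of this reference; the listing it parses is constructed sample text (no real keys), and the function names are my own.

```shell
#!/bin/sh
# Pick a usable signing key from `gpg --list-secret-keys --keyid-format=long`
# output and configure Git with it. The parsing works on plain text, so the
# sample run below needs neither gpg nor a keyring.

# Print the 16-hex-digit long key ID of the first primary key ("sec" line,
# secret part present) that has the S (sign) capability and is neither
# expired nor revoked. Prints nothing if no such key exists.
# Usage: extract_signing_keyid "<listing text>"
extract_signing_keyid() {
    printf '%s\n' "$1" | awk '
        $1 == "sec" {                     # "sec#"/"sec>" (offline/card) are skipped
            split($2, parts, "/")         # "ed25519/ABCD..." -> ID after the "/"
            id = parts[2]
            caps = $4                     # "[SC]", "[E]", ...
            if (length(id) == 16 && id ~ /^[0-9A-F]+$/ && caps ~ /S/ &&
                $0 !~ /\[expired:/ && $0 !~ /\[revoked:/) {
                print id
                exit
            }
        }'
}

# Configure Git to sign commits with the given key. Pass "--global" as the
# second argument for all repositories (as in the commands above) or nothing
# to set it only in the current repository. Refuses anything that is not a
# long key ID, so a short ID or an empty string cannot end up in the config.
configure_git_signing() {
    keyid="$1"
    scope="$2"   # left unquoted below on purpose: empty must expand to nothing
    if ! printf '%s\n' "$keyid" | grep -Eq '^[0-9A-F]{16}$'; then
        echo "refusing to configure: '$keyid' is not a 16-digit long key ID" >&2
        return 1
    fi
    git config $scope user.signingkey "$keyid" &&
    git config $scope commit.gpgsign true
}

# Constructed sample listing (not real keys): an expired primary key first,
# then the usable one with an encrypt-only subkey.
SAMPLE_LISTING='[keyboxd]
---------
sec   rsa4096/1111111111111111 2019-01-01 [SC] [expired: 2021-01-01]
      AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid                 [ultimate] Old Key <old@example.com>
sec   ed25519/ABCDEF0123456789 2024-03-29 [SC] [expires: 2027-03-29]
      YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY
uid                 [ultimate] Foo Bar <foo.bar@example.com>
ssb   cv25519/ZZZZZZZZZZZZZZZZ 2024-03-29 [E]'

echo "selected signing key: $(extract_signing_keyid "$SAMPLE_LISTING")"
# Real use: keyid=$(extract_signing_keyid "$(gpg --list-secret-keys --keyid-format=long)")
#           configure_git_signing "$keyid" --global
```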