GPG Cheat Sheet
GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard for encrypting and signing data. This guide covers key generation, encryption, digital signatures, and key management.
NOTE: GPG uses asymmetric cryptography - you have a public key (shareable) and a private key (keep secret). Others use your public key to encrypt messages only you can decrypt with your private key.
/setup
Generate a new GPG key pair
    # Interactive key generation with all options
    gpg --full-gen-key

    # Quick generation with defaults (RSA, 3072 bits, no expiration)
    gpg --gen-key
This creates a ~/.gnupg directory with your keyring:
    $ tree ~/.gnupg
    ~/.gnupg/
    ├── crls.d/
    │   └── DIR.txt
    ├── dirmngr.conf
    ├── openpgp-revocs.d/
    │   └── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev
    ├── private-keys-v1.d/
    │   ├── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.key
    │   └── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.key
    ├── pubring.kbx        # Public keyring
    ├── random_seed
    └── trustdb.gpg        # Trust database
/keys
List your keys
    # List public keys
    gpg --list-keys

    # List private keys
    gpg --list-secret-keys

    # Show key fingerprints
    gpg --fingerprint
Export keys
    # Export public key (ASCII armored)
    gpg --armor --export your.email@example.com > public-key.asc

    # Export private key (keep this secure!)
    gpg --armor --export-secret-keys your.email@example.com > private-key.asc

    # Export to binary format (smaller)
    gpg --export your.email@example.com > public-key.gpg
Import keys
    # Import a public key
    gpg --import public-key.asc

    # Import a private key
    gpg --import private-key.asc

    # Import from keyserver
    gpg --keyserver keyserver.ubuntu.com --recv-keys KEYID
/encrypt&decrypt
Encrypt files
    # Encrypt for specific recipient
    gpg --encrypt --recipient your.email@example.com document.txt

    # Encrypt for multiple recipients
    gpg --encrypt -r alice@example.com -r bob@example.com document.txt

    # Encrypt and ASCII armor the output
    gpg --armor --encrypt --recipient your.email@example.com document.txt
Decrypt files
    # Decrypt to stdout
    gpg --decrypt document.txt.gpg

    # Decrypt to specific file
    gpg --decrypt --output decrypted.txt document.txt.gpg

    # Decrypt and verify signature
    # (--decrypt checks an embedded signature automatically; adding --verify
    # is rejected as conflicting commands)
    gpg --decrypt signed-document.txt.gpg
/sign
Sign files
    # Create detached signature
    gpg --detach-sign document.txt

    # Sign and encrypt
    gpg --sign --encrypt --recipient bob@example.com document.txt

    # Clear-text signature (human readable)
    gpg --clearsign document.txt
Verify signatures
    # Verify detached signature
    gpg --verify document.txt.sig document.txt

    # Verify inline signature
    gpg --verify signed-document.txt.asc
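`gpg --verify` exits successfully for a good signature from any key in your keyring, so a script should also pin the signer's fingerprint. The following is an added example, not part of the original cheat sheet, that does this by parsing `--status-fd` output; the function names, fingerprints and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only if it was made by one pinned key.
# Fingerprints and status lines below are constructed sample values.

# check_status EXPECTED_PRIMARY_FPR   (reads gpg --status-fd output on stdin)
# Succeeds only for exactly one good, unexpired, unrevoked signature whose
# primary-key fingerprint equals the pinned one (case-insensitive).
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
        END { exit !(good && !bad && n == 1 && toupper(fpr) == toupper(want)) }'
}

# verify_pinned EXPECTED_PRIMARY_FPR SIGFILE DATAFILE
# Status lines go to stdout (fd 1); the human-readable report is discarded.
# The result is check_status's verdict, so a gpg failure also fails the check.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample: a signature made by a signing subkey of the pinned key.
PINNED=0123456789ABCDEF0123456789ABCDEF01234567   # primary key (constructed)
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF   # signing subkey (constructed)
sample_status() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.com>" \
        "[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED"
}
```

In a script, call `verify_pinned "$PINNED" document.txt.sig document.txt` with the fingerprint you obtained out of band, in place of a bare `gpg --verify`.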
/edit
Edit key properties
    # Enter key editing mode
    gpg --edit-key your.email@example.com

    # Common commands in edit mode:
    # - passwd : Change passphrase
    # - expire : Set expiration date
    # - adduid : Add user ID
    # - revuid : Revoke user ID
    # - lsign  : Locally sign
    # - trust  : Set trust level
    # - save   : Save and exit
Key server operations
    # Upload public key to keyserver
    gpg --keyserver keyserver.ubuntu.com --send-keys KEYID

    # Refresh keys from keyserver
    gpg --keyserver keyserver.ubuntu.com --refresh-keys

    # Search for keys
    gpg --keyserver keyserver.ubuntu.com --search-keys "name@example.com"
/examples
Email Encryption Setup
Configure your email client (Thunderbird, Mutt, etc.) to use GPG:
    # For Mutt: Add to ~/.muttrc
    set crypt_use_gpgme = yes
    set crypt_autosign = yes
    set pgp_timeout = 3600
File Backup Encryption
Encrypt sensitive backups before storing:
    # Encrypt backup archive
    tar czf - ~/important-docs/ | gpg --encrypt -r your@email.com > backup.tar.gz.gpg

    # Decrypt and extract
    gpg --decrypt backup.tar.gz.gpg | tar xzf -
Git Commit Signing
Sign your git commits for authenticity:
    # Configure git to use GPG
    git config --global user.signingkey KEYID
    git config --global commit.gpgsign true

    # Sign individual commits
    git commit -S -m "Signed commit message"