/ GPG Cheat Sheet


GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard for encrypting and signing data. This guide covers key generation, encryption, digital signatures, and key management.

NOTE: GPG uses asymmetric cryptography - you have a public key (shareable) and a private key (keep secret). Others use your public key to encrypt messages only you can decrypt with your private key.

// Initial Setup & Key Generation

/// Generate a new GPG key pair

# Interactive key generation with all options
gpg --full-gen-key

# Quick generation with defaults (RSA, 3072 bits, no expiration)
gpg --gen-key

This creates a ~/.gnupg directory with your keyring:

$ tree ~/.gnupg
~/.gnupg/
├── crls.d/
│   └── DIR.txt
├── dirmngr.conf
├── openpgp-revocs.d/
│   └── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.rev
├── private-keys-v1.d/
│   ├── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.key
│   └── XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX.key
├── pubring.kbx          # Public keyring
├── random_seed
└── trustdb.gpg          # Trust database

// Key Management

/// List your keys

# List public keys
gpg --list-keys

# List private keys
gpg --list-secret-keys

# Show key fingerprints
gpg --fingerprint

/// Export keys

# Export public key (ASCII armored)
gpg --armor --export your.email@example.com > public-key.asc

# Export private key (keep this secure!)
gpg --armor --export-secret-keys your.email@example.com > private-key.asc

# Export to binary format (smaller)
gpg --export your.email@example.com > public-key.gpg

/// Import keys

# Import a public key
gpg --import public-key.asc

# Import a private key
gpg --import private-key.asc

# Import from keyserver
gpg --keyserver keyserver.ubuntu.com --recv-keys KEYID

// Encryption & Decryption

/// Encrypt files

# Encrypt for specific recipient
gpg --encrypt --recipient your.email@example.com document.txt

# Encrypt for multiple recipients
gpg --encrypt -r alice@example.com -r bob@example.com document.txt

# Encrypt and ASCII armor the output
gpg --armor --encrypt --recipient your.email@example.com document.txt

/// Decrypt files

# Decrypt to stdout
gpg --decrypt document.txt.gpg

# Decrypt to specific file
gpg --decrypt --output decrypted.txt document.txt.gpg

# Decrypt a signed and encrypted file (gpg checks any embedded signature automatically)
gpg --decrypt signed-document.txt.gpg

// Digital Signatures

/// Sign files

# Create detached signature
gpg --detach-sign document.txt

# Sign and encrypt
gpg --sign --encrypt --recipient bob@example.com document.txt

# Clear-text signature (human readable)
gpg --clearsign document.txt

/// Verify signatures

# Verify detached signature
gpg --verify document.txt.sig document.txt

# Verify inline signature
gpg --verify signed-document.txt.asc
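
Added example, not part of the original cheat sheet: `gpg --verify` exits 0 for a good signature from any key in your keyring, so a script should also check which key signed. This sketch parses `--status-fd` output and compares the signer against a pinned fingerprint; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a detached signature only from one pinned key.

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Read status lines on stdin. Print the signer's primary-key fingerprint and
# return 0 only for exactly one good signature that is not expired or revoked.
signer_fpr_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key, field 12 the primary key
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12) ? $12 : $3 }
        END {
            if (good && !bad && n == 1) { print fpr; exit 0 }
            exit 1
        }'
}

# verify_pinned SIG FILE FPR: succeed only if FILE was signed by key FPR.
verify_pinned() {
    want=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
          signer_fpr_from_status) || return 1
    [ "$got" = "$want" ]
}

# Demo on the constructed sample; prints the primary-key fingerprint.
printf '%s\n' "$SAMPLE_STATUS" | signer_fpr_from_status
```

Call it as `verify_pinned document.txt.sig document.txt "<expected fingerprint>"`, taking the fingerprint from a trusted channel rather than from the keyserver that supplied the key.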

// Key Editing & Management

/// Edit key properties

# Enter key editing mode
gpg --edit-key your.email@example.com

# Common commands in edit mode:
# - passwd     : Change passphrase
# - expire     : Set expiration date
# - adduid     : Add user ID
# - revuid     : Revoke user ID
# - lsign      : Locally sign
# - trust      : Set trust level
# - save       : Save and exit

/// Key server operations

# Upload public key to keyserver
gpg --keyserver keyserver.ubuntu.com --send-keys KEYID

# Refresh keys from keyserver
gpg --keyserver keyserver.ubuntu.com --refresh-keys

# Search for keys
gpg --keyserver keyserver.ubuntu.com --search-keys "name@example.com"

// Common Use Cases

/// Email Encryption Setup

Configure your email client (Thunderbird, Mutt, etc.) to use GPG:

# For Mutt: Add to ~/.muttrc
set crypt_use_gpgme = yes
set crypt_autosign = yes
set pgp_timeout = 3600

/// File Backup Encryption

Encrypt sensitive backups before storing:

# Encrypt backup archive
tar czf - ~/important-docs/ | gpg --encrypt -r your@email.com > backup.tar.gz.gpg

# Decrypt and extract
gpg --decrypt backup.tar.gz.gpg | tar xzf -

/// Git Commit Signing

Sign your git commits for authenticity:

# Configure git to use GPG
git config --global user.signingkey KEYID
git config --global commit.gpgsign true

# Sign individual commits
git commit -S -m "Signed commit message"