# GnuPG (gpg) — Encrypt, Sign, and Manage Keys

> Practical guide to GnuPG — generate and manage keys, encrypt and decrypt files, sign and verify data, and use the OpenPGP web of trust.

Source: https://www.jpkc.com/db/en/cheatsheets/security/gpg/

GnuPG (gpg for short) is the free OpenPGP implementation and the standard tool for encryption and digital signatures on Linux, macOS and Windows. With a single key pair you encrypt files and email for specific recipients, sign releases or Git commits, and verify the authenticity of other people's data through the web of trust. This guide takes you from key generation through export, import and keyservers all the way to everyday encryption and decryption. Always protect your private key with a strong passphrase — it is the master key to everything you encrypt.

## Key Generation

`gpg --full-generate-key` — Generate a new key pair with full options; pick a modern algorithm such as ECC (Ed25519) or RSA with at least 3072 bits.

```bash
gpg --full-generate-key
```

`gpg --generate-key` — Generate a key pair with defaults (quick).

```bash
gpg --generate-key
```

`gpg --quick-generate-key '<uid>'` — Quick key generation with a User ID.

```bash
gpg --quick-generate-key 'John Doe <john@example.com>'
```

## Key Management

`gpg --list-keys` — List all public keys in the keyring.

```bash
gpg --list-keys
```

`gpg --list-secret-keys` — List all private keys.

```bash
gpg --list-secret-keys --keyid-format long
```

`gpg --fingerprint <key-id>` — Show the fingerprint of a key.

```bash
gpg --fingerprint john@example.com
```

`gpg --delete-key <key-id>` — Delete a public key.

```bash
gpg --delete-key john@example.com
```

`gpg --delete-secret-key <key-id>` — Delete a private key — irreversible, so make a backup first.

```bash
gpg --delete-secret-key john@example.com
```

`gpg --edit-key <key-id>` — Edit key properties (trust, expire, etc.).

```bash
gpg --edit-key john@example.com
```

## Export & Import

`gpg --export -a <key-id> > <file>` — Export a public key in ASCII armor format.

```bash
gpg --export -a john@example.com > john-public.asc
```

`gpg --export-secret-keys -a <key-id> > <file>` — Export a private key (for backup) — never share it and store it only in a safe, encrypted place.

```bash
gpg --export-secret-keys -a john@example.com > john-private.asc
```

`gpg --import <file>` — Import a key from a file.

```bash
gpg --import colleague-public.asc
```

`gpg --keyserver <server> --send-keys <key-id>` — Upload a public key to a keyserver.

```bash
gpg --keyserver keys.openpgp.org --send-keys ABCD1234
```

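`gpg --keyserver <server> --recv-keys <key-id>` — Download a key from a keyserver. Pass the full fingerprint where you can: short 8-character IDs like the placeholder below can collide with other keys, so confirm what was imported with `gpg --fingerprint` before trusting it.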

```bash
gpg --keyserver keys.openpgp.org --recv-keys ABCD1234
```

`gpg --search-keys '<query>'` — Search for keys on a keyserver.

```bash
gpg --keyserver keys.openpgp.org --search-keys 'john@example.com'
```

## Encrypt & Decrypt

`gpg -e -r <recipient> <file>` — Encrypt a file for a recipient.

```bash
gpg -e -r john@example.com secret.txt
```

`gpg -e -r <recipient> -a <file>` — Encrypt with ASCII armor output (text-safe).

```bash
gpg -e -r john@example.com -a secret.txt
```

`gpg -e -r <r1> -r <r2> <file>` — Encrypt for multiple recipients.

```bash
gpg -e -r john@example.com -r jane@example.com secret.txt
```

`gpg -d <file>` — Decrypt a file.

```bash
gpg -d secret.txt.gpg > secret.txt
```

`gpg -c <file>` — Symmetric encryption (password-based, no keys needed).

```bash
gpg -c backup.tar.gz
```

`gpg -d <file>.gpg` — Decrypt a symmetrically encrypted file.

```bash
gpg -d backup.tar.gz.gpg > backup.tar.gz
```

## Sign & Verify

`gpg -s <file>` — Create a signed (binary) file.

```bash
gpg -s document.pdf
```

`gpg --detach-sign <file>` — Create a detached signature file.

```bash
gpg --detach-sign release.tar.gz
```

`gpg --clearsign <file>` — Create a clear-text signature (readable + signed).

```bash
gpg --clearsign message.txt
```

`gpg -se -r <recipient> <file>` — Sign and encrypt a file.

```bash
gpg -se -r john@example.com secret.txt
```

`gpg --verify <signature> <file>` — Verify a detached signature.

```bash
gpg --verify release.tar.gz.sig release.tar.gz
```

`gpg --verify <file>` — Verify a signed file.

```bash
gpg --verify message.txt.asc
```
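
`gpg --verify` reports a good signature for any key in your keyring, so checking a release also means checking who signed it. The block below is an added example, not part of the original cheat sheet: it parses gpg's `--status-fd` output and accepts a detached signature only when it is good, not expired or revoked, and made by a pinned fingerprint. The function names, the fingerprints and the sample status lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: accept a detached signature only if it is good AND made by a
# pinned key. Function names and all sample values below are constructed.

# Normalise a fingerprint as printed by `gpg --fingerprint` (spaces, any case).
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }

# check_status PINNED_FPR   (reads `gpg --status-fd 1 --verify` output on stdin)
# Succeeds only when a GOODSIG is present, no failed/expired/revoked status
# appears, and a VALIDSIG names the pin as signing key ($3) or primary key ($NF).
check_status() {
  awk -v pin="$(norm_fpr "$1")" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    $2 == "VALIDSIG" && (toupper($3) == pin || toupper($NF) == pin) { pinned = 1 }
    END { exit ((good && pinned && !bad) ? 0 : 1) }
  '
}

# verify_pinned PINNED_FPR SIGNATURE FILE
# Status lines go to stdout (fd 1); the human-readable report is discarded.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed status output: signed by a subkey of the pinned primary key.
PIN='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 John Doe <john@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: same key, but expired. VALIDSIG is still emitted, so checking
# VALIDSIG alone would wrongly accept this signature.
SAMPLE_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 76543210FEDCBA98 John Doe <john@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Usage with real files (requires gpg and the signer's public key imported):
#   verify_pinned "$PIN" release.tar.gz.sig release.tar.gz && echo "signer OK"
```

Obtain the pinned fingerprint from a channel other than the download itself, otherwise the check only proves that the file and the key came from the same place.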

## Common Patterns

`echo '<text>' | gpg -e -r <recipient> -a` — Encrypt text from stdin.

```bash
echo 'secret password' | gpg -e -r john@example.com -a
```

`gpg --list-keys --keyid-format long` — List keys with long key IDs (for Git signing).

```bash
gpg --list-keys --keyid-format long
```

`tar czf - <dir> | gpg -c -o <file>` — Create an encrypted archive.

```bash
tar czf - secrets/ | gpg -c -o secrets.tar.gz.gpg
```

`gpg -d <file>.gpg | tar xzf -` — Decrypt and extract an encrypted archive.

```bash
gpg -d secrets.tar.gz.gpg | tar xzf -
```

## Conclusion

GnuPG has been the backbone of OpenPGP for decades and is the default wherever confidentiality and provable authenticity matter — from signed software releases to encrypted backups. The command line feels rough at first, but the handful of core commands for generating, encrypting and signing become second nature quickly. Secure your private key with a backup and a revocation certificate, and the same key pair will serve you for years.

## Further Reading

- [GnuPG — official documentation](https://www.gnupg.org/documentation/) — manuals and howtos
- [GNU Privacy Guard – Wikipedia](https://en.wikipedia.org/wiki/GNU_Privacy_Guard)

## Related Commands

- [age](https://www.jpkc.com/db/en/cheatsheets/security/age/) – modern, simple file encryption as a GPG alternative
- [clamav](https://www.jpkc.com/db/en/cheatsheets/security/clamav/) – open-source virus scanner for files and mail
- [fail2ban](https://www.jpkc.com/db/en/cheatsheets/security/fail2ban/) – bans attackers after failed login attempts

