GPG (GNU Privacy Guard) Operations Cheatsheet

GPG (GNU Privacy Guard) is a free implementation of the OpenPGP standard that provides cryptographic privacy and authentication for data communication. This cheatsheet covers essential GPG operations for key management, encryption, and digital signatures.

Whether you’re securing communications, signing commits, or creating package repositories, GPG provides the cryptographic foundation for verifying identity and ensuring data integrity. This guide focuses on practical command-line operations that system administrators and developers use daily.

Key Generation and Management

Generating a New GPG Key

Create a new GPG key pair with interactive prompts for key type, size, and expiration:

gpg --full-generate-key

This command will prompt you to:

Select key type (RSA is recommended for most uses)
Choose key size (4096 bits recommended for strong security)
Set expiration date (recommended for security)
Provide user ID information (name, email, comment)
Create a secure passphrase

Listing Keys

List All Public Keys

gpg --list-keys --keyid-format=long

List All Secret (Private) Keys

gpg --list-secret-keys --keyid-format=long

The --keyid-format=long option displays the full key ID, which is useful for identifying specific keys and referencing them in other operations.

Key Import and Export Operations

Exporting Public Keys

Export a public key to share with others or backup:

gpg --export -a "KEY_ID" > public_key.asc

Replace KEY_ID with the actual key ID from the listing commands
The -a flag exports in ASCII armored format (text-based)
Redirect output to a file for easy sharing

Exporting Secret Keys

Export your secret key for backup purposes:

gpg --armor --export-secret-keys KEY_ID > secret_key.asc

Security Warning: Keep secret key exports secure and encrypted. Never share secret keys.

Importing Keys

Import public keys from others or restore from backup:

gpg --import public_key.asc

This command works for both public and secret keys, though you should be extremely careful when importing secret keys.

Key Trust and Validation

Setting Key Trust Level

After importing a key, you need to establish trust:

gpg --edit-key KEY_ID

In the GPG interactive prompt:

gpg> trust
gpg> 5
gpg> quit

Trust levels:

1 = I don’t know or won’t say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately (use for your own keys)

Key Deletion

Delete Public Key

gpg --delete-key KEY_ID

Delete Secret Key

gpg --delete-secret-keys KEY_ID

Important: You must delete the secret key before you can delete the corresponding public key.

Digital Signatures and Verification

Signing Files

Create a detached signature for a file:

gpg --detach-sign --armor filename

This creates filename.asc containing the signature.

Verifying Signatures

gpg --verify filename.asc filename

Signing and Encrypting

gpg --sign --encrypt --armor -r recipient@example.com filename

Practical Use Cases

Package Repository Signing

For creating Arch Linux package repositories, you’ll need to:

Generate a key for package signing
Export the public key for distribution
Configure makepkg to use your key
Sign packages during repository creation

The package creation process requires GPG signatures for repository inclusion, making proper key management essential for package maintainers.

Git Commit Signing

Configure Git to use your GPG key for commit signing:

git config --global user.signingkey KEY_ID
git config --global commit.gpgsign true

Key Backup Strategy

Export your secret key to a secure location
Print your key fingerprint and store separately
Consider using a hardware security key for additional protection
Keep revocation certificates in a safe place

Troubleshooting Common Issues

Key Not Found Errors

Verify the key ID is correct using list commands
Check if the key has expired
Ensure you’re using the correct keyring

Permission Denied

Check GPG directory permissions: ~/.gnupg should be 700
Verify file permissions within the GPG directory

Signature Verification Failures

Ensure the public key is imported and trusted
Check that the signature file corresponds to the correct document
Verify the signature hasn’t been corrupted

For SSL/TLS certificate management and other cryptographic operations, see the OpenSSL commands cheatsheet. While OpenSSL handles X.509 certificates and SSL/TLS operations, GPG focuses on PGP/OpenPGP operations for email encryption, file signing, and package authentication.

GPG and OpenSSL serve complementary roles in a complete security infrastructure - GPG for identity verification and secure communications, OpenSSL for web certificates and transport layer security.

Questions Answered in This Document

Q: How do I generate a new GPG key pair? A: Use gpg --full-generate-key and follow the interactive prompts to select key type, size, expiration, and user information.

Q: What’s the difference between public and secret keys? A: Public keys can be shared freely and are used by others to encrypt messages to you or verify your signatures. Secret keys must be kept private and are used to decrypt messages and create signatures.

Q: How do I export my public key to share with others? A: Use gpg --export -a "KEY_ID" > public_key.asc to export in ASCII armored format.

Q: Why do I need to trust imported keys? A: Trust levels tell GPG how much confidence you have in a key’s authenticity. Without setting appropriate trust, GPG may not use the key for encryption or may show warnings.

Q: How do I backup my GPG keys securely? A: Export your secret key with gpg --armor --export-secret-keys KEY_ID > secret_key.asc, then store the file in a secure, encrypted location.

Q: Can I use GPG for signing Git commits? A: Yes, configure Git with your key ID using git config --global user.signingkey KEY_ID and enable automatic signing with git config --global commit.gpgsign true.

Q: What should I do if I need to revoke a compromised key? A: Generate a revocation certificate (ideally when you first create the key), then import and distribute it to revoke the compromised key.

Q: How do I verify a file signature? A: Use gpg --verify signature_file original_file to verify that the signature matches the file and was created by the expected key.

Q: What key size should I use for new GPG keys? A: 4096 bits is recommended for RSA keys to ensure strong security that will remain viable for years to come.

Q: How do I delete a GPG key pair completely? A: First delete the secret key with gpg --delete-secret-keys KEY_ID, then delete the public key with gpg --delete-key KEY_ID.

Flouda Vault

GPG (GNU Privacy Guard) Operations Cheatsheet

Key Generation and Management

Generating a New GPG Key

Listing Keys

List All Public Keys

List All Secret (Private) Keys

Key Import and Export Operations

Exporting Public Keys

Exporting Secret Keys

Importing Keys

Key Trust and Validation

Setting Key Trust Level

Key Deletion

Delete Public Key

Delete Secret Key

Digital Signatures and Verification

Signing Files

Verifying Signatures

Signing and Encrypting

Practical Use Cases

Package Repository Signing

Git Commit Signing

Key Backup Strategy

Troubleshooting Common Issues

Key Not Found Errors

Permission Denied

Signature Verification Failures

Questions Answered in This Document

Graph View

Table of Contents

Backlinks

Flouda Vault

GPG (GNU Privacy Guard) Operations Cheatsheet

Key Generation and Management

Generating a New GPG Key

Listing Keys

List All Public Keys

List All Secret (Private) Keys

Key Import and Export Operations

Exporting Public Keys

Exporting Secret Keys

Importing Keys

Key Trust and Validation

Setting Key Trust Level

Key Deletion

Delete Public Key

Delete Secret Key

Digital Signatures and Verification

Signing Files

Verifying Signatures

Signing and Encrypting

Practical Use Cases

Package Repository Signing

Git Commit Signing

Key Backup Strategy

Troubleshooting Common Issues

Key Not Found Errors

Permission Denied

Signature Verification Failures

Related Certificate and Cryptographic Operations

Questions Answered in This Document

Graph View

Table of Contents

Backlinks