Hints and tips for using GPG encryption and signing tool from the GnuPG system.

Create a new Public and Private key pair

See The default OpenSSH key encryption is worse than plaintext

  • gpg --gen-key

Specify a different directory for creating the keyrings

  • gpg --homedir /home/xxx --gen-key

Creating a detached ascii signature

  • gpg --sign --detach-sign --armor filetobe_signed


  • gpg -s -b -a filetobe_signed

Signature Compatible with PGP


  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo cast5 filetobe_signed


  • gpg --sign --detach-sign --armor --compress-algo 1 --cipher-algo 3des filetobe_signed

Verifying a detached signature

  • gpg --verify signaturefile signedfile

Exporting keys

These options allow you to transfer public and private keys to another machine. You can also export your trust database. You may also want to transfer your .gnupg/options or .gnupg/gpg.conf files too.

Export all public keys

  • gpg --export --armor > mypublickeys

Export specific public key

  • gpg --export --armor > mypublickey

Export all private keys

  • gpg --export-secret-keys --armor > mysecretkeys

Export trust ownership

  • gpg --export-ownertrust --armor > myownertrust

Importing keys

Importing public keys

  • gpg --import mypublickeys

Importing private keys

  • gpg --import --allow-secret-key-import mysecretkeys

Importing owner trust relationships

  • gpg --import-ownertrust myownertrust

Import a key from a dowloaded KEY file

  • gpg --import KEYFILENAME

Importing a key from a public server

Imports the specified key from the specified public key server and adds it to your key chain.

  • gpg --keyserver --recv-keys 0x5072E1F5
  • gpg --keyserver --recv-keys 0x5072E1F5


When installed, gnupg should have created an example configuration file at ~/.gnupg/gpg.conf. You most likely want to change the following entries:

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id

If you have more than one secret key, set the default key to one of those shown by the gpg --list-secret-keys command.

Display Fingerprint

  • gpg --fingerprint

Signing a key

  • gpg --edit-key KEYNAME
  • sign
  • save

Trusting a key

You need to sign the key first. See Signing a key

  • gpg --edit-key KEYNAME
  • trust
  • 4
  • save

Updating the expiration date

  • gpg --edit-key YOUR_KEY
  • expire

Enter the period to extend the expiration date by, e.g. 1y

Then select the sub key and extend that too:

  • key 1
  • expire
  • 1y
  • save

Specifying an alternate location for the keyrings

gpg --keyring=/somewhere/else/pubring.gpg
   --secret-keyring=/somewhere/else/secring.gpg encrypted.gpg

Linux GUI Front-Ends for GnuPG

Windows Usage


Revoking Subkeys

$ gpg --edit-key $KEYNAME
  1. The chosen key will be displayed, listing the subkeys.

  2. Enter the number of the subkey and hit return. An asterisk is shown against the selected key.

    $ revuid
  3. Select option '4 = User ID is no longer valid'.

  4. Optionally, enter a description. A blank line terminates input.

  5. Confirm whether the changes are OK.

  6. Save the key.

  7. When everything looks good, update the public key servers with:

    $ gpg --keyserver --send-keys $FINGERPRINT_ID

-- Frank Dean - 20-Jul-2018


-- Frank Dean - 26 Sep 2004

Related Topics: DebianTips, LinuxHintsAndTips