GnuPG - Message Operations

Table of Contents
Encryption / Decryption
Signing / Verifying
Comments & Versions
Return to Index
GPG is the main program for the GnuPG system.
This man page only lists the commands and options available. For more verbose documentation get the GNU Privacy Handbook (GPH) or one of the other documents at
Please remember that option parsing stops as soon as a non option is encountered, you can explicitly stop option parsing by using the special option "--".


GPG recognizes these commands:  

Encryption / Decryption

(Options | Options | Options)    
  -e, --encrypt    Example | Example | Example    
  Encrypt data. This option may be combined with --sign.  
  --encrypt-files files        
  This is a special version of the --encrypt command. The command expects the files to be encrypted either on the command line or reads the filenames from stdin; each name must be on separate line. The command is intended for a quick encryption of multiple files.  
  -c, --symmetric   Example    
  Encrypt with symmetric cipher only. This command asks for a passphrase. (May also be combined with --sign -- see GnuPG 1.0.7 released.)  
  --decrypt file   Example | Example | Example    
  Decrypt file (or stdin if no file is specified) and write it to stdout (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message.   
  --decrypt-files files        
  The same as --encrypt-files with the difference that files will be decrypted. The syntax or the filenames is the same.  

Signing / Verifying

(Options | Options | Options | Options)    
  -s, --sign   Example    
  Make a signature. This command may be combined with --encrypt. (May also be combined with --symmetric -- -- see GnuPG 1.0.7 released.)  
  --clearsign   Example    
  Make a clear text signature.   
  -b, --detach-sign   Example    
  Make a detached signature.   
  --verify sigfile signed_files   Example    
  Assume that sigfile is a signature and verify it without generating any output. With no arguments, the signature packet is read from stdin. If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed stuff is expected in a file without the ".sig" or ".asc" extension. With more than 1 argument, the first should be a detached signature and the remaining files are the signed stuff. To read the signed stuff from stdin, use - as the second filename. For security reasons a detached signature cannot read the signed material from stdin without denoting it in the above way.   
  --verify-files files        
  This is a special version of the --verify command which does not work with detached signatures. The command expects the files to be verified either on the command line or reads the filenames from stdin; each name must be on separate line. The command is intended for quick checking of many files.  


Starting with GnuPG 1.1.92 (incl. GnuPG 1.2.1, 1.2.0 and 1.1.92), long options can be put in an options file (default "~/.gnupg/gpg.conf"). In GnuPG versions up through GnuPG 1.1.91 (incl. 1.0.6, 1.0.7, and 1.1.91), long options can be put in an "old style" configuration file (default "~/.gnupg/options"). 

Short option names will not work -- for example, armor is a valid option for the options file, while a is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash as the first non-white-space character are ignored. Commands may be put in this file too, but that does not make sense.

GPG recognizes these options: 



  -a, --armor        
  Create ASCII armored output.  
  Assume the input data is not in ASCII armored format.  
  -t, --textmode        
  Use canonical text mode. If -t (but not --textmode) is used together with armoring and signing, this enables clearsigned messages. This kludge is needed for PGP compatibility; normally you would use --sign or --clearsign to selected the type of the signature.  
  -o, --output file        
  Write output to file.  
  -u, --local-user name        
  Use name as the user ID to sign. This option is silently ignored for the list commands, so that it can be used in an options file.  
  -r, --recipient name        
  Encrypt for user id name. If this option is not specified, GnuPG asks for the user-id unless --default-recipient is given.  
  --group name=value        
  Sets up a name group, which is similar to aliases in email programs. Any time the group name is a receipient (-r or --recipient), it will be expanded to the values specified. 
The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion -- you cannot make a group that points to another group.
  --default-recipient name        
  Use name as default recipient if option --recipient is not used and don't ask if this is a valid one. name must be non-empty.  
  Use the default key as default recipient if option --recipient is not used and don't ask if this is a valid one. The default key is the first one from the secret keyring or the one set with --default-key.  
  Reset --default-recipient and --default-recipient-self.  
  --default-key name        
  Use name as default user ID for signatures. If this is not used the default user ID is the first user ID found in the secret keyring.  
  --encrypt-to name   Example    
  Same as --recipient but this one is intended for use in the options file and may be used with your own user-id as an "encrypt-to-self." These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used.   
  Disable the use of all --encrypt-to keys.   

Comments & Versions

  --comment string        
  Use string as comment string in clear text signatures. The default is not to write a comment string.  
  Force to write the standard comment string in clear text signatures. Use this to overwrite a --comment from a config file. This option is now obsolete because there is no default comment string anymore.  
  Omit the version string in clear text signatures.  
  Force to write the version string in clear text signatures. Use this to overwrite a previous --no-version from a config file.  


  Set the "for your eyes only" flag in the message. This causes GnuPG to refuse to save the file unless the --output option is given, and PGP to use the "secure viewer" with a Tempest-resistant font to display the message. This option overrides --set-filename.  
  Resets the --for-your-eyes-only flag.  
  -z n, --compress n        
  Set compression level to n. A value of 0 for n disables compression. Default is to use the default compression level of zlib (normally 6).  
  Skip the signature verification step. This may be used to make the decryption faster if the signature verification is not needed.  
  When making a data signature, prompt for an expiration time. If this option is not specified, the expiration time is "never."  
  Resets the --ask-sig-expire option.  
  Do not put the keyid into encrypted packets. This option hides the receiver of the message and is a countermeasure against traffic analysis. It may slow down the decryption process because all available secret keys are tried.  
  Don't look at the key ID as stored in the message but try all secret keys in turn to find the right decryption key. This option forces the behaviour as used by anonymous recipients (created by using --throw-keyid) and might come handy in case where an encrypted message contains a bogus key ID.  
  -N, --notation-data name=value      
  Put the name value pair into the signature as notation data. Name must consist only of alphanumeric characters, digits or the underscore; the first character must not be a digit. Value may be any printable string; it will be encoded in UTF8, so you should check that your --charset is set correctly. If you prefix name with an exclamation mark, the notation data will be flagged as critical (rfc2440:  
  This option changes the behavior of cleartext signatures so that they can be used for patch files. You should not send such an armored file via email because all spaces and line endings are hashed too. You can not use this option for data which has 5 dashes at the beginning of a line, patch files don't have this. A special armor header line tells GnuPG about this cleartext signature option.  
  Because some mailers change lines starting with "From " to "<From " it is good to handle such lines in a special way when creating cleartext signatures. All other PGP versions do it this way too. This option is not enabled by default because it would violate rfc2440.   
  --set-filename string        
  Use string as the name of file which is stored in messages.  
  Try to create a file with a name as embedded in the data. This can be a dangerous option as it allows to overwrite files.   
  This options enables a mode in which filenames of the form "-&n," where n is a non-negative decimal number, refer to the file descriptor n and not to a file with that name.   

Home [frames]        Home [no frames]

2000, 2001, 2002 Eric L. Howes (