GnuPG - Key Management

Table of Contents

Commands

Key Generation

Export & Importing Keys

Listing Keys

Editing Keys

Signing Keys

Removing/Revoking Keys

Trust Management

Keyservers

Options

General

Keys & Keyrings

Algorithms / Hashes

Compatibility

Key Signatures / Certification

Trust Management

Key Signature Notation / Policy URLs

Keyservers

Photo IDs

Return to Index

GPG is the main program for the GnuPG system.

This man page only lists the commands and options available. For more verbose documentation get the GNU Privacy Handbook (GPH) or one of the other documents at http://www.gnupg.org/documentation/ .

Please remember that option parsing stops as soon as a non option is encountered, you can explicitly stop option parsing by using the special option "--".

Commands

GPG recognizes these commands:

Key Generation		(Options \| Options)

	--gen-key		*Example*

	Generate a new key pair. This command is normally only used interactively. There is an experimental feature which allows you to create keys in batch mode. See the file doc/DETAILS in the source distribution on how to use this.

Exporting & Importing Keys		(Options \| Options \| Options \| Options)

	--export names		*Example*

	Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to stdout or to the file given with option "output". Use together with --armor to mail those keys.

	--export-all names

	Same as --export, but also exports keys which are not compatible with OpenPGP.

	--export-secret-keys names --export-secret-subkeys names		*Example*

	Same as --export, but exports the secret keys instead. This is normally not very useful and a security risk. The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. See the option --simple-sk-checksum if you want to import such an exported key with an older OpenPGP implementation.

	--import files --fast-import files		*Example \| Example \| Example*

	Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym. There are a few other options which control how this command works. Most notable here is the --merge-only option which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys.

Listing Keys		(Options \| Options \| Options)

	--list-keys names --list-public-keys names		Example

	List all keys from the public keyrings, or just the ones given on the command line. (See also --edit-key)

	--list-secret-keys names		*Example*

	List all keys from the secret keyrings, or just the ones given on the command line.

	--list-sigs names		*Example \| Example \| Example*

	Same as --list-keys, but the signatures are listed too.

	--check-sigs names		*Example*

	Same as --list-sigs, but the signatures are verified. (See also --edit-key \| check)

	--fingerprint names		*Example*

	List all keys with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs. If this command is given twice, the fingerprints of all secondary keys are listed too. (See also --edit-key \| fpr)

Editing Keys

(Options)

--edit-key name

Example

Present a menu which enables you to do all key related tasks:

toggle	Toggle between public and secret key listing.	*Example*
fpr	List key with its fingerprint. (See also --fingerprint)	*Example*
check	Check all selected user ids. (See also --check-sigs)	*Example*
sign	Make a signature on key of user name If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again, together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with -u. (See also --sign-key)	*Example*
lsign	Same as --sign but the signature is marked as non-exportable and will therefore never be used by others. This may be used to make keys valid only in the local environment. (See also --lsign-key)
nrsign	Same as --sign but the signature is marked as non-revocable and can therefore never be revoked. (See also --nrsign-key)
nrlsign	Combines the functionality of nrsign and lsign to make a signature that is both non-revocable and non-exportable.
revsig	Revoke a signature. GnuPG asks for every signature which has been done by one of the secret keys, whether a revocation certificate should be generated.	*Example*
trust	Change the owner trust value. This updates the trust-db immediately and no save is required.	*Example*
adduid	Create an alternate user id.	*Example*
deluid	Delete a user id.	*Example*
primary	Flag the current user id as the primary one, removes the primary user id flag from all other user ids and sets the timestamp of all affected self-signatures one second ahead. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.	*Example*
uid n	Toggle selection of user id with index n. Use 0 to deselect all.
addkey	Add a subkey to this key.	*Example*
delkey	Remove a subkey.	*Discussion*
revkey	Revoke a subkey.	*Discussion*
key n	Toggle selection of subkey with index n. Use 0 to deselect all.
expire	Change the key expiration time. If a key is selected, the time of this key will be changed. With no selection the key expiration of the primary key is changed.	*Discussion*
addrevoker	Add a designated revoker. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default (see export-options). (See also --desig-revoke) [Note: new in 1.0.7a]
passwd	Change the passphrase of the secret key.	*Example*
disable / enable	Disable or enable an entire key. A disabled key can normally not be used for encryption.
pref	List preferences from the selected user ID. This shows the actual preferences, without including any implied preferences.	*Example*
showpref	More verbose preferences listing for the selected user ID. This shows the preferences in effect by including the implied preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed (compression) if they are not already included in the preference list.	*Example \| Example*
setpref string	Set the list of user ID preferences to string. This should be a string similar to the one printed by pref. Using an empty string will set the default preference string, using "none" will set the preferences to nil. Use gpg -v --version to get a list of available algorithms. (See also default-preference-list for a table of acceptable preferences.) This command just initializes an internal list and does not change anything unless another command (such as updpref) which changes the self-signatures is used. (The MDC feature flag is also supported and can be set -- see GnuPG 1.0.7 released.)	*Example*
updpref	Change the preferences of all user IDs (or just of the selected ones) to the current list of preferences. The timestamp of all affected self-signatures will be advanced by one second. Note that while you can change the preferences on an attribute user ID (aka "photo ID"), GnuPG does not select keys via attribute user IDs so these preferences will not be used by GnuPG.	*Example*
addphoto	Create a photographic user id.
showphoto	Display the selected photographic user id.
save	Save all changes to the key rings and quit.	*Discussion*
quit	Quit the program without updating the key rings.	*Example*

The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:

-	No ownertrust assigned / not yet calculated.
e	Trust calculation has failed; probably due to an expired key.
q	Not enough information for calculation.
n	Never trust this key.
m	Marginally trusted.
f	Fully trusted.
u	Ultimately trusted.

Signing Keys		(Options \| Options \| Options \| Options)

	--sign-key name		*Example \| Example*

	Signs a public key with your secret key. This is a shortcut version of the subcommand sign from --edit-key.

	--lsign-key name

	Signs a public key with your secret key but marks it as non-exportable. This is a shortcut version of the subcommand lsign from --edit-key.

	--nrsign-key name

	Signs a public key with your secret key but marks it as non-revocable. This is a shortcut version of the subcommand nrsign from --edit-key.

Removing / Revoking Keys		(Options)

	--delete-key name		Example

	Remove key from the public keyring. In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys.

	--delete-secret-key name

	Remove key from the secret and public keyring. In batch mode the key must be specified by fingerprint.

	--delete-secret-and-public-key name		*Example*

	Same as --delete-key, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint.

	--gen-revoke		*Example*

	Generate a revocation certificate for the complete key. To revoke a subkey or a signature, use the subcommands revkey or revsig from --edit-key.

	--desig-revoke

	Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone elses key. (See also --edit-key \| addrevoker)

Trust Management		(Options \| Options)

	--update-trustdb

	Do trust DB maintenance. This command goes over all keys and builds the Web-of-Trust. This is an interactive command because it may has to ask for the "ownertrust" values of keys. The user has to give an estimation in how far she trusts the owner of the displayed key to correctly certify (sign) other keys. It does only ask for that value if it has not yet been assigned to a key. Using the edit menu, that value can be changed at any time later.

	--check-trustdb

	Do trust DB maintenance without user interaction. Form time to time the trust database must be updated so that expired keys and resulting changes in the Web-of-Trust can be tracked. GnuPG tries to figure when this is required and then does it implicitly; this command can be used to force such a check. The processing is identically to that of --update-trustdb but it skips keys with a not yet defined "ownertrust". For use with cron jobs, this command can be used together with --batch in which case the check is only done when it is due. To force a run even in batch mode add the option --yes.

	--export-ownertrust file

	Store the ownertrust values into file (or stdin if not given). This is useful for backup purposes as these values are the only ones which can't be re-created from a corrupted trust DB.

	--import-ownertrust files

	Update the trustdb with the ownertrust values stored in files (or stdin if not given); existing values will be overwritten.

Keyservers		(Options \| Options \| Options)

	--send-keys names

	Same as --export but sends the keys to a keyserver. Option --keyserver must be used to give the name of this keyserver. Don't send your complete keyring to a keyserver. Select only those keys which are new or changed by you.

	--recv-keys key_IDs

	Import the keys with the given key_IDs from a keyserver. Option --keyserver must be used to give the name of this keyserver.

	--search-keys names

	Search the keyserver for the given names. Multiple names given here will be joined together to create the search string for the keyserver. Option --keyserver must be used to give the name of this keyserver.

Options

Starting with GnuPG 1.1.92 (incl. GnuPG 1.2.1, 1.2.0 and 1.1.92), long options can be put in an options file (default "~/.gnupg/gpg.conf"). In GnuPG versions up through GnuPG 1.1.91 (incl. 1.0.6, 1.0.7, and 1.1.91), long options can be put in an "old style" configuration file (default "~/.gnupg/options").

Short option names will not work -- for example, armor is a valid option for the options file, while a is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash as the first non-white-space character are ignored. Commands may be put in this file too, but that does not make sense.

GPG recognizes these options:

General

	-a, --armor

	Create ASCII armored output.

	-o, --output file

	Write output to file.

	-u, --local-user name

	Use name as the user ID to sign. This option is silently ignored for the list commands, so that it can be used in an options file.

Keys & Keyrings

--show-keyring

Causes --list-keys, --list-public-keys, and --list-secret-keys to display the name of the keyring a given key resides on. This is only useful when you're listing a specific key or set of keys. It has no effect when listing all keys.

--keyring file

Add file to the list of keyrings. If file begins with a tilde and a slash, these are replaced by the HOME directory. If the filename does not contain a slash, it is assumed to be in the home-directory ("~/.gnupg" if --homedir is not used). The filename may be prefixed with a scheme:

"gnupg-ring:" is the default one.

It might make sense to use it together with --no-default-keyring.

--secret-keyring file

Same as --keyring but for the secret keyrings.

--no-default-keyring

Do not add the default keyrings to the list of keyrings.

--merge-only

Don't insert new keys into the keyrings while doing an import.

--allow-secret-key-import

Discussion

This is an obsolete option and is not used anywhere.

--import-options parameters

This is a space or comma delimited string that gives options for importing keys. Options can be prepended with a "no-" to give the opposite meaning. The options are:

	allow-local-sigs	Allow importing key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.
	repair-hkp-subkey-bug	During import, attempt to repair the HKP keyserver mangling multiple subkeys bug. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. Defaults to no for regular --import and to yes for keyserver --recv-keys.

--export-options parameters

This is a space or comma delimited string that gives options for exporting keys. Options can be prepended with a "no-" to give the opposite meaning. The options are:

	include-non-rfc	Include non-RFC compliant keys in the export. Defaults to yes.
	include-local-sigs	Allow exporting key signatures marked as "local." This is not generally useful unless a shared keyring scheme is being used. Defaults to no.
	include-attributes	Include attribute user IDs (photo IDs) while exporting. This is useful to export keys if they are going to be used by an OpenPGP program that does not accept attribute user IDs. Defaults to yes.
	include-sensitive-revkeys	Include designated revoker information that was marked as "sensitive." Defaults to no.

--preserve-permissions

Don't change the permissions of a secret keyring back to user read/write only. Use this option only if you really know what you are doing.

--with-colons

Print key listings delimited by colons. Note, that the output will be encoded in UTF-8 regardless of any --charset setting.

--with-key-data

Print key listings delimited by colons (like --with-colons) and print the public key data.

--with-fingerprint