This document shows how to use the command line to work with PGP (GPG) for encryption.
Use the following shell command:
Answer the prompts; I typically accept all defaults, which is 2048-bit RSA. Memorize your long passphrase and never tell it to anyone, ever.
Document your new 'KeyID'.
This is also a quick way to determine a 'KeyID'.
The following process may also be used to validate a private key's passphrase:
gpg --local-user <KEYID> -as
It will prompt for the passphrase up to three times until a valid one is entered, then read your message from the terminal. Press ctrl-d to end the message. Note that -a -s produces an ASCII-armored message that is signed with your key, not encrypted; encrypting for a recipient requires -e -r <recipient>.
Alternatively you may encrypt any file (text or binary) using a command like this:
gpg --local-user <KEYID> -as <file>
This will prompt for your passphrase and, on success, write <file>.asc next to the original.
For example, let's process the fake test file 'secret-raw-payload.txt' using the following command:
gpg --local-user MYKEYID1 -as secret-raw-payload.txt
To decrypt (or verify) a message, run:
gpg -d <encrypted asc message file>
Optionally omit the file name and paste the armored message directly into the terminal, ending it with ctrl-d.
To export a public key for transportation or sharing, run this:
gpg --export -a <KeyID>
This will output the public key for a given KeyID as ASCII armor, which may be shared and distributed to anyone.
To export a private key for transportation or backup, run this:
gpg --export-secret-key -a <KeyID>
This will output the private key for a given KeyID as ASCII armor, which must be safely guarded.
To import a public key, run:
gpg --import <public key file>
This adds the public key in the file to your public keyring. Alternatively you may omit the file and paste the public key directly into the command prompt.
To import a private key, run:
gpg --allow-secret-key-import --import <private key file>
This adds the private key in the file to your private keyring (--allow-secret-key-import is accepted for compatibility but is a no-op in GnuPG 2; --import alone is enough). Alternatively you may omit the file and paste the private key directly into the command prompt.
To delete a key pair, remove the secret key first; gpg refuses to delete a public key while its secret key is still present:
gpg --delete-secret-key <KeyID>
gpg --delete-key <KeyID>
To edit a key's trust level (for instance to ultimately trust your own key), open the key in the interactive editor and answer the prompts:
gpg --edit-key <KeyID>
gpg> trust
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit
If you want to encrypt a directory instead of a file, use the gpg-zip tool (deprecated in favour of gpgtar, but still present on many systems). It tars the directory and encrypts the archive to the given recipient:
gpg-zip --encrypt --recipient <KeyID> ~/home/user/secret-files > ~/home/user/secret-files.gpg-zip
If you want to use a single shared passphrase instead of a key pair, use the --symmetric flag. It will prompt you for the passphrase twice:
gpg-zip --symmetric ~/.password-store > password-store.gpg-zip
- List the contents of the specified archive.
- Decrypt the archive. gpg-zip --decrypt extracts the tar contents into the current directory rather than writing a single file:
gpg-zip --decrypt password-store.gpg-zip
- create a gpg key pair
- encrypt a test file
- decrypt a test file
- export public and private key pair
- delete public and private key pair
- re-import public and private key pair
- try to decrypt test file again
- The keyring files are binary and exist in ~/.gnupg.
If you are reinstalling your operating system from scratch, make sure to delete the ~/.gnupg directory prior to restoring it from your backup; otherwise the keys will not load properly.
Verify the restore by running: