-o|--output                 Specify output file
  -a|--armor                  Create ascii output
  -u|--local-user <name>      Specify key for signing
  -r|--recipient              Encrypt for user

Generate new keypair

gpg --full-generate-key

List keys

gpg -k / --list-key               # public keys
gpg -K / --list-secret-keys       # secret keys

Edit keys

gpg --edit-key <KEY ID>

Gives prompt to modify KEY ID, common commands:

help         show help
save         save & quit

list         list keys and user IDs
key <N>      select subkey <N>
uid <N>      select user ID <N>

expire       change expiration of selected key

adduid       add user ID
deluid       delete selected user ID

addkey       add subkey
delkey       delete selected subkey

Export & Import Keys

gpg --export --armor --output <KEY.PUB> <KEY ID>
gpg --export-secret-key --armor --output <KEY.PRIVATE> <KEY ID>
gpg --import <FILE>

Search & Send keys

gpg --keyserver <SERVER> --send-keys <KEY ID>
gpg --keyserver <SERVER> --search-keys <KEY ID>

Encrypt (passphrase)

Encrypt file using passphrase and write encrypted data to <file>.gpg.

gpg --symmetric <file>

# Decrypt using passphrase
gpg -o <file> --decrypt <file>.gpg

Encrypt (public key)

Encrypt file with public key of specified recipient and write encrypted data to <file>.gpg.

gpg --encrypt -r <file>

# Decrypt at foos side (private key required)
gpg -o <file> --decrypt <file>.gpg


Generate a signed file and write to <file>.gpg.

# Sign with private key of
gpg --sign -u <file>

# Verify with public key of
gpg --verify <file>

# Extract content from signed file
gpg -o <file> --decrypt <file>.gpg

Without -u use first private key in list gpg -K for signing.

Files can also be signed and encrypted at once, gpg will first sign the file and then encrypt it.

gpg --sign --encrypt -r <recipient> <file>

Signing (detached)

Generate a detached signature and write to <file>.asc. Send <file>.asc along with <file> when distributing.

gpg --detach-sign --armor -u <file>

# Verify
gpg --verify <file>.asc <file>

Without -u use first private key in list gpg -K for signing.


  • sec secret key
  • ssb secret subkey
  • pub public key
  • sub public subkey

Key usage flags:

  • [S] signing
  • [C] create certificates
  • [E] encrypting
  • [A] authentication


  • hkps://


List basic key information from file with long keyids

gpg --keyid-format 0xlong <key.asc>

Extend expiring key

gpg --edit-key <key id>

# By default we are on the primary key, can switch to sub key.
gpg> key 1

# Update the expire date.
gpg> expire

gpg> save

# Update keyserver(s) and/or export new pub keyfile.