gpg [--homedir name] [--options file] [options] command [args]
gpg is the main program for the GnuPG system.
This man page only lists the commands and options available. For more verbose documentation get the GNU Privacy Handbook (GPH) or one of the other documents at http://www.gnupg.org/documentation/ .
Please remember that option parsing stops as soon as a non-option is encountered; you can explicitly stop option parsing by using the special option "--".
gpg may be run with no commands, in which case it will perform a reasonable action depending on the type of file it is given as input (an encrypted message is decrypted, a signature is verified, a file containing keys is listed).
-s, --sign [file]
  Make a signature. This command may be combined with --encrypt (for a signed and encrypted message), --symmetric (for a signed and symmetrically encrypted message), or --encrypt and --symmetric together (for a signed message that may be decrypted via a secret key or a passphrase).

--clearsign [file]
  Make a clear text signature. The content in a clear text signature is readable without any special software. OpenPGP software is only needed to verify the signature. Clear text signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible.

-b, --detach-sign [file]
  Make a detached signature.

-e, --encrypt [file]
  Encrypt data. This option may be combined with --sign (for a signed and encrypted message), --symmetric (for a message that may be decrypted via a secret key or a passphrase), or --sign and --symmetric together (for a signed message that may be decrypted via a secret key or a passphrase).

-c, --symmetric [file]
  Encrypt with a symmetric cipher using a passphrase. The default symmetric cipher used is CAST5, but may be chosen with the --cipher-algo option. This option may be combined with --sign (for a signed and symmetrically encrypted message), --encrypt (for a message that may be decrypted via a secret key or a passphrase), or --sign and --encrypt together (for a signed message that may be decrypted via a secret key or a passphrase).

--store [file]
  Store only (make a simple RFC1991 packet).

-d, --decrypt [file]
  Decrypt file (or stdin if no file is specified) and write it to stdout (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message.

--verify [[sigfile] [signed-files]]
  Assume that sigfile is a signature and verify it without generating any output. With no arguments, the signature packet is read from stdin. If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed stuff is expected in a file without the ".sig" or ".asc" extension. With more than 1 argument, the first should be a detached signature and the remaining files are the signed stuff. To read the signed stuff from stdin, use - as the second filename. For security reasons a detached signature cannot read the signed material from stdin without denoting it in the above way.

--multifile
  This modifies certain other commands to accept multiple files for processing on the command line or read from stdin with each filename on a separate line. This allows for many files to be processed at once. --multifile may currently be used along with --verify, --encrypt, and --decrypt. Note that --multifile --verify may not be used with detached signatures.

--verify-files [files]
  Identical to --multifile --verify.

--encrypt-files [files]
  Identical to --multifile --encrypt.

--decrypt-files [files]
  Identical to --multifile --decrypt.

--list-keys [names]
--list-public-keys [names]
  List all keys from the public keyrings, or just the ones given on the command line.

  Avoid using the output of this command in scripts or other programs as it is likely to change as GnuPG changes. See --with-colons for a machine-parseable key listing command that is appropriate for use in scripts and other programs.
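The note above recommends --with-colons over the human-readable listing for anything scripted. As an added example (not part of the gpg manual), the shell/awk filter below consumes a --with-colons listing and reports, for each primary key, its fingerprint, its validity and its first user ID, so that revoked or expired keys can be spotted before they are used. The sample listing is constructed for this demo, the function names (`sample_listing`, `summarize_keys`) are hypothetical, and the field positions follow the layout documented in doc/DETAILS.

```shell
#!/bin/sh
# Added example, not from the gpg man page: parse the machine-readable
# output of `gpg --with-colons --fixed-list-mode --list-keys`.
# Sample data and function names are constructed for this demo.
set -eu

# Constructed --with-colons listing: one valid, one expired, one revoked key.
# Field 1 is the record type, field 2 the validity, field 5 the key ID,
# field 6/7 creation/expiry (epoch seconds), field 10 the fingerprint on
# "fpr" records and the user ID on "uid" records.
sample_listing() {
    cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:u:4096:1:5A2B3C4D5E6F7A8B:1600000000:::u:::scESC::::::23::0:
fpr:::::::::1111222233334444555566665A2B3C4D5E6F7A8B:
uid:u::::1600000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.invalid>::::::::::0:
sub:u:4096:1:0F1E2D3C4B5A6978:1600000000::::::e::::::23:
pub:e:2048:1:ABCDEF0123456789:1400000000:1600000000::-:::scESC::::::23::0:
fpr:::::::::999988887777666655554444ABCDEF0123456789:
uid:e::::1400000000::0000000000000000000000000000000000000000::Bob Expired <bob@example.invalid>::::::::::0:
pub:r:2048:1:0123456789ABCDEF:1500000000:::-:::sc::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF:
uid:r::::1500000000::1234567890ABCDEF1234567890ABCDEF12345678::Carol Revoked <carol@example.invalid>::::::::::0:
EOF
}

# Reads a --with-colons listing on stdin; prints "FINGERPRINT STATUS USERID"
# per primary key. Only the first fpr/uid record after each pub is used, so
# subkey fingerprints (also "fpr" records in newer versions) are skipped.
# Colons inside user IDs are escaped as \x3a by gpg, so splitting on ":" is safe.
summarize_keys() {
    awk -F: '
        function status(v) {
            if (v == "r") return "revoked"
            if (v == "e") return "expired"
            if (v == "d") return "disabled"
            if (v == "f" || v == "u") return "valid"
            return "unverified"
        }
        function emit() {
            if (keyid != "") print fpr, st, uid
            keyid = ""; fpr = ""; uid = ""
        }
        $1 == "pub" { emit(); keyid = $5; st = status($2); want_fpr = 1; want_uid = 1 }
        $1 == "fpr" && want_fpr { fpr = $10; want_fpr = 0 }
        $1 == "uid" && want_uid { uid = $10; want_uid = 0 }
        END { emit() }
    '
}

# Demo run on the constructed sample; with a real keyring you would pipe
#   gpg --with-colons --fixed-list-mode --list-keys | summarize_keys
sample_listing | summarize_keys
```

Keys reported as revoked, expired or disabled should be refused as encryption targets and their signatures treated as unverifiable, regardless of what the human-readable listing looks like.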
-K, --list-secret-keys [names]
  List all keys from the secret keyrings, or just the ones given on the command line. A # after the letters sec means that the secret key is not usable (for example, if it was created via --export-secret-subkeys).

--list-sigs [names]
  Same as --list-keys, but the signatures are listed too.

  For each signature listed, there are several flags in between the "sig" tag and keyid. These flags give additional information about each signature. From left to right, they are the numbers 1-3 for certificate check level (see --ask-cert-level), "L" for a local or non-exportable signature (see --lsign-key), "R" for a nonRevocable signature (see the --edit-key command "nrsign"), "P" for a signature that contains a policy URL (see --cert-policy-url), "N" for a signature that contains a notation (see --cert-notation), "X" for an eXpired signature (see --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above to indicate trust signature levels (see the --edit-key command "tsign").

--check-sigs [names]
  Same as --list-sigs, but the signatures are verified.

--fingerprint [names]
  List all keys with their fingerprints. This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs. If this command is given twice, the fingerprints of all secondary keys are listed too.

--list-packets
  List only the sequence of packets. This is mainly useful for debugging.

--gen-key
  Generate a new key pair. This command is normally only used interactively.

  There is an experimental feature which allows you to create keys in batch mode. See the file doc/DETAILS in the source distribution on how to use this.
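The following script, added here as an example and not taken from the gpg manual, ties together the batch key generation mentioned above with --detach-sign and --verify, including the explicit "-" form that --verify requires when the signed data comes from stdin. Everything happens in a throw-away --homedir so the user's real keyring is never touched. It assumes GnuPG 2.1 or later (the %no-protection control line and gpgconf --kill), and the function names, the key's name/e-mail and the sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the gpg man page: unattended key generation, a
# detached signature, and verification of intact and tampered data.
# Assumes GnuPG 2.1+. Function names and sample data are hypothetical.
set -eu

new_scratch_home() {        # prints the path of a fresh, private GNUPGHOME
    d=$(mktemp -d)
    chmod 700 "$d"           # gpg warns about (and may refuse) looser permissions
    echo "$d"
}

gen_test_key() {            # $1 = GNUPGHOME; parameter format from doc/DETAILS
    # %no-protection skips the passphrase so the demo is non-interactive;
    # never do that for a key you intend to keep.
    gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
}

detach_sign() {             # $1 = GNUPGHOME, $2 = file to sign, $3 = signature output
    gpg --homedir "$1" --batch --yes --quiet --local-user signer@example.invalid \
        --detach-sign --output "$3" "$2" 2>/dev/null
}

check_sig() {               # $1 = GNUPGHOME, $2 = sigfile, $3 = signed file -> GOOD or BAD
    if gpg --homedir "$1" --batch --verify "$2" "$3" >/dev/null 2>&1
    then echo GOOD; else echo BAD; fi
}

check_sig_stdin() {         # same, with the signed data on stdin, named "-" as the manual requires
    if gpg --homedir "$1" --batch --verify "$2" - < "$3" >/dev/null 2>&1
    then echo GOOD; else echo BAD; fi
}

cleanup_home() {            # stop the agent gpg started for this home, then remove it
    gpgconf --homedir "$1" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$1"
}

run_demo() {                # echoes "GOOD GOOD BAD" when everything behaves
    home=$(new_scratch_home)
    work=$(mktemp -d)
    printf 'release-1.0 contents\n' > "$work/release.tar"   # constructed payload
    gen_test_key "$home"
    detach_sign "$home" "$work/release.tar" "$work/release.tar.sig"
    r1=$(check_sig "$home" "$work/release.tar.sig" "$work/release.tar")
    r2=$(check_sig_stdin "$home" "$work/release.tar.sig" "$work/release.tar")
    printf 'X' >> "$work/release.tar"     # tamper with one byte: the signature must now fail
    r3=$(check_sig "$home" "$work/release.tar.sig" "$work/release.tar")
    cleanup_home "$home"
    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not installed" >&2; fi
```

The exit status of gpg --verify is what a script should act on: zero only for a good signature, non-zero for a bad one, and the BAD result after the single-byte change is the whole point of a detached signature over a release artifact.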
--edit-key name
  Present a menu which enables you to do all key related tasks:

  Note that "l" (for local / non-exportable), "nr" (for non-revocable), and "t" (for trust) may be freely mixed and prefixed to "sign" to create a signature of any type desired.

  The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. Letters are used for the values:
--card-edit
  Present a menu to work with a smartcard. The subcommand "help" provides an overview on available commands. For a detailed description, please see the Card HOWTO at http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

--card-status
  Show the content of the smart card.

--change-pin
  Present a menu to allow changing the PIN of a smartcard. This functionality is also available as the subcommand "passwd" with the --card-edit command.

--sign-key name
  Signs a public key with your secret key. This is a shortcut version of the subcommand "sign" from --edit.

--lsign-key name
  Signs a public key with your secret key but marks it as non-exportable. This is a shortcut version of the subcommand "lsign" from --edit.

--delete-key name
  Remove key from the public keyring. In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys.

--delete-secret-key name
  Remove key from the secret and public keyring. In batch mode the key must be specified by fingerprint.

--delete-secret-and-public-key name
  Same as --delete-key, but if a secret key exists, it will be removed first. In batch mode the key must be specified by fingerprint.

--gen-revoke name
  Generate a revocation certificate for the complete key. To revoke a subkey or a signature, use the --edit command.

--desig-revoke name
  Generate a designated revocation certificate for a key. This allows a user (with the permission of the keyholder) to revoke someone else's key.

--export [names]
  Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to stdout or to the file given with option "output". Use together with --armor to mail those keys.

--send-keys [names]
  Same as --export but sends the keys to a keyserver. Option --keyserver must be used to give the name of this keyserver. Don't send your complete keyring to a keyserver - select only those keys which are new or changed by you.

--export-secret-keys [names]
--export-secret-subkeys [names]
  Same as --export, but exports the secret keys instead. This is normally not very useful and a security risk. The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations cannot be expected to successfully import such a key. See the option --simple-sk-checksum if you want to import such an exported key with an older OpenPGP implementation.

--import [files]
--fast-import [files]
  Import/merge keys. This adds the given keys to the keyring. The fast version is currently just a synonym.

  There are a few other options which control how this command works. Most notable here is the --keyserver-options merge-only option which does not insert new keys but does only the merging of new signatures, user-IDs and subkeys.

--recv-keys key IDs
  Import the keys with the given key IDs from a keyserver. Option --keyserver must be used to give the name of this keyserver.

--refresh-keys [key IDs]
  Request updates from a keyserver for keys that already exist on the local keyring. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring. Option --keyserver must be used to give the name of the keyserver for all keys that do not have preferred keyservers set (see --keyserver-options honor-keyserver-url).

--search-keys names
  Search the keyserver for the given names. Multiple names given here will be joined together to create the search string for the keyserver. Option --keyserver must be used to give the name of this keyserver. Keyservers that support different search methods allow using the syntax specified in "How to specify a user ID" below. Note that different keyserver types support different search methods. Currently only LDAP supports them all.

--fetch-keys URIs
  Retrieve keys located at the specified URIs. Note that different installations of GnuPG may support different protocols (HTTP, FTP, LDAP, etc.)

--update-trustdb
  Do trust database maintenance. This command iterates over all keys and builds the Web of Trust. This is an interactive command because it may have to ask for the "ownertrust" values for keys. The user has to give an estimation of how far she trusts the owner of the displayed key to correctly certify (sign) other keys. GnuPG only asks for the ownertrust value if it has not yet been assigned to a key. Using the --edit-key menu, the assigned value can be changed at any time.

--check-trustdb
  Do trust database maintenance without user interaction. From time to time the trust database must be updated so that expired keys or signatures and the resulting changes in the Web of Trust can be tracked. Normally, GnuPG will calculate when this is required and do it automatically unless --no-auto-check-trustdb is set. This command can be used to force a trust database check at any time. The processing is identical to that of --update-trustdb but it skips keys with a not yet defined "ownertrust".

  For use with cron jobs, this command can be used together with --batch in which case the trust database check is done only if a check is needed. To force a run even in batch mode add the option --yes.

--export-ownertrust
  Send the ownertrust values to stdout. This is useful for backup purposes as these values are the only ones which can't be re-created from a corrupted trust DB.

--import-ownertrust [files]
  Update the trustdb with the ownertrust values stored in files (or stdin if not given); existing values will be overwritten.

--rebuild-keydb-caches
  When updating from version 1.0.6 to 1.0.7 this command should be used to create signature caches in the keyring. It might be handy in other situations too.

--print-md algo [files]
--print-mds [files]
  Print message digest of algorithm ALGO for all given files or stdin. With the second form (or a deprecated "*" as algo) digests for all available algorithms are printed.

--gen-random 0|1|2 [count]
  Emit COUNT random bytes of the given quality level. If count is not given or zero, an endless sequence of random bytes will be emitted. PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system!

--gen-prime mode bits [qbits]
  Use the source, Luke :-). The output format is still subject to change.

--version
  Print version information along with a list of supported algorithms.

--warranty
  Print warranty information.

-h, --help
  Print usage information. This is a really long list even though it doesn't list all options. For every option, consult this manual.
Long options can be put in an options file (default "~/.gnupg/gpg.conf"). Short option names will not work - for example, "armor" is a valid option for the options file, while "a" is not. Do not write the 2 dashes, but simply the name of the option and any required arguments. Lines with a hash (#) as the first non-white-space character are ignored. Commands may be put in this file too, but that is not generally useful as the command will execute automatically with every execution of gpg.
-a, --armor
  Create ASCII armored output.

-o, --output file
  Write output to file.

--max-output n
  This option sets a limit on the number of bytes that will be generated when processing a file. Since OpenPGP supports various levels of compression, it is possible that the plaintext of a given message may be significantly larger than the original OpenPGP message. While GnuPG works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit".
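The size mismatch --max-output guards against is easy to reproduce. The script below, added as an example and not taken from the gpg manual, symmetrically encrypts 16 MiB of zero bytes (GnuPG compresses before encrypting, so the resulting ciphertext is tiny), then decrypts it once without a limit and once with --max-output set to 1 MiB; the second run aborts with a non-zero exit status once the limit is exceeded. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback with --passphrase); the passphrase, file names and function names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the gpg man page: --max-output as a cap on how much
# plaintext a decryption may produce. Assumes GnuPG 2.1+; names are hypothetical.
set -eu

PASS='demo-only-passphrase'      # constructed; protects only throw-away data

encrypt_zeros() {                # $1 = GNUPGHOME, $2 = plaintext path, $3 = ciphertext path
    dd if=/dev/zero of="$2" bs=1048576 count=16 2>/dev/null    # 16 MiB, highly compressible
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
        --symmetric --output "$3" "$2" 2>/dev/null
}

decrypt_limited() {              # $1 = GNUPGHOME, $2 = ciphertext, $3 = byte limit (0 = no limit)
    if gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$PASS" \
           --max-output "$3" --decrypt "$2" >/dev/null 2>&1
    then echo allowed; else echo blocked; fi
}

run_demo() {                     # echoes "allowed blocked"
    home=$(mktemp -d)
    chmod 700 "$home"
    work=$(mktemp -d)
    encrypt_zeros "$home" "$work/zeros.bin" "$work/zeros.bin.gpg"
    echo "plaintext $(wc -c < "$work/zeros.bin") bytes, ciphertext $(wc -c < "$work/zeros.bin.gpg") bytes" >&2
    r1=$(decrypt_limited "$home" "$work/zeros.bin.gpg" 0)          # default: no limit
    r2=$(decrypt_limited "$home" "$work/zeros.bin.gpg" 1048576)    # stop after 1 MiB of output
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$home" "$work"
    echo "$r1 $r2"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not installed" >&2; fi
```

For a service that decrypts untrusted input, setting --max-output to a little above the largest legitimate payload turns an unbounded disk or memory fill into a clean, loggable failure.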
--mangle-dos-filenames
--no-mangle-dos-filenames
  Older versions of Windows cannot handle filenames with more than one dot. --mangle-dos-filenames causes GnuPG to replace (rather than add to) the extension of an output filename to avoid this problem. This option is off by default and has no effect on non-Windows platforms.

-u, --local-user name
  Use name as the key to sign with. Note that this option overrides --default-key.

--default-key name
  Use name as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option.

-r, --recipient name
  Encrypt for user id name. If this option or --hidden-recipient is not specified, GnuPG asks for the user-id unless --default-recipient is given.

-R, --hidden-recipient name
  Encrypt for user ID name, but hide the key ID of this user's key. This option helps to hide the receiver of the message and is a limited countermeasure against traffic analysis. If this option or --recipient is not specified, GnuPG asks for the user ID unless --default-recipient is given.

--default-recipient name
  Use name as default recipient if option --recipient is not used and don't ask if this is a valid one. name must be non-empty.

--default-recipient-self
  Use the default key as default recipient if option --recipient is not used and don't ask if this is a valid one. The default key is the first one from the secret keyring or the one set with --default-key.

--no-default-recipient
  Reset --default-recipient and --default-recipient-self.

--encrypt-to name
  Same as --recipient but this one is intended for use in the options file and may be used with your own user-id as an "encrypt-to-self". These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used.

--hidden-encrypt-to name
  Same as --hidden-recipient but this one is intended for use in the options file and may be used with your own user-id as a hidden "encrypt-to-self". These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used.

--no-encrypt-to
  Disable the use of all --encrypt-to and --hidden-encrypt-to keys.

-v, --verbose
  Give more information during processing. If used twice, the input data is listed in detail.

-q, --quiet
  Try to be as quiet as possible.

-z n
--compress-level n
--bzip2-compress-level n
  Set compression level to n for the ZIP and ZLIB compression algorithms. The default is to use the default compression level of zlib (normally 6). --bzip2-compress-level sets the compression level for the BZIP2 compression algorithm (defaulting to 6 as well). This is a different option from --compress-level since BZIP2 uses a significant amount of memory for each additional compression level. -z sets both. A value of 0 for n disables compression.

--bzip2-decompress-lowmem
  Use a different decompression method for BZIP2 compressed files. This alternate method uses a bit more than half the memory, but also runs at half the speed. This is useful under extreme low memory circumstances when the file was originally compressed at a high --bzip2-compress-level.

-t, --textmode
--no-textmode
  Treat input files as text and store them in the OpenPGP canonical text form with standard "CRLF" line endings. This also sets the necessary flags to inform the recipient that the encrypted or signed data is text and may need its line endings converted back to whatever the local system uses. This option is useful when communicating between two platforms that have different line ending conventions (UNIX-like to Mac, Mac to Windows, etc). --no-textmode disables this option, and is the default.

  If -t (but not --textmode) is used together with armoring and signing, this enables clearsigned messages. This kludge is needed for command-line compatibility with command-line versions of PGP; normally you would use --sign or --clearsign to select the type of the signature.

-n, --dry-run
  Don't make any changes (this is not completely implemented).

-i, --interactive
  Prompt before overwriting any files.

--batch
--no-batch
  Use batch mode. Never ask, do not allow interactive commands. --no-batch disables this option.

--no-tty
  Make sure that the TTY (terminal) is never used for any output. This option is needed in some cases because GnuPG sometimes prints warnings to the TTY if --batch is used.

--yes
  Assume "yes" on most questions.

--no
  Assume "no" on most questions.

--ask-cert-level
--no-ask-cert-level
  When making a key signature, prompt for a certification level. If this option is not specified, the certification level used is set via --default-cert-level. See --default-cert-level for information on the specific levels and how they are used. --no-ask-cert-level disables this option. This option defaults to no.

--default-cert-level n
  The default to use for the check level when signing a key.

  0 means you make no particular claim as to how carefully you verified the key.

  1 means you believe the key is owned by the person who claims to own it but you could not, or did not verify the key at all. This is useful for a "persona" verification, where you sign the key of a pseudonymous user.

  2 means you did casual verification of the key. For example, this could mean that you verified the key fingerprint and checked the user ID on the key against a photo ID.

  3 means you did extensive verification of the key. For example, this could mean that you verified the key fingerprint with the owner of the key in person, and that you checked, by means of a hard to forge document with a photo ID (such as a passport) that the name of the key owner matches the name in the user ID on the key, and finally that you verified (by exchange of email) that the email address on the key belongs to the key owner.

  Note that the examples given above for levels 2 and 3 are just that: examples. In the end, it is up to you to decide just what "casual" and "extensive" mean to you.

  This option defaults to 0 (no particular claim).

--min-cert-level
  When building the trust database, treat any signatures with a certification level below this as invalid. Defaults to 2, which disregards level 1 signatures. Note that level 0 "no particular claim" signatures are always accepted.

--trusted-key long key ID
  Assume that the specified key (which must be given as a full 8 byte key ID) is as trustworthy as one of your own secret keys. This option is useful if you don't want to keep your secret keys (or one of them) online but still want to be able to check the validity of a given recipient's or signator's key.
--trust-model pgp|classic|direct|always|auto
  Set what trust model GnuPG should follow. The models are:

--always-trust
  Identical to --trust-model always. This option is deprecated.

--auto-key-locate parameters
--no-auto-key-locate
  GnuPG can automatically locate and retrieve keys as needed using this option. This happens when encrypting to an email address (in the "user@example.com" form), and there are no user@example.com keys on the local keyring. This option takes any number of the following arguments, in the order they are to be tried:

--keyid-format short|0xshort|long|0xlong
  Select how to display key IDs. "short" is the traditional 8-character key ID. "long" is the more accurate (but less convenient) 16-character key ID. Add an "0x" to either to include an "0x" at the beginning of the key ID, as in 0x99242560.

--keyserver name [name=value1 value2 value3 ...]
  Use name as your keyserver. This is the server that --recv-keys, --send-keys, and --search-keys will communicate with to receive keys from, send keys to, and search for keys on. The format of the name is a URI: scheme:[//]keyservername[:port]. The scheme is the type of keyserver: "hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP keyservers, or "mailto" for the Graff email keyserver. Note that your particular installation of GnuPG may have other keyserver types available as well. Keyserver schemes are case-insensitive. After the keyserver name, optional keyserver configuration options may be provided. These are the same as the global --keyserver-options from below, but apply only to this particular keyserver.

  Most keyservers synchronize with each other, so there is generally no need to send keys to more than one server. The keyserver "hkp://subkeys.pgp.net" uses round robin DNS to give a different keyserver each time you use it.

--keyserver-options name=value1 [value2 value3 ...]
  This is a space or comma delimited string that gives options for the keyserver. Options can be prepended with a no- to give the opposite meaning. Valid import-options or export-options may be used here as well to apply to importing (--recv-key) or exporting (--send-key) a key from a keyserver. While not all options are available for all keyserver types, some common options are:

--import-options parameters
  This is a space or comma delimited string that gives options for importing keys. Options can be prepended with a no- to give the opposite meaning. The options are:

--export-options parameters
  This is a space or comma delimited string that gives options for exporting keys. Options can be prepended with a no- to give the opposite meaning. The options are:

--list-options parameters
  This is a space or comma delimited string that gives options used when listing keys and signatures (that is, --list-keys, --list-sigs, --list-public-keys, --list-secret-keys, and the --edit-key functions). Options can be prepended with a no- to give the opposite meaning. The options are:

--verify-options parameters
  This is a space or comma delimited string that gives options used when verifying signatures. Options can be prepended with a no- to give the opposite meaning. The options are:
--enable-dsa2 | |||||||||||||||||||||||||||||
--disable-dsa2 | Enables new-style DSA keys which (unlike the old style) may be largerthan 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Notethat very few programs currently support these keys and signaturesfrom them. | ||||||||||||||||||||||||||||
--show-photos | |||||||||||||||||||||||||||||
--no-show-photos | Causes --list-keys, --list-sigs, --list-public-keys,--list-secret-keys, and verifying a signature to also display thephoto ID attached to the key, if any. See also --photo-viewer. Theseoptions are deprecated. Use --list-options [no-]show-photos and/or--verify-options [no-]show-photos instead. | ||||||||||||||||||||||||||||
--photo-viewer string | This is the command line that should be run to view a photo ID. "%i"will be expanded to a filename containing the photo. "%I" does thesame, except the file will not be deleted once the viewer exits.Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"for the key fingerprint, "%t" for the extension of the image type(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),and "%%" for an actual percent sign. If neither %i or %I are present,then the photo will be supplied to the viewer on standard input. | ||||||||||||||||||||||||||||
The default viewer is "xloadimage -fork -quiet -title KeyID 0x%kstdin". Note that if your image viewer program is not secure, thenexecuting it from GnuPG does not make it secure. | |||||||||||||||||||||||||||||
--exec-path string | Sets a list of directories to search for photo viewers and keyserver helpers. If not provided, keyserver helpers use the compiled-in default directory, and photo viewers use the $PATH environment variable. Note that on W32 systems this value is ignored when searching for keyserver helpers.
--show-keyring | Display the keyring name at the head of key listings to show which keyring a given key resides on. This option is deprecated: use --list-options [no-]show-keyring instead.
--keyring file | Add file to the current list of keyrings. If file begins with a tilde and a slash, these are replaced by the $HOME directory. If the filename does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used).
 | Note that this adds a keyring to the current list. If the intent is to use the specified keyring alone (for example, to verify against a pinned set of keys and nothing else), use --keyring along with --no-default-keyring.
--secret-keyring file | Same as --keyring but for the secret keyrings.
--primary-keyring file | Designate file as the primary public keyring. This means that newly imported keys (via --import or keyserver --recv-from) will go to this keyring.
--trustdb-name file | Use file instead of the default trustdb. If file begins with a tilde and a slash, these are replaced by the $HOME directory. If the filename does not contain a slash, it is assumed to be in the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME is not used).
--homedir directory | Set the name of the home directory to directory. If this option is not used it defaults to "~/.gnupg". It does not make sense to use this in an options file. This also overrides the environment variable $GNUPGHOME.
--pcsc-driver file | Use file to access the smartcard reader. The current default is libpcsclite.so.1 for GLIBC based systems, /System/Library/Frameworks/PCSC.framework/PCSC for Mac OS X, winscard.dll for Windows and libpcsclite.so for other systems.
--ctapi-driver file | Use file to access the smartcard reader. The current default is libtowitoko.so. Note that the use of this interface is deprecated; it may be removed in future releases.
--disable-ccid | Disable the integrated support for CCID compliant readers. This allows falling back to one of the other drivers even if the internal CCID driver can handle the reader. Note that CCID support is only available if libusb was available at build time.
--reader-port number_or_string | This option may be used to specify the port of the card terminal. A value of 0 refers to the first serial device; add 32768 to access USB devices. The default is 32768 (first USB device). PC/SC or CCID readers might need a string here; run the program in verbose mode to get a list of available readers. The default is then the first reader found.
--display-charset name | Set the name of the native character set. This is used to convert some informational strings like user IDs to the proper UTF-8 encoding. Note that this has nothing to do with the character set of data to be encrypted or signed; GnuPG does not recode user supplied data. If this option is not used, the default character set is determined from the current locale. A verbosity level of 3 shows the chosen set. Valid values for name are:
--utf8-strings, --no-utf8-strings | Assume that command line arguments are given as UTF8 strings. The default (--no-utf8-strings) is to assume that arguments are encoded in the character set as specified by --display-charset. These options affect all following arguments. Both options may be used multiple times.
--options file | Read options from file and do not try to read them from the default options file in the homedir (see --homedir). This option is ignored if used in an options file.
--no-options | Shortcut for "--options /dev/null". This option is detected before an attempt to open an option file. Using this option will also prevent the creation of a "~/.gnupg" homedir.
--load-extension name | Load an extension module. If name does not contain a slash it is searched for in the directory configured when GnuPG was built (generally "/usr/local/lib/gnupg"). Extensions are not generally useful anymore, and the use of this option is deprecated.
--debug flags | Set debugging flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042).
--debug-all | Set all useful debugging flags.
--debug-ccid-driver | Enable debug output from the included CCID driver for smartcards. Note that this option is only available on some systems.
--enable-progress-filter | Enable certain PROGRESS status outputs. This option allows frontends to display a progress indicator while gpg is processing larger files. There is a slight performance overhead using it.
--status-fd n | Write special status strings to the file descriptor n. See the file DETAILS in the documentation for a listing of them. Programs that call gpg should base their decisions on these machine-readable lines rather than on the human-readable messages written to stderr or on the exit code alone.
--status-file file | Same as --status-fd, except the status data is written to file file.
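The following is an added example of how a calling program should consume --status-fd output; it is not code from GnuPG or its documentation. It assumes the status keywords (GOODSIG, VALIDSIG, BADSIG, ERRSIG, NO_PUBKEY, EXPSIG, EXPKEYSIG, REVKEYSIG) and the VALIDSIG field order as given in doc/DETAILS for GnuPG 1.4, and it runs gpg with --no-default-keyring --keyring (as described under --keyring above) so that only a pinned keyring is consulted. The status lines, key IDs and fingerprints in the block are constructed, not captured from a real run.

```python
"""Decide whether a gpg signature verification result is acceptable.

Added example (not from the GnuPG man page): gpg is run with --status-fd so
the machine-readable "[GNUPG:] ..." lines, not the human-readable stderr
text, drive the decision.  Assumed VALIDSIG layout (doc/DETAILS, GnuPG 1.4):
  VALIDSIG <fpr> <sig-date> <sig-ts> <exp-ts> <ver> <rsvd> <pkalgo> <hash> <class> [<primary-fpr>]
"""
import subprocess
from typing import Dict, List, Tuple

STATUS_PREFIX = "[GNUPG:] "
# Each of these keywords announces the result of exactly one signature.
RESULT_KEYWORDS = {"GOODSIG", "BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text: str) -> List[Tuple[str, List[str]]]:
    """Split status-fd output into (keyword, arguments) pairs, ignoring other lines."""
    events = []
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if fields:
            events.append((fields[0], fields[1:]))
    return events


def judge(status_text: str, allowed_fingerprints) -> Dict[str, object]:
    """Accept only if exactly one signature result was seen, it is GOODSIG, and
    the VALIDSIG fingerprint (signing key or, when reported, its primary key)
    is one of the pinned fingerprints.  TRUST_* lines are deliberately ignored:
    pinning the fingerprint replaces the web-of-trust decision."""
    allowed = {f.upper().replace(" ", "") for f in allowed_fingerprints}
    events = parse_status(status_text)
    results = [kw for kw, _ in events if kw in RESULT_KEYWORDS]
    if not results:
        missing = [args[0] for kw, args in events if kw == "NO_PUBKEY" and args]
        return {"ok": False, "reason": "no verifiable signature", "missing_keys": missing}
    if len(results) != 1:
        # Concatenated signed blocks (see --allow-multisig-verification): one
        # GOODSIG would not vouch for the whole input, so refuse outright.
        return {"ok": False, "reason": f"{len(results)} signature results, expected 1"}
    if results[0] != "GOODSIG":
        return {"ok": False, "reason": results[0]}
    valid = [args for kw, args in events if kw == "VALIDSIG"]
    if len(valid) != 1:
        return {"ok": False, "reason": "GOODSIG without matching VALIDSIG"}
    fpr = valid[0][0].upper()
    primary = valid[0][9].upper() if len(valid[0]) > 9 else fpr
    if fpr not in allowed and primary not in allowed:
        return {"ok": False, "reason": "signed by unexpected key", "fingerprint": fpr}
    return {"ok": True, "reason": "GOODSIG from pinned key", "fingerprint": fpr}


def verify_detached(keyring: str, signature: str, data: str, allowed_fingerprints):
    """Run gpg against an isolated keyring and judge its status output.
    --no-default-keyring --keyring makes the pinned keyring the only one used;
    --status-fd 1 puts the status lines on stdout so they can be captured."""
    cmd = ["gpg", "--batch", "--no-tty", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", signature, data]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    verdict = judge(proc.stdout, allowed_fingerprints)
    verdict["exit_status"] = proc.returncode
    return verdict


# Constructed sample status output (not real gpg output); fingerprints are dummies.
GOOD = """[GNUPG:] SIG_ID abc 2024-01-01 1704067200
[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED
"""
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
UNKNOWN = "[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1704067200 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"
PINNED = ["0123456789abcdef0123456789abcdef01234567"]

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD), ("unknown", UNKNOWN), ("two", GOOD + GOOD)):
        print(label, judge(text, PINNED))
```

Note that the verdict is taken from the fingerprint in VALIDSIG, not from the key ID in GOODSIG: short and long key IDs can collide or be chosen by an attacker, fingerprints cannot.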
--logger-fd n | Write log output to file descriptor n and not to stderr.
--logger-file file | Same as --logger-fd, except the logger data is written to file file.
--attribute-fd n | Write attribute subpackets to the file descriptor n. This is most useful for use with --status-fd, since the status messages are needed to separate out the various subpackets from the stream delivered to the file descriptor.
--attribute-file file | Same as --attribute-fd, except the attribute data is written to file file.
--comment string, --no-comments | Use string as a comment string in clear text signatures and ASCII armored messages or keys (see --armor). The default behavior is not to use a comment string. --comment may be repeated multiple times to get multiple comment strings. --no-comments removes all comments. It is a good idea to keep the length of a single comment below 60 characters to avoid problems with mail programs wrapping such lines. Note that comment lines, like all other armor header lines, are not protected by the signature.
--emit-version, --no-emit-version | Force inclusion of the version string in ASCII armored output. --no-emit-version disables this option.
--sig-notation name=value, --cert-notation name=value, -N, --set-notation name=value | Put the name value pair into the signature as notation data. name must consist only of printable characters or spaces, and must contain a @ character in the form keyname@domain.example.com (substituting the appropriate keyname and domain name, of course). This is to help prevent pollution of the IETF reserved notation namespace. The --expert flag overrides the @ check. value may be any printable string; it will be encoded in UTF8, so you should check that your --display-charset is set correctly. If you prefix name with an exclamation mark (!), the notation data will be flagged as critical (rfc2440:5.2.3.15). --sig-notation sets a notation for data signatures. --cert-notation sets a notation for key signatures (certifications). --set-notation sets both.
 | There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.
--show-notation, --no-show-notation | Show signature notations in the --list-sigs or --check-sigs listings as well as when verifying a signature with a notation in it. These options are deprecated. Use --list-options [no-]show-notation and/or --verify-options [no-]show-notation instead.
--sig-policy-url string, --cert-policy-url string, --set-policy-url string | Use string as a Policy URL for signatures (rfc2440:5.2.3.19). If you prefix it with an exclamation mark (!), the policy URL packet will be flagged as critical. --sig-policy-url sets a policy url for data signatures. --cert-policy-url sets a policy url for key signatures (certifications). --set-policy-url sets both.
 | The same %-expandos used for notation data are available here as well.
--show-policy-url, --no-show-policy-url | Show policy URLs in the --list-sigs or --check-sigs listings as well as when verifying a signature with a policy URL in it. These options are deprecated. Use --list-options [no-]show-policy-url and/or --verify-options [no-]show-policy-url instead.
--sig-keyserver-url string | Use string as a preferred keyserver URL for data signatures. If you prefix it with an exclamation mark, the keyserver URL packet will be flagged as critical.
 | The same %-expandos used for notation data are available here as well.
--set-filename string | Use string as the filename which is stored inside messages. This overrides the default, which is to use the actual filename of the file being encrypted.
--for-your-eyes-only, --no-for-your-eyes-only | Set the for your eyes only flag in the message. This causes GnuPG to refuse to save the file unless the --output option is given, and PGP to use the "secure viewer" with a Tempest-resistant font to display the message. This option overrides --set-filename. --no-for-your-eyes-only disables this option.
--use-embedded-filename, --no-use-embedded-filename | Try to create a file with the name embedded in the data. This can be a dangerous option, as the embedded name is chosen by whoever produced the message and allows existing files to be overwritten. Defaults to no.
--completes-needed n | Number of completely trusted users to introduce a new key signer (defaults to 1).
--marginals-needed n | Number of marginally trusted users to introduce a new key signer (defaults to 3).
--max-cert-depth n | Maximum depth of a certification chain (default is 5).
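The three options above define the counting rule behind key validity. The block below is an added example, not code from GnuPG, that models that rule on a constructed keyring: a key becomes valid when it carries at least --completes-needed certifications from valid fully trusted keys or at least --marginals-needed from valid marginally trusted keys, and only keys validated within --max-cert-depth hops of an ultimately trusted key count as introducers. It simplifies GnuPG's real computation (validity is tracked per key rather than per user ID, and expiry, revocation and trust signatures are ignored); the key names are made up.

```python
"""Simplified model of how --completes-needed, --marginals-needed and
--max-cert-depth turn ownertrust plus certifications into key validity.

Added example, not code from GnuPG: per key rather than per user ID, and
without expiry, revocation or trust signatures.  Key names are made up.
"""
from typing import Dict

# ownertrust values as the user assigned them with --edit-key / trust
ULTIMATE, FULL, MARGINAL, UNKNOWN = "ultimate", "full", "marginal", "unknown"


def compute_validity(keys: Dict[str, dict], completes_needed: int = 1,
                     marginals_needed: int = 3, max_cert_depth: int = 5) -> Dict[str, int]:
    """keys maps a key name to {"ownertrust": ..., "signed_by": set of signer names}.
    Returns {key: depth} for every key found valid; depth 0 is the user's own
    (ultimately trusted) keys, depth d means d certification hops from them."""
    valid = {name: 0 for name, k in keys.items() if k["ownertrust"] == ULTIMATE}
    for depth in range(1, max_cert_depth + 1):
        newly_valid = {}
        for name, k in keys.items():
            if name in valid:
                continue
            fulls = marginals = 0
            for signer in k["signed_by"]:
                # Only a key that is itself already valid may act as an introducer,
                # and it introduces with the strength of its ownertrust.
                if signer not in valid:
                    continue
                trust = keys[signer]["ownertrust"]
                if trust in (ULTIMATE, FULL):
                    fulls += 1
                elif trust == MARGINAL:
                    marginals += 1
            if fulls >= completes_needed or marginals >= marginals_needed:
                newly_valid[name] = depth
        if not newly_valid:
            break          # nothing changed; deeper rounds cannot add keys
        valid.update(newly_valid)   # batch update: signers only count from the next depth
    return valid


def key(ownertrust: str, *signed_by: str) -> dict:
    return {"ownertrust": ownertrust, "signed_by": set(signed_by)}


# Constructed keyring: "me" is ultimately trusted; m1..m3 are marginal
# introducers; f1/f2/f3 form a chain of fully trusted introducers.
KEYRING = {
    "me": key(ULTIMATE),
    "m1": key(MARGINAL, "me"),
    "m2": key(MARGINAL, "me"),
    "m3": key(MARGINAL, "me"),
    "alice": key(UNKNOWN, "m1", "m2", "m3"),   # three marginals -> valid at depth 2
    "bob": key(UNKNOWN, "m1", "m2"),           # only two marginals -> not valid
    "f1": key(FULL, "me"),
    "f2": key(FULL, "f1"),
    "f3": key(FULL, "f2"),
    "carol": key(UNKNOWN, "f3"),               # depth 4 via the full chain
    "stranger": key(FULL),                     # trusted as introducer, but nobody certified it
}

if __name__ == "__main__":
    for name, depth in sorted(compute_validity(KEYRING).items()):
        print(f"{name:9s} valid at depth {depth}")
```

Two consequences worth noticing in the output: "stranger" never becomes valid although its ownertrust is full, because ownertrust says how much a key's certifications count, not whether the key itself is genuine; and lowering --max-cert-depth to 3 drops "carol", whose only path to "me" is four hops long.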
--cipher-algo name | Use name as cipher algorithm. Running the program with the command --version yields a list of supported algorithms. If this is not used the cipher algorithm is selected from the preferences stored with the key. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-cipher-preferences is the safe way to accomplish the same thing.
--digest-algo name | Use name as the message digest algorithm. Running the program with the command --version yields a list of supported algorithms. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-digest-preferences is the safe way to accomplish the same thing.
--compress-algo name | Use compression algorithm name. "zlib" is RFC-1950 ZLIB compression. "zip" is RFC-1951 ZIP compression which is used by PGP. "bzip2" is a more modern compression scheme that can compress some things better than zip or zlib, but at the cost of more memory used during compression and decompression. "uncompressed" or "none" disables compression. If this option is not used, the default behavior is to examine the recipient key preferences to see which algorithms the recipient supports. If all else fails, ZIP is used for maximum compatibility.
 | ZLIB may give better compression results than ZIP, as the compression window size is not limited to 8k. BZIP2 may give even better compression results than that, but will use a significantly larger amount of memory while compressing and decompressing. This may be significant in low memory situations. Note, however, that PGP (all versions) only supports ZIP compression. Using any algorithm other than ZIP or "none" will make the message unreadable with PGP. In general, you do not want to use this option as it allows you to violate the OpenPGP standard. --personal-compress-preferences is the safe way to accomplish the same thing.
--cert-digest-algo name | Use name as the message digest algorithm used when signing a key. Running the program with the command --version yields a list of supported algorithms. Be aware that if you choose an algorithm that GnuPG supports but other OpenPGP implementations do not, then some users will not be able to use the key signatures you make, or quite possibly your entire key.
--s2k-cipher-algo name | Use name as the cipher algorithm used to protect secret keys. The default cipher is CAST5. This cipher is also used for conventional encryption if --personal-cipher-preferences and --cipher-algo are not given.
--s2k-digest-algo name | Use name as the digest algorithm used to mangle the passphrases. The default algorithm is SHA-1.
--s2k-mode n | Selects how passphrases are mangled. If n is 0 a plain passphrase (which is not recommended) will be used, 1 adds a salt to the passphrase and 3 (the default) iterates the whole process a number of times. Unless --rfc1991 is used, this mode is also used for conventional encryption.
--simple-sk-checksum | Secret keys are integrity protected by using a SHA-1 checksum. This method is part of the upcoming enhanced OpenPGP specification but GnuPG already uses it as a countermeasure against certain attacks. Old applications don't understand this new format, so this option may be used to switch back to the old behaviour. Using this option bears a security risk. Note that using this option only takes effect when the secret key is encrypted; the simplest way to make this happen is to change the passphrase on the key (even changing it to the same value is acceptable).
--disable-cipher-algo name | Never allow the use of name as cipher algorithm. The given name will not be checked so that a later loaded algorithm will still get disabled.
--disable-pubkey-algo name | Never allow the use of name as public key algorithm. The given name will not be checked so that a later loaded algorithm will still get disabled.
--no-sig-cache | Do not cache the verification status of key signatures. Caching gives a much better performance in key listings. However, if you suspect that your public keyring is not safe against write modifications, you can use this option to disable the caching. It probably does not make sense to disable it because all kinds of damage can be done if someone else has write access to your public keyring.
--no-sig-create-check | GnuPG normally verifies each signature right after creation to protect against bugs and hardware malfunctions which could leak out bits from the secret key. This extra verification needs some time (about 115% for DSA keys), and so this option can be used to disable it. However, due to the fact that signature creation needs manual interaction, this performance penalty does not matter in most settings.
--auto-check-trustdb, --no-auto-check-trustdb | If GnuPG feels that its information about the Web of Trust has to be updated, it automatically runs the --check-trustdb command internally. This may be a time consuming process. --no-auto-check-trustdb disables this option.
--throw-keyids, --no-throw-keyids | Do not put the recipient key IDs into encrypted messages. This helps to hide the receivers of the message and is a limited countermeasure against traffic analysis. On the receiving side, it may slow down the decryption process because all available secret keys must be tried. --no-throw-keyids disables this option. This option is essentially the same as using --hidden-recipient for all recipients.
--not-dash-escaped | This option changes the behavior of cleartext signatures so that they can be used for patch files. You should not send such an armored file via email because all spaces and line endings are hashed too. You can not use this option for data which has 5 dashes at the beginning of a line; patch files don't have this. A special armor header line tells GnuPG about this cleartext signature option.
--escape-from-lines, --no-escape-from-lines | Because some mailers change lines starting with "From " to ">From ", it is good to handle such lines in a special way when creating cleartext signatures to prevent the mail system from breaking the signature. Note that all other PGP versions do it this way too. Enabled by default. --no-escape-from-lines disables this option.
--passphrase-fd n | Read the passphrase from file descriptor n. Only the first line will be read from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied.
--passphrase-file file | Read the passphrase from file file. Only the first line will be read from file file. This can only be used if only one passphrase is supplied. Obviously, a passphrase stored in a file is of questionable security if other users can read this file. Don't use this option if you can avoid it.
--passphrase string | Use string as the passphrase. This can only be used if only one passphrase is supplied. Obviously, this is of very questionable security on a multi-user system, since command line arguments are visible to other users (for example in process listings). Don't use this option if you can avoid it.
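Of the three ways to supply a passphrase non-interactively, --passphrase-fd is the one that keeps the secret out of argv and off the filesystem. The block below is an added example, not code from GnuPG, of handing a passphrase to a child over a pipe whose read end is the only extra descriptor the child inherits. The helper is generic: the `{FD}` placeholder in the argument list is replaced with the descriptor number, so the same code drives `gpg --batch --passphrase-fd {FD} ...`; because the verifier for this page may not have gpg installed, the runnable demonstration uses a small Python child (a stand-in constructed for the example) that simply reads the first line the way gpg would.

```python
"""Hand a passphrase to a child process over a private file descriptor.

Added example (not from the GnuPG man page).  --passphrase puts the secret
into argv, where other local users can read it from the process list;
--passphrase-fd n reads it from descriptor n instead, so only the child
sees it.  The '{FD}' token is an assumption of this helper, not gpg syntax.
"""
import os
import subprocess
import sys
from typing import List


def run_with_passphrase_fd(argv_template: List[str], passphrase: str) -> subprocess.CompletedProcess:
    """Spawn argv_template with '{FD}' replaced by a descriptor from which the
    child can read the passphrase (plus newline, since gpg reads one line)."""
    read_end, write_end = os.pipe()
    try:
        # A passphrase is far smaller than the pipe buffer, so writing before
        # the child starts cannot block; closing write_end gives the child EOF.
        os.write(write_end, passphrase.encode("utf-8") + b"\n")
        os.close(write_end)
        write_end = -1
        argv = [arg.replace("{FD}", str(read_end)) for arg in argv_template]
        # pass_fds keeps exactly this descriptor open in the child (Python closes
        # all other non-standard descriptors), under the number put into argv.
        return subprocess.run(argv, pass_fds=(read_end,), capture_output=True, text=True)
    finally:
        if write_end != -1:
            os.close(write_end)
        os.close(read_end)


def gpg_decrypt_argv(ciphertext: str, output: str) -> List[str]:
    """argv for a batch decryption that takes its passphrase from the pipe."""
    return ["gpg", "--batch", "--no-tty", "--passphrase-fd", "{FD}",
            "--output", output, "--decrypt", ciphertext]


# Stand-in child for the demo (constructed, not gpg): reads the descriptor the
# way gpg would and prints the first line it got.
ECHO_CHILD = [sys.executable, "-c",
              "import os,sys; sys.stdout.write(os.fdopen({FD}).readline())"]


def demo_roundtrip(passphrase: str) -> str:
    """Return what the child saw on its passphrase descriptor."""
    return run_with_passphrase_fd(ECHO_CHILD, passphrase).stdout.rstrip("\n")


if __name__ == "__main__":
    print("child read:", demo_roundtrip("correct horse battery staple"))
    print("gpg command would be:", " ".join(gpg_decrypt_argv("msg.gpg", "msg.txt")))
```

Compared with --passphrase-file, the pipe has no permissions to get wrong and nothing to clean up; compared with reading from stdin (--passphrase-fd 0), it leaves stdin free for the data to decrypt.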
--command-fd n | This is a replacement for the deprecated shared-memory IPC mode. If this option is enabled, user input on questions is not expected from the TTY but from the given file descriptor. It should be used together with --status-fd. See the file doc/DETAILS in the source distribution for details on how to use it.
--command-file file | Same as --command-fd, except the commands are read out of file file.
--use-agent, --no-use-agent | Try to use the GnuPG-Agent. Please note that this agent is still under development. With this option, GnuPG first tries to connect to the agent before it asks for a passphrase. --no-use-agent disables this option.
--gpg-agent-info | Override the value of the environment variable GPG_AGENT_INFO. This is only used when --use-agent has been given.
Compliance options | These options control what GnuPG is compliant to. Only one of these options may be active at a time. Note that the default setting of this is nearly always the correct one. See the INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below before using one of these options.
--force-v3-sigs, --no-force-v3-sigs | OpenPGP states that an implementation should generate v4 signatures but PGP versions 5 through 7 only recognize v4 signatures on key material. This option forces v3 signatures for signatures on data. Note that this option overrides --ask-sig-expire, as v3 signatures cannot have expiration dates. --no-force-v3-sigs disables this option.
--force-v4-certs, --no-force-v4-certs | Always use v4 key signatures even on v3 keys. This option also changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. --no-force-v4-certs disables this option.
--force-mdc | Force the use of encryption with a modification detection code. This is always used with the newer ciphers (those with a blocksize greater than 64 bits), or if all of the recipient keys indicate MDC support in their feature flags.
--disable-mdc | Disable the use of the modification detection code. Note that by using this option, the encrypted message becomes vulnerable to a message modification attack: without the MDC the recipient has no way to detect that the ciphertext was altered in transit.
--allow-non-selfsigned-uid, --no-allow-non-selfsigned-uid | Allow the import and use of keys with user IDs which are not self-signed. This is not recommended, as a non self-signed user ID is trivial to forge. --no-allow-non-selfsigned-uid disables this option.
--allow-freeform-uid | Disable all checks on the form of the user ID while generating a new one. This option should only be used in very special environments as it does not ensure the de-facto standard format of user IDs.
--ignore-time-conflict | GnuPG normally checks that the timestamps associated with keys and signatures have plausible values. However, sometimes a signature seems to be older than the key due to clock problems. This option makes these checks just a warning. See also --ignore-valid-from for timestamp issues on subkeys.
--ignore-valid-from | GnuPG normally does not select and use subkeys created in the future. This option allows the use of such keys and thus exhibits the pre-1.0.7 behaviour. You should not use this option unless there is some clock problem. See also --ignore-time-conflict for timestamp issues with signatures.
--ignore-crc-error | The ASCII armor used by OpenPGP is protected by a CRC checksum against transmission errors. Occasionally the CRC gets mangled somewhere on the transmission channel but the actual content (which is protected by the OpenPGP protocol anyway) is still okay. This option allows GnuPG to ignore CRC errors.
--ignore-mdc-error | This option changes an MDC integrity protection failure into a warning. This can be useful if a message is partially corrupt, but it is necessary to get as much data as possible out of the corrupt message. However, be aware that an MDC protection failure may also mean that the message was tampered with intentionally by an attacker.
--lock-once | Lock the databases the first time a lock is requested and do not release the lock until the process terminates.
--lock-multiple | Release the locks every time a lock is no longer needed. Use this to override a previous --lock-once from a config file.
--lock-never | Disable locking entirely. This option should be used only in very special environments, where it can be assured that only one process is accessing those files. A bootable floppy with a stand-alone encryption system will probably use this. Improper usage of this option may lead to data and key corruption.
--exit-on-status-write-error | This option will cause write errors on the status FD to immediately terminate the process. That should in fact be the default but it never worked this way and thus we need an option to enable this, so that the change won't break applications which close their end of a status fd connected pipe too early. Using this option along with --enable-progress-filter may be used to cleanly cancel long running gpg operations.
--limit-card-insert-tries n | With n greater than 0 the number of prompts asking to insert a smartcard is limited to n-1. Thus with a value of 1 gpg won't ask at all to insert a card if none has been inserted at startup. This option is useful in the configuration file in case an application does not know about the smartcard support and waits ad infinitum for an inserted card.
--no-random-seed-file | GnuPG uses a file to store its internal random pool over invocations. This makes random generation faster; however sometimes write operations are not desired. This option can be used to achieve that at the cost of slower random generation.
--no-verbose | Reset verbose level to 0.
--no-greeting | Suppress the initial copyright message.
--no-secmem-warning | Suppress the warning about "using insecure memory".
--no-permission-warning | Suppress the warning about unsafe file and home directory (--homedir) permissions. Note that the permission checks that GnuPG performs are not intended to be authoritative, but rather they simply warn about certain common permission problems. Do not assume that the lack of a warning means that your system is secure.
 | Note that the warning for unsafe --homedir permissions cannot be suppressed in the gpg.conf file, as this would allow an attacker to place an unsafe gpg.conf file in place, and use this file to suppress warnings about itself. The --homedir permissions warning may only be suppressed on the command line.
--no-mdc-warning | Suppress the warning about missing MDC integrity protection.
--require-secmem, --no-require-secmem | Refuse to run if GnuPG cannot get secure memory. Defaults to no (i.e. run, but give a warning).
--no-armor | Assume the input data is not in ASCII armored format.
--no-default-keyring | Do not add the default keyrings to the list of keyrings. Note that GnuPG will not operate without any keyrings, so if you use this option and do not provide alternate keyrings via --keyring or --secret-keyring, then GnuPG will still use the default public or secret keyrings.
--skip-verify | Skip the signature verification step. This may be used to make the decryption faster if the signature verification is not needed.
--with-colons | Print key listings delimited by colons. Note that the output will be encoded in UTF-8 regardless of any --display-charset setting. This format is useful when GnuPG is called from scripts and other programs as it is easily machine parsed. The details of this format are documented in the file doc/DETAILS, which is included in the GnuPG source distribution.
--with-key-data | Print key listings delimited by colons (like --with-colons) and print the public key data.
--with-fingerprint | Same as the command --fingerprint but changes only the format of the output and may be used together with another command.
--fast-list-mode | Changes the output of the list commands to work faster; this is achieved by leaving some parts empty. Some applications don't need the user ID and the trust information given in the listings. By using this option they can get a faster listing. The exact behaviour of this option may change in future versions.
--fixed-list-mode | Do not merge primary user ID and primary key in --with-colons listing mode and print all timestamps as seconds since 1970-01-01.
--list-only | Changes the behaviour of some commands. This is like --dry-run but different in some cases. The semantics of this command may be extended in the future. Currently it only skips the actual decryption pass and therefore enables a fast listing of the encryption keys.
--no-literal | This is not for normal use. Use the source to see for what it might be useful.
--set-filesize | This is not for normal use. Use the source to see for what it might be useful.
--show-session-key | Display the session key used for one message. See --override-session-key for the counterpart of this option.
 | We think that Key Escrow is a Bad Thing; however the user should have the freedom to decide whether to go to prison or to reveal the content of one specific message without compromising all messages ever encrypted for one secret key. DON'T USE IT UNLESS YOU ARE REALLY FORCED TO DO SO.
--override-session-key string | Don't use the public key but the session key string. The format of this string is the same as the one printed by --show-session-key. This option is normally not used but comes in handy in case someone forces you to reveal the content of an encrypted message; using this option you can do this without handing out the secret key.
--require-cross-certification, --no-require-cross-certification | When verifying a signature made from a subkey, ensure that the cross certification "back signature" on the subkey is present and valid. This protects against a subtle attack against subkeys that can sign: without a back signature from the subkey, anyone can bind somebody else's signing subkey to their own primary key and claim that subkey's signatures as their own. Currently defaults to --no-require-cross-certification, but will be changed to --require-cross-certification in the future.
--ask-sig-expire, --no-ask-sig-expire | When making a data signature, prompt for an expiration time. If this option is not specified, the expiration time set via --default-sig-expire is used. --no-ask-sig-expire disables this option. Note that by default, --force-v3-sigs is set which also disables this option. If you want signature expiration, you must set --no-force-v3-sigs as well as turning --ask-sig-expire on.
--default-sig-expire | The default expiration time to use for signature expiration. Valid values are "0" for no expiration, a number followed by the letter d (for days), w (for weeks), m (for months), or y (for years) (for example "2m" for two months, or "5y" for five years), or an absolute date in the form YYYY-MM-DD. Defaults to "0".
--ask-cert-expire, --no-ask-cert-expire | When making a key signature, prompt for an expiration time. If this option is not specified, the expiration time set via --default-cert-expire is used. --no-ask-cert-expire disables this option.
--default-cert-expire | The default expiration time to use for key signature expiration. Valid values are "0" for no expiration, a number followed by the letter d (for days), w (for weeks), m (for months), or y (for years) (for example "2m" for two months, or "5y" for five years), or an absolute date in the form YYYY-MM-DD. Defaults to "0".
--expert, --no-expert | Allow the user to do certain nonsensical or "silly" things like signing an expired or revoked key, or certain potentially incompatible things like generating unusual key types. This also disables certain warning messages about potentially incompatible actions. As the name implies, this option is for experts only. If you don't fully understand the implications of what it allows you to do, leave this off. --no-expert disables this option.
--allow-secret-key-import | This is an obsolete option and is not used anywhere.
--try-all-secrets | Don't look at the key ID as stored in the message but try all secret keys in turn to find the right decryption key. This option forces the behaviour as used by anonymous recipients (created by using --throw-keyids) and might come in handy in cases where an encrypted message contains a bogus key ID.
--allow-multisig-verification | Allow verification of concatenated signed messages. This will run a signature verification for each data+signature block. There are some security issues with this option and thus it is off by default: an application that only looks for one good signature may treat the whole input as signed even though only one of its blocks is. Note that versions of GPG prior to version 1.4.3 implicitly allowed this.
--enable-special-filenames | This option enables a mode in which filenames of the form -&n, where n is a non-negative decimal number, refer to the file descriptor n and not to a file with that name.
--no-expensive-trust-checks | Experimental use only.
--group name=value1 [value2 value3 ...] | Sets up a named group, which is similar to aliases in email programs. Any time the group name is a recipient (-r or --recipient), it will be expanded to the values specified. Multiple groups with the same name are automatically merged into a single group.
 | The values are key IDs or fingerprints, but any key description is accepted. Note that a value with spaces in it will be treated as two different values. Note also there is only one level of expansion; you cannot make a group that points to another group. When used from the command line, it may be necessary to quote the argument to this option to prevent the shell from treating it as multiple arguments.
--ungroup name | Remove a given entry from the --group list. | ||||||||||||||||||||||||||||
--no-groups | Remove all entries from the --group list. | ||||||||||||||||||||||||||||
--preserve-permissions | Dont change the permissions of a secret keyring back to userread/write only. Use this option only if you really know what you are doing. | ||||||||||||||||||||||||||||
--personal-cipher-preferences string | Set the list of personal cipher preferences to string, this listshould be a string similar to the one printed by the command "pref" inthe edit menu. This allows the user to factor in their own preferredalgorithms when algorithms are chosen via recipient key preferences.The most highly ranked cipher in this list is also used for the--symmetric encryption command. | ||||||||||||||||||||||||||||
--personal-digest-preferences string | Set the list of personal digest preferences to string, this listshould be a string similar to the one printed by the command "pref" inthe edit menu. This allows the user to factor in their own preferredalgorithms when algorithms are chosen via recipient key preferences.The most highly ranked digest algorithm in this list is algo used whensigning without encryption (e.g. --clearsign or --sign). The defaultvalue is SHA-1. | ||||||||||||||||||||||||||||
--personal-compress-preferences string | Set the list of personal compression preferences to string, thislist should be a string similar to the one printed by the command"pref" in the edit menu. This allows the user to factor in their ownpreferred algorithms when algorithms are chosen via recipient keypreferences. The most highly ranked algorithm in this list is alsoused when there are no recipient keys to consider (e.g. --symmetric). | ||||||||||||||||||||||||||||
--default-preference-list string | Set the list of default preferences to string. This preferencelist is used for new keys and becomes the default for "setpref" in theedit menu. | ||||||||||||||||||||||||||||
--default-keyserver-url name | Set the default keyserver URL to name. This keyserver will beused as the keyserver URL when writing a new self-signature on a key,which includes key generation and changing preferences. | ||||||||||||||||||||||||||||
--list-config [names] | Display various internal configuration parameters of GnuPG. Thisoption is intended for external programs that call GnuPG to performtasks, and is thus not generally useful. See the filedoc/DETAILS in the source distribution for thedetails of which configuration items may be listed. --list-config isonly usable with --with-colons set. |
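The --group rules above (same-name groups merge, values split on whitespace, expansion is one level deep) are easy to get wrong in a shared gpg.conf. The following Python is an added example, not code from the GnuPG man page or the GnuPG project: it parses `group` lines from a gpg.conf excerpt and expands a recipient list the way those rules describe, reporting any value that names another group, since gpg would pass that on as an ordinary key description rather than expanding it. The gpg.conf excerpt, group names and key descriptions are constructed for the example.

```python
"""Expand gpg --group aliases under the rules documented above.

Added example, not part of the GnuPG man page or the GnuPG source.
Assumed: a gpg.conf excerpt is available as text.  The group names and
key descriptions in SAMPLE_GPG_CONF are constructed for the example.
"""
import re

# Constructed gpg.conf excerpt (not a real file).  The two "ops" lines
# exercise the merge rule; "everyone" tries to nest groups, which gpg
# does not expand.
SAMPLE_GPG_CONF = """\
# recipients for incident reports
group ops=0x234AABBCC34567C4 alice@example.org
group ops=bob@example.org
group legal=counsel@example.org
group everyone=ops legal
"""

GROUP_LINE = re.compile(r"^group\s+([^=\s]+)\s*=\s*(.*)$")


def parse_groups(conf_text):
    """Return {name: [value, ...]} from 'group name=v1 v2 ...' lines.

    Values are split on whitespace, as gpg does, so a user ID with a
    space in it becomes two separate key descriptions.  Groups with the
    same name are merged in file order; repeated values are kept once.
    """
    groups = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUP_LINE.match(line)
        if not m:
            continue  # not a group line; other options are ignored here
        name, values = m.group(1), m.group(2).split()
        bucket = groups.setdefault(name, [])
        for v in values:
            if v not in bucket:
                bucket.append(v)
    return groups


def expand_recipients(recipients, groups):
    """Expand -r/--recipient arguments through the group table once.

    Returns (expanded, nested): the key descriptions gpg would search
    for, and the subset of those that are themselves group names.  They
    are reported because expansion is one level deep: gpg passes such a
    value on as a literal key description instead of expanding it again.
    """
    expanded, nested = [], []
    for r in recipients:
        for v in groups.get(r, [r]):
            expanded.append(v)
            if r in groups and v in groups:
                nested.append(v)
    return expanded, nested


if __name__ == "__main__":
    table = parse_groups(SAMPLE_GPG_CONF)
    for name, values in table.items():
        print(f"group {name} -> {' '.join(values)}")
    final, stale = expand_recipients(["everyone", "carol@example.org"], table)
    print("recipients:", final)
    if stale:
        print("WARNING: not expanded (one level only):", stale)
```

The second return value is the one to watch: a nested group name such as `ops` is handed to gpg unexpanded, and in the default case-insensitive substring mode it is matched against every user ID in the keyring, so `-r everyone` could silently encrypt to whatever key happens to contain that string, or to no key at all.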
Tag | Description |
---|---|
234567C4, 0F34E556E, 01347A56A, 0xAB123456 | Here the key ID is given in the usual short form. |
234AABBCC34567C4, 0F323456784E56EAB, 01AB3FED1347A5612, 0x234AABBCC34567C4 | Here the key ID is given in the long form as used by OpenPGP (you can get the long key ID using the option --with-colons). |
1234343434343434C434343434343434, 123434343434343C3434343434343734349A3434, 0E12343434343434343434EAB3484343434343434, 0xE12343434343434343434EAB3484343434343434 | The best way to specify a key ID is by using the fingerprint of the key. This avoids any ambiguities in case there are duplicated key IDs (which are really rare for the long key IDs). |
=Heinrich Heine <heinrichh@uni-duesseldorf.de> | Using an exact match string. The equal sign indicates this. |
<heinrichh@uni-duesseldorf.de> | Using the email address part, which must match exactly. The left angle bracket indicates this email address mode. |
@heinrichh | Match within the <email.address> part of a user ID. The at sign indicates this email address mode. |
Heine, *Heine | By case insensitive substring matching. This is the default mode but applications may want to explicitly indicate this by putting the asterisk in front. |
Note that you can append an exclamation mark (!) to key IDs or fingerprints. This flag tells GnuPG to use the specified primary or secondary key and not to try to calculate which primary or secondary key to use.
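The long key ID and fingerprint recommended above can be read from the machine-readable listing that --with-colons produces. The following Python is an added example, not code from the GnuPG project: it parses `gpg --with-colons --fingerprint --list-keys` output using the record layout from doc/DETAILS (record type in field 1, key ID in field 5 and capability letters in field 12 of `pub`/`sub` records, the fingerprint in field 10 of `fpr` records, the user ID in field 10 of `uid` records), checks that each long key ID is the low 64 bits of its fingerprint as OpenPGP v4 defines it, and builds the `fingerprint!` form that pins one specific subkey. The listing is constructed sample data, not a real key.

```python
"""Read long key IDs and fingerprints from `gpg --with-colons` output.

Added example, not code from the GnuPG project.  Record layout follows
doc/DETAILS: field 1 is the record type, field 5 of pub/sub the key ID,
field 12 of pub/sub the capability letters, field 10 of fpr the
fingerprint and field 10 of uid the user ID.  SAMPLE_COLONS is
constructed, not a real key.
"""

# Constructed output of `gpg --with-colons --fingerprint --list-keys`:
# one primary key, a signing subkey and an encryption subkey.  Lower-case
# capability letters belong to the key itself, upper-case ones summarise
# the whole key.
SAMPLE_COLONS = """\
tru::1:1500000000:0:3:1:5
pub:u:2048:1:234AABBCC34567C4:1500000000::::::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C234AABBCC34567C4:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Heinrich Heine <heinrichh@uni-duesseldorf.de>:
sub:u:2048:1:0011223344556677:1500000000::::::s:
fpr:::::::::0F0E0D0C0B0A0908070605040011223344556677:
sub:u:2048:1:89ABCDEF01234567:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9889ABCDEF01234567:
"""


def parse_colons(text):
    """Return a list of {kind, keyid, fpr, caps, uids} dicts, one per
    pub/sub record, in listing order.  An fpr record belongs to the key
    record just before it; a uid record to the most recent primary key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            keys.append({"kind": f[0], "keyid": f[4], "fpr": None,
                         "caps": f[11] if len(f) > 11 else "", "uids": []})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid" and keys:
            primary = next(k for k in reversed(keys) if k["kind"] == "pub")
            primary["uids"].append(f[9])
    return keys


def keyid_matches_fpr(key):
    """For OpenPGP v4 keys the long key ID is the low 64 bits of the
    fingerprint, i.e. its last 16 hex digits.  A mismatch means the
    listing was mis-parsed or altered and the key ID must not be trusted.
    (Old v3 keys do not have this property.)"""
    fpr = key["fpr"]
    return fpr is not None and fpr[-16:].upper() == key["keyid"].upper()


def pinned_selector(keys, capability):
    """Return '<fingerprint>!' for the first key that has `capability`
    ('s' sign, 'e' encrypt, 'c' certify, 'a' authenticate), subkeys
    first.  The trailing '!' makes gpg use exactly that key instead of
    choosing a primary or secondary key on its own."""
    ordered = ([k for k in keys if k["kind"] == "sub"]
               + [k for k in keys if k["kind"] == "pub"])
    for k in ordered:
        if k["fpr"] and capability in k["caps"]:
            return k["fpr"] + "!"
    return None


if __name__ == "__main__":
    listing = parse_colons(SAMPLE_COLONS)
    for k in listing:
        status = "ok" if keyid_matches_fpr(k) else "MISMATCH"
        print(f"{k['kind']} {k['keyid']} {k['fpr']} [{k['caps']}] {status}")
    print("sign with:  ", pinned_selector(listing, "s"))
    print("encrypt to: ", pinned_selector(listing, "e"))
```

The selector returned for "s" is what you would hand to `-u`/`--local-user` when a key has more than one signing-capable subkey and the signature must come from a particular one; the fingerprint check is cheap insurance against a listing that has been edited or truncated between gpg and the tool consuming it.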
The program returns 0 if everything was fine, 1 if at least one signature was bad, and other error codes for fatal errors.
Tag | Description |
---|---|
gpg -se -r Bob file | sign and encrypt for user Bob |
gpg --clearsign file | make a clear text signature |
gpg -sb file | make a detached signature |
gpg --list-keys user_ID | show keys |
gpg --fingerprint user_ID | show fingerprint |
gpg --verify pgpfile, gpg --verify sigfile [files] | Verify the signature of the file but do not output the data. The second form is used for detached signatures, where sigfile is the detached signature (either ASCII armored or binary) and [files] are the signed data; if this is not given, the name of the file holding the signed data is constructed by cutting off the extension (".asc" or ".sig") of sigfile or by asking the user for the filename. |
Tag | Description |
---|---|
HOME | Used to locate the default home directory. |
GNUPGHOME | If set, this directory is used instead of "~/.gnupg". |
GPG_AGENT_INFO | Used to locate the gpg-agent; only honored when --use-agent is set. The value consists of 3 colon delimited fields: the first is the path to the Unix Domain Socket, the second the PID of the gpg-agent, and the third the protocol version, which should be set to 1. When starting the gpg-agent as described in its documentation, this variable is set to the correct value. The option --gpg-agent-info can be used to override it. |
COLUMNS, LINES | Used to size some displays to the full size of the screen. |
Tag | Description |
---|---|
~/.gnupg/secring.gpg | The secret keyring |
~/.gnupg/secring.gpg.lock | and the lock file |
~/.gnupg/pubring.gpg | The public keyring |
~/.gnupg/pubring.gpg.lock | and the lock file |
~/.gnupg/trustdb.gpg | The trust database |
~/.gnupg/trustdb.gpg.lock | and the lock file |
~/.gnupg/random_seed | used to preserve the internal random pool |
~/.gnupg/gpg.conf | Default configuration file |
~/.gnupg/options | Old style configuration file; only used when gpg.conf is not found |
/usr[/local]/share/gnupg/options.skel | Skeleton options file |
/usr[/local]/lib/gnupg/ | Default location for extensions |
Use a *good* password for your user account and a *good* passphraseto protect your secret key. This passphrase is the weakest part of thewhole system. Programs to do dictionary attacks on your secret keyringare very easy to write and so you should protect your "~/.gnupg/"directory very well.
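One concrete check for the advice above, added here as an example rather than anything GnuPG ships: audit the entries from the FILES list for permissions that would let another local user read the keyrings or configuration, or a symlink that would redirect them. The expected modes are a policy assumed for the example (0700 for the directory, 0600 for each file, owned by the current user), stricter than gpg's own behaviour, which only resets the secret keyring; the throwaway home directory built by `demo()` holds constructed placeholder files, not real keyrings.

```python
"""Audit the permissions of a GnuPG home directory.

Added example, not part of the GnuPG man page or of GnuPG itself.
Policy assumed here (stricter than gpg, which only resets the secret
keyring): the directory is 0700 and each listed file is 0600, owned by
the current user.  Lock files are ignored.  POSIX only.
"""
import os
import stat
import tempfile

# Entries from the FILES list above, relative to the home directory.
EXPECTED_MODES = {
    ".": 0o700,
    "secring.gpg": 0o600,
    "pubring.gpg": 0o600,
    "trustdb.gpg": 0o600,
    "random_seed": 0o600,
    "gpg.conf": 0o600,
}


def audit_gnupg_home(home):
    """Return [(relative_path, problem)] for every listed entry that
    exists and is wider than the policy allows, is a symlink, or is not
    owned by the caller.  Missing entries are skipped: having no
    secring.gpg is not a fault."""
    findings = []
    for rel, expected in EXPECTED_MODES.items():
        path = os.path.join(home, rel)
        try:
            st = os.lstat(path)          # lstat: do not follow symlinks
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((rel, "is a symlink"))
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual & ~expected:           # any bit set beyond the allowed mode
            findings.append((rel, f"mode {actual:04o}, expected at most {expected:04o}"))
        if st.st_uid != os.getuid():
            findings.append((rel, f"owned by uid {st.st_uid}, not {os.getuid()}"))
    return findings


def demo():
    """Build a throwaway home directory with one world-readable secret
    keyring (constructed placeholder files, not real keyrings) and
    return the audit findings."""
    home = tempfile.mkdtemp()            # mkdtemp creates the directory 0700
    for name, mode in (("secring.gpg", 0o644),
                       ("pubring.gpg", 0o600),
                       ("gpg.conf", 0o600)):
        path = os.path.join(home, name)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
        os.chmod(path, mode)
    return audit_gnupg_home(home)


if __name__ == "__main__":
    # GNUPGHOME overrides ~/.gnupg, as the ENVIRONMENT entries say.
    target = os.environ.get("GNUPGHOME") or os.path.expanduser("~/.gnupg")
    for rel, problem in audit_gnupg_home(target):
        print(f"{os.path.join(target, rel)}: {problem}")
```

Run it against a real home directory with `GNUPGHOME` set if you keep keys outside `~/.gnupg`; an empty result means every listed file that exists is at least as restrictive as the policy. The mode test uses "no bits beyond the expected ones", so a read-only 0400 keyring passes while 0640 or 0644 does not.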
Keep in mind that, if this program is used over a network (telnet), itis *very* easy to spy out your passphrase!
If you are going to verify detached signatures, make sure that theprogram knows about it; either give both filenames on the command lineor use - to specify stdin.
GnuPG tries to be a very flexible implementation of the OpenPGPstandard. In particular, GnuPG implements many of the optional partsof the standard, such as the SHA-512 hash, and the ZLIB and BZIP2compression algorithms. It is important to be aware that not allOpenPGP programs implement these optional algorithms and that byforcing their use via the --cipher-algo, --digest-algo,--cert-digest-algo, or --compress-algo options in GnuPG, it ispossible to create a perfectly valid OpenPGP message, but one thatcannot be read by the intended recipient.
There are dozens of variations of OpenPGP programs available, and eachsupports a slightly different subset of these optional algorithms.For example, until recently, no (unhacked) version of PGP supportedthe BLOWFISH cipher algorithm. A message using BLOWFISH simply couldnot be read by a PGP user. By default, GnuPG uses the standardOpenPGP preferences system that will always do the right thing andcreate messages that are usable by all recipients, regardless of whichOpenPGP program they use. Only override this safe default if youreally know what you are doing.
If you absolutely must override the safe default, or if thepreferences on a given key are invalid for some reason, you are farbetter off using the --pgp6, --pgp7, or --pgp8 options. These optionsare safe as they do not force any particular algorithms in violationof OpenPGP, but rather reduce the available algorithms to a "PGP-safe"list.
GPG (GNU Privacy Guard) is a public key cryptography implementation. It allows for the secure transmission of information and can be used to verify that the origin of a message is genuine. Below are a few examples of usage.
The above command will take you through a series of questions (type of key (DSA, RSA), key size, validity period in days, real name, email address, passphrase, etc.) and generate a public and private key.
This is required to invalidate the key pair and should be created when the key pair is created.
Signing a key means you certify that the key given to you really belongs to its named owner; it is your statement about the key, separate from how much you trust that owner to certify other keys.