gpg

Generate private and public key

Generate key

gpg --default-new-key-algo rsa4096 --gen-key

Set encryption flag on key

gpg --edit-key me@email.com change-usage

List

List public keys

gpg --list-public-keys --keyid-format long

List private keys

gpg --list-secret-keys --keyid-format long --with-keygrip --with-subkey-fingerprints

Extract image from key

gpg --list-options show-photos --photo-viewer "cat > <path>/0x%k.%t" --list-keys [key_identifier]

Sign and verify

clear-sign (original file content plus signature)

gpg --clear-sign --local-user me@email.com --output test.txt.asc test.txt

Verify clear-sign

gpg --verify test.txt.asc

Detached signature (signature only)

gpg --detach-sign --local-user me@email.com --armor --output test.txt.asc2 test.txt

Verify detached signature

gpg --verify test.txt.asc2 test.txt

Encrypt and decrypt

Encrypt file

gpg --encrypt --recipient username@email.com --output test.txt.gpg test.txt

Sign and encrypt file

gpg --sign --encrypt [...]

Specify algorithm

gpg --encrypt --cipher-algo AES256 [...]

Disable compression

gpg --encrypt --compress-algo none [...]

List recipients of encrypted file (via Sequoia)

sq inspect test.txt.gpg

Decrypt file (and automatically check signature, if available)

gpg --decrypt test.txt.gpg --output test.decrypted.txt

Inspect .gpg file

gpg --list-packets -vv --show-session-key test.txt.gpg

Export

Export public key

gpg --output public.asc --armor --export username@email.com

Export private key

gpg --output private.asc --armor --export-secret-key username@email.com

Renew

Renew key and all non-expired subkeys

gpg --quick-set-expire 1111111190ABCDEF1234567890ABCDEF11111111 7w '*'

CLI Language

Set language to english

LANG=en gpg --version

Password generation

Without special characters

cat /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 12 | sed -r 's/(.{4})/\1-/g' | sed -r 's/(.*)-$/\1\n/g'

Use GPG key for SSH connections

Print SSH Public key

gpg --export-ssh-key 1111111190ABCDEF1234567890ABCDEF11111111

sign vs. clear-sign vs. detach-sign

sign: The user needs to have gpg installed to read the resulting .gpg file. The .gpg file contains both, the original file content plus the signature. The content is compressed.
clear-sign: The output file contains both, the original file content plus the signature. The content is retained in plain-text, so no additional program like gpg is needed to read it on the other side. The content is not compressed though, so the resulting file size might be bigger.
detach-sign: The output file contains the signature only. To have a signature in ASCII format, use the --armor flag. Otherwise, it will be a binary signature.

In general, I also like to specify the --local-user flag explicitly to the signing commands. If you do not specify it, the default private key is used. The default key is the first key found in the secret keyring.

To set a default signing key, edit the file ~/.gnupg/gpg.conf and add the line:

default-key <key-id>

Where key-id is either the long keyid or the fingerprint of your key.

list-packets

list-packets shows detailed information about a .gpg file.

This information includes:

who the recipient is (the keyid hints who can decrypt the file)
which algorithm has been used for the symmetric part

Nitrokey

Move private key to external smart card (e.g. Nitrokey)

gpg --edit-key --expert username@email.com

It will show you some info, then type the keytocard command to transfer the key to the NitroKey. I had to enter the admin PIN twice (default: 12345678). After this, type quit and confirm.

Import reference to private key on another computer

Import public key from file or server

gpg --import public.asc

Reference private key on smartcard

gpg --card-edit

then enter fetch and quit to import the reference to the secret key on the NitroKey.