markdown GPG备忘单

Posted 2021-05-06

# Quick'n easy gpg cheatsheet

Just a brief explanation of some of the command line functionality from gnu privacy guard ([gpg](https://www.gnupg.org/)). 

-- Originaly from http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/  (no relation)

## Create a key:
`gpg --gen-key`
generally you can select the defaults.

## Export a public key into file public.key:
`gpg --export -a "User Name" > public.key`

This will create a file called `public.key` with the ascii representation of the public key for *User Name*. Note the shell redirection.

## Export a private key:
`gpg --export-secret-key -a "User Name" > private.key`

This will create a file called `private.key` with the ascii representation of the *private* key for User Name.
It's pretty much like exporting a public key, but you have to override some default protections.

## Import a public key:
`gpg --import public.key`
This adds the public key in the file "*public.key*" to your public key ring.

## Import a private key:
**NOTE**: The manpage indicates that "this is an obsolete option and is not used anywhere." This may no longer work in the future, in which case we're going to have interesting times moving private keys from one key chain to another (on another computer, for instance).

`gpg --allow-secret-key-import --import private.key`

This adds the private key in the file "*private.key*" to your private key ring.

## Delete a public key (from your public key ring):
`gpg --delete-key "User Name"`
This removes the public key from your public key ring.
**NOTE**: If there is a private key on your private key ring associated with this public key, you will get an error! ***You must delete your private key for this key pair from your private key ring first***.

## Delete an private key (a key on your private key ring):
`gpg --delete-secret-key "User Name"`
This deletes the secret key from your secret key ring.

## List the keys in your public key ring:
`gpg --list-keys`

## List the keys in your secret key ring:
`gpg --list-secret-keys`

## Generate a key fingerprints for verifying public keys:
`gpg --fingerprint > fingerprint`
This creates the file *fingerprint* with your fingerprint info.

## Encrypt data:
`gpg -e -u "Sender User Name" -r "Receiver User Name" somefile`
There are some useful options here, such as `-u` to specify the secret key to sign with, and `-r` to specify the public key of the recipient.  You can have more than one recipient of the *same* file. You may specify yourself as recipient to keep a secret file for yourself.

As an example: `gpg -e -u "Mike Lockhart" -r "A Friend" mydata.tar`

This creates a file called "*mydata.tar.gpg*" that contains the encrypted data. You (optionaly) specify the senders username so that the recipient can verify that the contents are from that person (using your public key).

**NOTE**: `mydata.tar` is not removed, you end up with ***two files***, so if you want to have only the encrypted file in existance, you must delete `mydata.tar` yourself.

An interesting side note: encryption can also compress. E.g. encrypted a patch file of 55,247 bytes, and end up with an encrypted file of only 15,276 bytes.

## Decrypt data:
`gpg -d mydata.tar.gpg -o mydata.tar`

If you have multiple secret keys, gpg will choose the correct one, or output an error if the correct one doesn't exist. You'll be prompted to enter your passphrase. 

Afterwards there will exist the file "*mydata.tar*", and the encrypted *original* `mydata.tar.gpg`.