GPG2(1)                        GNU Privacy Guard                       GPG2(1)


NAME
       gpg2 - OpenPGP encryption and signing tool


SYNOPSIS
       gpg2 [--homedir dir] [--options file] [options] command [args]


DESCRIPTION
       gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool
       to provide digital encryption and signing services using the OpenPGP
       standard. gpg2 features complete key management and all the bells and
       whistles you can expect from a decent OpenPGP implementation.

       In contrast to the standalone version gpg, which is more suited for
       server and embedded platforms, this version is installed under the name
       gpg2 and is more targeted at the desktop, as it requires several other
       modules to be installed. The standalone version will continue to be
       maintained and it is possible to install both versions on the same
       system. If you need to use different configuration files, you should
       make use of something like ‘gpg.conf-2’ instead of just ‘gpg.conf’.


RETURN VALUE
       The program returns 0 if everything was fine, 1 if at least one
       signature was bad, and other error codes for fatal errors.


WARNINGS
       Use a *good* password for your user account and a *good* passphrase to
       protect your secret key. This passphrase is the weakest part of the
       whole system. Programs to do dictionary attacks on your secret keyring
       are very easy to write and so you should protect your "~/.gnupg/"
       directory very well.

       Keep in mind that, if this program is used over a network (telnet), it
       is *very* easy to spy out your passphrase!

       If you are going to verify detached signatures, make sure that the
       program knows about it; either give both filenames on the command line
       or use '-' to specify STDIN.


INTEROPERABILITY
       GnuPG tries to be a very flexible implementation of the OpenPGP
       standard. In particular, GnuPG implements many of the optional parts of
       the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
       compression algorithms. It is important to be aware that not all
       OpenPGP programs implement these optional algorithms and that by
       forcing their use via the --cipher-algo, --digest-algo,
       --cert-digest-algo, or --compress-algo options in GnuPG, it is possible
       to create a perfectly valid OpenPGP message, but one that cannot be
       read by the intended recipient.

       There are dozens of variations of OpenPGP programs available, and each
       supports a slightly different subset of these optional algorithms. For
       example, until recently, no (unhacked) version of PGP supported the
       BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
       read by a PGP user. By default, GnuPG uses the standard OpenPGP
       preferences system that will always do the right thing and create
       messages that are usable by all recipients, regardless of which OpenPGP
       program they use. Only override this safe default if you really know
       what you are doing.

       If you absolutely must override the safe default, or if the preferences
       on a given key are invalid for some reason, you are far better off
       using the --pgp6, --pgp7, or --pgp8 options. These options are safe as
       they do not force any particular algorithms in violation of OpenPGP,
       but rather reduce the available algorithms to a "PGP-safe" list.


COMMANDS
       Commands are not distinguished from options except for the fact that
       only one command is allowed.

       gpg2 may be run with no commands, in which case it will perform a
       reasonable action depending on the type of file it is given as input
       (an encrypted message is decrypted, a signature is verified, a file
       containing keys is listed).

       Please remember that option as well as command parsing stops as soon
       as a non-option is encountered; you can explicitly stop parsing by
       using the special option --.

   Commands not specific to the function

       --version
              Print the program version and licensing information. Note that
              you cannot abbreviate this command.

       --help
       -h     Print a usage message summarizing the most useful command line
              options. Note that you cannot abbreviate this command.

       --warranty
              Print warranty information.

       --dump-options
              Print a list of all available options and commands. Note that
              you cannot abbreviate this command.

   Commands to select the type of operation

       --sign
       -s     Make a signature. This command may be combined with --encrypt
              (for a signed and encrypted message), --symmetric (for a signed
              and symmetrically encrypted message), or --encrypt and
              --symmetric together (for a signed message that may be
              decrypted via a secret key or a passphrase). The key to be used
              for signing is chosen by default or can be set with the
              --local-user and --default-key options.

       --clearsign
              Make a clear text signature. The content in a clear text
              signature is readable without any special software. OpenPGP
              software is only needed to verify the signature. Clear text
              signatures may modify end-of-line whitespace for platform
              independence and are not intended to be reversible. The key to
              be used for signing is chosen by default or can be set with the
              --local-user and --default-key options.

       --detach-sign
       -b     Make a detached signature.

       --encrypt
       -e     Encrypt data. This option may be combined with --sign (for a
              signed and encrypted message), --symmetric (for a message that
              may be decrypted via a secret key or a passphrase), or --sign
              and --symmetric together (for a signed message that may be
              decrypted via a secret key or a passphrase).

       --symmetric
       -c     Encrypt with a symmetric cipher using a passphrase. The default
              symmetric cipher used is CAST5, but may be chosen with the
              --cipher-algo option. This option may be combined with --sign
              (for a signed and symmetrically encrypted message), --encrypt
              (for a message that may be decrypted via a secret key or a
              passphrase), or --sign and --encrypt together (for a signed
              message that may be decrypted via a secret key or a
              passphrase).

       --store
              Store only (make a simple RFC1991 literal data packet).

       --decrypt
       -d     Decrypt the file given on the command line (or STDIN if no file
              is specified) and write it to STDOUT (or the file specified with
              --output). If the decrypted file is signed, the signature is
              also verified. This command differs from the default operation,
              as it never writes to the filename which is included in the file
              and it rejects files which don't begin with an encrypted
              message.

       --verify
              Assume that the first argument is a signed file or a detached
              signature and verify it without generating any output. With no
              arguments, the signature packet is read from STDIN. If only a
              sigfile is given, it may be a complete signature or a detached
              signature, in which case the signed material is expected in a
              file without the ".sig" or ".asc" extension. With more than one
              argument, the first should be a detached signature and the
              remaining files are the signed material. To read the signed
              material from STDIN, use '-' as the second filename. For
              security reasons a detached signature cannot read the signed
              material from STDIN without denoting it in the above way.

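The detached-signature rule above, combined with the exit codes listed under RETURN VALUE, as a small wrapper a script can call. This is an added example, not part of the gpg2 manual; the GPG variable is an assumed override for the binary name, and --batch is used only so the call never prompts.

```shell
#!/bin/sh
# Added example (not from the gpg2 man page). GPG is an assumed override
# for the binary so the wrapper can be pointed at another build; default gpg2.
GPG="${GPG:-gpg2}"

# classify_gpg_rc RC
# Map the gpg2 return value (RETURN VALUE section) to a stable keyword:
#   0 -> good, 1 -> bad (at least one bad signature), anything else -> error
classify_gpg_rc() {
    case "$1" in
        0) echo good ;;
        1) echo bad ;;
        *) echo error ;;
    esac
}

# verify_detached SIGFILE DATAFILE
# DATAFILE may be '-' to read the signed data from STDIN.  Both names are
# always passed to gpg2, so it never has to guess the data file from the
# ".sig"/".asc" convention, and never reads signed data from STDIN unless
# '-' says so explicitly.  Prints good/bad/error and returns the original
# gpg2 status so a caller can tell a bad signature (1) from a fatal error.
verify_detached() {
    if [ "$#" -ne 2 ]; then
        echo "usage: verify_detached SIGFILE DATAFILE|-" >&2
        return 2
    fi
    sig="$1"
    data="$2"
    if [ ! -r "$sig" ]; then
        echo "error: cannot read signature file: $sig" >&2
        return 2
    fi
    if [ "$data" != "-" ] && [ ! -r "$data" ]; then
        echo "error: cannot read signed data: $data" >&2
        return 2
    fi
    # --batch keeps gpg2 from prompting when run from a script.
    rc=0
    "$GPG" --batch --verify "$sig" "$data" || rc=$?
    classify_gpg_rc "$rc"
    return "$rc"
}
```

A caller should treat only "good" as success; "bad" means gpg2 saw at least one bad signature, "error" means it could not complete the check at all.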
       --multifile
              This modifies certain other commands to accept multiple files
              for processing on the command line or read from STDIN with each
              filename on a separate line. This allows for many files to be
              processed at once. --multifile may currently be used along with
              --verify, --encrypt, and --decrypt. Note that --multifile
              --verify may not be used with detached signatures.

       --verify-files
              Identical to --multifile --verify.

       --encrypt-files
              Identical to --multifile --encrypt.

       --decrypt-files
              Identical to --multifile --decrypt.

       --list-keys
       -k
       --list-public-keys
              List all keys from the public keyrings, or just the keys given
              on the command line.

              Avoid using the output of this command in scripts or other
              programs as it is likely to change as GnuPG changes. See
              --with-colons for a machine-parseable key listing command that
              is appropriate for use in scripts and other programs.

       --list-secret-keys
       -K     List all keys from the secret keyrings, or just the ones given
              on the command line. A # after the letters sec means that the
              secret key is not usable (for example, if it was created via
              --export-secret-subkeys).

       --list-sigs
              Same as --list-keys, but the signatures are listed too. This
              command has the same effect as using --list-keys with
              --with-sig-list.

              For each signature listed, there are several flags in between
              the "sig" tag and keyid. These flags give additional information
              about each signature. From left to right, they are the numbers
              1-3 for certificate check level (see --ask-cert-level), "L" for
              a local or non-exportable signature (see --lsign-key), "R" for a
              non-revocable signature (see the --edit-key command "nrsign"),
              "P" for a signature that contains a policy URL (see
              --cert-policy-url), "N" for a signature that contains a notation
              (see --cert-notation), "X" for an eXpired signature (see
              --ask-cert-expire), and the numbers 1-9 or "T" for 10 and above
              to indicate trust signature levels (see the --edit-key command
              "tsign").

       --check-sigs
              Same as --list-sigs, but the signatures are verified. Note that
              for performance reasons the revocation status of a signing key
              is not shown. This command has the same effect as using
              --list-keys with --with-sig-check.

              The status of the verification is indicated by a flag directly
              following the "sig" tag (and thus before the flags described
              above for --list-sigs). A "!" indicates that the signature has
              been successfully verified, a "-" denotes a bad signature and a
              "%" is used if an error occurred while checking the signature
              (e.g. an unsupported algorithm).

       --locate-keys
              Locate the keys given as arguments. This command basically uses
              the same algorithm as used when locating keys for encryption or
              signing and may thus be used to see what keys gpg2 might use.
              In particular external methods as defined by --auto-key-locate
              may be used to locate a key. Only public keys are listed.

       --fingerprint
              List all keys (or the specified ones) along with their
              fingerprints. This is the same output as --list-keys but with
              the additional output of a line with the fingerprint. May also
              be combined with --list-sigs or --check-sigs. If this command is
              given twice, the fingerprints of all secondary keys are listed
              too.

       --list-packets
              List only the sequence of packets. This is mainly useful for
              debugging.

       --card-edit
              Present a menu to work with a smartcard. The subcommand "help"
              provides an overview on available commands. For a detailed
              description, please see the Card HOWTO at
              http://www.gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .

       --card-status
              Show the content of the smart card.

       --change-pin
              Present a menu to allow changing the PIN of a smartcard. This
              functionality is also available as the subcommand "passwd" with
              the --card-edit command.

       --delete-key name
              Remove key from the public keyring. In batch mode either --yes
              is required or the key must be specified by fingerprint. This is
              a safeguard against accidental deletion of multiple keys.

       --delete-secret-key name
              Remove key from the secret and public keyring. In batch mode the
              key must be specified by fingerprint.

       --delete-secret-and-public-key name
              Same as --delete-key, but if a secret key exists, it will be
              removed first. In batch mode the key must be specified by
              fingerprint.

       --export
              Either export all keys from all keyrings (default keyrings and
              those registered via option --keyring), or if at least one name
              is given, those of the given name. The new keyring is written to
              STDOUT or to the file given with option --output. Use together
              with --armor to mail those keys.

       --send-keys key IDs
              Similar to --export but sends the keys to a keyserver.
              Fingerprints may be used instead of key IDs. Option --keyserver
              must be used to give the name of this keyserver. Don't send your
              complete keyring to a keyserver; select only those keys which
              are new or changed by you. If no key IDs are given, gpg does
              nothing.

       --export-secret-keys
       --export-secret-subkeys
              Same as --export, but exports the secret keys instead. This is
              normally not very useful and a security risk. The second form
              of the command has the special property to render the secret
              part of the primary key useless; this is a GNU extension to
              OpenPGP and other implementations cannot be expected to
              successfully import such a key. See the option
              --simple-sk-checksum if you want to import such an exported key
              with an older OpenPGP implementation.

       --import
       --fast-import
              Import/merge keys. This adds the given keys to the keyring. The
              fast version is currently just a synonym.

              There are a few other options which control how this command
              works. Most notable here is the --import-options merge-only
              option which does not insert new keys but does only the merging
              of new signatures, user IDs and subkeys.

       --recv-keys key IDs
              Import the keys with the given key IDs from a keyserver. Option
              --keyserver must be used to give the name of this keyserver.

       --refresh-keys
              Request updates from a keyserver for keys that already exist on
              the local keyring. This is useful for updating a key with the
              latest signatures, user IDs, etc. Calling this with no arguments
              will refresh the entire keyring. Option --keyserver must be used
              to give the name of the keyserver for all keys that do not have
              preferred keyservers set (see --keyserver-options
              honor-keyserver-url).

       --search-keys names
              Search the keyserver for the given names. Multiple names given
              here will be joined together to create the search string for the
              keyserver. Option --keyserver must be used to give the name of
              this keyserver. Keyservers that support different search
              methods allow using the syntax specified in "How to specify a
              user ID" below. Note that different keyserver types support
              different search methods. Currently only LDAP supports them all.

       --fetch-keys URIs
              Retrieve keys located at the specified URIs. Note that different
              installations of GnuPG may support different protocols (HTTP,
              FTP, LDAP, etc.)

       --update-trustdb
              Do trust database maintenance. This command iterates over all
              keys and builds the Web of Trust. This is an interactive command
              because it may have to ask for the "ownertrust" values for keys.
              The user has to give an estimation of how far she trusts the
              owner of the displayed key to correctly certify (sign) other
              keys. GnuPG only asks for the ownertrust value if it has not yet
              been assigned to a key. Using the --edit-key menu, the assigned
              value can be changed at any time.

       --check-trustdb
              Do trust database maintenance without user interaction. From
              time to time the trust database must be updated so that expired
              keys or signatures and the resulting changes in the Web of Trust
              can be tracked. Normally, GnuPG will calculate when this is
              required and do it automatically unless --no-auto-check-trustdb
              is set. This command can be used to force a trust database check
              at any time. The processing is identical to that of
              --update-trustdb but it skips keys with a not yet defined
              "ownertrust".

              For use with cron jobs, this command can be used together with
              --batch in which case the trust database check is done only if a
              check is needed. To force a run even in batch mode add the
              option --yes.

       --export-ownertrust
              Send the ownertrust values to STDOUT. This is useful for backup
              purposes as these values are the only ones which can't be
              re-created from a corrupted trustdb. Example:
                  gpg2 --export-ownertrust > otrust.txt

       --import-ownertrust
              Update the trustdb with the ownertrust values stored in files
              (or STDIN if not given); existing values will be overwritten.
              In case of a severely damaged trustdb and if you have a recent
              backup of the ownertrust values (e.g. in the file ‘otrust.txt’),
              you may re-create the trustdb using these commands:
                  cd ~/.gnupg
                  rm trustdb.gpg
                  gpg2 --import-ownertrust < otrust.txt

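The backup and restore procedure above as a script that refuses to write an empty backup and renames the damaged trustdb instead of deleting it. This is an added example, not part of the gpg2 manual; it passes --homedir instead of using cd, the GPG variable is an assumed override for the binary name, and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the gpg2 man page). GPG is an assumed override
# for the binary so the functions can be pointed at another build; default gpg2.
GPG="${GPG:-gpg2}"

# backup_ownertrust HOMEDIR FILE
# Write the ownertrust values of HOMEDIR's trustdb to FILE.  The export
# goes to a temporary file first and an empty result is discarded, because
# restoring from an empty backup would silently yield an empty trustdb.
backup_ownertrust() {
    homedir="$1"
    out="$2"
    if ! "$GPG" --homedir "$homedir" --export-ownertrust > "$out.tmp"; then
        rm -f "$out.tmp"
        return 1
    fi
    if [ ! -s "$out.tmp" ]; then
        rm -f "$out.tmp"
        echo "error: no ownertrust values exported from $homedir" >&2
        return 1
    fi
    mv "$out.tmp" "$out"
}

# restore_ownertrust HOMEDIR FILE
# Same steps as the manual's
#     cd ~/.gnupg; rm trustdb.gpg; gpg2 --import-ownertrust < otrust.txt
# except that the old trustdb.gpg is kept as trustdb.gpg.damaged, and the
# backup must exist and be non-empty before anything is touched.
restore_ownertrust() {
    homedir="$1"
    backup="$2"
    if [ ! -s "$backup" ]; then
        echo "error: ownertrust backup $backup is missing or empty" >&2
        return 1
    fi
    if [ -e "$homedir/trustdb.gpg" ]; then
        mv "$homedir/trustdb.gpg" "$homedir/trustdb.gpg.damaged" || return 1
    fi
    # gpg2 creates a fresh trustdb and fills in the saved ownertrust values.
    "$GPG" --homedir "$homedir" --import-ownertrust < "$backup"
}
```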
       --rebuild-keydb-caches
              When updating from version 1.0.6 to 1.0.7 this command should be
              used to create signature caches in the keyring. It might be
              handy in other situations too.

       --print-md algo
       --print-mds
              Print message digest of algorithm ALGO for all given files or
              STDIN. With the second form (or a deprecated "*" as algo)
              digests for all available algorithms are printed.

       --gen-random 0|1|2
              Emit count random bytes of the given quality level. If count is
              not given or zero, an endless sequence of random bytes will be
              emitted. PLEASE, don't use this command unless you know what
              you are doing; it may remove precious entropy from the system!

       --gen-prime mode bits
              Use the source, Luke :-). The output format is still subject to
              change.

       --enarmor
       --dearmor
              Pack or unpack an arbitrary input into/from an OpenPGP ASCII
              armor. This is a GnuPG extension to OpenPGP and in general not
              very useful.

   How to manage your keys

       This section explains the main commands for key management.

       --gen-key
              Generate a new key pair. This command is normally only used
              interactively.

              There is an experimental feature which allows you to create keys
              in batch mode. See the file ‘doc/DETAILS’ in the source
              distribution on how to use this.

       --gen-revoke name
              Generate a revocation certificate for the complete key. To
              revoke a subkey or a signature, use the --edit command.

       --desig-revoke name
              Generate a designated revocation certificate for a key. This
              allows a user (with the permission of the keyholder) to revoke
              someone else's key.

       --edit-key
              Present a menu which enables you to do most of the key
              management related tasks. It expects the specification of a key
              on the command line.

              uid n  Toggle selection of user ID or photographic user ID with
                     index n. Use * to select all and 0 to deselect all.

              key n  Toggle selection of subkey with index n. Use * to select
                     all and 0 to deselect all.

              sign   Make a signature on the key of user name. If the key is
                     not yet signed by the default user (or the users given
                     with -u), the program displays the information of the key
                     again, together with its fingerprint, and asks whether it
                     should be signed. This question is repeated for all users
                     specified with -u.

              lsign  Same as "sign" but the signature is marked as
                     non-exportable and will therefore never be used by
                     others. This may be used to make keys valid only in the
                     local environment.

              nrsign Same as "sign" but the signature is marked as
                     non-revocable and can therefore never be revoked.

              tsign  Make a trust signature. This is a signature that combines
                     the notions of certification (like a regular signature)
                     and trust (like the "trust" command). It is generally
                     only useful in distinct communities or groups.

              Note that "l" (for local / non-exportable), "nr" (for
              non-revocable), and "t" (for trust) may be freely mixed and
              prefixed to "sign" to create a signature of any type desired.

              delsig Delete a signature. Note that it is not possible to
                     retract a signature once it has been sent to the public
                     (i.e. to a keyserver). In that case, use revsig instead.

              revsig Revoke a signature. For every signature which has been
                     generated by one of the secret keys, GnuPG asks whether a
                     revocation certificate should be generated.

              check  Check the signatures on all selected user IDs.

              adduid Create an additional user ID.

              addphoto
                     Create a photographic user ID. This will prompt for a
                     JPEG file that will be embedded into the user ID. Note
                     that a very large JPEG will make for a very large key.
                     Also note that some programs will display your JPEG
                     unchanged (GnuPG), and some programs will scale it to fit
                     in a dialog box (PGP).

              showphoto
                     Display the selected photographic user ID.

              deluid Delete a user ID or photographic user ID. Note that it
                     is not possible to retract a user ID once it has been
                     sent to the public (i.e. to a keyserver). In that case,
                     use revuid instead.

              revuid Revoke a user ID or photographic user ID.

              primary
                     Flag the current user ID as the primary one; this removes
                     the primary user ID flag from all other user IDs and sets
                     the timestamp of all affected self-signatures one second
                     ahead. Note that setting a photo user ID as primary makes
                     it primary over other photo user IDs, and setting a
                     regular user ID as primary makes it primary over other
                     regular user IDs.

              keyserver
                     Set a preferred keyserver for the specified user ID(s).
                     This allows other users to know where you prefer they get
                     your key from. See --keyserver-options
                     honor-keyserver-url for more on how this works. Setting a
                     value of "none" removes an existing preferred keyserver.

              notation
                     Set a name=value notation for the specified user ID(s).
                     See --cert-notation for more on how this works. Setting a
                     value of "none" removes all notations, setting a notation
                     prefixed with a minus sign (-) removes that notation, and
                     setting a notation name (without the =value) prefixed
                     with a minus sign removes all notations with that name.

              pref   List preferences from the selected user ID. This shows
                     the actual preferences, without including any implied
                     preferences.

              showpref
                     More verbose preferences listing for the selected user
                     ID. This shows the preferences in effect by including the
                     implied preferences of 3DES (cipher), SHA-1 (digest), and
                     Uncompressed (compression) if they are not already
                     included in the preference list. In addition, the
                     preferred keyserver and signature notations (if any) are
                     shown.

              setpref string
                     Set the list of user ID preferences to string for all (or
                     just the selected) user IDs. Calling setpref with no
                     arguments sets the preference list to the default (either
                     built-in or set via --default-preference-list), and
                     calling setpref with "none" as the argument sets an empty
                     preference list. Use gpg2 --version to get a list of
                     available algorithms. Note that while you can change the
                     preferences on an attribute user ID (aka "photo ID"),
                     GnuPG does not select keys via attribute user IDs so
                     these preferences will not be used by GnuPG.

                     When setting preferences, you should list the algorithms
                     in the order which you'd like to see them used by someone
                     else when encrypting a message to your key. If you don't
                     include 3DES, it will be automatically added at the end.
                     Note that there are many factors that go into choosing an
                     algorithm (for example, your key may not be the only
                     recipient), and so the remote OpenPGP application being
                     used to send to you may or may not follow your exact
                     chosen order for a given message. It will, however, only
                     choose an algorithm that is present on the preference
                     list of every recipient key. See also the
                     INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section
                     below.

677              addkey Add a subkey to this key.
678
679
680              addcardkey
681                     Generate a subkey on a card and add it to this key.
682
683
684              keytocard
685                     Transfer the selected secret subkey (or the  primary  key
686                     if  no  subkey  has  been  selected)  to a smartcard. The
687                     secret key in the keyring will be replaced by a  stub  if
688                     the  key could be stored successfully on the card and you
689                     use the save command later. Only certain key types may be
690                     transferred  to the card. A sub menu allows you to select
691                     on what card to store the key. Note that it is not possi‐
692                     ble to get that key back from the card - if the card gets
693                     broken your secret key will be lost  unless  you  have  a
694                     backup somewhere.
695
696
697              bkuptocard file
698                     Restore  the  given  file  to a card. This command may be
699                     used to restore a backup key (as  generated  during  card
700                     initialization)  to  a new card. In almost all cases this
701                     will be the encryption key. You should use  this  command
702                     only with the corresponding public key and make sure that
703                     the file given  as  argument  is  indeed  the  backup  to
704                     restore.  You  should then select 2 to restore as encryp‐
705                     tion  key.   You  will  first  be  asked  to  enter   the
706                     passphrase  of  the backup key and then for the Admin PIN
707                     of the card.
708
709
710              delkey Remove a subkey (secondary key). Note that it is not pos‐
711                     sible to retract a subkey once it has been sent to the
712                     public (i.e. to a keyserver). In that case you had better
713                     use revkey.
714
715
716              revkey Revoke a subkey.
717
718
719              expire Change  the key or subkey expiration time. If a subkey is
720                     selected, the expiration time  of  this  subkey  will  be
721                     changed.  With  no  selection,  the key expiration of the
722                     primary key is changed.
723
724
725              trust  Change the owner trust value for the  key.  This  updates
726                     the trust-db immediately and no save is required.
727
728
729              disable
730
731              enable Disable or enable an entire key. A disabled key cannot
732                     normally be used for encryption.
733
734
735              addrevoker
736                     Add a designated revoker  to  the  key.  This  takes  one
737                     optional  argument:  "sensitive". If a designated revoker
738                     is marked as  sensitive,  it  will  not  be  exported  by
739                     default (see export-options).
740
741
742              passwd Change the passphrase of the secret key.
743
744
745              toggle Toggle between public and secret key listing.
746
747
748              clean  Compact  (by  removing all signatures except the selfsig)
749                     any user ID that is no longer usable  (e.g.  revoked,  or
750                     expired). Then, remove any signatures that are not usable
751                     by the trust calculations.   Specifically,  this  removes
752                     any  signature that does not validate, any signature that
753                     is superseded by a later signature,  revoked  signatures,
754                     and signatures issued by keys that are not present on the
755                     keyring.
756
757
758              minimize
759                     Make the key as small as possible. This removes all  sig‐
760                     natures  from  each  user  ID  except for the most recent
761                     self-signature.
762
763
764              cross-certify
765                     Add cross-certification  signatures  to  signing  subkeys
766                     that  may  not  currently  have them. Cross-certification
767                     signatures protect against a subtle attack against  sign‐
768                     ing  subkeys. See --require-cross-certification.  All new
769                     keys generated have this signature by  default,  so  this
770                     option is only useful to bring older keys up to date.
771
772
773              save   Save all changes to the key rings and quit.
774
775
776              quit   Quit the program without updating the key rings.
777
778
779              The  listing  shows  you the key with its secondary keys and all
780              user ids. Selected keys or user ids are indicated by  an  aster‐
781              isk.  The  trust  value  is  displayed with the primary key: the
782              first is the assigned owner trust and the second is  the  calcu‐
783              lated trust value. Letters are used for the values:
784
785
786
787              -      No ownertrust assigned / not yet calculated.
788
789
790              e      Trust  calculation has failed; probably due to an expired
791                     key.
792
793
794              q      Not enough information for calculation.
795
796
797              n      Never trust this key.
798
799
800              m      Marginally trusted.
801
802
803              f      Fully trusted.
804
805
806              u      Ultimately trusted.
807
808
809       --sign-key name
810              Signs a public key with your secret key. This is a shortcut ver‐
811              sion of the subcommand "sign" from --edit-key.
812
813
814       --lsign-key name
815              Signs  a  public  key  with your secret key but marks it as non-
816              exportable. This is a shortcut version of the subcommand "lsign"
817              from --edit-key.
818
819
820
821
822
823

OPTIONS

825       gpg2 features a number of options to control the exact behaviour and
826       to change the default configuration.
827
828
829       Long   options   can   be   put   in   an   options    file    (default
830       "~/.gnupg/gpg.conf").  Short  option names will not work - for example,
831       "armor" is a valid option for the options file, while "a"  is  not.  Do
832       not  write  the  2  dashes,  but  simply the name of the option and any
833       required arguments. Lines with a hash ('#')  as  the  first  non-white-
834       space  character are ignored. Commands may be put in this file too, but
835       that is not generally useful as the command will execute  automatically
836       with every execution of gpg.
837
838       Please remember that option parsing stops as soon as a non-option is
839       encountered; you can explicitly stop parsing by using the special
840       option --.
841
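As an added example (not code from this man page or from the GnuPG project), the following POSIX shell script checks a gpg.conf against the three rules just stated (no leading dashes, long option names only, '#' as first non-blank character starts a comment) and runs it over two constructed sample files; the option names in the samples are ones this page describes.

```shell
#!/bin/sh
# Added example, not part of GnuPG: a small lint for gpg.conf that applies
# the rules stated in the OPTIONS text. Both sample files are constructed
# here for the demonstration.

# Print one diagnostic per offending line; print nothing for a clean file.
# Usage: lint_gpg_conf FILE
lint_gpg_conf() {
    n=0
    # 'read' without IFS= strips leading and trailing blanks for us;
    # the '|| [ -n ... ]' keeps a last line that lacks a newline.
    while read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*)
                continue ;;                       # blank line or comment
            -*)
                printf '%s:%d: do not write the dashes: %s\n' "$1" "$n" "$line"
                continue ;;
        esac
        name=${line%%[[:space:]]*}                # option name is the first word
        if [ "${#name}" -eq 1 ]; then
            printf '%s:%d: short option "%s" does not work here; use the long name\n' \
                "$1" "$n" "$name"
        fi
    done < "$1"
}

# A config that follows the rules and also switches off the two network
# lookups the text flags as disclosing who verifies what and when.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# constructed gpg.conf: clean
keyid-format 0xlong
keyserver-options no-auto-key-retrieve
verify-options no-pka-lookups
    # an indented comment is still a comment
armor
EOF

# The same intent written the way it is typed on a command line.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
# constructed gpg.conf: three mistakes
--keyid-format 0xlong
a
keyserver-options no-auto-key-retrieve
-q
EOF

# Number of diagnostics for FILE as a plain integer (handy in scripts).
lint_count() {
    lint_gpg_conf "$1" | wc -l | tr -d ' '
}

lint_gpg_conf "$BAD_CONF"
```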
842
843
844   How to change the configuration
845
846
847       These  options  are  used  to  change the configuration and are usually
848       found in the option file.
849
850
851
852       --default-key name
853              Use name as the default key to sign with. If this option is  not
854              used,  the  default  key  is  the  first key found in the secret
855              keyring.  Note that -u or --local-user overrides this option.
856
857
858       --default-recipient name
859              Use name as default recipient if option --recipient is not  used
860              and don't ask if this is a valid one. name must be non-empty.
861
862
863       --default-recipient-self
864              Use  the  default key as default recipient if option --recipient
865              is not used and don't ask if this is a valid  one.  The  default
866              key is the first one from the secret keyring or the one set with
867              --default-key.
868
869
870       --no-default-recipient
871              Reset --default-recipient and --default-recipient-self.
872
873
874       -v, --verbose
875              Give more information during  processing.  If  used  twice,  the
876              input data is listed in detail.
877
878
879       --no-verbose
880              Reset verbose level to 0.
881
882
883       -q, --quiet
884              Try to be as quiet as possible.
885
886
887       --batch
888
889       --no-batch
890              Use  batch  mode.  Never ask, do not allow interactive commands.
891              --no-batch disables this option.  Note that even with a filename
892              given  on  the  command  line, gpg might still need to read from
893              STDIN (in particular if gpg figures that the input is a detached
894              signature  and no data file has been specified).  Thus if you do
895              not want to feed data via STDIN, you  should  connect  STDIN  to
896              ‘/dev/null’.
897
898
899       --no-tty
900              Make  sure that the TTY (terminal) is never used for any output.
901              This option is needed in  some  cases  because  GnuPG  sometimes
902              prints warnings to the TTY even if --batch is used.
903
904
905       --yes  Assume "yes" on most questions.
906
907
908       --no   Assume "no" on most questions.
909
910
911
912       --list-options parameters
913              This  is  a  space  or comma delimited string that gives options
914              used when listing keys and  signatures  (that  is,  --list-keys,
915              --list-sigs,  --list-public-keys,  --list-secret-keys,  and  the
916              --edit-key functions).  Options can  be  prepended  with  a  no-
917              (after  the  two  dashes)  to  give  the  opposite meaning.  The
918              options are:
919
920
921
922              show-photos
923                     Causes --list-keys, --list-sigs, --list-public-keys,  and
924                     --list-secret-keys  to  display any photo IDs attached to
925                     the key.  Defaults to no. See also --photo-viewer.
926
927
928              show-policy-urls
929                     Show policy URLs in the --list-sigs or --check-sigs list‐
930                     ings.  Defaults to no.
931
932
933              show-notations
934
935              show-std-notations
936
937              show-user-notations
938                     Show  all, IETF standard, or user-defined signature nota‐
939                     tions  in  the  --list-sigs  or  --check-sigs   listings.
940                     Defaults to no.
941
942
943              show-keyserver-urls
945                     Show  any  preferred  keyserver URL in the --list-sigs or
946                     --check-sigs listings. Defaults to no.
947
948
949              show-uid-validity
950                     Display the calculated validity of user  IDs  during  key
951                     listings.  Defaults to no.
952
953
954              show-unusable-uids
955                     Show  revoked  and  expired  user  IDs  in  key listings.
956                     Defaults to no.
957
958
959              show-unusable-subkeys
960                     Show  revoked  and  expired  subkeys  in  key   listings.
961                     Defaults to no.
962
963
964              show-keyring
965                     Display  the  keyring name at the head of key listings to
966                     show which keyring a given key resides  on.  Defaults  to
967                     no.
968
969
970              show-sig-expire
971                     Show  signature  expiration dates (if any) during --list-
972                     sigs or --check-sigs listings. Defaults to no.
973
974
975              show-sig-subpackets
976                     Include signature subpackets in  the  key  listing.  This
977                     option can take an optional argument list of the subpack‐
978                     ets to list. If no argument is passed, list all  subpack‐
979                     ets.  Defaults to no. This option is only meaningful when
980                     using --with-colons along with  --list-sigs  or  --check-
981                     sigs.
982
983
984       --verify-options parameters
985              This  is  a  space  or comma delimited string that gives options
986              used when verifying signatures. Options can be prepended with  a
987              `no-' to give the opposite meaning. The options are:
988
989
990
991              show-photos
992                     Display  any photo IDs present on the key that issued the
993                     signature.  Defaults to no. See also --photo-viewer.
994
995
996              show-policy-urls
997                     Show  policy  URLs  in  the  signature  being   verified.
998                     Defaults to no.
999
1000
1001              show-notations
1002
1003              show-std-notations
1004
1005              show-user-notations
1006                     Show  all, IETF standard, or user-defined signature nota‐
1007                     tions in the signature being verified. Defaults  to  IETF
1008                     standard.
1009
1010
1011              show-keyserver-urls
1012                     Show  any  preferred keyserver URL in the signature being
1013                     verified.  Defaults to no.
1014
1015
1016              show-uid-validity
1017                     Display the calculated validity of the user  IDs  on  the
1018                     key that issued the signature. Defaults to no.
1019
1020
1021              show-unusable-uids
1022                     Show  revoked and expired user IDs during signature veri‐
1023                     fication.  Defaults to no.
1024
1025
1026              show-primary-uid-only
1027                     Show only the primary user ID during signature  verifica‐
1028                     tion. That is, the AKA lines and photo IDs are not shown
1029                     with the signature verification status.
1030
1031
1032              pka-lookups
1033                     Enable PKA lookups to verify sender addresses. Note  that
1034                     PKA is based on DNS, and so enabling this option may dis‐
1035                     close information on when and what signatures  are  veri‐
1036                     fied or to whom data is encrypted. This is similar to the
1037                     "web bug" described for the auto-key-retrieve feature.
1038
1039
1040              pka-trust-increase
1041                     Raise the trust in a signature to full if  the  signature
1042                     passes  PKA validation. This option is only meaningful if
1043                     pka-lookups is set.
1044
1045
1046       --enable-dsa2
1047
1048       --disable-dsa2
1049              Enable hash truncation for all DSA keys, even for old DSA keys
1050              up to 1024 bit. This is also the default with --openpgp. Note
1051              that older versions of GnuPG also required this flag to allow
1052              the generation of DSA keys larger than 1024 bit.
1053
1054
1055       --photo-viewer string
1056              This  is the command line that should be run to view a photo ID.
1057              "%i" will be expanded to a filename containing the  photo.  "%I"
1058              does  the  same,  except  the  file will not be deleted once the
1059              viewer exits.  Other flags are "%k" for the key ID, "%K" for the
1060              long  key  ID, "%f" for the key fingerprint, "%t" for the exten‐
1061              sion of the image type (e.g. "jpg"), "%T" for the MIME  type  of
1062              the  image  (e.g.  "image/jpeg"), and "%%" for an actual percent
1063              sign. If neither %i nor %I is present, then the photo will be
1064              supplied to the viewer on standard input.
1065
1066              The  default  viewer  is  "xloadimage -fork -quiet -title 'KeyID
1067              0x%k' STDIN". Note that if your  image  viewer  program  is  not
1068              secure, then executing it from GnuPG does not make it secure.
1069
1070
1071       --exec-path string
1072              Sets  a list of directories to search for photo viewers and key‐
1073              server helpers. If not provided, keyserver helpers use the  com‐
1074              piled-in  default  directory,  and  photo  viewers use the $PATH
1075              environment variable. Note that on W32 systems this value is
1076              ignored when searching for keyserver helpers.
1077
1078
1079       --keyring file
1080              Add  file to the current list of keyrings. If file begins with a
1081              tilde and a slash, these are replaced by the $HOME directory. If
1082              the  filename  does  not contain a slash, it is assumed to be in
1083              the GnuPG home directory ("~/.gnupg" if --homedir or  $GNUPGHOME
1084              is not used).
1085
1086              Note that this adds a keyring to the current list. If the intent
1087              is to use the specified keyring alone, use --keyring along  with
1088              --no-default-keyring.
1089
1090
1091       --secret-keyring file
1092              Same as --keyring but for the secret keyrings.
1093
1094
1095       --primary-keyring file
1096              Designate  file  as  the primary public keyring. This means that
1097              newly imported keys (via --import or keyserver --recv-from) will
1098              go to this keyring.
1099
1100
1101       --trustdb-name file
1102              Use  file  instead of the default trustdb. If file begins with a
1103              tilde and a slash, these are replaced by the $HOME directory. If
1104              the  filename  does  not contain a slash, it is assumed to be in
1105              the GnuPG home directory (‘~/.gnupg’ if --homedir or  $GNUPGHOME
1106              is not used).
1107
1108
1109       --homedir dir
1110              Set the name of the home directory to dir. If this option is not
1111              used, the home directory defaults to  ‘~/.gnupg’.   It  is  only
1112              recognized  when  given  on the command line.  It also overrides
1113              any home  directory  stated  through  the  environment  variable
1114              ‘GNUPGHOME’  or  (on W32 systems) by means of the Registry entry
1115              HKCU\Software\GNU\GnuPG:HomeDir.
1116
1117
1118
1119
1120
1121
1122
1123       --display-charset name
1124              Set the name of the native character set. This is used  to  con‐
1125              vert  some  informational  strings  like  user IDs to the proper
1126              UTF-8 encoding.  Note that this has nothing to do with the char‐
1127              acter  set  of  data  to  be encrypted or signed; GnuPG does not
1128              recode user-supplied data. If  this  option  is  not  used,  the
1129              default  character  set is determined from the current locale. A
1130              verbosity level of 3 shows the chosen  set.   Valid  values  for
1131              name are:
1132
1133
1134
1135              iso-8859-1
1136                     This is the Latin 1 set.
1137
1138
1139              iso-8859-2
1140                     The Latin 2 set.
1141
1142
1143              iso-8859-15
1144                     This is currently an alias for the Latin 1 set.
1145
1146
1147              koi8-r The usual Russian set (rfc1489).
1148
1149
1150              utf-8  Bypass  all  translations  and  assume  that  the OS uses
1151                     native UTF-8 encoding.
1152
1153
1154       --utf8-strings
1155
1156       --no-utf8-strings
1157              Assume that command line arguments are given as UTF-8 strings.
1158              The  default (--no-utf8-strings) is to assume that arguments are
1159              encoded in the character set as specified by  --display-charset.
1160              These  options  affect all following arguments. Both options may
1161              be used multiple times.
1162
1163
1164       --options file
1165              Read options from file and do not try  to  read  them  from  the
1166              default options file in the homedir (see --homedir). This option
1167              is ignored if used in an options file.
1168
1169
1170       --no-options
1171              Shortcut for --options /dev/null. This option is detected before
1172              an  attempt to open an option file.  Using this option will also
1173              prevent the creation of a ‘~/.gnupg’ homedir.
1174
1175
1176
1177
1178       -z n
1179
1180       --compress-level n
1181
1182       --bzip2-compress-level n
1183              Set compression level to n for  the  ZIP  and  ZLIB  compression
1184              algorithms.  The default is to use the default compression level
1185              of zlib (normally 6). --bzip2-compress-level sets  the  compres‐
1186              sion  level for the BZIP2 compression algorithm (defaulting to 6
1187              as well). This is a different option from --compress-level since
1188              BZIP2  uses  a  significant amount of memory for each additional
1189              compression level.  -z sets both. A value of 0  for  n  disables
1190              compression.
1191
1192
1193       --bzip2-decompress-lowmem
1194              Use a different decompression method for BZIP2 compressed files.
1195              This alternate method uses a bit more than half the memory,  but
1196              also  runs  at  half the speed. This is useful under extreme low
1197              memory circumstances when the file was originally compressed  at
1198              a high --bzip2-compress-level.
1199
1200
1201
1202       --mangle-dos-filenames
1203
1204       --no-mangle-dos-filenames
1205              Older versions of Windows cannot handle filenames with more than
1206              one dot. --mangle-dos-filenames causes GnuPG to replace  (rather
1207              than  add  to) the extension of an output filename to avoid this
1208              problem. This option is off by default and has no effect on non-
1209              Windows platforms.
1210
1211
1212       --ask-cert-level
1213
1214       --no-ask-cert-level
1215              When  making  a key signature, prompt for a certification level.
1216              If this option is not specified, the certification level used is
1217              set   via  --default-cert-level.  See  --default-cert-level  for
1218              information on the specific levels and how they are used.  --no-
1219              ask-cert-level disables this option. This option defaults to no.
1220
1221
1222       --default-cert-level n
1223              The default to use for the check level when signing a key.
1224
1225              0  means  you  make  no particular claim as to how carefully you
1226              verified the key.
1227
1228              1 means you believe the key is owned by the person who claims to
1229              own it but you could not, or did not verify the key at all. This
1230              is useful for a "persona" verification, where you sign  the  key
1231              of a pseudonymous user.
1232
1233              2 means you did casual verification of the key. For example,
1234              this could mean that you verified the key fingerprint and
1235              checked the user ID on the key against a photo ID.
1236
1237              3  means you did extensive verification of the key. For example,
1238              this could mean that you verified the key fingerprint  with  the
1239              owner  of the key in person, and that you checked, by means of a
1240              hard to forge document with a photo ID (such as a passport) that
1241              the name of the key owner matches the name in the user ID on the
1242              key, and finally that you verified (by exchange of  email)  that
1243              the email address on the key belongs to the key owner.
1244
1245              Note  that  the examples given above for levels 2 and 3 are just
1246              that: examples. In the end, it is up to you to decide just  what
1247              "casual" and "extensive" mean to you.
1248
1249              This option defaults to 0 (no particular claim).
1250
1251
1252       --min-cert-level
1253              When  building  the  trust database, treat any signatures with a
1254              certification level below this as invalid. Defaults to 2,  which
1255              disregards  level 1 signatures. Note that level 0 "no particular
1256              claim" signatures are always accepted.
1257
1258
1259       --trusted-key long key ID
1260              Assume that the specified key (which must be given as a  full  8
1261              byte  key  ID) is as trustworthy as one of your own secret keys.
1262              This option is useful if you don't want to keep your secret keys
1263              (or  one  of them) online but still want to be able to check the
1264              validity of a given recipient's or signator's key.
1265
1266
1267       --trust-model pgp|classic|direct|always|auto
1268              Set what trust model GnuPG should follow. The models are:
1269
1270
1271
1272              pgp    This is the Web of Trust combined with  trust  signatures
1273                     as  used  in PGP 5.x and later. This is the default trust
1274                     model when creating a new trust database.
1275
1276
1277              classic
1278                     This is the standard Web of Trust as used in PGP 2.x  and
1279                     earlier.
1280
1281
1282              direct Key  validity  is set directly by the user and not calcu‐
1283                     lated via the Web of Trust.
1284
1285
1286              always Skip key validation and assume that used keys are  always
1287                     fully  trusted.  You  generally won't use this unless you
1288                     are using some external validation  scheme.  This  option
1289                     also suppresses the "[uncertain]" tag printed with signa‐
1290                     ture checks when there is no evidence that the user ID is
1291                     bound to the key.
1292
1293
1294              auto   Select the trust model depending on whatever the internal
1295                     trust database says. This is the default model if such  a
1296                     database already exists.
1297
1298
1299       --auto-key-locate parameters
1300
1301       --no-auto-key-locate
1302              GnuPG can automatically locate and retrieve keys as needed using
1303              this option. This happens when encrypting to  an  email  address
1304              (in  the  "user@example.com"  form), and there are no user@exam‐
1305              ple.com keys on the local keyring.  This option takes any number
1306              of the following mechanisms, in the order they are to be tried:
1307
1308
1309
1310              cert   Locate a key using DNS CERT, as specified in rfc4398.
1311
1312
1313              pka    Locate a key using DNS PKA.
1314
1315
1316              ldap   Using DNS Service Discovery, check the domain in question
1317                     for any LDAP keyservers to use.  If this  fails,  attempt
1318                     to  locate  the  key  using  the  PGP Universal method of
1319                     checking 'ldap://keys.(thedomain)'.
1320
1321
1322              keyserver
1323                     Locate a key using whatever keyserver  is  defined  using
1324                     the --keyserver option.
1325
1326
1327              keyserver-URL
1328                     In  addition,  a keyserver URL as used in the --keyserver
1329                     option may be used here to  query  that  particular  key‐
1330                     server.
1331
1332
1333              local  Locate the key using the local keyrings. This mechanism
1334                     lets you choose at which point in the order the local key
1335                     lookup is done. Thus using '--auto-key-locate local' is
1336                     identical to --no-auto-key-locate.
1337
1338
1339              nodefault
1340                     This flag disables the standard local key lookup, done
1341                     before any of the mechanisms given to --auto-key-locate
1342                     are tried. The position of this mechanism in the
1343                     list  does  not  matter.   It is not required if local is
1344                     also used.
1345
1346
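The interaction between the implicit local lookup, "local" and "nodefault" is easy to get wrong, so here is an added example (not GnuPG code) that derives the effective lookup order from a mechanism list under the rules above, and reports whether that order ever leaves the machine. It assumes mechanisms may be separated by commas or blanks.

```shell
#!/bin/sh
# Added example, not GnuPG code: derive the lookup order that a given
# --auto-key-locate mechanism list produces, following the rules above:
#   * the standard local-keyring lookup runs first unless "nodefault" is
#     present or "local" appears explicitly in the list;
#   * "nodefault" is a flag, not a lookup step, and its position is ignored;
#   * everything else is tried in the order written.
# Assumption: mechanisms may be separated by commas or blanks.
# Usage: effective_locate_order "cert pka keyserver"
#        prints: local cert pka keyserver
effective_locate_order() {
    list=$(printf '%s' "$1" | tr ',' ' ')
    first=local
    for m in $list; do
        case $m in
            nodefault|local) first= ;;   # implicit local lookup suppressed
        esac
    done
    out=$first
    for m in $list; do
        case $m in
            nodefault) ;;                # flag only: contributes no step
            *) out="${out:+$out }$m" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Report whether any step leaves the machine (DNS CERT/PKA, LDAP service
# discovery or keyserver traffic), which is what the "web bug" style
# caveats on this page are about. Prints "offline" when only the local
# keyring is consulted, otherwise "network".
locate_reaches_network() {
    for m in $(effective_locate_order "$1"); do
        case $m in
            local) ;;
            *) printf 'network\n'; return 0 ;;
        esac
    done
    printf 'offline\n'
}

effective_locate_order "cert pka keyserver"
effective_locate_order "nodefault,cert"
locate_reaches_network "local"
```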
1347
1348       --keyid-format short|0xshort|long|0xlong
1349              Select how to  display  key  IDs.  "short"  is  the  traditional
1350              8-character key ID. "long" is the more accurate (but less conve‐
1351              nient) 16-character key ID. Add an "0x" to either to include  an
1352              "0x" at the beginning of the key ID, as in 0x99242560.
1353
1354
1355       --keyserver name
1356              Use name as your keyserver. This is the server that --recv-keys,
1357              --send-keys, and --search-keys will communicate with to  receive
1358              keys  from,  send keys to, and search for keys on. The format of
1359              the name is a URI: `scheme:[//]keyservername[:port]'. The scheme
1360              is  the  type  of  keyserver: "hkp" for the HTTP (or compatible)
1361              keyservers, "ldap" for the LDAP keyservers, or "mailto" for  the
1362              Graff email keyserver. Note that your particular installation of
1363              GnuPG may have other keyserver types  available  as  well.  Key‐
1364              server  schemes  are case-insensitive. After the keyserver name,
1365              optional keyserver configuration options may be provided.  These
1366              are  the  same as the global --keyserver-options from below, but
1367              apply only to this particular keyserver.
1368
1369              Most keyservers synchronize with each other, so there is  gener‐
1370              ally no need to send keys to more than one server. The keyserver
1371              hkp://keys.gnupg.net uses round robin DNS to  give  a  different
1372              keyserver each time you use it.
1373
1374
1375       --keyserver-options name=value1
1376              This is a space or comma delimited string that gives options for
1377              the keyserver. Options can be prefixed with a `no-' to give  the
1378              opposite  meaning. Valid import-options or export-options may be
1379              used here as well to apply to importing (--recv-key) or  export‐
1380              ing  (--send-key)  a key from a keyserver. While not all options
1381              are available for all keyserver types, some common options are:
1382
1383
1384
1385              include-revoked
1386                     When searching for a key with --search-keys, include keys
1387                     that  are  marked  on the keyserver as revoked. Note that
1388                     not all  keyservers  differentiate  between  revoked  and
1389                     unrevoked  keys,  and  for such keyservers this option is
1390                     meaningless. Note also that most keyservers do  not  have
1391                     cryptographic  verification  of  key  revocations, and so
1392                     turning this option off may result in skipping keys  that
1393                     are incorrectly marked as revoked.
1394
1395
1396              include-disabled
1397                     When searching for a key with --search-keys, include keys
1398                     that are marked on the keyserver as disabled.  Note  that
1399                     this option is not used with HKP keyservers.
1400
1401
1402              auto-key-retrieve
1403                     This option enables the automatic retrieving of keys from
1404                     a keyserver when verifying signatures made by  keys  that
1405                     are not on the local keyring.
1406
1407                     Note  that  this  option  makes a "web bug" like behavior
1408                     possible.  Keyserver operators can  see  which  keys  you
1409                     request,  so  by  sending you a message signed by a brand
1410                     new key (which you naturally will not have on your  local
1411                     keyring),  the operator can tell both your IP address and
1412                     the time when you verified the signature.
1413
1414
1415              honor-keyserver-url
1416                     When using --refresh-keys, if the key in question  has  a
1417                     preferred  keyserver  URL,  then  use that preferred key‐
1418                     server to refresh the key from. In addition, if auto-key-
1419                     retrieve  is  set, and the signature being verified has a
1420                     preferred keyserver URL, then  use  that  preferred  key‐
1421                     server to fetch the key from. Defaults to yes.
1422
1423
1424              honor-pka-record
1425                     If auto-key-retrieve is set, and the signature being ver‐
1426                     ified has a PKA record, then use the PKA  information  to
1427                     fetch the key. Defaults to yes.
1428
1429
1430              include-subkeys
1431                     When  receiving  a key, include subkeys as potential tar‐
1432                     gets. Note that this option is not  used  with  HKP  key‐
1433                     servers, as they do not support retrieving keys by subkey
1434                     id.
1435
1436
1437              use-temp-files
1438                     On most Unix-like platforms, GnuPG communicates with  the
1439                     keyserver  helper  program  via  pipes, which is the most
1440                     efficient method. This option forces GnuPG to use  tempo‐
1441                     rary  files  to  communicate.  On some platforms (such as
1442                     Win32 and RISC OS), this option is always enabled.
1443
1444
1445              keep-temp-files
1446                     If using `use-temp-files', do not delete the  temp  files
1447                     after using them. This option is useful to learn the key‐
1448                     server communication protocol by  reading  the  temporary
1449                     files.
1450
1451
1452              verbose
1453                     Tell  the  keyserver  helper  program to be more verbose.
1454                     This option can be repeated multiple  times  to  increase
1455                     the verbosity level.
1456
1457
1458              timeout
1459                     Tell  the  keyserver helper program how long (in seconds)
1460                     to try and perform a keyserver action before  giving  up.
1461                     Note  that  performing  multiple actions at the same time
1462                     uses this timeout value per action.   For  example,  when
1463                     retrieving  multiple  keys  via  --recv-keys, the timeout
1464                     applies separately to each key retrieval, and not to  the
1465                     --recv-keys command as a whole. Defaults to 30 seconds.
1466
1467
1468              http-proxy=value
1469                     Set  the  proxy to use for HTTP and HKP keyservers.  This
1470                     overrides the "http_proxy" environment variable, if any.
1471
1472
1473              max-cert-size
1474                     When retrieving a key via DNS CERT, only accept  keys  up
1475                     to this size.  Defaults to 16384 bytes.
1476
1477
1478              debug  Turn on debug output in the keyserver helper program.
1479                     Note that the details of the debug output depend on which
1480                     keyserver helper program is being used, and in turn, on
1481                     any libraries that the keyserver helper program uses
1482                     internally (libcurl, openldap, etc).
1483
1484
1485              check-cert
1486                     Enable certificate checking if the keyserver presents one
1487                     (for hkps or ldaps).  Defaults to on.
1488
1489
1490              ca-cert-file
1491                     Provide  a  certificate  file  to  override  the   system
1492                     default.   Only  necessary  if check-cert is enabled, and
1493                     the keyserver is using a certificate that is not  present
1494                     in a system default certificate list.
1495
1496
1497
1498       --completes-needed n
1499              Number of completely trusted users to introduce a new key signer
1500              (defaults to 1).
1501
1502
1503       --marginals-needed n
1504              Number of marginally trusted users to introduce a new key signer
1505              (defaults to 3)
1506
1507
1508       --max-cert-depth n
1509              Maximum depth of a certification chain (default is 5).
1510
1511
1512       --simple-sk-checksum
1513              Secret  keys  are integrity protected by using a SHA-1 checksum.
1514              This method is part of the upcoming enhanced OpenPGP  specifica‐
1515              tion  but GnuPG already uses it as a countermeasure against cer‐
1516              tain attacks.  Old applications don't understand this  new  for‐
1517              mat, so this option may be used to switch back to the old behav‐
1518              iour. Using this option bears a security risk. Note  that  using
1519              this option only takes effect when the secret key is encrypted -
1520              the simplest way to make this happen is to change the passphrase
1521              on the key (even changing it to the same value is acceptable).
1522
1523
1524       --no-sig-cache
1525              Do not cache the verification status of key signatures. Caching
1526              gives much better performance in key listings. However, if you
1527              suspect that your public keyring is not safe against write
1528              modifications, you can use this option to disable the caching. It
1529              probably does not make sense to disable it, because all kinds of
1530              damage can be done if someone else has write access to your
1531              public keyring.
1532
1533
1534       --no-sig-create-check
1535              GnuPG  normally  verifies each signature right after creation to
1536              protect against bugs and hardware malfunctions which could  leak
1537              out bits from the secret key. This extra verification needs some
1538              time (about 115% for DSA keys), and so this option can  be  used
1539              to disable it.  However, due to the fact that the signature cre‐
1540              ation needs manual interaction, this  performance  penalty  does
1541              not matter in most settings.
1542
1543
1544       --auto-check-trustdb
1545
1546       --no-auto-check-trustdb
1547              If  GnuPG  feels that its information about the Web of Trust has
1548              to be updated, it automatically runs the --check-trustdb command
1549              internally.   This  may  be a time consuming process. --no-auto-
1550              check-trustdb disables this option.
1551
1552
1553       --use-agent
1554
1555       --no-use-agent
1556              This is a dummy option. gpg2 always requires the agent.
1557
1558
1559       --gpg-agent-info
1560              This is a dummy option. It has no effect when used with gpg2.
1561
1562
1563       --lock-once
1564              Lock the databases the first time a lock is requested and do not
1565              release the lock until the process terminates.
1566
1567
1568       --lock-multiple
1569              Release  the  locks  every  time a lock is no longer needed. Use
1570              this to override a previous --lock-once from a config file.
1571
1572
1573       --lock-never
1574              Disable locking entirely. This option should  be  used  only  in
1575              very special environments, where it can be assured that only one
1576              process is accessing those  files.  A  bootable  floppy  with  a
1577              stand-alone  encryption  system will probably use this. Improper
1578              usage of this option may lead to data and key corruption.
1579
1580
1581       --exit-on-status-write-error
1582              This option will cause write errors on the status FD to  immedi‐
1583              ately  terminate the process. That should in fact be the default
1584              but it never worked this way and  thus  we  need  an  option  to
1585              enable  this,  so that the change won't break applications which
1586              close their end of a status fd connected pipe too  early.  Using
1587              this  option  along with --enable-progress-filter may be used to
1588              cleanly cancel long running gpg operations.
1589
1590
1591       --limit-card-insert-tries n
1592              With n greater than 0 the number of prompts asking to insert a
1593              smartcard gets limited to n-1. Thus with a value of 1 gpg won't
1594              at all ask to insert  a  card  if  none  has  been  inserted  at
1595              startup. This option is useful in the configuration file in case
1596              an application does not know about  the  smartcard  support  and
1597              waits ad infinitum for an inserted card.
1598
1599
1600       --no-random-seed-file
1601              GnuPG uses a file to store its internal random pool over invoca‐
1602              tions.  This makes random generation faster;  however  sometimes
1603              write  operations  are  not  desired. This option can be used to
1604              achieve that with the cost of slower random generation.
1605
1606
1607       --no-greeting
1608              Suppress the initial copyright message.
1609
1610
1611       --no-secmem-warning
1612              Suppress the warning about "using insecure memory".
1613
1614
1615       --no-permission-warning
1616              Suppress the  warning  about  unsafe  file  and  home  directory
1617              (--homedir)  permissions.  Note  that the permission checks that
1618              GnuPG performs are not intended to be authoritative, but  rather
1619              they  simply  warn  about certain common permission problems. Do
1620              not assume that the lack of a warning means that your system  is
1621              secure.
1622
1623              Note that the warning for unsafe --homedir permissions cannot be
1624              suppressed in the gpg.conf file, as this would allow an attacker
1625              to  place an unsafe gpg.conf file in place, and use this file to
1626              suppress warnings about itself. The --homedir permissions  warn‐
1627              ing may only be suppressed on the command line.
1628
1629
1630       --no-mdc-warning
1631              Suppress the warning about missing MDC integrity protection.
1632
1633
1634       --require-secmem
1635
1636       --no-require-secmem
1637              Refuse  to run if GnuPG cannot get secure memory. Defaults to no
1638              (i.e. run, but give a warning).
1639
1640
1641
1642       --require-cross-certification
1643
1644       --no-require-cross-certification
1645              When verifying a signature made from a subkey, ensure  that  the
1646              cross  certification  "back  signature" on the subkey is present
1647              and valid.  This protects against a subtle attack  against  sub‐
1648              keys  that  can sign.  Defaults to --require-cross-certification
1649              for gpg2.
1650
1651
1652       --expert
1653
1654       --no-expert
1655              Allow the user to do certain nonsensical or "silly" things  like
1656              signing an expired or revoked key, or certain potentially incom‐
1657              patible things like generating unusual key types. This also dis‐
1658              ables  certain  warning  messages about potentially incompatible
1659              actions. As the name implies, this option is for  experts  only.
1660              If you don't fully understand the implications of what it allows
1661              you to do, leave this off. --no-expert disables this option.
1662
1663
1664
1665
1666
1667
1668
1669
1670   Key related options
1671
1672
1673
1674
1675       --recipient name
1676
1677       -r     Encrypt for user id name. If this option  or  --hidden-recipient
1678              is  not  specified, GnuPG asks for the user-id unless --default-
1679              recipient is given.
1680
1681
1682       --hidden-recipient name
1683
1684       -R     Encrypt for user ID name, but hide the key  ID  of  this  user's
1685              key.  This  option helps to hide the receiver of the message and
1686              is a limited countermeasure against traffic  analysis.  If  this
1687              option  or --recipient is not specified, GnuPG asks for the user
1688              ID unless --default-recipient is given.
1689
1690
1691       --encrypt-to name
1692              Same as --recipient but this one is  intended  for  use  in  the
1693              options  file  and  may  be  used  with  your  own user-id as an
1694              "encrypt-to-self". These keys are only used when there are other
1695              recipients  given  either  by use of --recipient or by the asked
1696              user id.  No trust checking is performed for these user ids  and
1697              even disabled keys can be used.
1698
1699
1700       --hidden-encrypt-to name
1701              Same  as  --hidden-recipient but this one is intended for use in
1702              the options file and may be used with your own user-id as a hid‐
1703              den  "encrypt-to-self".  These keys are only used when there are
1704              other recipients given either by use of --recipient  or  by  the
1705              asked  user  id.   No trust checking is performed for these user
1706              ids and even disabled keys can be used.
1707
1708
1709       --no-encrypt-to
1710              Disable the use  of  all  --encrypt-to  and  --hidden-encrypt-to
1711              keys.
1712
1713
1714       --group name=value1
1715              Sets up a named group, which is similar to aliases in email pro‐
1716              grams.  Any time the group name is a recipient (-r or  --recipi‐
1717              ent),  it  will  be  expanded  to the values specified. Multiple
1718              groups with the same name are automatically merged into a single
1719              group.
1720
1721              The  values are key IDs or fingerprints, but any key description
1722              is accepted. Note that a value with spaces in it will be treated
1723              as two different values. Note also that there is only one level
1724              of expansion: you cannot make a group that points to another
1725              group. When used from the command line, it may be necessary to
1726              quote the argument to this option  to  prevent  the  shell  from
1727              treating it as multiple arguments.
1728
1729
1730       --ungroup name
1731              Remove a given entry from the --group list.
1732
1733
1734       --no-groups
1735              Remove all entries from the --group list.
1736
1737
1738       --local-user name
1739
1740       -u     Use  name  as  the key to sign with. Note that this option over‐
1741              rides --default-key.
1742
1743
1744       --try-all-secrets
1745              Don't look at the key ID as stored in the message  but  try  all
1746              secret  keys  in  turn  to  find  the right decryption key. This
1747              option forces the behaviour as used by anonymous recipients
1748              (created by using --throw-keyids) and might come in handy in
1749              cases where an encrypted message contains a bogus key ID.
1750
1751
1752
1753
1754
1755
1756
1757
1758   Input and Output
1759
1760
1761
1762
1763       --armor
1764
1765       -a     Create ASCII armored output.   The  default  is  to  create  the
1766              binary OpenPGP format.
1767
1768
1769       --no-armor
1770              Assume the input data is not in ASCII armored format.
1771
1772
1773       --output file
1774
1775       -o file
1776              Write output to file.
1777
1778
1779       --max-output n
1780              This  option  sets  a  limit on the number of bytes that will be
1781              generated when processing a file. Since OpenPGP supports various
1782              levels  of  compression,  it is possible that the plaintext of a
1783              given message may be  significantly  larger  than  the  original
1784              OpenPGP  message. While GnuPG works properly with such messages,
1785              there is often a desire to set a maximum file size that will  be
1786              generated  before processing is forced to stop by the OS limits.
1787              Defaults to 0, which means "no limit".
1788
1789
1790       --import-options parameters
1791              This is a space or comma delimited string that gives options for
1792              importing  keys.  Options  can be prepended with a `no-' to give
1793              the opposite meaning. The options are:
1794
1795
1796
1797              import-local-sigs
1798                     Allow importing key signatures marked as "local". This is
1799                     not  generally  useful  unless a shared keyring scheme is
1800                     being used.  Defaults to no.
1801
1802
1803              repair-pks-subkey-bug
1804                     During import, attempt to repair the damage caused by the
1805                     PKS  keyserver  bug (pre version 0.9.6) that mangles keys
1806                     with multiple subkeys. Note that this  cannot  completely
1807                     repair the damaged key as some crucial data is removed by
1808                     the keyserver, but it does at least  give  you  back  one
1809                     subkey.  Defaults  to  no for regular --import and to yes
1810                     for keyserver --recv-keys.
1811
1812
1813              merge-only
1814                     During import, allow key updates to existing keys, but do
1815                     not allow any new keys to be imported. Defaults to no.
1816
1817
1818              import-clean
1819                     After  import,  compact (remove all signatures except the
1820                     self-signature) any user IDs from the new  key  that  are
1821                     not usable.  Then, remove any signatures from the new key
1822                     that are not usable.  This includes signatures that  were
1823                     issued  by keys that are not present on the keyring. This
1824                     option is the same  as  running  the  --edit-key  command
1825                     "clean" after import. Defaults to no.
1826
1827
1828              import-minimal
1829                     Import the smallest key possible. This removes all signa‐
1830                     tures except the most recent self-signature on each  user
1831                     ID.  This  option  is  the same as running the --edit-key
1832                     command "minimize" after import.  Defaults to no.
1833
1834
1835       --export-options parameters
1836              This is a space or comma delimited string that gives options for
1837              exporting  keys.  Options  can be prepended with a `no-' to give
1838              the opposite meaning. The options are:
1839
1840
1841
1842              export-local-sigs
1843                     Allow exporting key signatures marked as "local". This is
1844                     not  generally  useful  unless a shared keyring scheme is
1845                     being used.  Defaults to no.
1846
1847
1848              export-attributes
1849                     Include attribute user IDs (photo IDs)  while  exporting.
1850                     This  is  useful  to  export keys if they are going to be
1851                     used by an OpenPGP program that does not accept attribute
1852                     user IDs. Defaults to yes.
1853
1854
1855              export-sensitive-revkeys
1856                     Include designated revoker information that was marked as
1857                     "sensitive". Defaults to no.
1858
1859
1860              export-reset-subkey-passwd
1861                     When  using  the  --export-secret-subkeys  command,  this
1862                     option resets the passphrases for all exported subkeys to
1863                     empty. This is useful when the exported subkey is  to  be
1864                     used  on an unattended machine where a passphrase doesn't
1865                     necessarily make sense. Defaults to no.
1866
1867
1868              export-clean
1869                     Compact (remove all signatures from) user IDs on the  key
1870                     being  exported  if the user IDs are not usable. Also, do
1871                     not export any  signatures  that  are  not  usable.  This
1872                     includes signatures that were issued by keys that are not
1873                     present on the keyring. This option is the same  as  run‐
1874                     ning  the --edit-key command "clean" before export except
1875                     that the local copy of the key is not modified.  Defaults
1876                     to no.
1877
1878
1879              export-minimal
1880                     Export the smallest key possible. This removes all signa‐
1881                     tures except the most recent self-signature on each  user
1882                     ID.  This  option  is  the same as running the --edit-key
1883                     command "minimize" before export except  that  the  local
1884                     copy of the key is not modified. Defaults to no.
1885
1886
1887       --with-colons
1888              Print  key  listings  delimited  by colons. Note that the output
1889              will be encoded in UTF-8  regardless  of  any  --display-charset
1890              setting. This format is useful when GnuPG is called from scripts
1891              and other programs as it is easily machine parsed.  The  details
1892              of  this  format are documented in the file ‘doc/DETAILS’, which
1893              is included in the GnuPG source distribution.
1894
1895
1896       --fixed-list-mode
1897              Do not merge primary user ID and primary key in --with-colons
1898              listing   mode   and  print  all  timestamps  as  seconds  since
1899              1970-01-01.  Since GnuPG 2.0.10, this mode is  always  used  and
1900              thus this option is obsolete; it does not harm to use it though.
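The --with-colons and --fixed-list-mode descriptions above say the listing is meant to be machine parsed; the following is an added example (not part of the gpg2 man page) that parses such a listing and reports keys the keyring marks as expired, revoked, disabled or invalid. The sample listing is constructed, and the field positions are assumed from GnuPG's doc/DETAILS: field 1 record type, 2 validity, 5 key ID, 7 expiration as seconds since 1970, and 10 the user ID (uid records) or fingerprint (fpr records).

```shell
#!/bin/sh
# Added example, not from the gpg2 man page: parse a --with-colons listing.
# Assumed field layout (doc/DETAILS): 1 type, 2 validity, 5 key ID,
# 7 expiration (epoch seconds, as --fixed-list-mode prints them),
# 10 user ID on uid records / fingerprint on fpr records.

# Constructed sample listing; key IDs, fingerprints, hashes and names are made up.
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000:1800000000::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1600000000::UIDHASH1::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000:1800000000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
pub:e:2048:1:1111111111111111:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1400000000::UIDHASH2::Bob Example <bob@example.com>::::::::::0:
pub:r:2048:17:2222222222222222:1300000000:::-:::sc::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:r::::1300000000::UIDHASH3::Carol Example <carol@example.com>::::::::::0:'

# One line per primary key: keyid:fingerprint:validity:primary user ID.
# The first fpr record after a pub record is the primary key fingerprint;
# fpr records that follow sub records are skipped.
summarize_keys() {
    awk -F: '
        $1 == "pub" { keyid = $5; validity = $2; fpr = ""; need_uid = 1 }
        $1 == "fpr" && keyid != "" && fpr == "" { fpr = $10 }
        $1 == "uid" && need_uid { print keyid ":" fpr ":" validity ":" $10; need_uid = 0 }
    '
}

# Keys whose validity field says they must not be relied on.
unusable_keys() {
    summarize_keys | awk -F: '
        BEGIN { s["e"] = "expired"; s["r"] = "revoked"; s["d"] = "disabled"; s["i"] = "invalid" }
        $3 in s { print $1 " " s[$3] " " $4 }
    '
}

# Key IDs of primary keys whose expiration lies before epoch second $1
# (useful for spotting keys that will expire before a given date).
keys_expiring_before() {
    awk -F: -v limit="$1" '$1 == "pub" && $7 != "" && $7 + 0 < limit + 0 { print $5 }'
}

# Stand-alone demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | summarize_keys
printf '%s\n' "$SAMPLE_LISTING" | unusable_keys
```

On a real system the listing would come from `gpg2 --with-colons --with-fingerprint --list-keys` instead of the constructed string.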
1901
1902
1903       --with-fingerprint
1904              Same as the command --fingerprint but changes only the format of
1905              the output and may be used together with another command.
1906
1907
1908
1909
1910
1911   OpenPGP protocol specific options.
1912
1913
1914
1915
1916       -t, --textmode
1917
1918       --no-textmode
1919              Treat input files as text and store them in the OpenPGP  canoni‐
1920              cal  text form with standard "CRLF" line endings. This also sets
1921              the necessary flags to inform the recipient that  the  encrypted
1922              or  signed  data is text and may need its line endings converted
1923              back to whatever the local system uses. This  option  is  useful
1924              when  communicating  between  two  platforms that have different
1925              line ending conventions (UNIX-like to Mac, Mac to Windows, etc).
1926              --no-textmode disables this option, and is the default.
1927
1928
1929
1930       --force-v3-sigs
1931
1932       --no-force-v3-sigs
1933              OpenPGP  states that an implementation should generate v4 signa‐
1934              tures but PGP versions 5 through 7 only recognize v4  signatures
1935              on key material. This option forces v3 signatures for signatures
1936              on data.  Note that this option implies --ask-sig-expire, --sig-
1937              policy-url,  --sig-notation,  and  --sig-keyserver-url, as these
1938              features cannot be used with v3 signatures.   --no-force-v3-sigs
1939              disables this option.
1940
1941
1942       --force-v4-certs
1943
1944       --no-force-v4-certs
1945              Always  use  v4 key signatures even on v3 keys. This option also
1946              changes the default hash algorithm for v3 RSA keys from  MD5  to
1947              SHA-1.  --no-force-v4-certs disables this option.
1948
1949
1950       --force-mdc
1951              Force  the use of encryption with a modification detection code.
1952              This is always used with the newer ciphers (those with a  block‐
1953              size  greater  than  64  bits),  or if all of the recipient keys
1954              indicate MDC support in their feature flags.
1955
1956
1957       --disable-mdc
1958              Disable the use of the modification detection code. Note that by
1959              using this option, the encrypted message becomes vulnerable to a
1960              message modification attack.
1961
1962
1963       --personal-cipher-preferences string
1964              Set the list of personal cipher preferences to string.  Use gpg2
1965              --version to get a list of available algorithms, and use none to
1966              set no preference at all.  This allows the user to safely  over‐
1967              ride  the  algorithm chosen by the recipient key preferences, as
1968              GPG will only select an algorithm that is usable by all  recipi‐
1969              ents.   The  most highly ranked cipher in this list is also used
1970              for the --symmetric encryption command.
1971
1972
1973       --personal-digest-preferences string
1974              Set the list of personal digest preferences to string.  Use gpg2
1975              --version to get a list of available algorithms, and use none to
1976              set no preference at all.  This allows the user to safely  over‐
1977              ride  the  algorithm chosen by the recipient key preferences, as
1978              GPG will only select an algorithm that is usable by all  recipi‐
1979              ents.   The  most highly ranked digest algorithm in this list is
1980              also used when signing without encryption (e.g.  --clearsign  or
1981              --sign). The default value is SHA-1.
1982
1983
1984       --personal-compress-preferences string
1985              Set the list of personal compression preferences to string.  Use
1986              gpg2 --version to get a list of available  algorithms,  and  use
1987              none  to  set  no  preference  at  all.  This allows the user to
1988              safely override the algorithm chosen by the recipient key  pref‐
1989              erences,  as GPG will only select an algorithm that is usable by
1990              all recipients.  The most highly ranked compression algorithm in
1991              this  list is also used when there are no recipient keys to con‐
1992              sider (e.g. --symmetric).
1993
1994
1995       --s2k-cipher-algo name
1996              Use name as the cipher algorithm used to  protect  secret  keys.
1997              The  default  cipher is CAST5. This cipher is also used for con‐
1998              ventional  encryption   if   --personal-cipher-preferences   and
1999              --cipher-algo is not given.
2000
2001
2002       --s2k-digest-algo name
2003              Use name as the digest algorithm used to mangle the passphrases.
2004              The default algorithm is SHA-1.
2005
2006
2007       --s2k-mode n
2008              Selects  how  passphrases  are  mangled.  If  n  is  0  a  plain
2009              passphrase  (which  is not recommended) will be used, a 1 adds a
2010              salt to the passphrase and a 3 (the default) iterates the  whole
2011              process  a  number of times (see --s2k-count).  Unless --rfc1991
2012              is used, this mode is also used for conventional encryption.
2013
2014
2015       --s2k-count n
2016              Specify how many times  the  passphrase  mangling  is  repeated.
2017              This  value  may  range between 1024 and 65011712 inclusive, and
2018              the  default  is  65536.   Note  that  not  all  values  in  the
2019              1024-65011712  range  are  legal  and  if  an  illegal  value is
2020              selected, GnuPG will round up to the nearest legal value.   This
2021              option is only meaningful if --s2k-mode is 3.
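Why only some values in the 1024-65011712 range are legal and how GnuPG's "round up" works: OpenPGP stores the iterated S2K count in a single byte c as (16 + (c & 15)) << ((c >> 4) + 6), so only 256 counts are representable. The following is an added example (not from the gpg2 man page or GnuPG's code) that decodes that byte and rounds an arbitrary --s2k-count request up to the nearest representable value, assuming the RFC 4880 encoding just stated.

```shell
#!/bin/sh
# Added example, not from the gpg2 man page. Assumes the RFC 4880 (3.7.1.3)
# one-byte encoding of the iterated S2K count:
#   count = (16 + (c & 15)) << ((c >> 4) + 6)      for c in 0..255
# which gives exactly the 1024 .. 65011712 range quoted for --s2k-count.

# Decode coded byte c (0..255) into the iteration count.
s2k_decode() {
    c=$1
    echo $(( (16 + (c & 15)) << ((c >> 4) + 6) ))
}

# Smallest coded byte whose count is >= n; fails for n outside the legal range.
# The decoded counts are strictly increasing in c, so a linear scan suffices.
s2k_encode() {
    n=$1
    [ "$n" -ge 1024 ] && [ "$n" -le 65011712 ] || return 1
    c=0
    while [ "$c" -le 255 ]; do
        if [ "$(s2k_decode "$c")" -ge "$n" ]; then
            echo "$c"
            return 0
        fi
        c=$((c + 1))
    done
    return 1
}

# The count GnuPG would actually use for a requested --s2k-count n:
# the nearest legal value at or above n.
s2k_round_up() {
    c=$(s2k_encode "$1") || return 1
    s2k_decode "$c"
}

# Stand-alone demonstration: requested count -> count actually stored.
for n in 1024 65536 65537 100000; do
    printf '%s -> %s (coded byte %s)\n' "$n" "$(s2k_round_up "$n")" "$(s2k_encode "$n")"
done
```

The default of 65536 corresponds to coded byte 96 (0x60) and is itself a legal value; asking for 65537 already rounds up to 69632.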
2022
2023
2024
2025
2026
2027   Compliance options
2028
2029
2030       These  options  control  what  GnuPG is compliant to. Only one of these
2031       options may be active at a time. Note that the default setting of  this
2032       is  nearly  always the correct one. See the INTEROPERABILITY WITH OTHER
2033       OPENPGP PROGRAMS section below before using one of these options.
2034
2035
2036
2037       --gnupg
2038              Use standard GnuPG behavior. This is essentially OpenPGP  behav‐
2039              ior  (see  --openpgp),  but with some additional workarounds for
2040              common compatibility problems in different versions of PGP. This
2041              is the default option, so it is not generally needed, but it may
2042              be useful to override  a  different  compliance  option  in  the
2043              gpg.conf file.
2044
2045
2046       --openpgp
2047              Reset  all  packet,  cipher and digest options to strict OpenPGP
2048              behavior. Use this option to reset  all  previous  options  like
2049              --s2k-*,  --cipher-algo,  --digest-algo  and  --compress-algo to
2050              OpenPGP compliant values. All PGP workarounds are disabled.
2051
2052
2053       --rfc4880
2054              Reset all packet, cipher and digest options to  strict  RFC-4880
2055              behavior.  Note  that  this  is  currently  the  same  thing  as
2056              --openpgp.
2057
2058
2059       --rfc2440
2060              Reset all packet, cipher and digest options to  strict  RFC-2440
2061              behavior.
2062
2063
2064       --rfc1991
2065              Try to be more RFC-1991 (PGP 2.x) compliant.
2066
2067
2068       --pgp2 Set  up  all options to be as PGP 2.x compliant as possible, and
2069              warn if an action is taken (e.g. encrypting to  a  non-RSA  key)
2070              that will create a message that PGP 2.x will not be able to han‐
2071              dle. Note that `PGP 2.x' here means `MIT PGP 2.6.2'.  There  are
2072              other  versions  of  PGP 2.x available, but the MIT release is a
2073              good common baseline.
2074
2075              This option implies --rfc1991 --disable-mdc  --no-force-v4-certs
2076              --escape-from-lines --force-v3-sigs --cipher-algo IDEA --digest-
2077              algo MD5 --compress-algo ZIP. It also disables  --textmode  when
2078              encrypting.
2079
2080
2081       --pgp6 Set  up  all  options to be as PGP 6 compliant as possible. This
2082              restricts you to  the  ciphers  IDEA  (if  the  IDEA  plugin  is
2083              installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
2084              and the compression algorithms none and ZIP. This also  disables
2085              --throw-keyids,  and  making  signatures with signing subkeys as
2086              PGP 6 does not understand signatures made by signing subkeys.
2087
2088              This option implies --disable-mdc  --escape-from-lines  --force-
2089              v3-sigs.
2090
2091
2092       --pgp7 Set up all options to be as PGP 7 compliant as possible. This is
2093              identical to --pgp6 except that MDCs are not disabled,  and  the
2094              list  of  allowable  ciphers  is expanded to add AES128, AES192,
2095              AES256, and TWOFISH.
2096
2097
2098       --pgp8 Set up all options to be as PGP 8 compliant as possible.  PGP  8
2099              is  a  lot closer to the OpenPGP standard than previous versions
2100              of PGP, so all this  does  is  disable  --throw-keyids  and  set
2101              --escape-from-lines.   All algorithms are allowed except for the
2102              SHA224, SHA384, and SHA512 digests.
2103
2104
2105
2106
2107
2108   Doing things one usually doesn't want to do.
2109
2110
2111
2112
2113       -n
2114
2115       --dry-run
2116              Don't make any changes (this is not completely implemented).
2117
2118
2119       --list-only
2120              Changes the behaviour of some commands. This is  like  --dry-run
2121              but different in some cases. The semantics of this option may be
2122              extended in the future.  Currently  it  only  skips  the  actual
2123              decryption  pass  and  therefore  enables  a fast listing of the
2124              encryption keys.
2125
2126
2127       -i
2128
2129       --interactive
2130              Prompt before overwriting any files.
2131
2132
2133       --debug-level level
2134              Select the debug level for investigating problems. level may  be
2135              a numeric value or a keyword:
2136
2137
2138              none   No  debugging at all.  A value of less than 1 may be used
2139                     instead of the keyword.
2140
2141              basic  Some basic debug messages.  A value between 1 and  2  may
2142                     be used instead of the keyword.
2143
2144              advanced
2145                     More verbose debug messages.  A value between 3 and 5 may
2146                     be used instead of the keyword.
2147
2148              expert Even more detailed messages.  A value between 6 and 8 may
2149                     be used instead of the keyword.
2150
2151              guru   All  of  the  debug messages you can get. A value greater
2152                     than 8 may be used instead of the keyword.  The  creation
2153                     of  hash  tracing files is only enabled if the keyword is
2154                     used.
2155
2156       How these messages are mapped to the  actual  debugging  flags  is  not
2157       specified  and may change with newer releases of this program. They are
2158       however carefully selected to best aid in debugging.
2159
2160
2161       --debug flags
2162              Set debugging flags. All flags are or-ed and flags may be  given
2163              in C syntax (e.g. 0x0042).
2164
2165
2166       --debug-all
2167              Set all useful debugging flags.
2168
2169
2170
2171       --enable-progress-filter
2172              Enable certain PROGRESS status outputs. This option allows fron‐
2173              tends to display a progress indicator while  gpg  is  processing
2174              larger files.  There is a slight performance overhead using it.
2175
2176
2177       --status-fd n
2178              Write  special status strings to the file descriptor n.  See the
2179              file DETAILS in the documentation for a listing of them.
2180
2181
2182       --status-file file
2183              Same as --status-fd, except the status data is written  to  file
2184              file.
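              The status stream is the only interface a calling program should
              use to decide whether a signature verified; the human-readable
              text on STDERR is localized and may change between releases. The
              following is an added example, not code from the man page or
              from GnuPG: it builds the --verify command line with the status
              output on fd 1, parses the GOODSIG, VALIDSIG and TRUST_* lines
              documented in doc/DETAILS, and accepts a signature only when it
              is cryptographically good and the signing key's trust meets a
              threshold. The sample status lines are constructed and reuse the
              placeholder key ID, fingerprint and user ID from this page's own
              examples; gpg2 is assumed to be on PATH only for the verify()
              helper.

```python
import shutil
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

STATUS_PREFIX = "[GNUPG:] "

# Keywords that mean the verification must be treated as failed even if other
# lines look good.  Keyword names are the ones documented in doc/DETAILS.
PROBLEM_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG",
                    "NODATA", "NO_PUBKEY"}


@dataclass
class Verdict:
    good: bool = False                    # GOODSIG seen
    valid: bool = False                   # VALIDSIG seen
    trust: Optional[str] = None           # TRUST_* keyword, e.g. "TRUST_FULLY"
    fingerprint: Optional[str] = None     # from VALIDSIG
    signer: Optional[str] = None          # user ID from GOODSIG
    problems: List[str] = field(default_factory=list)


def parse_status(lines):
    """Parse --status-fd output.  Anything without the [GNUPG:] prefix
    (e.g. log text when status and log share a descriptor) is ignored."""
    v = Verdict()
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        kw, args = fields[0], fields[1:]
        if kw == "GOODSIG":                # GOODSIG <keyid> <user id...>
            v.good = True
            v.signer = " ".join(args[1:])
        elif kw == "VALIDSIG":             # VALIDSIG <fingerprint> <date> <timestamp> ...
            v.valid = True
            v.fingerprint = args[0]
        elif kw.startswith("TRUST_"):      # TRUST_UNDEFINED/NEVER/MARGINAL/FULLY/ULTIMATE
            v.trust = kw
        elif kw in PROBLEM_KEYWORDS:
            v.problems.append(kw)
    return v


def is_acceptable(v, minimum=("TRUST_FULLY", "TRUST_ULTIMATE")):
    """Accept only a cryptographically good signature (GOODSIG and VALIDSIG),
    with no problem keyword, from a key whose trust meets the threshold.
    GOODSIG alone says nothing about whether the key belongs to the signer."""
    return v.good and v.valid and not v.problems and v.trust in minimum


def verify_argv(sigfile, datafile=None):
    """Command line for a (detached) signature check with status on fd 1, so a
    caller can read it from the child's stdout.  Pass datafile explicitly for
    detached signatures rather than relying on the .sig/.asc name guessing."""
    argv = ["gpg2", "--batch", "--status-fd", "1", "--verify", sigfile]
    if datafile is not None:
        argv.append(datafile)
    return argv


def verify(sigfile, datafile=None):
    """Run gpg2 (must be installed) and return (Verdict, accepted)."""
    if shutil.which("gpg2") is None:
        raise RuntimeError("gpg2 not found on PATH")
    proc = subprocess.run(verify_argv(sigfile, datafile),
                          capture_output=True, text=True)
    v = parse_status(proc.stdout.splitlines())
    return v, is_acceptable(v)


# Constructed status streams (not real gpg output); key ID, fingerprint and
# user ID are the placeholder values used in the man page's own examples.
SAMPLE_GOOD = [
    "[GNUPG:] GOODSIG 234AABBCC34567C4 Heinrich Heine <heinrichh@uni-duesseldorf.de>",
    "[GNUPG:] VALIDSIG 123434343434343C3434343434343734349A3434 2014-01-01 1388534400 0 4 0 1 10 00",
    "[GNUPG:] TRUST_FULLY",
]
SAMPLE_UNTRUSTED = SAMPLE_GOOD[:-1] + ["[GNUPG:] TRUST_UNDEFINED"]
SAMPLE_BAD = [
    "[GNUPG:] BADSIG 234AABBCC34567C4 Heinrich Heine <heinrichh@uni-duesseldorf.de>",
]
```

              Because --verify writes no data to STDOUT, fd 1 is free for the
              status lines; when decrypting, use a separate descriptor so the
              plaintext and the status stream cannot be confused.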
2185
2186
2187       --logger-fd n
2188              Write log output to file descriptor n and not to STDERR.
2189
2190
2191       --log-file file
2192
2193       --logger-file file
2194              Same  as  --logger-fd, except the logger data is written to file
2195              file.  Note that --log-file is only implemented for GnuPG-2.
2196
2197
2198       --attribute-fd n
2199              Write attribute subpackets to the file  descriptor  n.  This  is
2200              most  useful for use with --status-fd, since the status messages
2201              are needed to separate  out  the  various  subpackets  from  the
2202              stream delivered to the file descriptor.
2203
2204
2205       --attribute-file file
2206              Same  as --attribute-fd, except the attribute data is written to
2207              file file.
2208
2209
2210       --comment string
2211
2212       --no-comments
2213              Use string as a comment string  in  clear  text  signatures  and
2214              ASCII armored messages or keys (see --armor). The default behav‐
2215              ior is not to use a comment string. --comment  may  be  repeated
2216              multiple  times  to  get multiple comment strings. --no-comments
2217              removes all comments.  It is a good idea to keep the length of a
2218              single  comment  below 60 characters to avoid problems with mail
2219              programs wrapping such lines.  Note that comment lines, like all
2220              other header lines, are not protected by the signature.
2221
2222
2223       --emit-version
2224
2225       --no-emit-version
2226              Force  inclusion  of the version string in ASCII armored output.
2227              --no-emit-version disables this option.
2228
2229
2230       --sig-notation name=value
2231
2232       --cert-notation name=value
2233
2234       -N, --set-notation name=value
2235              Put the name value pair into the  signature  as  notation  data.
2236              name  must  consist  only of printable characters or spaces, and
2237              must contain a '@' character in  the  form  keyname@domain.exam‐
2238              ple.com  (substituting  the appropriate keyname and domain name,
2239              of course).  This is to  help  prevent  pollution  of  the  IETF
2240              reserved notation namespace. The --expert flag overrides the '@'
2241              check. value may be any printable string; it will be encoded  in
2242              UTF8,  so  you  should  check that your --display-charset is set
2243              correctly. If you prefix name with an exclamation mark (!),  the
2244              notation  data  will  be flagged as critical (rfc2440:5.2.3.15).
2245              --sig-notation sets a notation for data signatures. --cert-nota‐
2246              tion sets a notation for key signatures (certifications). --set-
2247              notation sets both.
2248
2249              There are special codes that may be used in notation names. "%k"
2250              will  be  expanded into the key ID of the key being signed, "%K"
2251              into the long key ID of the key being signed, "%f" into the fin‐
2252              gerprint  of  the  key being signed, "%s" into the key ID of the
2253              key making the signature, "%S" into the long key ID of  the  key
2254              making  the signature, "%g" into the fingerprint of the key mak‐
2255              ing the signature (which might be a subkey), "%p" into the  fin‐
2256              gerprint  of  the  primary  key of the key making the signature,
2257              "%c" into the signature count from the  OpenPGP  smartcard,  and
2258              "%%" results in a single "%". %k, %K, and %f are only meaningful
2259              when making a key signature  (certification),  and  %c  is  only
2260              meaningful when using the OpenPGP smartcard.
2261
2262
2263       --sig-policy-url string
2264
2265       --cert-policy-url string
2266
2267       --set-policy-url string
2268              Use  string  as  a Policy URL for signatures (rfc2440:5.2.3.19).
2269              If you prefix it with an exclamation mark (!),  the  policy  URL
2270              packet will be flagged as critical. --sig-policy-url sets a pol‐
2271              icy url for data signatures. --cert-policy-url sets a policy url
2272              for key signatures (certifications). --set-policy-url sets both.
2273
2274              The same %-expandos used for notation data are available here as
2275              well.
2276
2277
2278       --sig-keyserver-url string
2279              Use string as a preferred keyserver URL for data signatures.  If
2280              you  prefix  it  with an exclamation mark (!), the keyserver URL
2281              packet will be flagged as critical.
2282
2283              The same %-expandos used for notation data are available here as
2284              well.
2285
2286
2287       --set-filename string
2288              Use  string  as  the  filename  which is stored inside messages.
2289              This overrides the default, which is to use the actual  filename
2290              of the file being encrypted.
2291
2292
2293       --for-your-eyes-only
2294
2295       --no-for-your-eyes-only
2296              Set  the  `for  your eyes only' flag in the message. This causes
2297              GnuPG to refuse to save the file unless the --output  option  is
2298              given,  and PGP to use a "secure viewer" with a claimed Tempest-
2299              resistant font to display the  message.  This  option  overrides
2300              --set-filename.  --no-for-your-eyes-only disables this option.
2301
2302
2303       --use-embedded-filename
2304
2305       --no-use-embedded-filename
2306              Try  to  create a file with a name as embedded in the data. This
2307              can be a dangerous option  as  it  allows  to  overwrite  files.
2308              Defaults to no.
2309
2310
2311       --cipher-algo name
2312              Use  name as cipher algorithm. Running the program with the com‐
2313              mand --version yields a list of supported algorithms. If this is
2314              not  used  the cipher algorithm is selected from the preferences
2315              stored with the key. In general, you do not  want  to  use  this
2316              option as it allows you to violate the OpenPGP standard.  --per‐
2317              sonal-cipher-preferences is the safe way to accomplish the  same
2318              thing.
2319
2320
2321       --digest-algo name
2322              Use  name  as  the message digest algorithm. Running the program
2323              with the command --version yields  a  list  of  supported  algo‐
2324              rithms.  In  general,  you  do not want to use this option as it
2325              allows you to violate the OpenPGP  standard.  --personal-digest-
2326              preferences is the safe way to accomplish the same thing.
2327
2328
2329       --compress-algo name
2330              Use compression algorithm name. "zlib" is RFC-1950 ZLIB compres‐
2331              sion. "zip" is RFC-1951 ZIP compression which is  used  by  PGP.
2332              "bzip2"  is  a  more modern compression scheme that can compress
2333              some things better than zip or zlib, but at  the  cost  of  more
2334              memory used during compression and decompression. "uncompressed"
2335              or "none" disables compression. If this option is not used,  the
2336              default  behavior is to examine the recipient key preferences to
2337              see which algorithms the recipient supports. If all else  fails,
2338              ZIP is used for maximum compatibility.
2339
2340              ZLIB  may  give better compression results than ZIP, as the com‐
2341              pression window size is not limited to 8k. BZIP2 may  give  even
2342              better  compression  results  than that, but will use a signifi‐
2343              cantly larger amount of memory while compressing and decompress‐
2344              ing.  This  may  be  significant in low memory situations. Note,
2345              however, that PGP (all versions) only supports ZIP  compression.
2346              Using  any algorithm other than ZIP or "none" will make the mes‐
2347              sage unreadable with PGP. In general, you do  not  want  to  use
2348              this  option  as  it allows you to violate the OpenPGP standard.
2349              --personal-compress-preferences is the safe  way  to  accomplish
2350              the same thing.
2351
2352
2353       --cert-digest-algo name
2354              Use  name  as  the  message digest algorithm used when signing a
2355              key. Running the program with the  command  --version  yields  a
2356              list  of  supported  algorithms.  Be aware that if you choose an
2357              algorithm that GnuPG supports but other OpenPGP  implementations
2358              do  not,  then some users will not be able to use the key signa‐
2359              tures you make, or quite possibly your entire key.
2360
2361
2362       --disable-cipher-algo name
2363              Never allow the use of name as cipher algorithm.  The given name
2364              will  not be checked so that a later loaded algorithm will still
2365              get disabled.
2366
2367
2368       --disable-pubkey-algo name
2369              Never allow the use of name as public key algorithm.  The  given
2370              name  will  not be checked so that a later loaded algorithm will
2371              still get disabled.
2372
2373
2374       --throw-keyids
2375
2376       --no-throw-keyids
2377              Do not put the recipient key IDs into encrypted  messages.  This
2378              helps  to  hide  the  receivers  of the message and is a limited
2379              countermeasure against traffic analysis. ([Using a little social
2380              engineering  anyone who is able to decrypt the message can check
2381              whether one of the other recipients is the  one  he  suspects.])
2382              On  the  receiving side, it may slow down the decryption process
2383              because all available secret keys must  be  tried.   --no-throw-
2384              keyids disables this option. This option is essentially the same
2385              as using --hidden-recipient for all recipients.
2386
2387
2388       --not-dash-escaped
2389              This option changes the behavior of cleartext signatures so that
2390              they  can  be  used for patch files. You should not send such an
2391              armored file via email because all spaces and line  endings  are
2392              hashed  too.  You  cannot use this option for data which has five
2393              dashes at the beginning of a line; patch files don't have  this.
2394              A  special  armor  header  line tells GnuPG about this cleartext
2395              signature option.
2396
2397
2398       --escape-from-lines
2399
2400       --no-escape-from-lines
2401              Because some mailers change  lines  starting  with  "From  "  to
2402              ">From  "  it is good to handle such lines in a special way when
2403              creating cleartext signatures to prevent the  mail  system  from
2404              breaking  the  signature. Note that all other PGP versions do it
2405              this way too.  Enabled by default.  --no-escape-from-lines  dis‐
2406              ables this option.
2407
2408
2409       --passphrase-repeat n
2410              Specify  how  many  times  gpg2 will request a new passphrase be
2411              repeated.  This is useful for  helping  memorize  a  passphrase.
2412              Defaults to 1 repetition.
2413
2414
2415       --passphrase-fd n
2416              Read  the passphrase from file descriptor n. Only the first line
2417              will be read from file descriptor n. If you use  0  for  n,  the
2418              passphrase  will  be  read  from STDIN. This can only be used if
2419              only one passphrase is supplied.  Note that this  passphrase  is
2420              only  used  if  the option --batch has also been given.  This is
2421              different from gpg.
2422
2423
2424       --passphrase-file file
2425              Read the passphrase from file file. Only the first line will  be
2426              read  from  file  file.  This  can  only  be  used  if  only one
2427              passphrase is supplied. Obviously, a passphrase stored in a file
2428              is  of  questionable security if other users can read this file.
2429              Don't use this option if you  can  avoid  it.   Note  that  this
2430              passphrase  is  only  used  if  the option --batch has also been
2431              given.  This is different from gpg.
2432
2433
2434       --passphrase string
2435              Use string as the passphrase. This can only be used if only  one
2436              passphrase  is supplied. Obviously, this is of very questionable
2437              security on a multi-user system. Don't use this  option  if  you
2438              can  avoid  it.   Note  that this passphrase is only used if the
2439              option --batch has also been given.  This is different from gpg.
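              Of the three ways to supply a passphrase non-interactively that
              are described above, --passphrase-fd is the one to use from a
              program: a string on the command line is visible to every user
              in the process list, and a file has to be protected on disk. The
              following is an added example, not code from the man page or
              from GnuPG, showing how to hand the passphrase to gpg2 over a
              private pipe on a POSIX system; it assumes gpg2 is on PATH and
              that --batch is given, since the page states the passphrase is
              otherwise ignored.

```python
import os
import shutil
import subprocess


def passphrase_argv(read_fd, gpg_args):
    """gpg2 command line for unattended use.  --batch is mandatory for the
    passphrase options to take effect, and the descriptor number must be the
    read end of the pipe that the child actually inherits."""
    return ["gpg2", "--batch", "--passphrase-fd", str(read_fd)] + list(gpg_args)


def run_with_passphrase(gpg_args, passphrase):
    """Run gpg2 with the passphrase written to a pipe that only the child
    can read.  gpg reads just the first line, so a newline inside the
    passphrase would silently truncate it; reject that up front."""
    if "\n" in passphrase:
        raise ValueError("passphrase must be a single line")
    if shutil.which("gpg2") is None:
        raise RuntimeError("gpg2 not found on PATH")
    read_fd, write_fd = os.pipe()
    try:
        # close_fds defaults to True, so only the read end listed in pass_fds
        # crosses into the child; the write end stays private to us.
        proc = subprocess.Popen(passphrase_argv(read_fd, gpg_args),
                                pass_fds=(read_fd,),
                                stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        os.close(read_fd)          # the child now owns its copy
        read_fd = -1
        os.write(write_fd, (passphrase + "\n").encode())
        os.close(write_fd)         # EOF tells gpg the line is complete
        write_fd = -1
        out, err = proc.communicate()
        return proc.returncode, out, err
    finally:
        for fd in (read_fd, write_fd):
            if fd >= 0:
                os.close(fd)
```

              A short passphrase fits in the pipe buffer, so writing it before
              the child reads cannot block; the passphrase never appears in
              argv, in the environment, or on disk.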
2440
2441
2442       --command-fd n
2443              This is a replacement for the deprecated shared-memory IPC mode.
2444              If  this  option  is  enabled,  user  input  on questions is not
2445              expected from the TTY but from the  given  file  descriptor.  It
2446              should   be   used  together  with  --status-fd.  See  the  file
2447              doc/DETAILS in the source distribution for details on how to use
2448              it.
2449
2450
2451       --command-file file
2452              Same  as  --command-fd, except the commands are read out of file
2453              file
2454
2455
2456       --allow-non-selfsigned-uid
2457
2458       --no-allow-non-selfsigned-uid
2459              Allow the import and use of keys with user  IDs  which  are  not
2460              self-signed.  This is not recommended, as a non self-signed user
2461              ID is trivial to forge. --no-allow-non-selfsigned-uid disables.
2462
2463
2464       --allow-freeform-uid
2465              Disable all checks on the form of the user ID while generating a
2466              new  one.  This option should only be used in very special envi‐
2467              ronments as it does not ensure the de-facto standard  format  of
2468              user IDs.
2469
2470
2471       --ignore-time-conflict
2472              GnuPG  normally  checks that the timestamps associated with keys
2473              and signatures have plausible values. However, sometimes a  sig‐
2474              nature  seems  to  be  older than the key due to clock problems.
2475              This  option  makes  these  checks  just  a  warning.  See  also
2476              --ignore-valid-from for timestamp issues on subkeys.
2477
2478
2479       --ignore-valid-from
2480              GnuPG  normally  does  not select and use subkeys created in the
2481              future.  This option allows  the  use  of  such  keys  and  thus
2482              exhibits the pre-1.0.7 behaviour. You should not use this option
2483              unless there is some clock problem.  See  also  --ignore-time-
2484              conflict for timestamp issues with signatures.
2485
2486
2487       --ignore-crc-error
2488              The  ASCII  armor used by OpenPGP is protected by a CRC checksum
2489              against transmission errors. Occasionally the CRC  gets  mangled
2490              somewhere  on  the  transmission  channel but the actual content
2491              (which is protected by the OpenPGP  protocol  anyway)  is  still
2492              okay. This option allows GnuPG to ignore CRC errors.
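              The armor checksum is an unkeyed CRC-24 (RFC 4880, section 6.1):
              anyone who can alter the armored text can also recompute it, so
              it detects transmission damage and nothing more. Tamper detection
              comes from the MDC or the signature inside the message, which is
              why --ignore-crc-error is a reasonable recovery tool while the
              --ignore-mdc-error option below is not. The following is an
              added example, not code from the man page or from GnuPG, that
              implements the CRC, checks the "=XXXX" trailer of an armored
              block, and shows a forged trailer passing or failing purely on
              arithmetic. The armored block is constructed here and its
              payload is not a real OpenPGP packet.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (check value for
    b"123456789" is 0x21CF02)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor_checksum(data: bytes) -> str:
    """The '=XXXX' trailer line: the 3-byte CRC, base64 encoded."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()


def check_armor(text: str):
    """Decode an armored block and verify its CRC line.  Returns
    (payload, crc_ok); crc_ok is None when the block carries no CRC line.
    Armor headers (Version:, Comment:) end at the first empty line, as
    RFC 4880 requires."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP "))
        end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP "))
    except StopIteration:
        raise ValueError("not an armored block")
    body = lines[start + 1:end]
    if "" in body:
        body = body[body.index("") + 1:]
    b64 = [l for l in body if l]
    crc_line = None
    if b64 and b64[-1].startswith("="):
        crc_line = b64.pop()
    payload = base64.b64decode("".join(b64))
    if crc_line is None:
        return payload, None
    return payload, crc_line == armor_checksum(payload)


def build_armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Constructed armored block for demonstration only; the payload is
    arbitrary bytes, not an OpenPGP packet sequence."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP %s-----" % kind, "", *body,
                      armor_checksum(payload), "-----END PGP %s-----" % kind, ""])
```

              Note that check_armor() can be made to report a good CRC for
              any altered payload simply by recomputing the trailer, which is
              exactly why a matching CRC must never be read as integrity.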
2493
2494
2495       --ignore-mdc-error
2496              This  option  changes  a MDC integrity protection failure into a
2497              warning.  This can be useful if a message is partially  corrupt,
2498              but  it  is necessary to get as much data as possible out of the
2499              corrupt message.  However, be aware that a MDC protection  fail‐
2500              ure  may also mean that the message was tampered with intention‐
2501              ally by an attacker.
2502
2503
2504       --no-default-keyring
2505              Do not add the default keyrings to the list  of  keyrings.  Note
2506              that  GnuPG will not operate without any keyrings, so if you use
2507              this option and do not provide alternate keyrings via  --keyring
2508              or  --secret-keyring, then GnuPG will still use the default pub‐
2509              lic or secret keyrings.
2510
2511
2512       --skip-verify
2513              Skip the signature verification step. This may be used  to  make
2514              the  decryption  faster  if  the  signature  verification is not
2515              needed.
2516
2517
2518       --with-key-data
2519              Print key listings delimited by colons (like --with-colons)  and
2520              print the public key data.
2521
2522
2523       --fast-list-mode
2524              Changes  the output of the list commands to work faster; this is
2525              achieved by leaving some parts empty.  Some  applications  don't
2526              need  the  user  ID and the trust information given in the list‐
2527              ings. By using this options they can get a faster  listing.  The
2528              exact  behaviour  of  this option may change in future versions.
2529              If you are missing some information, don't use this option.
2530
2531
2532       --no-literal
2533              This is not for normal use. Use the source to see  for  what  it
2534              might be useful.
2535
2536
2537       --set-filesize
2538              This  is  not  for normal use. Use the source to see for what it
2539              might be useful.
2540
2541
2542       --show-session-key
2543              Display the session key used for one  message.  See  --override-
2544              session-key for the counterpart of this option.
2545
2546              We think that Key Escrow is a Bad Thing; however the user should
2547              have the freedom to decide whether to go to prison or to  reveal
2548              the  content  of  one  specific message without compromising all
2549              messages ever encrypted for one secret key. DON'T USE IT  UNLESS
2550              YOU ARE REALLY FORCED TO DO SO.
2551
2552
2553       --override-session-key string
2554              Don't  use the public key but the session key string. The format
2555              of this string is the same as the one printed by --show-session-
2556              key.  This  option  is normally not used but comes handy in case
2557              someone forces you to reveal the content of  an  encrypted  mes‐
2558              sage;  using this option you can do this without handing out the
2559              secret key.
2560
2561
2562       --ask-sig-expire
2563
2564       --no-ask-sig-expire
2565              When making a data signature, prompt for an expiration time.  If
2566              this  option  is  not  specified,  the  expiration  time set via
2567              --default-sig-expire is used. --no-ask-sig-expire disables  this
2568              option.  Note that by default, --force-v3-sigs is set which also
2569              disables this option. If you want signature expiration, you must
2570              set --no-force-v3-sigs as well as turning --ask-sig-expire on.
2571
2572
2573       --default-sig-expire
2574              The  default  expiration  time  to use for signature expiration.
2575              Valid values are "0" for no expiration, a number followed by the
2576              letter  d  (for  days), w (for weeks), m (for months), or y (for
2577              years) (for example "2m"  for  two  months,  or  "5y"  for  five
2578              years),  or an absolute date in the form YYYY-MM-DD. Defaults to
2579              "0".
2580
2581
2582       --ask-cert-expire
2583
2584       --no-ask-cert-expire
2585              When making a key signature, prompt for an expiration  time.  If
2586              this  option  is  not  specified,  the  expiration  time set via
2587              --default-cert-expire  is  used.  --no-ask-cert-expire  disables
2588              this option.
2589
2590
2591       --default-cert-expire
2592              The default expiration time to use for key signature expiration.
2593              Valid values are "0" for no expiration, a number followed by the
2594              letter  d  (for  days), w (for weeks), m (for months), or y (for
2595              years) (for example "2m"  for  two  months,  or  "5y"  for  five
2596              years),  or an absolute date in the form YYYY-MM-DD. Defaults to
2597              "0".
2598
2599
2600       --allow-secret-key-import
2601              This is an obsolete option and is not used anywhere.
2602
2603
2604       --allow-multiple-messages
2605
2606       --no-allow-multiple-messages
2607              Allow processing of multiple OpenPGP  messages  contained  in  a
2608              single file or stream.  Some programs that call GPG are not pre‐
2609              pared to deal with multiple messages being  processed  together,
2610              so  this option defaults to no.  Note that versions of GPG prior
2611              to 1.4.7 always allowed multiple messages.
2612
2613              Warning: Do not use this option unless you need it as  a  tempo‐
2614              rary workaround!
2615
2616
2617
2618       --enable-special-filenames
2619              This  option  enables  a  mode  in  which filenames of the form
2620              ‘-&n’, where n is a non-negative decimal number,  refer  to  the
2621              file descriptor n and not to a file with that name.
2622
2623
2624       --no-expensive-trust-checks
2625              Experimental use only.
2626
2627
2628       --preserve-permissions
2629              Don't  change  the  permissions of a secret keyring back to user
2630              read/write only. Use this option only if you  really  know  what
2631              you are doing.
2632
2633
2634       --default-preference-list string
2635              Set  the  list of default preferences to string. This preference
2636              list is used for new keys and becomes the default for  "setpref"
2637              in the edit menu.
2638
2639
2640       --default-keyserver-url name
2641              Set  the  default  keyserver URL to name. This keyserver will be
2642              used as the keyserver URL when writing a new self-signature on a
2643              key, which includes key generation and changing preferences.
2644
2645
2646       --list-config
2647              Display various internal configuration parameters of GnuPG. This
2648              option is intended for external programs that call GnuPG to per‐
2649              form  tasks,  and  is  thus  not  generally useful. See the file
2650              ‘doc/DETAILS’ in the source  distribution  for  the  details  of
2651              which  configuration  items may be listed. --list-config is only
2652              usable with --with-colons set.
2653
2654
2655       --gpgconf-list
2656              This command is similar to --list-config  but  in  general  only
2657              internally used by the gpgconf tool.
2658
2659
2660       --gpgconf-test
2661              This  is  more or less dummy action.  However it parses the con‐
2662              figuration file and returns with failure  if  the  configuration
2663              file would prevent gpg from startup.  Thus it may be used to run
2664              a syntax check on the configuration file.
2665
2666
2667
2668
2669   Deprecated options
2670
2671
2672
2673
2674
2675       --show-photos
2676
2677       --no-show-photos
2678              Causes  --list-keys,  --list-sigs,  --list-public-keys,  --list-
2679              secret-keys, and verifying a signature to also display the photo
2680              ID attached to the key, if any. See also  --photo-viewer.  These
2681              options  are  deprecated.  Use  --list-options  [no-]show-photos
2682              and/or --verify-options [no-]show-photos instead.
2683
2684
2685       --show-keyring
2686              Display the keyring name at the head of  key  listings  to  show
2687              which keyring a given key resides on. This option is deprecated:
2688              use --list-options [no-]show-keyring instead.
2689
2690
2691
2692       --always-trust
2693              Identical to --trust-model always. This option is deprecated.
2694
2695
2696       --show-notation
2697
2698       --no-show-notation
2699              Show signature notations  in  the  --list-sigs  or  --check-sigs
2700              listings  as  well as when verifying a signature with a notation
2701              in  it.  These  options  are  deprecated.   Use   --list-options
2702              [no-]show-notation  and/or  --verify-options  [no-]show-notation
2703              instead.
2704
2705
2706       --show-policy-url
2707
2708       --no-show-policy-url
2709              Show policy URLs in the --list-sigs or --check-sigs listings  as
2710              well  as  when  verifying  a  signature with a policy URL in it.
2711              These options are deprecated. Use --list-options  [no-]show-pol‐
2712              icy-url and/or --verify-options [no-]show-policy-url instead.
2713
2714
2715
2716
2717
2718

EXAMPLES

2720       gpg -se -r Bob file
2721              sign and encrypt for user Bob
2722
2723
2724       gpg --clearsign file
2725              make a clear text signature
2726
2727
2728       gpg -sb file
2729              make a detached signature
2730
2731
2732       gpg -u 0x12345678 -sb file
2733              make a detached signature with the key 0x12345678
2734
2735
2736       gpg --list-keys user_ID
2737              show keys
2738
2739
2740       gpg --fingerprint user_ID
2741              show fingerprint
2742
2743
2744       gpg --verify pgpfile
2745
2746       gpg --verify sigfile [datafile]
2747              Verify the signature of the file but do not output the data. The
2748              second form is used for detached signatures,  where  sigfile  is
2749              the detached signature (either ASCII armored or binary) and data‐
2750              file is the signed data; if datafile is not given,  the  name  of
2751              the file holding the signed data is constructed by  cutting  off
2752              the extension (".asc" or ".sig") of sigfile or by asking the user
2753              for the filename.
2754
2755
2756
2757

HOW TO SPECIFY A USER ID

2759       There  are  different ways to specify a user ID to GnuPG.  Some of them
2760       are only valid for gpg others are only good for  gpgsm.   Here  is  the
2761       entire list of ways to specify a key:
2762
2763
2764
2765       By key Id.
2766              This  format  is  deduced  from the length of the string and its
2767              content or 0x prefix. The key Id of an X.509 certificate  is  the
2768              low  64  bits  of  its SHA-1 fingerprint.  The use of key Ids is
2769              just a shortcut, for all automated  processing  the  fingerprint
2770              should be used.
2771
2772              When  using gpg an exclamation mark (!) may be appended to force
2773              using the specified primary or secondary key and not to try  and
2774              calculate which primary or secondary key to use.
2775
2776              The last four lines of the example give the key ID in their long
2777              form as internally used by the OpenPGP protocol. You can see the
2778              long key ID using the option --with-colons.
2779
2780         234567C4
2781         0F34E556E
2782         01347A56A
2783         0xAB123456
2784
2785         234AABBCC34567C4
2786         0F323456784E56EAB
2787         01AB3FED1347A5612
2788         0x234AABBCC34567C4
2789
2790
2791
2792
2793       By fingerprint.
2794              This  format  is  deduced  from the length of the string and its
2795              content or the 0x prefix.  Note, that only the 20  byte  version
2796              fingerprint  is available with gpgsm (i.e. the SHA-1 hash of the
2797              certificate).
2798
2799              When using gpg an exclamation mark (!) may be appended to  force
2800              using  the specified primary or secondary key and not to try and
2801              calculate which primary or secondary key to use.
2802
2803              The best way to specify a key Id is by  using  the  fingerprint.
2804              This  avoids  any  ambiguities in case that there are duplicated
2805              key IDs.
2806
2807         1234343434343434C434343434343434
2808         123434343434343C3434343434343734349A3434
2809         0E12343434343434343434EAB3484343434343434
2810         0xE12343434343434343434EAB3484343434343434
2811
2812
2813       (gpgsm also accepts colons between  each  pair  of  hexadecimal  digits
2814       because  this  is the de-facto standard on how to present X.509 finger‐
2815       prints.)
2816
2817
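       The following is an added example, not code from this man page or from
       GnuPG itself.  It shows the relationship between a v4 fingerprint and
       the key IDs described under "By key Id" and "By fingerprint" above:  it
       derives the long (64-bit) and short (32-bit) key IDs from a fingerprint,
       builds the 0x-prefixed, !-terminated specification a script should pass
       to gpg2 so that exactly one key is used, checks that a key ID handed in
       by a caller really belongs to a given fingerprint, and pulls the finger-
       prints out of --with-colons output (the "fpr:" record carries the
       fingerprint in field 10).  Every fingerprint and the --with-colons
       listing are constructed for illustration and belong to no real key.

```shell
#!/bin/sh
# Added example, not code from the gpg2 man page: derive OpenPGP key IDs from
# a v4 fingerprint, build unambiguous key specifications, and extract the
# fingerprints from "gpg2 --list-keys --with-colons" output.  All fingerprints
# and the --with-colons sample below are constructed; they belong to no key.

# Strip spaces and colons, uppercase, and insist on exactly 40 hex digits
# (the 20-byte v4 fingerprint).  Prints the normalized fingerprint or fails.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :' | tr 'abcdef' 'ABCDEF')
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# For a v4 key the 64-bit key ID is the low 64 bits of the fingerprint, i.e.
# its last 16 hex digits; the short 32-bit ID is the last 8.  Both are printed
# with the 0x prefix so gpg2 cannot mistake them for a user-ID string.
long_keyid() {
    f=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$f" | cut -c25-40)"
}
short_keyid() {
    f=$(normalize_fpr "$1") || return 1
    printf '0x%s\n' "$(printf '%s' "$f" | cut -c33-40)"
}

# The specification to use in scripts: the full fingerprint, 0x-prefixed, with
# a trailing "!" so gpg2 uses exactly this key (primary or subkey) and does
# not pick a subkey on its own.
exact_keyspec() {
    f=$(normalize_fpr "$1") || return 1
    printf '0x%s!\n' "$f"
}

# Check that a key ID supplied by a caller (8 or 16 hex digits, optional 0x)
# really belongs to the fingerprint the keyring reports.  Returns 0 on match.
keyid_matches_fpr() {
    id=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    f=$(normalize_fpr "$2") || return 1
    case "${#id}" in
        16) [ "$(printf '%s' "$f" | cut -c25-40)" = "$id" ] ;;
        8)  [ "$(printf '%s' "$f" | cut -c33-40)" = "$id" ] ;;
        *)  return 1 ;;
    esac
}

# Field 10 of each "fpr:" record is the fingerprint of the key or subkey
# listed in the preceding pub:/sub: record.  Reads --with-colons output on
# stdin and prints one fingerprint per line.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Constructed --with-colons listing (not real gpg2 output) for the usage
# below; the key IDs in the pub:/sub: records are the low 64 bits of the
# fingerprints in the fpr: records that follow them.
SAMPLE_COLONS='pub:u:2048:1:234AABBCC34567C4:1262304000:::u:::scESC:
fpr:::::::::123434343434343434343434234AABBCC34567C4:
uid:u::::1262304000::0000000000000000000000000000000000000000::Heinrich Heine <heinrichh@uni-duesseldorf.de>:
sub:u:2048:1:0F323456784E56EA:1262304000::::::e:
fpr:::::::::0E12343434343434343434EA0F323456784E56EA:'

# Usage: for every key in the sample print the spec a script should pass to
# gpg2 (e.g. gpg2 --recipient "$(exact_keyspec "$f")" ...) next to the two
# shortcut forms it must not rely on.
printf '%s\n' "$SAMPLE_COLONS" | fprs_from_colons | while read -r f; do
    printf '%s  long=%s short=%s\n' "$(exact_keyspec "$f")" \
        "$(long_keyid "$f")" "$(short_keyid "$f")"
done
```

       The key ID helpers exist only so a script can cross-check an ID it was
       handed; the value it actually passes to gpg2 is the one produced by
       exact_keyspec.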
       By exact match on OpenPGP user ID.
              This is denoted by a leading equal sign.  It does not make sense
              for X.509 certificates.

         =Heinrich Heine <heinrichh@uni-duesseldorf.de>


       By exact match on an email address.
              This is indicated by enclosing the email address in  the  usual
              way with left and right angles.

         <heinrichh@uni-duesseldorf.de>



       By word match.
              All words must match exactly (not case sensitive) but can appear
              in any order in the user ID or a subject's name.  Words are  any
              sequences of letters, digits, the underscore and all  characters
              with bit 7 set.

         +Heinrich Heine duesseldorf


       By exact match on the subject's DN.
              This is indicated by a leading slash, directly followed  by  the
              RFC-2253 encoded DN of the subject.  Note that you can't use the
              string printed by "gpgsm --list-keys" because that one has  been
              reordered and modified for better readability; use --with-colons
              to print the raw (but standard escaped) RFC-2253 string.

         /CN=Heinrich Heine,O=Poets,L=Paris,C=FR


       By exact match on the issuer's DN.
              This is indicated by a leading hash mark, directly followed by a
              slash and then directly followed by the RFC-2253 encoded  DN  of
              the issuer.  This should return the Root cert  of  the  issuer.
              See note above.

         #/CN=Root Cert,O=Poets,L=Paris,C=FR



       By exact match on serial number and issuer's DN.
              This is indicated by a hash mark, followed by  the  hexadecimal
              representation of the serial number, then followed by  a  slash
              and the RFC-2253 encoded DN of the issuer.  See note above.

         #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR


       By keygrip
              This is indicated by an ampersand followed by the 40 hex  digits
              of a keygrip.  gpgsm prints the keygrip when using  the  command
              --dump-cert.  It does not yet work for OpenPGP keys.

         &D75F22C3F86E355877348498CDC92BD21010A480



       By substring match.
              This is the default mode but applications may want to explicitly
              indicate this by putting the asterisk in front.   Match  is  not
              case sensitive.

         Heine
         *Heine



       Please note that we have reused the hash mark identifier which was used
       in old GnuPG versions to indicate the so called local-id.   It  is  no
       longer used and there should be no conflict when used with X.509  cer-
       tificates.

       Using the RFC-2253 format of DNs has the drawback that it is not possi-
       ble to map them back to the original encoding; however we don't have to
       do this because our key database stores this encoding as meta data.





FILES

       There are a few configuration files  to  control  certain  aspects  of
       gpg2's operation.  Unless noted, they are expected in the current  home
       directory (see: [option --homedir]).



       gpg.conf
              This is the standard configuration file read by gpg2 on startup.
              It may contain any valid long option; the leading two dashes may
              not be entered and the option may not  be  abbreviated.   This
              default name may be changed on the command line  (see:  [option
              --options]).  You should backup this file.


       Note that on larger installations, it is useful to put predefined files
       into the directory ‘/etc/skel/.gnupg/’ so  that  newly  created  users
       start up with a working configuration.  For existing  users  a  small
       helper script is provided to create these files (see: [addgnupghome]).

       For internal purposes gpg2 creates and maintains a  few  other  files;
       they all live in the current home directory (see: [option --homedir]).
       Only gpg2 may modify these files.



       ~/.gnupg/secring.gpg
              The secret keyring.  You should backup this file.


       ~/.gnupg/secring.gpg.lock
              The lock file for the secret keyring.


       ~/.gnupg/pubring.gpg
              The public keyring.  You should backup this file.


       ~/.gnupg/pubring.gpg.lock
              The lock file for the public keyring.


       ~/.gnupg/trustdb.gpg
              The trust database.  There is no need to backup this file; it is
              better to backup the ownertrust values  (see:  [option  --export-
              ownertrust]).


       ~/.gnupg/trustdb.gpg.lock
              The lock file for the trust database.


       ~/.gnupg/random_seed
              A file used to preserve the state of the internal random pool.


       /usr[/local]/share/gnupg/options.skel
              The skeleton options file.


       /usr[/local]/lib/gnupg/
              Default location for extensions.


       Operation is further controlled by a few environment variables:



       HOME   Used to locate the default home directory.


       GNUPGHOME
              If set, this directory is used instead of "~/.gnupg".


       GPG_AGENT_INFO
              Used to locate the gpg-agent.  The value consists  of  3  colon
              delimited fields: the first is the path  to  the  Unix  Domain
              Socket, the second the PID of the gpg-agent and the  third  the
              protocol version, which should be set to 1.  When starting  the
              gpg-agent as described in its documentation, this variable is set
              to the correct value.  The option --gpg-agent-info can be  used
              to override it.


       PINENTRY_USER_DATA
              This value is passed via gpg-agent to pinentry.  It is useful to
              convey extra information to a custom pinentry.


       COLUMNS

       LINES  Used to size some displays to the full size of the screen.



       LANGUAGE
              Apart from its use by GNU, it is used in  the  W32  version  to
              override the language selection done through the Registry.   If
              used and set to a valid and available  language  name  (langid),
              the file with the translation is loaded from gpgdir/gnupg.nls/
              langid.mo.  Here gpgdir is the directory out of  which  the  gpg
              binary has been loaded.  If it can't be loaded the  Registry  is
              tried and as last resort the native Windows locale  system  is
              used.



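       As an added example (not this man page's or GnuPG's own code), a  pre-
       flight routine a deployment script can run before it calls gpg2.   It
       resolves the home directory the way the FILES section describes (GNUPG-
       HOME if set, otherwise ~/.gnupg), refuses to continue if that directory
       or any of the files listed above grants any permission to group or
       others, and validates a GPG_AGENT_INFO value against the three-field
       format described above.  The temporary directory and the agent  value
       in the usage at the bottom are constructed; the expectation that the
       directory is mode 0700 and the files mode 0600 is this example's policy
       and is not something the man page states.

```shell
#!/bin/sh
# Added example, not code from the gpg2 man page: a pre-flight check a script
# can run before calling gpg2.  Resolves the home directory (GNUPGHOME, else
# $HOME/.gnupg), rejects a home directory or keyring readable by other users
# (an assumed policy, not a requirement stated by the man page), and validates
# the "socket:pid:version" form of GPG_AGENT_INFO.

# Home directory resolution: GNUPGHOME wins, otherwise ~/.gnupg.
gnupg_home() {
    if [ -n "$GNUPGHOME" ]; then
        printf '%s\n' "$GNUPGHOME"
    else
        printf '%s\n' "$HOME/.gnupg"
    fi
}

# Group/other permission bits of a path, taken from columns 5-10 of ls -ld
# ("drwx------" -> "------").  Avoids the non-portable stat(1) flags.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Fails if the home directory, or any of the files the FILES section lists
# that actually exists, grants any permission to group or others.
check_gnupg_home() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    [ "$(group_other_bits "$dir")" = "------" ] || {
        echo "$dir is accessible to group/others" >&2; return 1; }
    for f in gpg.conf secring.gpg pubring.gpg trustdb.gpg random_seed; do
        [ -e "$dir/$f" ] || continue
        [ "$(group_other_bits "$dir/$f")" = "------" ] || {
            echo "$dir/$f is accessible to group/others" >&2; return 1; }
    done
    return 0
}

# GPG_AGENT_INFO is "socket:pid:version".  Accept it only if all three fields
# are present, the socket path is absolute, the PID is a positive integer and
# the protocol version is 1.  Prints the socket path on success.
parse_agent_info() {
    info=$1
    sock=${info%%:*}
    rest=${info#*:}
    case "$rest" in *:*) ;; *) return 1 ;; esac   # needs pid AND version
    pid=${rest%%:*}
    ver=${rest#*:}
    case "$sock" in /*) ;; *) return 1 ;; esac
    case "$pid" in ''|*[!0-9]*|0) return 1 ;; esac
    [ "$ver" = "1" ] || return 1
    printf '%s\n' "$sock"
}

# Usage: build a throwaway home directory with loose permissions, watch the
# check reject it, tighten it, and parse a constructed agent value.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 0755 "$tmp/.gnupg"
    : > "$tmp/.gnupg/secring.gpg"
    chmod 0644 "$tmp/.gnupg/secring.gpg"
    if check_gnupg_home "$tmp/.gnupg"; then
        echo "loose permissions were accepted (unexpected)"
    else
        echo "loose permissions rejected; tightening to 0700/0600"
    fi
    chmod 0700 "$tmp/.gnupg"
    chmod 0600 "$tmp/.gnupg/secring.gpg"
    check_gnupg_home "$tmp/.gnupg" && echo "home directory OK"
    parse_agent_info "$tmp/S.gpg-agent:4242:1"
    rm -rf "$tmp"
}
demo
```

       A script that passes these checks still has to invoke gpg2 with an ex-
       plicit --homedir (or an exported GNUPGHOME) so that the directory  it
       checked is the one gpg2 actually uses.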

BUGS

       On many systems this program should be installed as setuid(root).  This
       is necessary to lock memory pages.  Locking memory pages prevents  the
       operating system from writing memory pages (which may contain  pass-
       phrases or other sensitive material) to disk.  If you get  no  warning
       message about insecure memory your operating system  supports  locking
       without being root.  The program drops root privileges as soon as locked
       memory is allocated.

       Note also that some systems (especially laptops) have the  ability  to
       ``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
       This writes all memory to disk before going into a low power  or  even
       powered off mode.  Unless measures are taken in the operating system to
       protect the saved memory, passphrases or other sensitive  material  may
       be recoverable from it later.



SEE ALSO

       gpgv(1), gpgsm(1), gpg-agent(1)

       The full documentation for this tool is maintained as a Texinfo manual.
       If GnuPG and the info program are properly installed at your site,  the
       command

         info gnupg

       should give you access to the complete manual including a menu  struc-
       ture and an index.



GnuPG 2.0.14                      2018-07-13                           GPG2(1)