1GPG(1) GNU Privacy Guard 1.4 GPG(1)
2
3
4
6 gpg - OpenPGP encryption and signing tool
7
9 gpg [--homedir dir] [--options file] [options] command [args]
10
11
13 gpg is the OpenPGP only version of the GNU Privacy Guard (GnuPG). It is
14 a tool to provide digital encryption and signing services using the
15 OpenPGP standard. gpg features complete key management and all bells
16 and whistles you can expect from a decent OpenPGP implementation.
17
18 This is the standalone version of gpg. For desktop use you should con‐
19 sider using gpg2 from the GnuPG-2 package
20 ([On some platforms gpg2 is installed under the name gpg]).
21
22
23
24
25
26
27
29 The program returns 0 if everything was fine, 1 if at least a signature
30 was bad, and other error codes for fatal errors.
31
32
34 Use a *good* password for your user account and a *good* passphrase to
35 protect your secret key. This passphrase is the weakest part of the
36 whole system. Programs to do dictionary attacks on your secret keyring
37 are very easy to write and so you should protect your "~/.gnupg/" di‐
38 rectory very well.
39
40 Keep in mind that, if this program is used over a network (telnet), it
41 is *very* easy to spy out your passphrase!
42
43 If you are going to verify detached signatures, make sure that the pro‐
44 gram knows about it; either give both filenames on the command line or
45 use '-' to specify STDIN.
46
47
49 GnuPG tries to be a very flexible implementation of the OpenPGP stan‐
50 dard. In particular, GnuPG implements many of the optional parts of the
51 standard, such as the SHA-512 hash, and the ZLIB and BZIP2 compression
52 algorithms. It is important to be aware that not all OpenPGP programs
53 implement these optional algorithms and that by forcing their use via
54 the --cipher-algo, --digest-algo, --cert-digest-algo, or --compress-
55 algo options in GnuPG, it is possible to create a perfectly valid
56 OpenPGP message, but one that cannot be read by the intended recipient.
57
58 There are dozens of variations of OpenPGP programs available, and each
59 supports a slightly different subset of these optional algorithms. For
60 example, until recently, no (unhacked) version of PGP supported the
61 BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
62 read by a PGP user. By default, GnuPG uses the standard OpenPGP prefer‐
63 ences system that will always do the right thing and create messages
64 that are usable by all recipients, regardless of which OpenPGP program
65 they use. Only override this safe default if you really know what you
66 are doing.
67
68 If you absolutely must override the safe default, or if the preferences
69 on a given key are invalid for some reason, you are far better off us‐
70 ing the --pgp6, --pgp7, or --pgp8 options. These options are safe as
71 they do not force any particular algorithms in violation of OpenPGP,
72 but rather reduce the available algorithms to a "PGP-safe" list.
73
74
76 Commands are not distinguished from options except for the fact that
77 only one command is allowed.
78
79 gpg may be run with no commands, in which case it will perform a rea‐
80 sonable action depending on the type of file it is given as input (an
81 encrypted message is decrypted, a signature is verified, a file con‐
82 taining keys is listed).
83
84 Please remember that option as well as command parsing stops as soon as
85 a non-option is encountered, you can explicitly stop parsing by using
86 the special option --.
87
88
89
90
91
92
93 Commands not specific to the function
94
95
96
97 --version
98 Print the program version and licensing information. Note that
99 you cannot abbreviate this command.
100
101
102 --help
103
104 -h Print a usage message summarizing the most useful command line
105 options. Note that you cannot abbreviate this command.
106
107
108 --warranty
109 Print warranty information.
110
111
112 --dump-options
113 Print a list of all available options and commands. Note that
114 you cannot abbreviate this command.
115
116
117
118
119 Commands to select the type of operation
120
121
122
123
124
125 --sign
126
127 -s Make a signature. This command may be combined with --encrypt
128 (for a signed and encrypted message), --symmetric (for a signed
129 and symmetrically encrypted message), or --encrypt and --symmet‐
130 ric together (for a signed message that may be decrypted via a
131 secret key or a passphrase). The key to be used for signing is
132 chosen by default or can be set with the --local-user and --de‐
133 fault-key options.
134
135
136 --clearsign
137 Make a clear text signature. The content in a clear text signa‐
138 ture is readable without any special software. OpenPGP software
139 is only needed to verify the signature. Clear text signatures
140 may modify end-of-line whitespace for platform independence and
141 are not intended to be reversible. The key to be used for sign‐
142 ing is chosen by default or can be set with the --local-user and
143 --default-key options.
144
145
146
147 --detach-sign
148
149 -b Make a detached signature.
150
151
152 --encrypt
153
154 -e Encrypt data. This option may be combined with --sign (for a
155 signed and encrypted message), --symmetric (for a message that
156 may be decrypted via a secret key or a passphrase), or --sign
157 and --symmetric together (for a signed message that may be de‐
158 crypted via a secret key or a passphrase).
159
160
161 --symmetric
162
163 -c Encrypt with a symmetric cipher using a passphrase. The default
164 symmetric cipher used is AES128, but may be chosen with the
165 --cipher-algo option. This option may be combined with --sign
166 (for a signed and symmetrically encrypted message), --encrypt
167 (for a message that may be decrypted via a secret key or a
168 passphrase), or --sign and --encrypt together (for a signed mes‐
169 sage that may be decrypted via a secret key or a passphrase).
170
171
172 --store
173 Store only (make a simple RFC1991 literal data packet).
174
175
176 --decrypt
177
178 -d Decrypt the file given on the command line (or STDIN if no file
179 is specified) and write it to STDOUT (or the file specified with
180 --output). If the decrypted file is signed, the signature is
181 also verified. This command differs from the default operation,
182 as it never writes to the filename which is included in the file
183 and it rejects files which don't begin with an encrypted mes‐
184 sage.
185
186
187 --verify
188 Assume that the first argument is a signed file and verify it
189 without generating any output. With no arguments, the signature
190 packet is read from STDIN. If only a one argument is given, it
191 is expected to be a complete signature.
192
193 With more than 1 argument, the first should be a detached signa‐
194 ture and the remaining files make up the the signed data. To
195 read the signed data from STDIN, use '-' as the second filename.
196 For security reasons a detached signature cannot read the signed
197 material from STDIN without denoting it in the above way.
198
199 Note: If the option --batch is not used, gpg may assume that a
200 single argument is a file with a detached signature and it will
201 try to find a matching data file by stripping certain suffixes.
202 Using this historical feature to verify a detached signature is
203 strongly discouraged; always specify the data file too.
204
205 Note: When verifying a cleartext signature, gpg verifies only
206 what makes up the cleartext signed data and not any extra data
207 outside of the cleartext signature or header lines following di‐
208 rectly the dash marker line. The option --output may be used to
209 write out the actual signed data; but there are other pitfalls
210 with this format as well. It is suggested to avoid cleartext
211 signatures in favor of detached signatures.
212
213
214
215 --multifile
216 This modifies certain other commands to accept multiple files
217 for processing on the command line or read from STDIN with each
218 filename on a separate line. This allows for many files to be
219 processed at once. --multifile may currently be used along with
220 --verify, --encrypt, and --decrypt. Note that --multifile --ver‐
221 ify may not be used with detached signatures.
222
223
224 --verify-files
225 Identical to --multifile --verify.
226
227
228 --encrypt-files
229 Identical to --multifile --encrypt.
230
231
232 --decrypt-files
233 Identical to --multifile --decrypt.
234
235
236 --list-keys
237
238 -k
239
240 --list-public-keys
241 List all keys from the public keyrings, or just the keys given
242 on the command line.
243
244 -k is slightly different from --list-keys in that it allows only
245 for one argument and takes the second argument as the keyring to
246 search. This is for command line compatibility with PGP 2 and
247 has been removed in gpg2.
248
249 Avoid using the output of this command in scripts or other pro‐
250 grams as it is likely to change as GnuPG changes. See --with-
251 colons for a machine-parseable key listing command that is ap‐
252 propriate for use in scripts and other programs.
253
254
255 --list-secret-keys
256
257 -K List all keys from the secret keyrings, or just the ones given
258 on the command line. A # after the letters sec means that the
259 secret key is not usable (for example, if it was created via
260 --export-secret-subkeys).
261
262
263 --list-sigs
264 Same as --list-keys, but the signatures are listed too.
265
266 For each signature listed, there are several flags in between
267 the "sig" tag and keyid. These flags give additional information
268 about each signature. From left to right, they are the numbers
269 1-3 for certificate check level (see --ask-cert-level), "L" for
270 a local or non-exportable signature (see --lsign-key), "R" for a
271 nonRevocable signature (see the --edit-key command "nrsign"),
272 "P" for a signature that contains a policy URL (see --cert-pol‐
273 icy-url), "N" for a signature that contains a notation (see
274 --cert-notation), "X" for an eXpired signature (see --ask-cert-
275 expire), and the numbers 1-9 or "T" for 10 and above to indicate
276 trust signature levels (see the --edit-key command "tsign").
277
278
279 --check-sigs
280 Same as --list-sigs, but the signatures are verified. Note that
281 for performance reasons the revocation status of a signing key
282 is not shown.
283
284 The status of the verification is indicated by a flag directly
285 following the "sig" tag (and thus before the flags described
286 above for --list-sigs). A "!" indicates that the signature has
287 been successfully verified, a "-" denotes a bad signature and a
288 "%" is used if an error occurred while checking the signature
289 (e.g. a non supported algorithm).
290
291
292
293 --fingerprint
294 List all keys (or the specified ones) along with their finger‐
295 prints. This is the same output as --list-keys but with the ad‐
296 ditional output of a line with the fingerprint. May also be com‐
297 bined with --list-sigs or --check-sigs. If this command is
298 given twice, the fingerprints of all secondary keys are listed
299 too.
300
301
302 --list-packets
303 List only the sequence of packets. This is mainly useful for de‐
304 bugging.
305
306
307
308 --card-edit
309 Present a menu to work with a smartcard. The subcommand "help"
310 provides an overview on available commands. For a detailed de‐
311 scription, please see the Card HOWTO at https://gnupg.org/docu‐
312 mentation/howtos.html#GnuPG-cardHOWTO .
313
314
315 --card-status
316 Show the content of the smart card.
317
318
319 --change-pin
320 Present a menu to allow changing the PIN of a smartcard. This
321 functionality is also available as the subcommand "passwd" with
322 the --card-edit command.
323
324
325 --delete-key name
326 Remove key from the public keyring. In batch mode either --yes
327 is required or the key must be specified by fingerprint. This is
328 a safeguard against accidental deletion of multiple keys.
329
330
331 --delete-secret-key name
332 Remove key from the secret keyring. In batch mode the key must
333 be specified by fingerprint.
334
335
336 --delete-secret-and-public-key name
337 Same as --delete-key, but if a secret key exists, it will be re‐
338 moved first. In batch mode the key must be specified by finger‐
339 print.
340
341
342 --export
343 Either export all keys from all keyrings (default keyrings and
344 those registered via option --keyring), or if at least one name
345 is given, those of the given name. The exported keys are written
346 to STDOUT or to the file given with option --output. Use to‐
347 gether with --armor to mail those keys.
348
349
350 --send-keys key IDs
351 Similar to --export but sends the keys to a keyserver. Finger‐
352 prints may be used instead of key IDs. Option --keyserver must
353 be used to give the name of this keyserver. Don't send your com‐
354 plete keyring to a keyserver --- select only those keys which
355 are new or changed by you. If no key IDs are given, gpg does
356 nothing.
357
358
359 --export-secret-keys
360
361 --export-secret-subkeys
362 Same as --export, but exports the secret keys instead. The ex‐
363 ported keys are written to STDOUT or to the file given with op‐
364 tion --output. This command is often used along with the option
365 --armor to allow easy printing of the key for paper backup; how‐
366 ever the external tool paperkey does a better job for creating
367 backups on paper. Note that exporting a secret key can be a se‐
368 curity risk if the exported keys are send over an insecure chan‐
369 nel.
370
371 The second form of the command has the special property to ren‐
372 der the secret part of the primary key useless; this is a GNU
373 extension to OpenPGP and other implementations can not be ex‐
374 pected to successfully import such a key. Its intended use is
375 to generated a full key with an additional signing subkey on a
376 dedicated machine and then using this command to export the key
377 without the primary key to the main machine.
378
379 See the option --simple-sk-checksum if you want to import an ex‐
380 ported secret key into ancient OpenPGP implementations.
381
382
383 --import
384
385 --fast-import
386 Import/merge keys. This adds the given keys to the keyring. The
387 fast version is currently just a synonym.
388
389 There are a few other options which control how this command
390 works. Most notable here is the --import-options merge-only op‐
391 tion which does not insert new keys but does only the merging of
392 new signatures, user-IDs and subkeys.
393
394
395 --recv-keys key IDs
396 Import the keys with the given key IDs from a keyserver. Option
397 --keyserver must be used to give the name of this keyserver.
398
399
400 --refresh-keys
401 Request updates from a keyserver for keys that already exist on
402 the local keyring. This is useful for updating a key with the
403 latest signatures, user IDs, etc. Calling this with no arguments
404 will refresh the entire keyring. Option --keyserver must be used
405 to give the name of the keyserver for all keys that do not have
406 preferred keyservers set (see --keyserver-options honor-key‐
407 server-url).
408
409
410 --search-keys names
411 Search the keyserver for the given names. Multiple names given
412 here will be joined together to create the search string for the
413 keyserver. Option --keyserver must be used to give the name of
414 this keyserver. Keyservers that support different search meth‐
415 ods allow using the syntax specified in "How to specify a user
416 ID" below. Note that different keyserver types support different
417 search methods. Currently only LDAP supports them all.
418
419
420 --fetch-keys URIs
421 Retrieve keys located at the specified URIs. Note that different
422 installations of GnuPG may support different protocols (HTTP,
423 FTP, LDAP, etc.)
424
425
426 --update-trustdb
427 Do trust database maintenance. This command iterates over all
428 keys and builds the Web of Trust. This is an interactive command
429 because it may have to ask for the "ownertrust" values for keys.
430 The user has to give an estimation of how far she trusts the
431 owner of the displayed key to correctly certify (sign) other
432 keys. GnuPG only asks for the ownertrust value if it has not yet
433 been assigned to a key. Using the --edit-key menu, the assigned
434 value can be changed at any time.
435
436
437 --check-trustdb
438 Do trust database maintenance without user interaction. From
439 time to time the trust database must be updated so that expired
440 keys or signatures and the resulting changes in the Web of Trust
441 can be tracked. Normally, GnuPG will calculate when this is re‐
442 quired and do it automatically unless --no-auto-check-trustdb is
443 set. This command can be used to force a trust database check at
444 any time. The processing is identical to that of --update-
445 trustdb but it skips keys with a not yet defined "ownertrust".
446
447 For use with cron jobs, this command can be used together with
448 --batch in which case the trust database check is done only if a
449 check is needed. To force a run even in batch mode add the op‐
450 tion --yes.
451
452
453
454 --export-ownertrust
455 Send the ownertrust values to STDOUT. This is useful for backup
456 purposes as these values are the only ones which can't be re-
457 created from a corrupted trustdb. Example:
458 gpg --export-ownertrust > otrust.txt
459
460
461
462 --import-ownertrust
463 Update the trustdb with the ownertrust values stored in files
464 (or STDIN if not given); existing values will be overwritten.
465 In case of a severely damaged trustdb and if you have a recent
466 backup of the ownertrust values (e.g. in the file ‘otrust.txt’,
467 you may re-create the trustdb using these commands:
468 cd ~/.gnupg
469 rm trustdb.gpg
470 gpg --import-ownertrust < otrust.txt
471
472
473
474 --rebuild-keydb-caches
475 When updating from version 1.0.6 to 1.0.7 this command should be
476 used to create signature caches in the keyring. It might be
477 handy in other situations too.
478
479
480 --print-md algo
481
482 --print-mds
483 Print message digest of algorithm ALGO for all given files or
484 STDIN. With the second form (or a deprecated "*" as algo) di‐
485 gests for all available algorithms are printed.
486
487
488 --gen-random 0|1|2 count
489 Emit count random bytes of the given quality level 0, 1 or 2. If
490 count is not given or zero, an endless sequence of random bytes
491 will be emitted. If used with --armor the output will be base64
492 encoded. PLEASE, don't use this command unless you know what
493 you are doing; it may remove precious entropy from the system!
494
495
496 --gen-prime mode bits
497 Use the source, Luke :-). The output format is still subject to
498 change.
499
500
501
502 --enarmor
503
504 --dearmor
505 Pack or unpack an arbitrary input into/from an OpenPGP ASCII ar‐
506 mor. This is a GnuPG extension to OpenPGP and in general not
507 very useful.
508
509
510
511
512
513 How to manage your keys
514
515
516 This section explains the main commands for key management
517
518
519
520 --gen-key
521 Generate a new key pair using the current default parameters.
522 This is the standard command to create a new key.
523
524 There is also a feature which allows you to create keys in batch
525 mode. See the the manual section ``Unattended key generation''
526 on how to use this.
527
528
529 --gen-revoke name
530 Generate a revocation certificate for the complete key. To re‐
531 voke a subkey or a signature, use the --edit command.
532
533
534 --desig-revoke name
535 Generate a designated revocation certificate for a key. This al‐
536 lows a user (with the permission of the keyholder) to revoke
537 someone else's key.
538
539
540
541 --edit-key
542 Present a menu which enables you to do most of the key manage‐
543 ment related tasks. It expects the specification of a key on
544 the command line.
545
546
547
548 uid n Toggle selection of user ID or photographic user ID with
549 index n. Use * to select all and 0 to deselect all.
550
551
552 key n Toggle selection of subkey with index n. Use * to select
553 all and 0 to deselect all.
554
555
556 sign Make a signature on key of user name If the key is not
557 yet signed by the default user (or the users given with
558 -u), the program displays the information of the key
559 again, together with its fingerprint and asks whether it
560 should be signed. This question is repeated for all users
561 specified with -u.
562
563
564 lsign Same as "sign" but the signature is marked as non-ex‐
565 portable and will therefore never be used by others. This
566 may be used to make keys valid only in the local environ‐
567 ment.
568
569
570 nrsign Same as "sign" but the signature is marked as non-revoca‐
571 ble and can therefore never be revoked.
572
573
574 tsign Make a trust signature. This is a signature that combines
575 the notions of certification (like a regular signature),
576 and trust (like the "trust" command). It is generally
577 only useful in distinct communities or groups.
578
579 Note that "l" (for local / non-exportable), "nr" (for non-revo‐
580 cable, and "t" (for trust) may be freely mixed and prefixed to
581 "sign" to create a signature of any type desired.
582
583
584
585 delsig Delete a signature. Note that it is not possible to re‐
586 tract a signature, once it has been send to the public
587 (i.e. to a keyserver). In that case you better use
588 revsig.
589
590
591 revsig Revoke a signature. For every signature which has been
592 generated by one of the secret keys, GnuPG asks whether a
593 revocation certificate should be generated.
594
595
596 check Check the signatures on all selected user IDs.
597
598
599 adduid Create an additional user ID.
600
601
602 addphoto
603 Create a photographic user ID. This will prompt for a
604 JPEG file that will be embedded into the user ID. Note
605 that a very large JPEG will make for a very large key.
606 Also note that some programs will display your JPEG un‐
607 changed (GnuPG), and some programs will scale it to fit
608 in a dialog box (PGP).
609
610
611 showphoto
612 Display the selected photographic user ID.
613
614
615 deluid Delete a user ID or photographic user ID. Note that it
616 is not possible to retract a user id, once it has been
617 send to the public (i.e. to a keyserver). In that case
618 you better use revuid.
619
620
621 revuid Revoke a user ID or photographic user ID.
622
623
624 primary
625 Flag the current user id as the primary one, removes the
626 primary user id flag from all other user ids and sets the
627 timestamp of all affected self-signatures one second
628 ahead. Note that setting a photo user ID as primary makes
629 it primary over other photo user IDs, and setting a regu‐
630 lar user ID as primary makes it primary over other regu‐
631 lar user IDs.
632
633
634 keyserver
635 Set a preferred keyserver for the specified user ID(s).
636 This allows other users to know where you prefer they get
637 your key from. See --keyserver-options honor-keyserver-
638 url for more on how this works. Setting a value of
639 "none" removes an existing preferred keyserver.
640
641
642 notation
643 Set a name=value notation for the specified user ID(s).
644 See --cert-notation for more on how this works. Setting a
645 value of "none" removes all notations, setting a notation
646 prefixed with a minus sign (-) removes that notation, and
647 setting a notation name (without the =value) prefixed
648 with a minus sign removes all notations with that name.
649
650
651 pref List preferences from the selected user ID. This shows
652 the actual preferences, without including any implied
653 preferences.
654
655
656 showpref
657 More verbose preferences listing for the selected user
658 ID. This shows the preferences in effect by including the
659 implied preferences of 3DES (cipher), SHA-1 (digest), and
660 Uncompressed (compression) if they are not already in‐
661 cluded in the preference list. In addition, the preferred
662 keyserver and signature notations (if any) are shown.
663
664
665 setpref string
666 Set the list of user ID preferences to string for all (or
667 just the selected) user IDs. Calling setpref with no ar‐
668 guments sets the preference list to the default (either
669 built-in or set via --default-preference-list), and call‐
670 ing setpref with "none" as the argument sets an empty
671 preference list. Use gpg --version to get a list of
672 available algorithms. Note that while you can change the
673 preferences on an attribute user ID (aka "photo ID"),
674 GnuPG does not select keys via attribute user IDs so
675 these preferences will not be used by GnuPG.
676
677 When setting preferences, you should list the algorithms
678 in the order which you'd like to see them used by someone
679 else when encrypting a message to your key. If you don't
680 include 3DES, it will be automatically added at the end.
681 Note that there are many factors that go into choosing an
682 algorithm (for example, your key may not be the only re‐
683 cipient), and so the remote OpenPGP application being
684 used to send to you may or may not follow your exact cho‐
685 sen order for a given message. It will, however, only
686 choose an algorithm that is present on the preference
687 list of every recipient key. See also the INTEROPERABIL‐
688 ITY WITH OTHER OPENPGP PROGRAMS section below.
689
690
691 addkey Add a subkey to this key.
692
693
694 addcardkey
695 Generate a subkey on a card and add it to this key.
696
697
698 keytocard
699 Transfer the selected secret subkey (or the primary key
700 if no subkey has been selected) to a smartcard. The se‐
701 cret key in the keyring will be replaced by a stub if the
702 key could be stored successfully on the card and you use
703 the save command later. Only certain key types may be
704 transferred to the card. A sub menu allows you to select
705 on what card to store the key. Note that it is not possi‐
706 ble to get that key back from the card - if the card gets
707 broken your secret key will be lost unless you have a
708 backup somewhere.
709
710
711 bkuptocard file
712 Restore the given file to a card. This command may be
713 used to restore a backup key (as generated during card
714 initialization) to a new card. In almost all cases this
715 will be the encryption key. You should use this command
716 only with the corresponding public key and make sure that
717 the file given as argument is indeed the backup to re‐
718 store. You should then select 2 to restore as encryption
719 key. You will first be asked to enter the passphrase of
720 the backup key and then for the Admin PIN of the card.
721
722
723 delkey Remove a subkey (secondart key). Note that it is not pos‐
724 sible to retract a subkey, once it has been send to the
725 public (i.e. to a keyserver). In that case you better
726 use revkey.
727
728
729 revkey Revoke a subkey.
730
731
732 expire Change the key or subkey expiration time. If a subkey is
733 selected, the expiration time of this subkey will be
734 changed. With no selection, the key expiration of the
735 primary key is changed.
736
737
738 trust Change the owner trust value for the key. This updates
739 the trust-db immediately and no save is required.
740
741
742 disable
743
744 enable Disable or enable an entire key. A disabled key can not
745 normally be used for encryption.
746
747
748 addrevoker
749 Add a designated revoker to the key. This takes one op‐
750 tional argument: "sensitive". If a designated revoker is
751 marked as sensitive, it will not be exported by default
752 (see export-options).
753
754
755 passwd Change the passphrase of the secret key.
756
757
758 toggle Toggle between public and secret key listing.
759
760
761 clean Compact (by removing all signatures except the selfsig)
762 any user ID that is no longer usable (e.g. revoked, or
763 expired). Then, remove any signatures that are not usable
764 by the trust calculations. Specifically, this removes
765 any signature that does not validate, any signature that
766 is superseded by a later signature, revoked signatures,
767 and signatures issued by keys that are not present on the
768 keyring.
769
770
771 minimize
772 Make the key as small as possible. This removes all sig‐
773 natures from each user ID except for the most recent
774 self-signature.
775
776
777 cross-certify
778 Add cross-certification signatures to signing subkeys
779 that may not currently have them. Cross-certification
780 signatures protect against a subtle attack against sign‐
781 ing subkeys. See --require-cross-certification. All new
782 keys generated have this signature by default, so this
783 option is only useful to bring older keys up to date.
784
785
786 save Save all changes to the key rings and quit.
787
788
789 quit Quit the program without updating the key rings.
790
791 The listing shows you the key with its secondary keys and all
792 user ids. The primary user id is indicated by a dot, and se‐
793 lected keys or user ids are indicated by an asterisk. The trust
794 value is displayed with the primary key: the first is the as‐
795 signed owner trust and the second is the calculated trust value.
796 Letters are used for the values:
797
798
799
800 - No ownertrust assigned / not yet calculated.
801
802
803 e Trust calculation has failed; probably due to an expired
804 key.
805
806
807 q Not enough information for calculation.
808
809
810 n Never trust this key.
811
812
813 m Marginally trusted.
814
815
816 f Fully trusted.
817
818
819 u Ultimately trusted.
820
821
822
823 --sign-key name
824 Signs a public key with your secret key. This is a shortcut ver‐
825 sion of the subcommand "sign" from --edit.
826
827
828 --lsign-key name
829 Signs a public key with your secret key but marks it as non-ex‐
830 portable. This is a shortcut version of the subcommand "lsign"
831 from --edit-key.
832
833
834
835
836
838 gpg features a bunch of options to control the exact behaviour and to
839 change the default configuration.
840
841
842 Long options can be put in an options file (default
843 "~/.gnupg/gpg.conf"). Short option names will not work - for example,
844 "armor" is a valid option for the options file, while "a" is not. Do
845 not write the 2 dashes, but simply the name of the option and any re‐
846 quired arguments. Lines with a hash ('#') as the first non-white-space
847 character are ignored. Commands may be put in this file too, but that
848 is not generally useful as the command will execute automatically with
849 every execution of gpg.
850
851 Please remember that option parsing stops as soon as a non-option is
852 encountered, you can explicitly stop parsing by using the special op‐
853 tion --.
854
855
856
857 How to change the configuration
858
859
860 These options are used to change the configuration and are usually
861 found in the option file.
862
863
864
865 --default-key name
866 Use name as the default key to sign with. If this option is not
867 used, the default key is the first key found in the secret
868 keyring. Note that -u or --local-user overrides this option.
869
870
871 --default-recipient name
872 Use name as default recipient if option --recipient is not used
873 and don't ask if this is a valid one. name must be non-empty.
874
875
876 --default-recipient-self
877 Use the default key as default recipient if option --recipient
878 is not used and don't ask if this is a valid one. The default
879 key is the first one from the secret keyring or the one set with
880 --default-key.
881
882
883 --no-default-recipient
884 Reset --default-recipient and --default-recipient-self.
885
886
887 -v, --verbose
888 Give more information during processing. If used twice, the in‐
889 put data is listed in detail.
890
891
892 --no-verbose
893 Reset verbose level to 0.
894
895
896 -q, --quiet
897 Try to be as quiet as possible.
898
899
900 --batch
901
902 --no-batch
903 Use batch mode. Never ask, do not allow interactive commands.
904 --no-batch disables this option. This option is commonly used
905 for unattended operations.
906
907 WARNING: Unattended operation bears a higher risk of being ex‐
908 posed to security attacks. In particular any unattended use of
909 GnuPG which involves the use of secret keys should take care not
910 to provide an decryption oracle. There are several standard
911 pre-cautions against being used as an oracle. For example never
912 return detailed error messages or any diagnostics printed by
913 your software to the remote site. Consult with an expert in
914 case of doubt.
915
916 Note that even with a filename given on the command line, gpg
917 might still need to read from STDIN (in particular if gpg fig‐
918 ures that the input is a detached signature and no data file has
919 been specified). Thus if you do not want to feed data via
920 STDIN, you should connect STDIN to ‘/dev/null’.
921
922
923
924 --no-tty
925 Make sure that the TTY (terminal) is never used for any output.
926 This option is needed in some cases because GnuPG sometimes
927 prints warnings to the TTY even if --batch is used.
928
929
930 --yes Assume "yes" on most questions.
931
932
933 --no Assume "no" on most questions.
934
935
936
937 --list-options parameters
938 This is a space or comma delimited string that gives options
939 used when listing keys and signatures (that is, --list-keys,
940 --list-sigs, --list-public-keys, --list-secret-keys, and the
941 --edit-key functions). Options can be prepended with a no- (af‐
942 ter the two dashes) to give the opposite meaning. The options
943 are:
944
945
946
947 show-photos
948 Causes --list-keys, --list-sigs, --list-public-keys, and
949 --list-secret-keys to display any photo IDs attached to
950 the key. Defaults to no. See also --photo-viewer. Does
951 not work with --with-colons: see --attribute-fd for the
952 appropriate way to get photo data for scripts and other
953 frontends.
954
955
956 show-usage
957 Show usage information for keys and subkeys in the stan‐
958 dard key listing. This is a list of letters indicating
959 the allowed usage for a key (E=encryption, S=signing,
960 C=certification, A=authentication). Defaults to no.
961
962
963 show-policy-urls
964 Show policy URLs in the --list-sigs or --check-sigs list‐
965 ings. Defaults to no.
966
967
968 show-notations
969
970 show-std-notations
971
972 show-user-notations
973 Show all, IETF standard, or user-defined signature nota‐
974 tions in the --list-sigs or --check-sigs listings. De‐
975 faults to no.
976
977
978 show-keyserver-urls
979 Show any preferred keyserver URL in the --list-sigs or
980 --check-sigs listings. Defaults to no.
981
982
983 show-uid-validity
984 Display the calculated validity of user IDs during key
985 listings. Defaults to no.
986
987
988 show-unusable-uids
989 Show revoked and expired user IDs in key listings. De‐
990 faults to no.
991
992
993 show-unusable-subkeys
994 Show revoked and expired subkeys in key listings. De‐
995 faults to no.
996
997
998 show-keyring
999 Display the keyring name at the head of key listings to
1000 show which keyring a given key resides on. Defaults to
1001 no.
1002
1003
1004 show-sig-expire
1005 Show signature expiration dates (if any) during --list-
1006 sigs or --check-sigs listings. Defaults to no.
1007
1008
1009 show-sig-subpackets
1010 Include signature subpackets in the key listing. This op‐
1011 tion can take an optional argument list of the subpackets
1012 to list. If no argument is passed, list all subpackets.
1013 Defaults to no. This option is only meaningful when using
1014 --with-colons along with --list-sigs or --check-sigs.
1015
1016
1017
1018 --verify-options parameters
1019 This is a space or comma delimited string that gives options
1020 used when verifying signatures. Options can be prepended with a
1021 `no-' to give the opposite meaning. The options are:
1022
1023
1024
1025 show-photos
1026 Display any photo IDs present on the key that issued the
1027 signature. Defaults to no. See also --photo-viewer.
1028
1029
1030 show-policy-urls
1031 Show policy URLs in the signature being verified. De‐
1032 faults to no.
1033
1034
1035 show-notations
1036
1037 show-std-notations
1038
1039 show-user-notations
1040 Show all, IETF standard, or user-defined signature nota‐
1041 tions in the signature being verified. Defaults to IETF
1042 standard.
1043
1044
1045 show-keyserver-urls
1046 Show any preferred keyserver URL in the signature being
1047 verified. Defaults to no.
1048
1049
1050 show-uid-validity
1051 Display the calculated validity of the user IDs on the
1052 key that issued the signature. Defaults to no.
1053
1054
1055 show-unusable-uids
1056 Show revoked and expired user IDs during signature veri‐
1057 fication. Defaults to no.
1058
1059
1060 show-primary-uid-only
1061 Show only the primary user ID during signature verifica‐
1062 tion. That is all the AKA lines as well as photo Ids are
1063 not shown with the signature verification status.
1064
1065
1066 pka-lookups
1067 Enable PKA lookups to verify sender addresses. Note that
1068 PKA is based on DNS, and so enabling this option may dis‐
1069 close information on when and what signatures are veri‐
1070 fied or to whom data is encrypted. This is similar to the
1071 "web bug" described for the auto-key-retrieve feature.
1072
1073
1074 pka-trust-increase
1075 Raise the trust in a signature to full if the signature
1076 passes PKA validation. This option is only meaningful if
1077 pka-lookups is set.
1078
1079
1080 --enable-large-rsa
1081
1082 --disable-large-rsa
1083 With --gen-key and --batch, enable the creation of larger RSA
1084 secret keys than is generally recommended (up to 8192 bits).
1085 These large keys are more expensive to use, and their signatures
1086 and certifications are also larger.
1087
1088
1089 --enable-dsa2
1090
1091 --disable-dsa2
1092 Enable hash truncation for all DSA keys even for old DSA Keys up
1093 to 1024 bit. This is also the default with --openpgp. Note
1094 that older versions of GnuPG also required this flag to allow
1095 the generation of DSA larger than 1024 bit.
1096
1097
1098 --photo-viewer string
1099 This is the command line that should be run to view a photo ID.
1100 "%i" will be expanded to a filename containing the photo. "%I"
1101 does the same, except the file will not be deleted once the
1102 viewer exits. Other flags are "%k" for the key ID, "%K" for the
1103 long key ID, "%f" for the key fingerprint, "%t" for the exten‐
1104 sion of the image type (e.g. "jpg"), "%T" for the MIME type of
1105 the image (e.g. "image/jpeg"), "%v" for the single-character
1106 calculated validity of the image being viewed (e.g. "f"), "%V"
1107 for the calculated validity as a string (e.g. "full"), "%U" for
1108 a base32 encoded hash of the user ID, and "%%" for an actual
1109 percent sign. If neither %i or %I are present, then the photo
1110 will be supplied to the viewer on standard input.
1111
1112 The default viewer is "xloadimage -fork -quiet -title 'KeyID
1113 0x%k' STDIN". Note that if your image viewer program is not se‐
1114 cure, then executing it from GnuPG does not make it secure.
1115
1116
1117 --exec-path string
1118 Sets a list of directories to search for photo viewers and key‐
1119 server helpers. If not provided, keyserver helpers use the com‐
1120 piled-in default directory, and photo viewers use the $PATH en‐
1121 vironment variable. Note, that on W32 system this value is ig‐
1122 nored when searching for keyserver helpers.
1123
1124
1125 --keyring file
1126 Add file to the current list of keyrings. If file begins with a
1127 tilde and a slash, these are replaced by the $HOME directory. If
1128 the filename does not contain a slash, it is assumed to be in
1129 the GnuPG home directory ("~/.gnupg" if --homedir or $GNUPGHOME
1130 is not used).
1131
1132 Note that this adds a keyring to the current list. If the intent
1133 is to use the specified keyring alone, use --keyring along with
1134 --no-default-keyring.
1135
1136
1137 --secret-keyring file
1138 Same as --keyring but for the secret keyrings.
1139
1140
1141 --primary-keyring file
1142 Designate file as the primary public keyring. This means that
1143 newly imported keys (via --import or keyserver --recv-from) will
1144 go to this keyring.
1145
1146
1147 --trustdb-name file
1148 Use file instead of the default trustdb. If file begins with a
1149 tilde and a slash, these are replaced by the $HOME directory. If
1150 the filename does not contain a slash, it is assumed to be in
1151 the GnuPG home directory (‘~/.gnupg’ if --homedir or $GNUPGHOME
1152 is not used).
1153
1154
1155
1156 --homedir dir
1157 Set the name of the home directory to dir. If this option is not
1158 used, the home directory defaults to ‘~/.gnupg’. It is only
1159 recognized when given on the command line. It also overrides
1160 any home directory stated through the environment variable
1161 ‘GNUPGHOME’ or (on Windows systems) by means of the Registry en‐
1162 try HKCU\Software\GNU\GnuPG:HomeDir.
1163
1164 On Windows systems it is possible to install GnuPG as a portable
1165 application. In this case only this command line option is con‐
1166 sidered, all other ways to set a home directory are ignored.
1167
1168 To install GnuPG as a portable application under Windows, create
1169 an empty file name ‘gpgconf.ctl’ in the same directory as the
1170 tool ‘gpgconf.exe’. The root of the installation is than that
1171 directory; or, if ‘gpgconf.exe’ has been installed directly be‐
1172 low a directory named ‘bin’, its parent directory. You also
1173 need to make sure that the following directories exist and are
1174 writable: ‘ROOT/home’ for the GnuPG home and
1175 ‘ROOT/var/cache/gnupg’ for internal cache files.
1176
1177
1178
1179 --pcsc-driver file
1180 Use file to access the smartcard reader. The current default is
1181 `libpcsclite.so.1' for GLIBC based systems, `/System/Li‐
1182 brary/Frameworks/PCSC.framework/PCSC' for MAC OS X, `win‐
1183 scard.dll' for Windows and `libpcsclite.so' for other systems.
1184
1185
1186 --disable-ccid
1187 Disable the integrated support for CCID compliant readers. This
1188 allows falling back to one of the other drivers even if the in‐
1189 ternal CCID driver can handle the reader. Note, that CCID sup‐
1190 port is only available if libusb was available at build time.
1191
1192
1193 --reader-port number_or_string
1194 This option may be used to specify the port of the card termi‐
1195 nal. A value of 0 refers to the first serial device; add 32768
1196 to access USB devices. The default is 32768 (first USB device).
1197 PC/SC or CCID readers might need a string here; run the program
1198 in verbose mode to get a list of available readers. The default
1199 is then the first reader found.
1200
1201
1202 --display-charset name
1203 Set the name of the native character set. This is used to con‐
1204 vert some informational strings like user IDs to the proper
1205 UTF-8 encoding. Note that this has nothing to do with the char‐
1206 acter set of data to be encrypted or signed; GnuPG does not re‐
1207 code user-supplied data. If this option is not used, the default
1208 character set is determined from the current locale. A verbosity
1209 level of 3 shows the chosen set. Valid values for name are:
1210
1211
1212
1213 iso-8859-1
1214 This is the Latin 1 set.
1215
1216
1217 iso-8859-2
1218 The Latin 2 set.
1219
1220
1221 iso-8859-15
1222 This is currently an alias for the Latin 1 set.
1223
1224
1225 koi8-r The usual Russian set (rfc1489).
1226
1227
1228 utf-8 Bypass all translations and assume that the OS uses na‐
1229 tive UTF-8 encoding.
1230
1231
1232 --utf8-strings
1233
1234 --no-utf8-strings
1235 Assume that command line arguments are given as UTF8 strings.
1236 The default (--no-utf8-strings) is to assume that arguments are
1237 encoded in the character set as specified by --display-charset.
1238 These options affect all following arguments. Both options may
1239 be used multiple times.
1240
1241
1242
1243 --options file
1244 Read options from file and do not try to read them from the de‐
1245 fault options file in the homedir (see --homedir). This option
1246 is ignored if used in an options file.
1247
1248
1249 --no-options
1250 Shortcut for --options /dev/null. This option is detected before
1251 an attempt to open an option file. Using this option will also
1252 prevent the creation of a ‘~/.gnupg’ homedir.
1253
1254
1255 -z n
1256
1257 --compress-level n
1258
1259 --bzip2-compress-level n
1260 Set compression level to n for the ZIP and ZLIB compression al‐
1261 gorithms. The default is to use the default compression level of
1262 zlib (normally 6). --bzip2-compress-level sets the compression
1263 level for the BZIP2 compression algorithm (defaulting to 6 as
1264 well). This is a different option from --compress-level since
1265 BZIP2 uses a significant amount of memory for each additional
1266 compression level. -z sets both. A value of 0 for n disables
1267 compression.
1268
1269
1270 --bzip2-decompress-lowmem
1271 Use a different decompression method for BZIP2 compressed files.
1272 This alternate method uses a bit more than half the memory, but
1273 also runs at half the speed. This is useful under extreme low
1274 memory circumstances when the file was originally compressed at
1275 a high --bzip2-compress-level.
1276
1277
1278
1279 --mangle-dos-filenames
1280
1281 --no-mangle-dos-filenames
1282 Older version of Windows cannot handle filenames with more than
1283 one dot. --mangle-dos-filenames causes GnuPG to replace (rather
1284 than add to) the extension of an output filename to avoid this
1285 problem. This option is off by default and has no effect on non-
1286 Windows platforms.
1287
1288
1289 --ask-cert-level
1290
1291 --no-ask-cert-level
1292 When making a key signature, prompt for a certification level.
1293 If this option is not specified, the certification level used is
1294 set via --default-cert-level. See --default-cert-level for in‐
1295 formation on the specific levels and how they are used. --no-
1296 ask-cert-level disables this option. This option defaults to no.
1297
1298
1299 --default-cert-level n
1300 The default to use for the check level when signing a key.
1301
1302 0 means you make no particular claim as to how carefully you
1303 verified the key.
1304
1305 1 means you believe the key is owned by the person who claims to
1306 own it but you could not, or did not verify the key at all. This
1307 is useful for a "persona" verification, where you sign the key
1308 of a pseudonymous user.
1309
1310 2 means you did casual verification of the key. For example,
1311 this could mean that you verified the key fingerprint and
1312 checked the user ID on the key against a photo ID.
1313
1314 3 means you did extensive verification of the key. For example,
1315 this could mean that you verified the key fingerprint with the
1316 owner of the key in person, and that you checked, by means of a
1317 hard to forge document with a photo ID (such as a passport) that
1318 the name of the key owner matches the name in the user ID on the
1319 key, and finally that you verified (by exchange of email) that
1320 the email address on the key belongs to the key owner.
1321
1322 Note that the examples given above for levels 2 and 3 are just
1323 that: examples. In the end, it is up to you to decide just what
1324 "casual" and "extensive" mean to you.
1325
1326 This option defaults to 0 (no particular claim).
1327
1328
1329 --min-cert-level
1330 When building the trust database, treat any signatures with a
1331 certification level below this as invalid. Defaults to 2, which
1332 disregards level 1 signatures. Note that level 0 "no particular
1333 claim" signatures are always accepted.
1334
1335
1336 --trusted-key long key ID
1337 Assume that the specified key (which must be given as a full 8
1338 byte key ID) is as trustworthy as one of your own secret keys.
1339 This option is useful if you don't want to keep your secret keys
1340 (or one of them) online but still want to be able to check the
1341 validity of a given recipient's or signator's key.
1342
1343
1344 --trust-model pgp|classic|direct|always|auto
1345 Set what trust model GnuPG should follow. The models are:
1346
1347
1348
1349 pgp This is the Web of Trust combined with trust signatures
1350 as used in PGP 5.x and later. This is the default trust
1351 model when creating a new trust database.
1352
1353
1354 classic
1355 This is the standard Web of Trust as introduced by PGP 2.
1356
1357
1358 direct Key validity is set directly by the user and not calcu‐
1359 lated via the Web of Trust.
1360
1361
1362 always Skip key validation and assume that used keys are always
1363 fully valid. You generally won't use this unless you are
1364 using some external validation scheme. This option also
1365 suppresses the "[uncertain]" tag printed with signature
1366 checks when there is no evidence that the user ID is
1367 bound to the key. Note that this trust model still does
1368 not allow the use of expired, revoked, or disabled keys.
1369
1370
1371 auto Select the trust model depending on whatever the internal
1372 trust database says. This is the default model if such a
1373 database already exists.
1374
1375
1376 --auto-key-locate parameters
1377
1378 --no-auto-key-locate
1379 GnuPG can automatically locate and retrieve keys as needed using
1380 this option. This happens when encrypting to an email address
1381 (in the "user@example.com" form), and there are no user@exam‐
1382 ple.com keys on the local keyring. This option takes any number
1383 of the following mechanisms, in the order they are to be tried:
1384
1385
1386
1387 cert Locate a key using DNS CERT, as specified in rfc4398.
1388
1389
1390 pka Locate a key using DNS PKA.
1391
1392
1393 ldap Using DNS Service Discovery, check the domain in question
1394 for any LDAP keyservers to use. If this fails, attempt
1395 to locate the key using the PGP Universal method of
1396 checking 'ldap://keys.(thedomain)'.
1397
1398
1399 keyserver
1400 Locate a key using whatever keyserver is defined using
1401 the --keyserver option.
1402
1403
1404 keyserver-URL
1405 In addition, a keyserver URL as used in the --keyserver
1406 option may be used here to query that particular key‐
1407 server.
1408
1409
1410 local Locate the key using the local keyrings. This mechanism
1411 allows the user to select the order a local key lookup is
1412 done. Thus using '--auto-key-locate local' is identical
1413 to --no-auto-key-locate.
1414
1415
1416 nodefault
1417 This flag disables the standard local key lookup, done
1418 before any of the mechanisms defined by the --auto-key-
1419 locate are tried. The position of this mechanism in the
1420 list does not matter. It is not required if local is
1421 also used.
1422
1423
1424 clear Clear all defined mechanisms. This is useful to override
1425 mechanisms given in a config file.
1426
1427
1428
1429 --keyid-format short|0xshort|long|0xlong
1430 Select how to display key IDs. "short" is the traditional
1431 8-character key ID. "long" is the more accurate (but less conve‐
1432 nient) 16-character key ID. Add an "0x" to either to include an
1433 "0x" at the beginning of the key ID, as in 0x99242560. Note
1434 that this option is ignored if the option --with-colons is used.
1435
1436
1437 --keyserver name
1438 Use name as your keyserver. This is the server that --recv-keys,
1439 --send-keys, and --search-keys will communicate with to receive
1440 keys from, send keys to, and search for keys on. The format of
1441 the name is a URI: `scheme:[//]keyservername[:port]' The scheme
1442 is the type of keyserver: "hkp" for the HTTP (or compatible)
1443 keyservers, "ldap" for the LDAP keyservers, or "mailto" for the
1444 Graff email keyserver. Note that your particular installation of
1445 GnuPG may have other keyserver types available as well. Key‐
1446 server schemes are case-insensitive. After the keyserver name,
1447 optional keyserver configuration options may be provided. These
1448 are the same as the global --keyserver-options from below, but
1449 apply only to this particular keyserver.
1450
1451 Most keyservers synchronize with each other, so there is gener‐
1452 ally no need to send keys to more than one server. The keyserver
1453 hkp://keys.gnupg.net uses round robin DNS to give a different
1454 keyserver each time you use it.
1455
1456
1457 --keyserver-options name=value1
1458 This is a space or comma delimited string that gives options for
1459 the keyserver. Options can be prefixed with a `no-' to give the
1460 opposite meaning. Valid import-options or export-options may be
1461 used here as well to apply to importing (--recv-key) or export‐
1462 ing (--send-key) a key from a keyserver. While not all options
1463 are available for all keyserver types, some common options are:
1464
1465
1466
1467 include-revoked
1468 When searching for a key with --search-keys, include keys
1469 that are marked on the keyserver as revoked. Note that
1470 not all keyservers differentiate between revoked and un‐
1471 revoked keys, and for such keyservers this option is
1472 meaningless. Note also that most keyservers do not have
1473 cryptographic verification of key revocations, and so
1474 turning this option off may result in skipping keys that
1475 are incorrectly marked as revoked.
1476
1477
1478 include-disabled
1479 When searching for a key with --search-keys, include keys
1480 that are marked on the keyserver as disabled. Note that
1481 this option is not used with HKP keyservers.
1482
1483
1484 auto-key-retrieve
1485 This option enables the automatic retrieving of keys from
1486 a keyserver when verifying signatures made by keys that
1487 are not on the local keyring.
1488
1489 Note that this option makes a "web bug" like behavior
1490 possible. Keyserver operators can see which keys you re‐
1491 quest, so by sending you a message signed by a brand new
1492 key (which you naturally will not have on your local
1493 keyring), the operator can tell both your IP address and
1494 the time when you verified the signature.
1495
1496
1497 honor-keyserver-url
1498 When using --refresh-keys, if the key in question has a
1499 preferred keyserver URL, then use that preferred key‐
1500 server to refresh the key from. In addition, if auto-key-
1501 retrieve is set, and the signature being verified has a
1502 preferred keyserver URL, then use that preferred key‐
1503 server to fetch the key from. Defaults to yes.
1504
1505
1506 honor-pka-record
1507 If auto-key-retrieve is set, and the signature being ver‐
1508 ified has a PKA record, then use the PKA information to
1509 fetch the key. Defaults to yes.
1510
1511
1512 include-subkeys
1513 When receiving a key, include subkeys as potential tar‐
1514 gets. Note that this option is not used with HKP key‐
1515 servers, as they do not support retrieving keys by subkey
1516 id.
1517
1518
1519 use-temp-files
1520 On most Unix-like platforms, GnuPG communicates with the
1521 keyserver helper program via pipes, which is the most ef‐
1522 ficient method. This option forces GnuPG to use temporary
1523 files to communicate. On some platforms (such as Win32
1524 and RISC OS), this option is always enabled.
1525
1526
1527 keep-temp-files
1528 If using `use-temp-files', do not delete the temp files
1529 after using them. This option is useful to learn the key‐
1530 server communication protocol by reading the temporary
1531 files.
1532
1533
1534 verbose
1535 Tell the keyserver helper program to be more verbose.
1536 This option can be repeated multiple times to increase
1537 the verbosity level.
1538
1539
1540 timeout
1541 Tell the keyserver helper program how long (in seconds)
1542 to try and perform a keyserver action before giving up.
1543 Note that performing multiple actions at the same time
1544 uses this timeout value per action. For example, when
1545 retrieving multiple keys via --recv-keys, the timeout ap‐
1546 plies separately to each key retrieval, and not to the
1547 --recv-keys command as a whole. Defaults to 30 seconds.
1548
1549
1550 http-proxy=value
1551 Set the proxy to use for HTTP and HKP keyservers. This
1552 overrides the "http_proxy" environment variable, if any.
1553
1554
1555
1556 max-cert-size
1557 When retrieving a key via DNS CERT, only accept keys up
1558 to this size. Defaults to 16384 bytes.
1559
1560
1561 debug Turn on debug output in the keyserver helper program.
1562 Note that the details of debug output depends on which
1563 keyserver helper program is being used, and in turn, on
1564 any libraries that the keyserver helper program uses in‐
1565 ternally (libcurl, openldap, etc).
1566
1567
1568 check-cert
1569 Enable certificate checking if the keyserver presents one
1570 (for hkps or ldaps). Defaults to on.
1571
1572
1573 ca-cert-file
1574 Provide a certificate store to override the system de‐
1575 fault. Only necessary if check-cert is enabled, and the
1576 keyserver is using a certificate that is not present in a
1577 system default certificate list.
1578
1579 Note that depending on the SSL library that the keyserver
1580 helper is built with, this may actually be a directory or
1581 a file.
1582
1583
1584
1585 --completes-needed n
1586 Number of completely trusted users to introduce a new key signer
1587 (defaults to 1).
1588
1589
1590 --marginals-needed n
1591 Number of marginally trusted users to introduce a new key signer
1592 (defaults to 3)
1593
1594
1595 --max-cert-depth n
1596 Maximum depth of a certification chain (default is 5).
1597
1598
1599 --simple-sk-checksum
1600 Secret keys are integrity protected by using a SHA-1 checksum.
1601 This method is part of the upcoming enhanced OpenPGP specifica‐
1602 tion but GnuPG already uses it as a countermeasure against cer‐
1603 tain attacks. Old applications don't understand this new for‐
1604 mat, so this option may be used to switch back to the old behav‐
1605 iour. Using this option bears a security risk. Note that using
1606 this option only takes effect when the secret key is encrypted -
1607 the simplest way to make this happen is to change the passphrase
1608 on the key (even changing it to the same value is acceptable).
1609
1610
1611 --no-sig-cache
1612 Do not cache the verification status of key signatures. Caching
1613 gives a much better performance in key listings. However, if you
1614 suspect that your public keyring is not save against write modi‐
1615 fications, you can use this option to disable the caching. It
1616 probably does not make sense to disable it because all kind of
1617 damage can be done if someone else has write access to your pub‐
1618 lic keyring.
1619
1620
1621 --no-sig-create-check
1622 This options is obsolete. It has no function.
1623
1624
1625 --auto-check-trustdb
1626
1627 --no-auto-check-trustdb
1628 If GnuPG feels that its information about the Web of Trust has
1629 to be updated, it automatically runs the --check-trustdb command
1630 internally. This may be a time consuming process. --no-auto-
1631 check-trustdb disables this option.
1632
1633
1634 --use-agent
1635
1636 --no-use-agent
1637 Try to use the GnuPG-Agent. With this option, GnuPG first tries
1638 to connect to the agent before it asks for a passphrase. --no-
1639 use-agent disables this option. Note, that the tool gpg-preset-
1640 passphrase, which comes with GnuPG-2, cannot be used to preset a
1641 passphrase for this version of GnuPG.
1642
1643
1644 --gpg-agent-info
1645 Override the value of the environment variable 'GPG_AGENT_INFO'.
1646 This is only used when --use-agent has been given. Given that
1647 this option is not anymore used by gpg2, it should be avoided if
1648 possible.
1649
1650
1651
1652 --lock-once
1653 Lock the databases the first time a lock is requested and do not
1654 release the lock until the process terminates.
1655
1656
1657 --lock-multiple
1658 Release the locks every time a lock is no longer needed. Use
1659 this to override a previous --lock-once from a config file.
1660
1661
1662 --lock-never
1663 Disable locking entirely. This option should be used only in
1664 very special environments, where it can be assured that only one
1665 process is accessing those files. A bootable floppy with a
1666 stand-alone encryption system will probably use this. Improper
1667 usage of this option may lead to data and key corruption.
1668
1669
1670 --exit-on-status-write-error
1671 This option will cause write errors on the status FD to immedi‐
1672 ately terminate the process. That should in fact be the default
1673 but it never worked this way and thus we need an option to en‐
1674 able this, so that the change won't break applications which
1675 close their end of a status fd connected pipe too early. Using
1676 this option along with --enable-progress-filter may be used to
1677 cleanly cancel long running gpg operations.
1678
1679
1680 --limit-card-insert-tries n
1681 With n greater than 0 the number of prompts asking to insert a
1682 smartcard gets limited to N-1. Thus with a value of 1 gpg won't
1683 at all ask to insert a card if none has been inserted at
1684 startup. This option is useful in the configuration file in case
1685 an application does not know about the smartcard support and
1686 waits ad infinitum for an inserted card.
1687
1688
1689 --no-random-seed-file
1690 GnuPG uses a file to store its internal random pool over invoca‐
1691 tions. This makes random generation faster; however sometimes
1692 write operations are not desired. This option can be used to
1693 achieve that with the cost of slower random generation.
1694
1695
1696 --no-greeting
1697 Suppress the initial copyright message.
1698
1699
1700 --no-secmem-warning
1701 Suppress the warning about "using insecure memory".
1702
1703
1704 --no-permission-warning
1705 Suppress the warning about unsafe file and home directory
1706 (--homedir) permissions. Note that the permission checks that
1707 GnuPG performs are not intended to be authoritative, but rather
1708 they simply warn about certain common permission problems. Do
1709 not assume that the lack of a warning means that your system is
1710 secure.
1711
1712 Note that the warning for unsafe --homedir permissions cannot be
1713 suppressed in the gpg.conf file, as this would allow an attacker
1714 to place an unsafe gpg.conf file in place, and use this file to
1715 suppress warnings about itself. The --homedir permissions warn‐
1716 ing may only be suppressed on the command line.
1717
1718
1719 --no-mdc-warning
1720 Suppress the warning about missing MDC integrity protection.
1721
1722
1723 --require-secmem
1724
1725 --no-require-secmem
1726 Refuse to run if GnuPG cannot get secure memory. Defaults to no
1727 (i.e. run, but give a warning).
1728
1729
1730
1731 --require-cross-certification
1732
1733 --no-require-cross-certification
1734 When verifying a signature made from a subkey, ensure that the
1735 cross certification "back signature" on the subkey is present
1736 and valid. This protects against a subtle attack against sub‐
1737 keys that can sign. Defaults to --require-cross-certification
1738 for gpg.
1739
1740
1741 --expert
1742
1743 --no-expert
1744 Allow the user to do certain nonsensical or "silly" things like
1745 signing an expired or revoked key, or certain potentially incom‐
1746 patible things like generating unusual key types. This also dis‐
1747 ables certain warning messages about potentially incompatible
1748 actions. As the name implies, this option is for experts only.
1749 If you don't fully understand the implications of what it allows
1750 you to do, leave this off. --no-expert disables this option.
1751
1752
1753
1754
1755
1756 Key related options
1757
1758
1759
1760
1761 --recipient name
1762
1763 -r Encrypt for user id name. If this option or --hidden-recipient
1764 is not specified, GnuPG asks for the user-id unless --default-
1765 recipient is given.
1766
1767
1768 --hidden-recipient name
1769
1770 -R Encrypt for user ID name, but hide the key ID of this user's
1771 key. This option helps to hide the receiver of the message and
1772 is a limited countermeasure against traffic analysis. If this
1773 option or --recipient is not specified, GnuPG asks for the user
1774 ID unless --default-recipient is given.
1775
1776
1777 --encrypt-to name
1778 Same as --recipient but this one is intended for use in the op‐
1779 tions file and may be used with your own user-id as an "encrypt-
1780 to-self". These keys are only used when there are other recipi‐
1781 ents given either by use of --recipient or by the asked user id.
1782 No trust checking is performed for these user ids and even dis‐
1783 abled keys can be used.
1784
1785
1786 --hidden-encrypt-to name
1787 Same as --hidden-recipient but this one is intended for use in
1788 the options file and may be used with your own user-id as a hid‐
1789 den "encrypt-to-self". These keys are only used when there are
1790 other recipients given either by use of --recipient or by the
1791 asked user id. No trust checking is performed for these user
1792 ids and even disabled keys can be used.
1793
1794
1795 --no-encrypt-to
1796 Disable the use of all --encrypt-to and --hidden-encrypt-to
1797 keys.
1798
1799
1800 --group name=value1
1801 Sets up a named group, which is similar to aliases in email pro‐
1802 grams. Any time the group name is a recipient (-r or --recipi‐
1803 ent), it will be expanded to the values specified. Multiple
1804 groups with the same name are automatically merged into a single
1805 group.
1806
1807 The values are key IDs or fingerprints, but any key description
1808 is accepted. Note that a value with spaces in it will be treated
1809 as two different values. Note also there is only one level of
1810 expansion --- you cannot make an group that points to another
1811 group. When used from the command line, it may be necessary to
1812 quote the argument to this option to prevent the shell from
1813 treating it as multiple arguments.
1814
1815
1816 --ungroup name
1817 Remove a given entry from the --group list.
1818
1819
1820 --no-groups
1821 Remove all entries from the --group list.
1822
1823
1824 --local-user name
1825
1826 -u Use name as the key to sign with. Note that this option over‐
1827 rides --default-key.
1828
1829
1830 --try-all-secrets
1831 Don't look at the key ID as stored in the message but try all
1832 secret keys in turn to find the right decryption key. This op‐
1833 tion forces the behaviour as used by anonymous recipients (cre‐
1834 ated by using --throw-keyids or --hidden-recipient) and might
1835 come handy in case where an encrypted message contains a bogus
1836 key ID.
1837
1838
1839
1840
1841
1842 Input and Output
1843
1844
1845
1846
1847 --armor
1848
1849 -a Create ASCII armored output. The default is to create the bi‐
1850 nary OpenPGP format.
1851
1852
1853 --no-armor
1854 Assume the input data is not in ASCII armored format.
1855
1856
1857 --output file
1858
1859 -o file
1860 Write output to file.
1861
1862
1863 --max-output n
1864 This option sets a limit on the number of bytes that will be
1865 generated when processing a file. Since OpenPGP supports various
1866 levels of compression, it is possible that the plaintext of a
1867 given message may be significantly larger than the original
1868 OpenPGP message. While GnuPG works properly with such messages,
1869 there is often a desire to set a maximum file size that will be
1870 generated before processing is forced to stop by the OS limits.
1871 Defaults to 0, which means "no limit".
1872
1873
1874 --import-options parameters
1875 This is a space or comma delimited string that gives options for
1876 importing keys. Options can be prepended with a `no-' to give
1877 the opposite meaning. The options are:
1878
1879
1880
1881 import-local-sigs
1882 Allow importing key signatures marked as "local". This is
1883 not generally useful unless a shared keyring scheme is
1884 being used. Defaults to no.
1885
1886
1887 keep-ownertrust
1888 Normally possible still existing ownertrust values of a
1889 key are cleared if a key is imported. This is in general
1890 desirable so that a formerly deleted key does not auto‐
1891 matically gain an ownertrust values merely due to import.
1892 On the other hand it is sometimes necessary to re-import
1893 a trusted set of keys again but keeping already assigned
1894 ownertrust values. This can be achieved by using this
1895 option.
1896
1897
1898 repair-pks-subkey-bug
1899 During import, attempt to repair the damage caused by the
1900 PKS keyserver bug (pre version 0.9.6) that mangles keys
1901 with multiple subkeys. Note that this cannot completely
1902 repair the damaged key as some crucial data is removed by
1903 the keyserver, but it does at least give you back one
1904 subkey. Defaults to no for regular --import and to yes
1905 for keyserver --recv-keys.
1906
1907
1908 merge-only
1909 During import, allow key updates to existing keys, but do
1910 not allow any new keys to be imported. Defaults to no.
1911
1912
1913 import-clean
1914 After import, compact (remove all signatures except the
1915 self-signature) any user IDs from the new key that are
1916 not usable. Then, remove any signatures from the new key
1917 that are not usable. This includes signatures that were
1918 issued by keys that are not present on the keyring. This
1919 option is the same as running the --edit-key command
1920 "clean" after import. Defaults to no.
1921
1922
1923 import-minimal
1924 Import the smallest key possible. This removes all signa‐
1925 tures except the most recent self-signature on each user
1926 ID. This option is the same as running the --edit-key
1927 command "minimize" after import. Defaults to no.
1928
1929
1930 --export-options parameters
1931 This is a space or comma delimited string that gives options for
1932 exporting keys. Options can be prepended with a `no-' to give
1933 the opposite meaning. The options are:
1934
1935
1936
1937 export-local-sigs
1938 Allow exporting key signatures marked as "local". This is
1939 not generally useful unless a shared keyring scheme is
1940 being used. Defaults to no.
1941
1942
1943 export-attributes
1944 Include attribute user IDs (photo IDs) while exporting.
1945 This is useful to export keys if they are going to be
1946 used by an OpenPGP program that does not accept attribute
1947 user IDs. Defaults to yes.
1948
1949
1950 export-sensitive-revkeys
1951 Include designated revoker information that was marked as
1952 "sensitive". Defaults to no.
1953
1954
1955 export-reset-subkey-passwd
1956 When using the --export-secret-subkeys command, this op‐
1957 tion resets the passphrases for all exported subkeys to
1958 empty. This is useful when the exported subkey is to be
1959 used on an unattended machine where a passphrase doesn't
1960 necessarily make sense. Defaults to no.
1961
1962
1963 export-clean
1964 Compact (remove all signatures from) user IDs on the key
1965 being exported if the user IDs are not usable. Also, do
1966 not export any signatures that are not usable. This in‐
1967 cludes signatures that were issued by keys that are not
1968 present on the keyring. This option is the same as run‐
1969 ning the --edit-key command "clean" before export except
1970 that the local copy of the key is not modified. Defaults
1971 to no.
1972
1973
1974 export-minimal
1975 Export the smallest key possible. This removes all signa‐
1976 tures except the most recent self-signature on each user
1977 ID. This option is the same as running the --edit-key
1978 command "minimize" before export except that the local
1979 copy of the key is not modified. Defaults to no.
1980
1981
1982 --with-colons
1983 Print key listings delimited by colons. Note that the output
1984 will be encoded in UTF-8 regardless of any --display-charset
1985 setting. This format is useful when GnuPG is called from scripts
1986 and other programs as it is easily machine parsed. The details
1987 of this format are documented in the file ‘doc/DETAILS’, which
1988 is included in the GnuPG source distribution.
1989
1990
1991 --fixed-list-mode
1992 Do not merge primary user ID and primary key in --with-colon
1993 listing mode and print all timestamps as seconds since
1994 1970-01-01.
1995
1996
1997 --with-fingerprint
1998 Same as the command --fingerprint but changes only the format of
1999 the output and may be used together with another command.
2000
2001
2002
2003
2004 OpenPGP protocol specific options.
2005
2006
2007
2008
2009 -t, --textmode
2010
2011 --no-textmode
2012 Treat input files as text and store them in the OpenPGP canoni‐
2013 cal text form with standard "CRLF" line endings. This also sets
2014 the necessary flags to inform the recipient that the encrypted
2015 or signed data is text and may need its line endings converted
2016 back to whatever the local system uses. This option is useful
2017 when communicating between two platforms that have different
2018 line ending conventions (UNIX-like to Mac, Mac to Windows, etc).
2019 --no-textmode disables this option, and is the default.
2020
2021 If -t (but not --textmode) is used together with armoring and
2022 signing, this enables clearsigned messages. This kludge is
2023 needed for command-line compatibility with command-line versions
2024 of PGP; normally you would use --sign or --clearsign to select
2025 the type of the signature.
2026
2027
2028 --force-v3-sigs
2029
2030 --no-force-v3-sigs
2031 OpenPGP states that an implementation should generate v4 signa‐
2032 tures but PGP versions 5 through 7 only recognize v4 signatures
2033 on key material. This option forces v3 signatures for signatures
2034 on data. Note that this option implies --no-ask-sig-expire, and
2035 unsets --sig-policy-url, --sig-notation, and --sig-keyserver-
2036 url, as these features cannot be used with v3 signatures. --no-
2037 force-v3-sigs disables this option. Defaults to no.
2038
2039
2040 --force-v4-certs
2041
2042 --no-force-v4-certs
2043 Always use v4 key signatures even on v3 keys. This option also
2044 changes the default hash algorithm for v3 RSA keys from MD5 to
2045 SHA-1. --no-force-v4-certs disables this option.
2046
2047
2048 --force-mdc
2049 Force the use of encryption with a modification detection code.
2050 This is always used with the newer ciphers (those with a block‐
2051 size greater than 64 bits), or if all of the recipient keys in‐
2052 dicate MDC support in their feature flags.
2053
2054
2055 --disable-mdc
2056 Disable the use of the modification detection code. Note that by
2057 using this option, the encrypted message becomes vulnerable to a
2058 message modification attack.
2059
2060
2061 --personal-cipher-preferences string
2062 Set the list of personal cipher preferences to string. Use gpg
2063 --version to get a list of available algorithms, and use none to
2064 set no preference at all. This allows the user to safely over‐
2065 ride the algorithm chosen by the recipient key preferences, as
2066 GPG will only select an algorithm that is usable by all recipi‐
2067 ents. The most highly ranked cipher in this list is also used
2068 for the --symmetric encryption command.
2069
2070
2071 --personal-digest-preferences string
2072 Set the list of personal digest preferences to string. Use gpg
2073 --version to get a list of available algorithms, and use none to
2074 set no preference at all. This allows the user to safely over‐
2075 ride the algorithm chosen by the recipient key preferences, as
2076 GPG will only select an algorithm that is usable by all recipi‐
2077 ents. The most highly ranked digest algorithm in this list is
2078 also used when signing without encryption (e.g. --clearsign or
2079 --sign).
2080
2081
2082 --personal-compress-preferences string
2083 Set the list of personal compression preferences to string. Use
2084 gpg --version to get a list of available algorithms, and use
2085 none to set no preference at all. This allows the user to
2086 safely override the algorithm chosen by the recipient key pref‐
2087 erences, as GPG will only select an algorithm that is usable by
2088 all recipients. The most highly ranked compression algorithm in
2089 this list is also used when there are no recipient keys to con‐
2090 sider (e.g. --symmetric).
2091
2092
2093 --s2k-cipher-algo name
2094 Use name as the cipher algorithm used to protect secret keys.
2095 The default cipher is AES128. This cipher is also used for con‐
2096 ventional encryption if --personal-cipher-preferences and --ci‐
2097 pher-algo is not given.
2098
2099
2100 --s2k-digest-algo name
2101 Use name as the digest algorithm used to mangle the passphrases.
2102 The default algorithm is SHA-1.
2103
2104
2105 --s2k-mode n
2106 Selects how passphrases are mangled. If n is 0 a plain
2107 passphrase (which is not recommended) will be used, a 1 adds a
2108 salt to the passphrase and a 3 (the default) iterates the whole
2109 process a number of times (see --s2k-count). Unless --rfc1991
2110 is used, this mode is also used for conventional encryption.
2111
2112
2113 --s2k-count n
2114 Specify how many times the passphrase mangling is repeated.
2115 This value may range between 1024 and 65011712 inclusive. The
2116 default is inquired from gpg-agent. Note that not all values in
2117 the 1024-65011712 range are legal and if an illegal value is se‐
2118 lected, GnuPG will round up to the nearest legal value. This
2119 option is only meaningful if --s2k-mode is 3.
2120
2121
2122
2123
2124
2125 Compliance options
2126
2127
2128 These options control what GnuPG is compliant to. Only one of these op‐
2129 tions may be active at a time. Note that the default setting of this is
2130 nearly always the correct one. See the INTEROPERABILITY WITH OTHER
2131 OPENPGP PROGRAMS section below before using one of these options.
2132
2133
2134
2135 --gnupg
2136 Use standard GnuPG behavior. This is essentially OpenPGP behav‐
2137 ior (see --openpgp), but with some additional workarounds for
2138 common compatibility problems in different versions of PGP. This
2139 is the default option, so it is not generally needed, but it may
2140 be useful to override a different compliance option in the
2141 gpg.conf file.
2142
2143
2144 --openpgp
2145 Reset all packet, cipher and digest options to strict OpenPGP
2146 behavior. Use this option to reset all previous options like
2147 --s2k-*, --cipher-algo, --digest-algo and --compress-algo to
2148 OpenPGP compliant values. All PGP workarounds are disabled.
2149
2150
2151 --rfc4880
2152 Reset all packet, cipher and digest options to strict RFC-4880
2153 behavior. Note that this is currently the same thing as
2154 --openpgp.
2155
2156
2157 --rfc2440
2158 Reset all packet, cipher and digest options to strict RFC-2440
2159 behavior.
2160
2161
2162 --rfc1991
2163 Try to be more RFC-1991 (PGP 2.x) compliant. This option is
2164 deprecated will be removed in GnuPG 2.1.
2165
2166
2167 --pgp2 Set up all options to be as PGP 2.x compliant as possible, and
2168 warn if an action is taken (e.g. encrypting to a non-RSA key)
2169 that will create a message that PGP 2.x will not be able to han‐
2170 dle. Note that `PGP 2.x' here means `MIT PGP 2.6.2'. There are
2171 other versions of PGP 2.x available, but the MIT release is a
2172 good common baseline.
2173
2174 This option implies --rfc1991 --disable-mdc --no-force-v4-certs
2175 --escape-from-lines --force-v3-sigs --allow-weak-digest-algos
2176 --cipher-algo IDEA --digest-algo MD5 --compress-algo ZIP. It
2177 also disables --textmode when encrypting.
2178
2179 This option is deprecated will be removed in GnuPG 2.1. The
2180 reason for dropping PGP-2 support is that the PGP 2 format is
2181 not anymore considered safe (for example due to the use of the
2182 broken MD5 algorithm). Note that the decryption of PGP-2 cre‐
2183 ated messages will continue to work.
2184
2185
2186 --pgp6 Set up all options to be as PGP 6 compliant as possible. This
2187 restricts you to the ciphers IDEA (if the IDEA plugin is in‐
2188 stalled), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
2189 and the compression algorithms none and ZIP. This also disables
2190 --throw-keyids, and making signatures with signing subkeys as
2191 PGP 6 does not understand signatures made by signing subkeys.
2192
2193 This option implies --disable-mdc --escape-from-lines --force-
2194 v3-sigs.
2195
2196
2197 --pgp7 Set up all options to be as PGP 7 compliant as possible. This is
2198 identical to --pgp6 except that MDCs are not disabled, and the
2199 list of allowable ciphers is expanded to add AES128, AES192,
2200 AES256, and TWOFISH.
2201
2202
2203 --pgp8 Set up all options to be as PGP 8 compliant as possible. PGP 8
2204 is a lot closer to the OpenPGP standard than previous versions
2205 of PGP, so all this does is disable --throw-keyids and set --es‐
2206 cape-from-lines. All algorithms are allowed except for the
2207 SHA224, SHA384, and SHA512 digests.
2208
2209
2210
2211
2212
2213 Doing things one usually doesn't want to do.
2214
2215
2216
2217
2218 -n
2219
2220 --dry-run
2221 Don't make any changes (this is not completely implemented).
2222
2223
2224 --list-only
2225 Changes the behaviour of some commands. This is like --dry-run
2226 but different in some cases. The semantic of this command may be
2227 extended in the future. Currently it only skips the actual de‐
2228 cryption pass and therefore enables a fast listing of the en‐
2229 cryption keys.
2230
2231
2232 -i
2233
2234 --interactive
2235 Prompt before overwriting any files.
2236
2237
2238 --debug-level level
2239 Select the debug level for investigating problems. level may be
2240 a numeric value or by a keyword:
2241
2242
2243 none No debugging at all. A value of less than 1 may be used
2244 instead of the keyword.
2245
2246 basic Some basic debug messages. A value between 1 and 2 may
2247 be used instead of the keyword.
2248
2249 advanced
2250 More verbose debug messages. A value between 3 and 5 may
2251 be used instead of the keyword.
2252
2253 expert Even more detailed messages. A value between 6 and 8 may
2254 be used instead of the keyword.
2255
2256 guru All of the debug messages you can get. A value greater
2257 than 8 may be used instead of the keyword. The creation
2258 of hash tracing files is only enabled if the keyword is
2259 used.
2260
2261 How these messages are mapped to the actual debugging flags is not
2262 specified and may change with newer releases of this program. They are
2263 however carefully selected to best aid in debugging.
2264
2265
2266 --debug flags
2267 Set debugging flags. All flags are or-ed and flags may be given
2268 in C syntax (e.g. 0x0042).
2269
2270
2271 --debug-all
2272 Set all useful debugging flags.
2273
2274
2275 --debug-ccid-driver
2276 Enable debug output from the included CCID driver for smart‐
2277 cards. Note that this option is only available on some system.
2278
2279
2280 --enable-progress-filter
2281 Enable certain PROGRESS status outputs. This option allows
2282 frontends to display a progress indicator while gpg is process‐
2283 ing larger files. There is a slight performance overhead using
2284 it.
2285
2286
2287 --status-fd n
2288 Write special status strings to the file descriptor n. See the
2289 file DETAILS in the documentation for a listing of them.
2290
2291
2292 --status-file file
2293 Same as --status-fd, except the status data is written to file
2294 file.
2295
2296
2297 --logger-fd n
2298 Write log output to file descriptor n and not to STDERR.
2299
2300
2301 --log-file file
2302
2303 --logger-file file
2304 Same as --logger-fd, except the logger data is written to file
2305 file. Note that --log-file is only implemented for GnuPG-2.
2306
2307
2308 --attribute-fd n
2309 Write attribute subpackets to the file descriptor n. This is
2310 most useful for use with --status-fd, since the status messages
2311 are needed to separate out the various subpackets from the
2312 stream delivered to the file descriptor.
2313
2314
2315 --attribute-file file
2316 Same as --attribute-fd, except the attribute data is written to
2317 file file.
2318
2319
2320 --comment string
2321
2322 --no-comments
2323 Use string as a comment string in clear text signatures and
2324 ASCII armored messages or keys (see --armor). The default behav‐
2325 ior is not to use a comment string. --comment may be repeated
2326 multiple times to get multiple comment strings. --no-comments
2327 removes all comments. It is a good idea to keep the length of a
2328 single comment below 60 characters to avoid problems with mail
2329 programs wrapping such lines. Note that comment lines, like all
2330 other header lines, are not protected by the signature.
2331
2332
2333 --emit-version
2334
2335 --no-emit-version
2336 Force inclusion of the version string in ASCII armored output.
2337 If given once only the name of the program and the major number
2338 is emitted, given twice the minor is also emitted, given triple
2339 the micro is added, and given quad an operating system identifi‐
2340 cation is also emitted. --no-emit-version (default) disables
2341 the version line.
2342
2343
2344 --sig-notation name=value
2345
2346 --cert-notation name=value
2347
2348 -N, --set-notation name=value
2349 Put the name value pair into the signature as notation data.
2350 name must consist only of printable characters or spaces, and
2351 must contain a '@' character in the form keyname@domain.exam‐
2352 ple.com (substituting the appropriate keyname and domain name,
2353 of course). This is to help prevent pollution of the IETF re‐
2354 served notation namespace. The --expert flag overrides the '@'
2355 check. value may be any printable string; it will be encoded in
2356 UTF8, so you should check that your --display-charset is set
2357 correctly. If you prefix name with an exclamation mark (!), the
2358 notation data will be flagged as critical (rfc4880:5.2.3.16).
2359 --sig-notation sets a notation for data signatures. --cert-nota‐
2360 tion sets a notation for key signatures (certifications). --set-
2361 notation sets both.
2362
2363 There are special codes that may be used in notation names. "%k"
2364 will be expanded into the key ID of the key being signed, "%K"
2365 into the long key ID of the key being signed, "%f" into the fin‐
2366 gerprint of the key being signed, "%s" into the key ID of the
2367 key making the signature, "%S" into the long key ID of the key
2368 making the signature, "%g" into the fingerprint of the key mak‐
2369 ing the signature (which might be a subkey), "%p" into the fin‐
2370 gerprint of the primary key of the key making the signature,
2371 "%c" into the signature count from the OpenPGP smartcard, and
2372 "%%" results in a single "%". %k, %K, and %f are only meaningful
2373 when making a key signature (certification), and %c is only
2374 meaningful when using the OpenPGP smartcard.
2375
2376
2377 --sig-policy-url string
2378
2379 --cert-policy-url string
2380
2381 --set-policy-url string
2382 Use string as a Policy URL for signatures (rfc4880:5.2.3.20).
2383 If you prefix it with an exclamation mark (!), the policy URL
2384 packet will be flagged as critical. --sig-policy-url sets a pol‐
2385 icy url for data signatures. --cert-policy-url sets a policy url
2386 for key signatures (certifications). --set-policy-url sets both.
2387
2388 The same %-expandos used for notation data are available here as
2389 well.
2390
2391
2392 --sig-keyserver-url string
2393 Use string as a preferred keyserver URL for data signatures. If
2394 you prefix it with an exclamation mark (!), the keyserver URL
2395 packet will be flagged as critical.
2396
2397 The same %-expandos used for notation data are available here as
2398 well.
2399
2400
2401 --set-filename string
2402 Use string as the filename which is stored inside messages.
2403 This overrides the default, which is to use the actual filename
2404 of the file being encrypted.
2405
2406
2407 --for-your-eyes-only
2408
2409 --no-for-your-eyes-only
2410 Set the `for your eyes only' flag in the message. This causes
2411 GnuPG to refuse to save the file unless the --output option is
2412 given, and PGP to use a "secure viewer" with a claimed Tempest-
2413 resistant font to display the message. This option overrides
2414 --set-filename. --no-for-your-eyes-only disables this option.
2415
2416
2417 --use-embedded-filename
2418
2419 --no-use-embedded-filename
2420 Try to create a file with a name as embedded in the data. This
2421 can be a dangerous option as it enables overwriting files. De‐
2422 faults to no.
2423
2424
2425 --cipher-algo name
2426 Use name as cipher algorithm. Running the program with the com‐
2427 mand --version yields a list of supported algorithms. If this is
2428 not used the cipher algorithm is selected from the preferences
2429 stored with the key. In general, you do not want to use this op‐
2430 tion as it allows you to violate the OpenPGP standard. --per‐
2431 sonal-cipher-preferences is the safe way to accomplish the same
2432 thing.
2433
2434
2435 --digest-algo name
2436 Use name as the message digest algorithm. Running the program
2437 with the command --version yields a list of supported algo‐
2438 rithms. In general, you do not want to use this option as it al‐
2439 lows you to violate the OpenPGP standard. --personal-digest-
2440 preferences is the safe way to accomplish the same thing.
2441
2442
2443 --compress-algo name
2444 Use compression algorithm name. "zlib" is RFC-1950 ZLIB compres‐
2445 sion. "zip" is RFC-1951 ZIP compression which is used by PGP.
2446 "bzip2" is a more modern compression scheme that can compress
2447 some things better than zip or zlib, but at the cost of more
2448 memory used during compression and decompression. "uncompressed"
2449 or "none" disables compression. If this option is not used, the
2450 default behavior is to examine the recipient key preferences to
2451 see which algorithms the recipient supports. If all else fails,
2452 ZIP is used for maximum compatibility.
2453
2454 ZLIB may give better compression results than ZIP, as the com‐
2455 pression window size is not limited to 8k. BZIP2 may give even
2456 better compression results than that, but will use a signifi‐
2457 cantly larger amount of memory while compressing and decompress‐
2458 ing. This may be significant in low memory situations. Note,
2459 however, that PGP (all versions) only supports ZIP compression.
2460 Using any algorithm other than ZIP or "none" will make the mes‐
2461 sage unreadable with PGP. In general, you do not want to use
2462 this option as it allows you to violate the OpenPGP standard.
2463 --personal-compress-preferences is the safe way to accomplish
2464 the same thing.
2465
2466
2467 --cert-digest-algo name
2468 Use name as the message digest algorithm used when signing a
2469 key. Running the program with the command --version yields a
2470 list of supported algorithms. Be aware that if you choose an al‐
2471 gorithm that GnuPG supports but other OpenPGP implementations do
2472 not, then some users will not be able to use the key signatures
2473 you make, or quite possibly your entire key.
2474
2475
2476 --disable-cipher-algo name
2477 Never allow the use of name as cipher algorithm. The given name
2478 will not be checked so that a later loaded algorithm will still
2479 get disabled.
2480
2481
2482 --disable-pubkey-algo name
2483 Never allow the use of name as public key algorithm. The given
2484 name will not be checked so that a later loaded algorithm will
2485 still get disabled.
2486
2487
2488 --throw-keyids
2489
2490 --no-throw-keyids
2491 Do not put the recipient key IDs into encrypted messages. This
2492 helps to hide the receivers of the message and is a limited
2493 countermeasure against traffic analysis. ([Using a little social
2494 engineering anyone who is able to decrypt the message can check
2495 whether one of the other recipients is the one he suspects.])
2496 On the receiving side, it may slow down the decryption process
2497 because all available secret keys must be tried. --no-throw-
2498 keyids disables this option. This option is essentially the same
2499 as using --hidden-recipient for all recipients.
2500
2501
2502 --not-dash-escaped
2503 This option changes the behavior of cleartext signatures so that
2504 they can be used for patch files. You should not send such an
2505 armored file via email because all spaces and line endings are
2506 hashed too. You can not use this option for data which has 5
2507 dashes at the beginning of a line, patch files don't have this.
2508 A special armor header line tells GnuPG about this cleartext
2509 signature option.
2510
2511
2512 --escape-from-lines
2513
2514 --no-escape-from-lines
2515 Because some mailers change lines starting with "From " to
2516 ">From " it is good to handle such lines in a special way when
2517 creating cleartext signatures to prevent the mail system from
2518 breaking the signature. Note that all other PGP versions do it
2519 this way too. Enabled by default. --no-escape-from-lines dis‐
2520 ables this option.
2521
2522
2523 --passphrase-repeat n
2524 Specify how many times gpg will request a new passphrase be re‐
2525 peated. This is useful for helping memorize a passphrase. De‐
2526 faults to 1 repetition.
2527
2528
2529 --passphrase-fd n
2530 Read the passphrase from file descriptor n. Only the first line
2531 will be read from file descriptor n. If you use 0 for n, the
2532 passphrase will be read from STDIN. This can only be used if
2533 only one passphrase is supplied.
2534
2535
2536 --passphrase-file file
2537 Read the passphrase from file file. Only the first line will be
2538 read from file file. This can only be used if only one
2539 passphrase is supplied. Obviously, a passphrase stored in a file
2540 is of questionable security if other users can read this file.
2541 Don't use this option if you can avoid it.
2542
2543
2544 --passphrase string
2545 Use string as the passphrase. This can only be used if only one
2546 passphrase is supplied. Obviously, this is of very questionable
2547 security on a multi-user system. Don't use this option if you
2548 can avoid it.
2549
2550
2551 --command-fd n
2552 This is a replacement for the deprecated shared-memory IPC mode.
2553 If this option is enabled, user input on questions is not ex‐
2554 pected from the TTY but from the given file descriptor. It
2555 should be used together with --status-fd. See the file doc/DE‐
2556 TAILS in the source distribution for details on how to use it.
2557
2558
2559 --command-file file
2560 Same as --command-fd, except the commands are read out of file
2561 file
2562
2563
2564 --allow-non-selfsigned-uid
2565
2566 --no-allow-non-selfsigned-uid
2567 Allow the import and use of keys with user IDs which are not
2568 self-signed. This is not recommended, as a non self-signed user
2569 ID is trivial to forge. --no-allow-non-selfsigned-uid disables.
2570
2571
2572 --allow-freeform-uid
2573 Disable all checks on the form of the user ID while generating a
2574 new one. This option should only be used in very special envi‐
2575 ronments as it does not ensure the de-facto standard format of
2576 user IDs.
2577
2578
2579 --ignore-time-conflict
2580 GnuPG normally checks that the timestamps associated with keys
2581 and signatures have plausible values. However, sometimes a sig‐
2582 nature seems to be older than the key due to clock problems.
2583 This option makes these checks just a warning. See also --ig‐
2584 nore-valid-from for timestamp issues on subkeys.
2585
2586
2587 --ignore-valid-from
2588 GnuPG normally does not select and use subkeys created in the
2589 future. This option allows the use of such keys and thus ex‐
2590 hibits the pre-1.0.7 behaviour. You should not use this option
2591 unless there is some clock problem. See also --ignore-time-con‐
2592 flict for timestamp issues with signatures.
2593
2594
2595 --ignore-crc-error
2596 The ASCII armor used by OpenPGP is protected by a CRC checksum
2597 against transmission errors. Occasionally the CRC gets mangled
2598 somewhere on the transmission channel but the actual content
2599 (which is protected by the OpenPGP protocol anyway) is still
2600 okay. This option allows GnuPG to ignore CRC errors.
2601
2602
2603 --ignore-mdc-error
2604 This option changes a MDC integrity protection failure into a
2605 warning. This can be useful if a message is partially corrupt,
2606 but it is necessary to get as much data as possible out of the
2607 corrupt message. However, be aware that a MDC protection fail‐
2608 ure may also mean that the message was tampered with intention‐
2609 ally by an attacker.
2610
2611
2612 --allow-weak-digest-algos
2613 Signatures made with known-weak digest algorithms are normally
2614 rejected with an ``invalid digest algorithm'' message. This op‐
2615 tion allows the verification of signatures made with such weak
2616 algorithms. MD5 is the only digest algorithm considered weak by
2617 default. See also --weak-digest to reject other digest algo‐
2618 rithms.
2619
2620
2621 --weak-digest name
2622 Treat the specified digest algorithm as weak. Signatures made
2623 over weak digests algorithms are normally rejected. This option
2624 can be supplied multiple times if multiple algorithms should be
2625 considered weak. See also --allow-weak-digest-algos to disable
2626 rejection of weak digests. MD5 is always considered weak, and
2627 does not need to be listed explicitly.
2628
2629
2630
2631 --no-default-keyring
2632 Do not add the default keyrings to the list of keyrings. Note
2633 that GnuPG will not operate without any keyrings, so if you use
2634 this option and do not provide alternate keyrings via --keyring
2635 or --secret-keyring, then GnuPG will still use the default pub‐
2636 lic or secret keyrings.
2637
2638
2639 --skip-verify
2640 Skip the signature verification step. This may be used to make
2641 the decryption faster if the signature verification is not
2642 needed.
2643
2644
2645 --with-key-data
2646 Print key listings delimited by colons (like --with-colons) and
2647 print the public key data.
2648
2649
2650 --fast-list-mode
2651 Changes the output of the list commands to work faster; this is
2652 achieved by leaving some parts empty. Some applications don't
2653 need the user ID and the trust information given in the list‐
2654 ings. By using this options they can get a faster listing. The
2655 exact behaviour of this option may change in future versions.
2656 If you are missing some information, don't use this option.
2657
2658
2659 --no-literal
2660 This is not for normal use. Use the source to see for what it
2661 might be useful.
2662
2663
2664 --set-filesize
2665 This is not for normal use. Use the source to see for what it
2666 might be useful.
2667
2668
2669 --show-session-key
2670 Display the session key used for one message. See --override-
2671 session-key for the counterpart of this option.
2672
2673 We think that Key Escrow is a Bad Thing; however the user should
2674 have the freedom to decide whether to go to prison or to reveal
2675 the content of one specific message without compromising all
2676 messages ever encrypted for one secret key. DON'T USE IT UNLESS
2677 YOU ARE REALLY FORCED TO DO SO.
2678
2679
2680 --override-session-key string
2681 Don't use the public key but the session key string. The format
2682 of this string is the same as the one printed by --show-session-
2683 key. This option is normally not used but comes handy in case
2684 someone forces you to reveal the content of an encrypted mes‐
2685 sage; using this option you can do this without handing out the
2686 secret key.
2687
2688
2689 --ask-sig-expire
2690
2691 --no-ask-sig-expire
2692 When making a data signature, prompt for an expiration time. If
2693 this option is not specified, the expiration time set via --de‐
2694 fault-sig-expire is used. --no-ask-sig-expire disables this op‐
2695 tion.
2696
2697
2698 --default-sig-expire
2699 The default expiration time to use for signature expiration.
2700 Valid values are "0" for no expiration, a number followed by the
2701 letter d (for days), w (for weeks), m (for months), or y (for
2702 years) (for example "2m" for two months, or "5y" for five
2703 years), or an absolute date in the form YYYY-MM-DD. Defaults to
2704 "0".
2705
2706
2707 --ask-cert-expire
2708
2709 --no-ask-cert-expire
2710 When making a key signature, prompt for an expiration time. If
2711 this option is not specified, the expiration time set via --de‐
2712 fault-cert-expire is used. --no-ask-cert-expire disables this
2713 option.
2714
2715
2716 --default-cert-expire
2717 The default expiration time to use for key signature expiration.
2718 Valid values are "0" for no expiration, a number followed by the
2719 letter d (for days), w (for weeks), m (for months), or y (for
2720 years) (for example "2m" for two months, or "5y" for five
2721 years), or an absolute date in the form YYYY-MM-DD. Defaults to
2722 "0".
2723
2724
2725 --allow-secret-key-import
2726 This is an obsolete option and is not used anywhere.
2727
2728
2729 --allow-multiple-messages
2730
2731 --no-allow-multiple-messages
2732 Allow processing of multiple OpenPGP messages contained in a
2733 single file or stream. Some programs that call GPG are not pre‐
2734 pared to deal with multiple messages being processed together,
2735 so this option defaults to no. Note that versions of GPG prior
2736 to 1.4.7 always allowed multiple messages.
2737
2738 Warning: Do not use this option unless you need it as a tempo‐
2739 rary workaround!
2740
2741
2742
2743 --enable-special-filenames
2744 This options enables a mode in which filenames of the form
2745 ‘-&n’, where n is a non-negative decimal number, refer to the
2746 file descriptor n and not to a file with that name.
2747
2748
2749 --no-expensive-trust-checks
2750 Experimental use only.
2751
2752
2753 --preserve-permissions
2754 Don't change the permissions of a secret keyring back to user
2755 read/write only. Use this option only if you really know what
2756 you are doing.
2757
2758
2759 --default-preference-list string
2760 Set the list of default preferences to string. This preference
2761 list is used for new keys and becomes the default for "setpref"
2762 in the edit menu.
2763
2764
2765 --default-keyserver-url name
2766 Set the default keyserver URL to name. This keyserver will be
2767 used as the keyserver URL when writing a new self-signature on a
2768 key, which includes key generation and changing preferences.
2769
2770
2771 --list-config
2772 Display various internal configuration parameters of GnuPG. This
2773 option is intended for external programs that call GnuPG to per‐
2774 form tasks, and is thus not generally useful. See the file
2775 ‘doc/DETAILS’ in the source distribution for the details of
2776 which configuration items may be listed. --list-config is only
2777 usable with --with-colons set.
2778
2779
2780 --gpgconf-list
2781 This command is similar to --list-config but in general only in‐
2782 ternally used by the gpgconf tool.
2783
2784
2785 --gpgconf-test
2786 This is more or less dummy action. However it parses the con‐
2787 figuration file and returns with failure if the configuration
2788 file would prevent gpg from startup. Thus it may be used to run
2789 a syntax check on the configuration file.
2790
2791
2792
2793
2794 Deprecated options
2795
2796
2797
2798
2799 --load-extension name
2800 Load an extension module. If name does not contain a slash it is
2801 searched for in the directory configured when GnuPG was built
2802 (generally "/usr/local/lib/gnupg"). Extensions are not generally
2803 useful anymore, and the use of this option is deprecated.
2804
2805
2806 --show-photos
2807
2808 --no-show-photos
2809 Causes --list-keys, --list-sigs, --list-public-keys, --list-se‐
2810 cret-keys, and verifying a signature to also display the photo
2811 ID attached to the key, if any. See also --photo-viewer. These
2812 options are deprecated. Use --list-options [no-]show-photos
2813 and/or --verify-options [no-]show-photos instead.
2814
2815
2816 --show-keyring
2817 Display the keyring name at the head of key listings to show
2818 which keyring a given key resides on. This option is deprecated:
2819 use --list-options [no-]show-keyring instead.
2820
2821
2822 --ctapi-driver file
2823 Use file to access the smartcard reader. The current default is
2824 `libtowitoko.so'. Note that the use of this interface is depre‐
2825 cated; it may be removed in future releases.
2826
2827
2828 --always-trust
2829 Identical to --trust-model always. This option is deprecated.
2830
2831
2832 --show-notation
2833
2834 --no-show-notation
2835 Show signature notations in the --list-sigs or --check-sigs
2836 listings as well as when verifying a signature with a notation
2837 in it. These options are deprecated. Use --list-options
2838 [no-]show-notation and/or --verify-options [no-]show-notation
2839 instead.
2840
2841
2842 --show-policy-url
2843
2844 --no-show-policy-url
2845 Show policy URLs in the --list-sigs or --check-sigs listings as
2846 well as when verifying a signature with a policy URL in it.
2847 These options are deprecated. Use --list-options [no-]show-pol‐
2848 icy-url and/or --verify-options [no-]show-policy-url instead.
2849
2850
2851
2852
2853
2854
2856 gpg -se -r Bob file
2857 sign and encrypt for user Bob
2858
2859
2860 gpg --clearsign file
2861 make a clear text signature
2862
2863
2864 gpg -sb file
2865 make a detached signature
2866
2867
2868 gpg -u 0x12345678 -sb file
2869 make a detached signature with the key 0x12345678
2870
2871
2872 gpg --list-keys user_ID
2873 show keys
2874
2875
2876 gpg --fingerprint user_ID
2877 show fingerprint
2878
2879
2880 gpg --verify pgpfile
2881
2882 gpg --verify sigfile
2883 Verify the signature of the file but do not output the data. The
2884 second form is used for detached signatures, where sigfile is
2885 the detached signature (either ASCII armored or binary) and are
2886 the signed data; if this is not given, the name of the file
2887 holding the signed data is constructed by cutting off the exten‐
2888 sion (".asc" or ".sig") of sigfile or by asking the user for the
2889 filename.
2890
2891
2892
2893
2895 There are different ways to specify a user ID to GnuPG. Some of them
2896 are only valid for gpg others are only good for gpgsm. Here is the en‐
2897 tire list of ways to specify a key:
2898
2899
2900
2901 By key Id.
2902 This format is deduced from the length of the string and its
2903 content or 0x prefix. The key Id of an X.509 certificate are the
2904 low 64 bits of its SHA-1 fingerprint. The use of key Ids is
2905 just a shortcut, for all automated processing the fingerprint
2906 should be used.
2907
2908 When using gpg an exclamation mark (!) may be appended to force
2909 using the specified primary or secondary key and not to try and
2910 calculate which primary or secondary key to use.
2911
2912 The last four lines of the example give the key ID in their long
2913 form as internally used by the OpenPGP protocol. You can see the
2914 long key ID using the option --with-colons.
2915
2916 234567C4
2917 0F34E556E
2918 01347A56A
2919 0xAB123456
2920
2921 234AABBCC34567C4
2922 0F323456784E56EAB
2923 01AB3FED1347A5612
2924 0x234AABBCC34567C4
2925
2926
2927
2928
2929 By fingerprint.
2930 This format is deduced from the length of the string and its
2931 content or the 0x prefix. Note, that only the 20 byte version
2932 fingerprint is available with gpgsm (i.e. the SHA-1 hash of the
2933 certificate).
2934
2935 When using gpg an exclamation mark (!) may be appended to force
2936 using the specified primary or secondary key and not to try and
2937 calculate which primary or secondary key to use.
2938
2939 The best way to specify a key Id is by using the fingerprint.
2940 This avoids any ambiguities in case that there are duplicated
2941 key IDs.
2942
2943 1234343434343434C434343434343434
2944 123434343434343C3434343434343734349A3434
2945 0E12343434343434343434EAB3484343434343434
2946 0xE12343434343434343434EAB3484343434343434
2947
2948
2949 gpgsm also accepts colons between each pair of hexadecimal digits be‐
2950 cause this is the de-facto standard on how to present X.509 finger‐
2951 prints. gpg also allows the use of the space separated SHA-1 finger‐
2952 print as printed by the key listing commands.
2953
2954
2955 By exact match on OpenPGP user ID.
2956 This is denoted by a leading equal sign. It does not make sense
2957 for X.509 certificates.
2958
2959 =Heinrich Heine <heinrichh@uni-duesseldorf.de>
2960
2961
2962 By exact match on an email address.
2963 This is indicated by enclosing the email address in the usual
2964 way with left and right angles.
2965
2966 <heinrichh@uni-duesseldorf.de>
2967
2968
2969
2970 By word match.
2971 All words must match exactly (not case sensitive) but can appear
2972 in any order in the user ID or a subjects name. Words are any
2973 sequences of letters, digits, the underscore and all characters
2974 with bit 7 set.
2975
2976 +Heinrich Heine duesseldorf
2977
2978
2979 By exact match on the subject's DN.
2980 This is indicated by a leading slash, directly followed by the
2981 RFC-2253 encoded DN of the subject. Note that you can't use the
2982 string printed by "gpgsm --list-keys" because that one as been
2983 reordered and modified for better readability; use --with-colons
2984 to print the raw (but standard escaped) RFC-2253 string
2985
2986 /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
2987
2988
2989 By exact match on the issuer's DN.
2990 This is indicated by a leading hash mark, directly followed by a
2991 slash and then directly followed by the rfc2253 encoded DN of
2992 the issuer. This should return the Root cert of the issuer.
2993 See note above.
2994
2995 #/CN=Root Cert,O=Poets,L=Paris,C=FR
2996
2997
2998
2999 By exact match on serial number and issuer's DN.
3000 This is indicated by a hash mark, followed by the hexadecimal
3001 representation of the serial number, then followed by a slash
3002 and the RFC-2253 encoded DN of the issuer. See note above.
3003
3004 #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
3005
3006
3007 By keygrip
3008 This is indicated by an ampersand followed by the 40 hex digits
3009 of a keygrip. gpgsm prints the keygrip when using the command
3010 --dump-cert. It does not yet work for OpenPGP keys.
3011
3012 &D75F22C3F86E355877348498CDC92BD21010A480
3013
3014
3015
3016 By substring match.
3017 This is the default mode but applications may want to explicitly
3018 indicate this by putting the asterisk in front. Match is not
3019 case sensitive.
3020
3021 Heine
3022 *Heine
3023
3024
3025
3026 Please note that we have reused the hash mark identifier which was used
3027 in old GnuPG versions to indicate the so called local-id. It is not
3028 anymore used and there should be no conflict when used with X.509
3029 stuff.
3030
3031 Using the RFC-2253 format of DNs has the drawback that it is not possi‐
3032 ble to map them back to the original encoding, however we don't have to
3033 do this because our key database stores this encoding as meta data.
3034
3035
3036
3037
3038
3040 There are a few configuration files to control certain aspects of gpg's
3041 operation. Unless noted, they are expected in the current home direc‐
3042 tory (see: [option --homedir]).
3043
3044
3045
3046 gpg.conf
3047 This is the standard configuration file read by gpg on startup.
3048 It may contain any valid long option; the leading two dashes may
3049 not be entered and the option may not be abbreviated. This de‐
3050 fault name may be changed on the command line (see: [gpg-option
3051 --options]). You should backup this file.
3052
3053
3054 Note that on larger installations, it is useful to put predefined files
3055 into the directory ‘/etc/skel/.gnupg/’ so that newly created users
3056 start up with a working configuration.
3057
3058 For internal purposes gpg creates and maintains a few other files; They
3059 all live in in the current home directory (see: [option --homedir]).
3060 Only the gpg may modify these files.
3061
3062
3063
3064 ~/.gnupg/pubring.gpg
3065 The public keyring. You should backup this file.
3066
3067
3068 ~/.gnupg/pubring.gpg.lock
3069 The lock file for the public keyring.
3070
3071
3072 ~/.gnupg/pubring.kbx
3073
3074 ~/.gnupg/pubring.kbx.lock
3075 A public keyring and its lock file used by GnuPG versions >= 2.
3076 It is ignored by GnuPG 1.x
3077
3078
3079 ~/.gnupg/secring.gpg
3080 The secret keyring. You should backup this file.
3081
3082
3083 ~/.gnupg/trustdb.gpg
3084 The trust database. There is no need to backup this file; it is
3085 better to backup the ownertrust values (see: [option --export-
3086 ownertrust]).
3087
3088
3089 ~/.gnupg/trustdb.gpg.lock
3090 The lock file for the trust database.
3091
3092
3093 ~/.gnupg/random_seed
3094 A file used to preserve the state of the internal random pool.
3095
3096
3097 ~/.gnupg/secring.gpg.lock
3098 The lock file for the secret keyring.
3099
3100
3101 ~/.gnupg/openpgp-revocs.d/
3102 This is the directory where gpg stores pre-generated revocation
3103 certificates. The file name corresponds to the OpenPGP finger‐
3104 print of the respective key. It is suggested to backup those
3105 certificates and if the primary private key is not stored on the
3106 disk to move them to an external storage device. Anyone who can
3107 access theses files is able to revoke the corresponding key.
3108 You may want to print them out. You should backup all files in
3109 this directory and take care to keep this backup closed away.
3110
3111
3112 /usr[/local]/share/gnupg/options.skel
3113 The skeleton options file.
3114
3115
3116 /usr[/local]/lib/gnupg/
3117 Default location for extensions.
3118
3119
3120 Operation is further controlled by a few environment variables:
3121
3122
3123
3124 HOME Used to locate the default home directory.
3125
3126
3127 GNUPGHOME
3128 If set directory used instead of "~/.gnupg".
3129
3130
3131 GPG_AGENT_INFO
3132 Used to locate the gpg-agent. This is only honored when --use-
3133 agent is set.
3134
3135 The value consists of 3 colon delimited fields: The first is the
3136 path to the Unix Domain Socket, the second the PID of the gpg-
3137 agent and the protocol version which should be set to 1. When
3138 starting the gpg-agent as described in its documentation, this
3139 variable is set to the correct value. The option --gpg-agent-
3140 info can be used to override it.
3141
3142
3143 PINENTRY_USER_DATA
3144 This value is passed via gpg-agent to pinentry. It is useful to
3145 convey extra information to a custom pinentry.
3146
3147
3148 COLUMNS
3149
3150 LINES Used to size some displays to the full size of the screen.
3151
3152
3153
3154 LANGUAGE
3155 Apart from its use by GNU, it is used in the W32 version to
3156 override the language selection done through the Registry. If
3157 used and set to a valid and available language name (langid),
3158 the file with the translation is loaded from
3159
3160 gpgdir/gnupg.nls/langid.mo. Here gpgdir is the directory out of
3161 which the gpg binary has been loaded. If it can't be loaded the
3162 Registry is tried and as last resort the native Windows locale
3163 system is used.
3164
3165
3166
3167
3168
3170 On older systems this program should be installed as setuid(root). This
3171 is necessary to lock memory pages. Locking memory pages prevents the
3172 operating system from writing memory pages (which may contain
3173 passphrases or other sensitive material) to disk. If you get no warning
3174 message about insecure memory your operating system supports locking
3175 without being root. The program drops root privileges as soon as locked
3176 memory is allocated.
3177
3178 Note also that some systems (especially laptops) have the ability to
3179 ``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
3180 This writes all memory to disk before going into a low power or even
3181 powered off mode. Unless measures are taken in the operating system to
3182 protect the saved memory, passphrases or other sensitive material may
3183 be recoverable from it later.
3184
3185 Before you report a bug you should first search the mailing list ar‐
3186 chives for similar problems and second check whether such a bug has al‐
3187 ready been reported to our bug tracker at http://bugs.gnupg.org .
3188
3189
3190
3192 gpgv(1),
3193
3194 The full documentation for this tool is maintained as a Texinfo manual.
3195 If GnuPG and the info program are properly installed at your site, the
3196 command
3197
3198 info gnupg
3199
3200 should give you access to the complete manual including a menu struc‐
3201 ture and an index.
3202
3203
3204
3205GnuPG 1.4.23 2023-07-20 GPG(1)