gpg can sign and encrypt a file, outputting a text file with the original file compressed, encrypted and the output armoured. This is useful for sending encrypted files.
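To sign and encrypt a file called archive.zip, issue:
gpg --armor --output archive.zip.sig --sign --encrypt --recipient RECIPIENT archive.zip
where RECIPIENT is the key ID of the recipient; --sign on its own only signs and compresses the file, it does not encrypt or armour it.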
To decrypt and verify, issue:
gpg --output archive.zip --decrypt archive.zip.sig
A detached signature just creates a text-signature file that can be used to check the validity of the original file.
To use gpg to detach-sign a file, issue:
gpg --output MD5SUM.sig --detach-sign MD5SUM
To verify the signature, issue:
gpg --verify MD5SUM.sig MD5SUM
Clear-signing a document will modify that document to include the message along with the signature for that message.
gpg --clearsign list.txt
Issue on the command-line:
gpg --version
which should state all the available ciphers, for example:
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
To encrypt a file using symmetric encryption, issue:
gpg --output DESTINATION --symmetric --cipher-algo CIPHER SOURCE
where:
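SOURCE is a file to encrypt in the current path, CIPHER is a cipher and DESTINATION is the destination file. Options must come before the file name because gpg stops parsing options at the first non-option argument.
To decrypt the resulting file, reverse the process, this time with the encrypted file as SOURCE and the file to write the plaintext to as DESTINATION: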
gpg -o DESTINATION -d SOURCE
In order to get printable output, use the armor option when encrypting a file:
gpg --armor --output DESTINATION --symmetric --cipher-algo CIPHER SOURCE
The default algorithm used by GPG is CAST5 with a block size of 64 bits. In order to change the default algorithm, edit ~/.gnupg/gpg.conf and add the line:
cipher-algo CIPHER
where CIPHER can be obtained by previously issuing:
gpg --version
You will notice this problem when GPG issues a warning:
gpg: WARNING: message was not integrity protected
For ciphers with a 64-bit block size, such as the default CAST5 and 3DES, the --force-mdc option should be used while encrypting. This is the default for other ciphers with larger block sizes. force-mdc can also be added to ~/.gnupg/gpg.conf as a default.
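The gpg.conf settings described above can be checked with a script. The following shell function is an added example, not part of the original page: it reads a gpg.conf given as its argument and reports whether cipher-algo selects a 64-bit block cipher while force-mdc is missing. The function name audit_gpg_conf, its return codes and the sample configuration are this example's own assumptions.

```sh
#!/bin/sh
# Added example: flag a gpg.conf that selects a 64-bit block cipher
# without force-mdc. Return codes are this example's own convention:
#   0 = force-mdc set, or cipher-algo has a larger block size
#   1 = 64-bit block cipher configured and force-mdc missing
#   2 = neither cipher-algo nor force-mdc set (gpg's built-in default applies)
#   3 = file not readable
audit_gpg_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "error: cannot read $conf" >&2; return 3; }

    # Last uncommented "cipher-algo NAME" line; cipher name upper-cased.
    cipher=$(sed 's/#.*//' "$conf" |
        awk '$1 == "cipher-algo" { v = toupper($2) } END { print v }')

    # force-mdc is a bare option on a line of its own.
    if sed 's/#.*//' "$conf" | awk '$1 == "force-mdc" { f = 1 } END { exit !f }'
    then
        echo "ok: force-mdc is set (cipher-algo: ${cipher:-unset})"
        return 0
    fi

    case $cipher in
        3DES|CAST5|BLOWFISH|IDEA)   # 64-bit block ciphers
            echo "warn: $cipher has a 64-bit block and force-mdc is not set"
            return 1 ;;
        '')
            echo "note: cipher-algo is unset, the built-in default applies"
            return 2 ;;
        *)
            echo "ok: cipher-algo $cipher"
            return 0 ;;
    esac
}

# Constructed sample configuration, not taken from a real system.
sample=$(mktemp)
printf '%s\n' '# personal defaults' 'armor' 'cipher-algo CAST5' > "$sample"
audit_gpg_conf "$sample" || true
rm -f "$sample"
```

A return code of 2 means the cipher depends on the installed gpg version, so compare it against the Cipher line printed by gpg --version.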
In order to encrypt a message that cannot be checked to see who it is encrypted to, add the --throw-keyids parameter when encrypting:
gpg -v -e -a --throw-keyids -r 887245BA message.txt
where:
-v means verbose output,
-e means to encrypt,
-a means to create ASCII armoured output,
--throw-keyids means to not put the recipient's key IDs into the encrypted message,
-r 887245BA means to encrypt to the recipient 887245BA
and message.txt is a file that contains the message to encrypt.
In the event that:
gpg: signing failed: Inappropriate ioctl for device
appears when attempting an operation with gpg, the most likely cause is that gpg is trying to prompt for the password to unlock the keychain but the terminal is not properly set.
To resolve the issue, run:
export GPG_TTY=$(tty)
Issue:
gpg --list-keys
to obtain the fingerprint of the keys to be exported.
For public keys issue:
gpg --armor --export FINGERPRINT
and for secret keys, issue:
gpg --armor --export-secret-key FINGERPRINT
which will create an ASCII armored export for both public and secret keys.
Alternatively, to export both at the same time in order to create a backup, issue:
gpg --armor --export-secret-keys --export-options export-backup FINGERPRINT
In order to export the photo ID for a key with fingerprint FINGERPRINT, the following command:
gpg --list-options show-photos --photo-viewer "cat > ./0x%k.%t" --list-key FINGERPRINT
will set cat as the photo viewer and write the photo to the current directory.
One of the most common problems when exporting PGP keys from a batch script is that the home directory for PGP is not known. The command line can be changed to include the home directory and other switches that ensure that the PGP command can be run from batch scripts.
For example, the Wizardry and Steamworks PGP key is exported daily via a cron script using the following command:
/usr/bin/gpg --batch --homedir /home/was/.gnupg/ --armor --quiet --export EFA3B2C5B8DEA6BF824C82543DE933083623DDF1