Table of Contents

Sign, Encrypt and Decrypt a File

gpg can sign and encrypt a file, outputting a text file with the original file compressed, encrypted and the output armoured. This is useful for sending encrypted files.

To sign and encrypt a file called archive.zip, issue:

gpg --output archive.zip.sig --sign archive.zip

To decrypt and verify, issue:

gpg --output archive.zip --decrypt archive.zip.sig

Detach-Sign and Verify a File

A detached signature, just creates a text-signature file that can be used to check the validity of the original file.

To use gpg to detach-sign a file, issue:

gpg --output MD5SUM.sig --detach-sig MD5SUM

to verify the signature, issue:

gpg --verify MD5SUM.sig MD5SUM

Clear-Sign a Document

Clear-signing a document will modify that document to include the message along with the signature for that message.

gpg --clearsign list.txt

Getting a List of Available Ciphers

Issue on the command-line:

gpg --version

which should state all the available cyphers, for example:

Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

Encrypting and Decrypting a File using Symmetric Encryption

To encrypt a file using symmetric encryption, issue:

gpg --symmetric --cipher-algo CIPHER SOURCE -o DESTINATION

where:

To decrypt the resulting file DESTINATION, reverse the process:

gpg -o DESTINATION -d SOURCE

In order to get printable output, use the armor option when encrypting a file:

gpg --armor --symmetric --cipher-algo CIPHER SOURCE -o DESTINATION

Changing the Default Cipher

The default algorithm used by GPG is CAST5 with a blocksize of 64 bits. In order to change the default algorithm, edit ~/.gnupg/gpg.conf and add the line:

cipher-algo CIPHER

where CIPHER can be obtained by previously issuing:

gpg --version

Preventing Message Modification Attacks

You will notice this problem when GPG issues a warning:

gpg: WARNING: message was not integrity protected

For 64 bit block-size ciphers such as the default CAST5 and 3DES, the –force-mdc option should be used while encrypting. This is the default for other ciphers with larger block sizes. force-mdc can also be added to ~/.gnupg/gpg.conf as a default.

Conceal Message Destination

In order to encrypt a message that cannot be checked to see who it is encrypted to, add the –throw-keyid parameter when encrypting:

gpg -v -e -a --throw-keyid -r 887245BA message.txt

where:

and message.txt is a file that contains the message to encrypt.

Fixing Issues Related to Broken Terminals

In the event that:

gpg: signing failed: Inappropriate ioctl for device

appears when attempting an operation with gpg, the most likely cause is that gpg is trying to prompt for the password to unlock the keychain but the terminal is not properly set.

To resolve the issue, run:

export GPG_TTY=$(tty)

Export and Backup Keys

Issue:

gpg --list-keys

to obtain the fingerprint of the keys to be exported.

For public keys issue:

gpg --armor --export FINGERPRINT

and for secret keys, issue:

gpg --armor --export-secret-key FINGERPRINT

which will create an ASCII armored export for both public and secret keys.

Alternatively to export both at the same time in order to create a backup, issue:

gpg --armor --export-secret-keys --export-options export-backup FINGERPRINT

Export Photo ID to File

In order to export the photo ID for a key with fingerprint FINGERPRINT, the following command:

gpg --list-options show-photos --photo-viewer "cat > ./0x%k.%t" --list-key FINGERPRINT

will set cat as the photo viewer and export the key to the current directory.

Exporting from Batch Scripts

One of the most common problems when exporting PGP keys from batch script is that the home directory for PGP is not known. The command line can be changed in order to include the home directory and other switches that will ensure that the PGP command can be run from batch scripts.

For example, the Wizardry and Steamworks PGP key is exported daily via a cron script using the following command:

/usr/bin/gpg --batch --homedir /home/was/.gnupg/ --armor --quiet --export EFA3B2C5B8DEA6BF824C82543DE933083623DDF1