gpg - GNU Privacy Guard


gpg [--homedir name] [--options file] [options] command [args]

gpgm [--homedir name] [--options file] [options] command [args]


gpg is the main program for the GNUPG system. gpgm is a maintenance tool which has some commands gpgm does not have; it is there because it does not handle sensitive data ans therefore has no need to allocate secure memory.


gpg recognizes these commands:

-s, --sign Make a signature. This option may be combined with --encrypt.

--clearsign Make a clear text signature.

-b, --detach-sign Make a detached signature.

-e, --encrypt Encrypt data. This option may be combined with --sign.

-c, --symmetric Encrypt with symmetric cipher only This command asks for a passphrase.

--store store only (make a simple RFC1991 packet).

--decrypt [file] Decrypt file (or stdin if no file is specified) and write it to stdout (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message.

--verify [[sigfile] {signed-files}] Assume that filename is a signature and verify it without generating any output. With no arguments, the signature packet is read from stdin (it may be a detached signature when not used in batch mode). If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed stuff is expected in a file without the .sig or .asc extension (if such a file does not exist it is expected at stdin - use - as filename to force a read from stdin). With more than 1 argument, the first should be a detached signature and the remaining files are the signed stuff.

-k [username] [keyring] Kludge to be somewhat compatible with PGP. Without arguments, all public keyrings are listed. With one argument, only keyring is listed. Special combinations are also allowed, but it may give strange results when combined with more options.

--list-keys [names] List all keys from the public keyrings, or just the ones given on the command line.

--list-secret-keys [names] List all keys from the secret keyrings, or just the ones given on the command line.

--list-sigs [names] Same as --list-keys, but the signatures are listed too.

--check-sigs [names] Same as --list-sigs, but the signatures are verified.

--fingerprint [names] List all keys with their fingerprints. This is the same output as list-keys but with the additonal output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs.

--list-packets List only the sequence of packets. This is mainly useful for debugging.

--gen-key Generate a new key pair. This command can only be used interactive.

--edit-key name Present a menu which enables you to do all key related tasks:

The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids indicated by an asterisk. The trust value is displayed with the primary key: The first one is the assigned owner trust and the second the calculated trust value; letters are used for the values:

--delete-key Remove key from the public keyring

--delete-secret-key Remove key from the secret and public keyring

--gen-revoke Generate a revocation certificate.

--export [names] Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to stdout or to the file given with option ``output''. Use together with -a to mail those keys.

--export-secret-keys [names Same as --export, but does export the secret keys. This is normally not very useful.

--import import/merge keys

--export-ownertrust List the assigned ownertrust values in ascii format for backup purposes [gpgm only].

--import-ownertrust [filename] Update the trustdb with the ownertrust values stored in filename (or stdin if not given); existing values will be overwritten. [gpgm only].


Long options can be put in an options file (default ~/.gnupg/options); do not write the 2 dashes, but simply the name of the option and any arguments if required. Lines with a hash as the first non-white-space character are ignored. Commands may be put in this file too, but that does not make sense.

gpg recognizes these options:

-a, --armor Create ASCII armored output.

-o file, --output file Write output to file.

-u name, --local-user name Use name as the user-id to sign. This option is silently ignored for the list commands, so that it can be used in an options file.

--default-key name Use name as default user-id for signatures. If this is not used the default user-id is the first user-id from the secret keyring.

-r name, --remote-user name Use name as the user-id for encryption. This option is silently ignored for the list commands, so that it can be used in an options file.

-v, --verbose Give more information during processing. If used twice, the input data is listed in detail.

-z n Set compress level to n. A value of 0 for n disables compression. Default is to use the default compression level of zlib (which is 6).

-t, --textmode Use canonical text mode. Used to make clear-text signatures.

-n, --dry-run Don't make any changes (not yet implemented).

--batch Batch mode; never ask, do not allow interactive commands.

--no-batch Disable batch mode; this may be used if batch is used in the options file.

--yes Assume yes on most questions.

--no Assume no on most questions.

--keyring file Add file to the list of keyrings. If file begins with a tilde and a slash, these are replaced by the HOME directory. If the filename does not contain a slash, it is assumed to be in the home-directory (~/.gnupg if --homedir) is not used.

--secret-keyring file Same as --keyring but for secret keyrings.

--homedir dir Set the name of the home directory to dir. If this option is not used it defaults to ~/.gnupg. It does not make sense to use this in a options file. This also overrides the environment variable GNUPGHOME.

--options file Read options from file and do not try to read them from the default options file in the homedir (see --homedir). This option is ignored when used in an options file.

--no-options Shortcut for --options /dev/null. This option is detected before an attempt to open an option file.

--load-extension modulename Load an extension module. If modulename does not contain a slash it is searched in /usr/local/lib/gnupg See the manual for more information about extensions.

--debug flags Set debugging flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042).

--debug-all Set all useful debugging flags.

--status-fd n Write special status strings to the file descriptor n.

--no-comment Do not write comment packets.

--completes-needed n Number of completely trusted users to introduce a new key signator (defaults to 1).

--marginals-needed n Number of marginally trusted users to introduce a new key signator (defaults to 3)

--cipher-algo name Use name as cipher algorithm. Running the program with the option --verbose yields a list of supported algorithms. If this is not used the cipher algorithm is selected from the preferences stored with the key.

--digest-algo name Use name as message digest algorithm. Running the program with the option --verbose yields a list of supported algorithms.

--compress-algo number Use compress algorithm number. Default is 2 which is RFC1950 compression; you may use 1 to use the old zlib version which is used by PGP. This is only used for new messages. The default algorithm may give better results because the window size is not limited to 8K. If this is not used the OpenPGP behaviour is used; i.e. the compression algorith is selected from the preferences.

--passphrase-fd n Read the passphrase from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied. Don't use this option if you can avoid it

--no-verbose Reset verbose level to 0.

--no-greeting Suppress the initial copyright message but do not enter batch mode.

--no-armor Assume the input data is not in ASCCI armored format.

--no-default-keyring Do not add the default keyrings to the list of keyrings.

--skip-verify Skip the signature verification step. This may be used to make the encryption faster if the signature verification is not needed.

--version Print version information along with a list of supported algorithms.

--with-colons Print key listings delimited by colons.

--warranty Print warranty information.

-h, --help Print usage information.


The Program returns 0 if everything was fine, 1 if at least a signature was bad and other errorcode for fatal errors.


-se -r Bob [file] sign and encrypt for user Bob -sat [file] make a clear text signature -sb [file] make a detached signature -k [userid] show keys -kc [userid] show fingerprint


HOME Used to locate the default home directory. GNUPGHOME If set, direcory used instead of ~/.gnupg.


~/.gnupg/secring.gpg The secret keyring

~/.gnupg/pubring.gpg The public keyring

~/.gnupg/trustdb.gpg The trust database

~/.gnupg/options May contain options

/usr[/local]/lib/gnupg/ Default location for extensions


gpgm(1) gpgd(1)


Use a good password for your user account and a good passphrase to protect your secret key. This passphrase is the weakest part of the whole system. Programs to do dictionary attacks on your secret keyring are very easy to write and so you should protect your ~/.gnupg/ directory very good.

Keep in mind that, if this program is used over a network (telnet), it is very easy to spy out your passphrase!


On many systems this program should be installed as setuid(root); this is necessary to lock some pages of memory. If you get no warning message about insecure memory your OS kernel supports locking without being root; setuid is dropped as soon as this memory is allocated.

Return to GNU's home page.

Please send FSF & GNU inquiries & questions to There are also other ways to contact the FSF.

Please send comments on these web pages to, send other questions to

Copyright (C) 1998, 1999 Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA

Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.

Updated: 1999-09-30 wkoch