
GPG (GNU Privacy Guard)

Software download

The software can be obtained from the GnuPG homepage.

The German-language documentation can be found in GPGMiniHowto.pdf.

A Windows version with graphical access to GnuPG, as well as the portable version, is available from the GnuPT homepage.

Generate, export, import, revoke keys ...

Generate key

Generation of a new key pair.
gpg --gen-key
You will first be asked which algorithm to use. More details on the algorithms can be found in the PGP DH vs. RSA FAQ or in Schneier (1996). You can (and should) simply accept the default value (DSA / ElGamal). When choosing the key length, you have to weigh security against computing time: the longer a key, the more secure it is, but the longer operations with it take. When considering computing time, however, keep in mind that the key may still be in use in a few years, when average computing power will have increased significantly. For key lengths of more than 1536 bits, GnuPG asks whether such a large key is really necessary; other people recommend at least 2048 bits. For DSA, 1024 bits is standard.
Then you will be asked for your name, a comment and your email address. This information is used to identify the key. You can change or add to it later. You should choose an email address that will remain valid for a long time, because the complete user ID is signed. If anything is changed later, the signatures on the changed information no longer apply.
Finally, you will be asked for the password (or passphrase, since it may contain spaces; the German translation calls it a mantra) with which the private key is to be secured. Use a good mantra.
A good mantra:
  • is not too short,
  • contains special characters,
  • is not a name and cannot easily be guessed by someone who knows the user (such as a telephone number, bank code, names and number of children, ...)
You can gain more security by randomly mixing upper- and lower-case letters and inserting spaces.

You also have to be able to remember it, since the secret key is worthless without the mantra.

In this context, it can be a good idea to create a revocation certificate right away.

Exporting a key (with the user ID UID)

gpg --export [UID]
If no UID is given, the entire keyring is exported. Output goes to stdout by default, but you can write it to a file with the option -o file. We also recommend using the option -a (--armor); otherwise I had problems. With this option, the keys are not output in binary format but as ASCII (7-bit) files.

The exported key can then be distributed around the world, for example on your homepage, via finger, via keyserver, ...

Importing Keys

If you have obtained a public key from somewhere, you should add it to your keyring.
gpg --import [file]
If you omit the file name, stdin is read.

Revoke key

There are several reasons to revoke an old key:
  • It could have fallen into someone else's hands,
  • the UID is no longer correct,
  • it has simply become too small,
  • ...
In all of these cases, the command of choice is
gpg --gen-revoke
This creates a key revocation certificate. You need the private key for this, because otherwise such certificates could also be generated by strangers. This has one disadvantage, though: a key whose mantra I don't know is obviously useless, but because I don't know the mantra, I can't revoke it either. It is therefore a good idea to generate a revocation certificate when generating the key. It should then be kept in a safe place, preferably on diskette and on paper, so that it does not fall into the wrong hands.

Manage your keyring

The keyring is a file in which all keys are stored together with their associated information (except for the owner trust values; what these are is explained under Sign the key).

List the public keyring

gpg --list-keys
shows all keys of the public keyring.
gpg --list-sigs
also shows the signatures (see Sign the key).

List keys with their "fingerprints"

gpg --fingerprint
lists the keys with their "fingerprints". These are (relatively) short sequences of numbers that can be used to identify the key. This can be useful to make sure over the phone that a public key comes from the person you are talking to. Putting fingerprints in the footer of emails or Usenet articles does not make sense, by the way.
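
Added example (not from the original how-to): a shell script for the telephone check described above. It takes the primary key's fingerprint from GnuPG's machine-readable --with-colons listing and compares it with the value read aloud; the function names and the sample listing are constructed for illustration.

```shell
# Normalise a fingerprint: drop spaces and colons, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --fingerprint UID` output on stdin and print the
# fingerprint of the primary key (the first "fpr" record after "pub").
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only if the listing on stdin belongs to the expected fingerprint.
fpr_matches() {
    expected=$(norm_fpr "$1")
    actual=$(primary_fpr)
    # Refuse shortened values such as key IDs: the sample key's full
    # (version 4) fingerprint has 40 hex digits.
    [ "${#expected}" -eq 40 ] || return 2
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample listing (not a real key).
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:-:255:18:76543210FEDCBA98:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Fingerprint as dictated over the phone, with spaces and lower-case letters.
printf '%s\n' "$SAMPLE_LISTING" |
    fpr_matches "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567" &&
    echo "fingerprint matches"
```

With a real keyring, pipe the output of gpg --with-colons --fingerprint UID into fpr_matches instead of the sample listing.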

List keys in the private keyring

gpg --list-secret-keys
lists the keys of the private keyring. Signatures and fingerprints of private keys have no informative value.

Delete key

gpg --delete-key UID
gpg --delete-secret-key
deletes keys from the corresponding keyring.

Edit key

gpg --edit-key UID
In the menu you can change the mantra and the expiry date, display fingerprints and sign keys, among other things.

Sign the key

After selecting the key to be signed with
gpg --edit-key UID
it can be signed with the sign command.

Use keyserver

Keyservers are large databases with public keys. GnuPG can import keys from keyservers and export them to keyservers. GnuPG communicates with the keyserver via HTTP, but uses port 11371. You have to make sure that a possibly existing firewall does not block this port.
The address of the keyserver is passed with the option --keyserver on the command line, but you can also set it in the configuration file ~/.gnupg/options:
# Enter your favorite server here (e.g.):
keyserver search.keyserver.net

By the way, the server really does exist. Once you have made sure that GnuPG knows where the keys can be found, you can import keys using
gpg --recv-keys UID
and export them using
gpg --send-key UID

Encrypt and decrypt

If you have several private keys, you can use the option -u UID or --local-user UID
to select one (or more) keys by their UID. This selection replaces the key selected by default in the configuration file with the command:
gpg --default-key KeyID
With -r UID or --recipient UID you can select the recipient on the command line.


The command to encrypt is
gpg -e -r recipient [file]
gpg --encrypt --recipient recipient [file]
It also makes sense to sign the files; for more details see Sign and verify signatures.


The command to decrypt is
gpg [-d] [file]
gpg [--decrypt] [file]
The same applies here: output goes to stdout by default, but you can write it to a file with the option -o file.

Sign and verify signatures

With the command
gpg -s (or --sign) [file]
you sign a file with your private key. It is compressed at the same time, so it is no longer easily readable.

gpg --clearsign [file]
leaves the file readable.

gpg -b (or --detach-sign) [file]
creates the signature in a separate file. This is particularly recommended for signing binary files such as archives. The option --armor can also be useful here.

Usually a file is both signed and encrypted; the complete command is then
gpg [-u sender] [-r receiver] [--armor] --sign --encrypt [file]
The options -u (sender) and -r (recipient) work as explained above.
If an encrypted file is signed, the signature is also checked when it is decrypted. The signature of an unencrypted file is checked with:
gpg [--verify] [file]
always assuming, of course, that you are in possession of the corresponding public key.
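
Added example (not part of the original how-to): gpg --verify reports success for a good signature from any key in the keyring, so a script should also check which key made it. The shell functions below read GnuPG's --status-fd output and accept only a VALIDSIG from one pinned fingerprint; the function names and the sample status lines are constructed for illustration.

```shell
# Read `gpg --status-fd 1 --verify ...` status lines on stdin.
# $1 = pinned primary-key fingerprint (40 hex digits, no spaces).
# Returns 0 only for exactly one VALIDSIG by that key and no failure status.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be accepted.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last
        # field is the fingerprint of the primary key it belongs to.
        $2 == "VALIDSIG" { n++; if (toupper($NF) == toupper(want)) ok = 1 }
        END { exit !(ok && n == 1 && !bad) }'
}

# Verify a detached signature ($2) over a file ($3) against fingerprint $1.
# The decision comes from the status lines, not from the human-readable text.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed status output (not from a real key).
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>'

PINNED=0123456789ABCDEF0123456789ABCDEF01234567
printf '%s\n' "$GOOD_STATUS" | check_status "$PINNED" && echo "accepted"
printf '%s\n' "$BAD_STATUS"  | check_status "$PINNED" || echo "rejected"
```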