CyberCheatsheets

GPG Cheat Sheet

GnuPG commands for encrypting files, signing, and managing keys — symmetric and public-key workflows.

Utilities & Shells | encryption, gnupg, gpg, pgp, signing | Updated 2026-06-17

Overview

GnuPG (gpg) is the standard tool for OpenPGP encryption and signing. Use symmetric mode (a passphrase) for quick file encryption, or public-key mode (recipient's key) for sending data only they can read. It also verifies signatures on downloaded software and decrypts files recovered during forensics/CTFs.

Authorized use only. Handle keys and recovered secrets only with permission.

Symmetric (passphrase) encryption

Encrypt with a passphrase → secret.txt.gpg

gpg -c secret.txt

Decrypt to stdout

gpg -d secret.txt.gpg

Decrypt to a file

gpg -o secret.txt -d secret.txt.gpg

Force AES-256

gpg --cipher-algo AES256 -c secret.txt

Key management

Generate a new key pair (interactive)

gpg --full-generate-key

List public keys in your keyring

gpg --list-keys

List private keys with long key IDs

gpg --list-secret-keys --keyid-format LONG

Export your public key (ASCII armor)

gpg --export -a "you@example.com" > public.asc

Import someone's public key

gpg --import public.asc

Remove a private key

gpg --delete-secret-keys <keyid>

Public-key encryption

Encrypt for a recipient → msg.txt.gpg

gpg -e -r "alice@example.com" msg.txt

Encrypt + ASCII armor (.asc, email-safe)

gpg -e -a -r "alice@example.com" msg.txt

Decrypt with your private key

gpg -d msg.txt.gpg

Signing & verification

Create a detached signature (file.iso.asc)

gpg --detach-sign -a file.iso

Verify a detached signature

gpg --verify file.iso.asc file.iso

Sign keeping the text readable

gpg --clearsign message.txt

Quick one-liners

Decrypt a file recovered in a CTF/forensics case

gpg --batch --pinentry-mode loopback --passphrase 'P@ss' -d loot.gpg

Encrypt a whole folder (tar then gpg)

tar czf - mydir | gpg -c -o mydir.tar.gz.gpg

Fetch a public key from a keyserver

gpg --keyserver hkps://keys.openpgp.org --recv-keys <keyid>

Show a key's fingerprint

gpg --fingerprint you@example.com

Tips

  • Use -a (ASCII armor) whenever the output must travel through email or text.
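  • --batch --passphrase lets you script decryption (handy for brute-forcing CTF passphrases with a wordlist); GnuPG 2.1 and later also need --pinentry-mode loopback, and a passphrase given on the command line is visible in the process list and shell history.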
  • Always verify software signatures against a fingerprint you trust, not just 'Good signature'.
  • Back up your secret key and revocation certificate somewhere offline — losing them is unrecoverable.
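
The fingerprint check from the tips above, as an added example (not part of the original cheat sheet): it parses gpg's machine-readable --status-fd output and accepts a signature only when it is good and made by the pinned key. The function names, fingerprints and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a signature only if it is good AND made by a pinned key.
# Function names and all sample values below are constructed for illustration.

# Reads `gpg --status-fd` lines on stdin. Succeeds only when there is a
# GOODSIG, every VALIDSIG names the pinned primary-key fingerprint ($1),
# and no bad/expired/revoked signature status appears.
status_matches_pin() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$pin" ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 is the
            # fingerprint of the (sub)key that actually signed.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == pin) hit = 1; else other = 1
        }
        END { exit !(good && hit && !bad && !other) }
    '
}

# usage: verify_pinned <sigfile> <datafile> <trusted fingerprint>
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        status_matches_pin "$3"
}

# Constructed status output (not from a real key) for offline testing.
SAMPLE_PRIMARY='89ABCDEF0123456789ABCDEF0123456789ABCDEF'
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-01-01 1767225600 0 4 0 1 10 00 $SAMPLE_PRIMARY"
```

On a real download, call verify_pinned file.iso.asc file.iso with the fingerprint obtained from a channel you trust; a non-zero exit status means the file should not be used.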
