Welcome to Linux Knowledge Base and Tutorial
       gpg  [--homedir name]  [--options file]  [options]  command  [args]


       gpg is the main program for the GnuPG system.

       This man page only lists the commands and options available.
       For more verbose documentation get the GNU Privacy Handbook
       (GPH) or one of the other documents at
       http://www.gnupg.org/docs.html .

       Please remember that option parsing stops as soon as a
       non-option is encountered; you can explicitly stop option
       parsing by using the special option "--".


       gpg recognizes these commands:

       -s, --sign
                 Make a signature. This command may  be  combined
                 with --encrypt.

       --clearsign
                 Make a clear text signature.

       -b, --detach-sign
                 Make a detached signature.

       -e, --encrypt
                 Encrypt data. This option may be combined with --sign.

       -c, --symmetric
                 Encrypt  with  a  symmetric   cipher   using   a
                 passphrase.   The  default symmetric cipher used
                 is CAST5, but may be chosen with the --cipher-algo
                 option.

       --store   Store only (make a simple RFC1991 packet).

       --decrypt [file]
                 Decrypt  file (or stdin if no file is specified)
                 and write it to stdout (or  the  file  specified
                 with --output). If the decrypted file is signed,
                 the signature is  also  verified.  This  command
                 differs  from the default operation, as it never
                 writes to the filename which is included in  the
                 file and it rejects files which don't begin with
                 an encrypted message.

       --verify [[sigfile]  [signed-files]]

       --verify-files [files]
                 This is a special version of the --verify command
                 which does not work with detached signatures. The
                 command expects the files to be verified either on
                 the command line or reads the filenames from stdin;
                 each name must be on a separate line. The command
                 is intended for quick checking of many files.

       --encrypt-files [files]
                 This is a special version of the --encrypt command.
                 The command expects the files to be encrypted
                 either on the command line or reads the filenames
                 from stdin; each name must be on a separate line.
                 The command is intended for a quick encryption of
                 multiple files.

       --decrypt-files [files]
                 The same as --encrypt-files with the difference
                 that files will be decrypted. The syntax of the
                 filenames is the same.

       --list-keys [names]

       --list-public-keys [names]
                 List all keys from the public keyrings, or  just
                 the ones given on the command line.

       --list-secret-keys [names]
                 List  all keys from the secret keyrings, or just
                 the ones given on the command line. A '#' after
                 the letters 'sec' means that the secret key is
                 not usable (for example, if it was created via
                 --export-secret-subkeys).

       --list-sigs [names]
                 Same  as  --list-keys,  but  the  signatures are
                 listed too.

       --check-sigs [names]
                 Same as --list-sigs, but the signatures are verified.

       --fingerprint [names]
                 List all keys with their fingerprints. This is
                 the same output as --list-keys but with the
                 additional output of a line with the fingerprint.
                 May also be combined with --list-sigs or
                 --check-sigs. If this command is given twice,
                 the fingerprints of all secondary keys are
                 listed too.

       --edit-key name
                 Present a menu which enables you to do all key
                 related tasks:

                 sign      Make a signature on the key of user name.
                           If the key is not yet signed by the
                           default user (or the users given with
                           -u), the program displays the information
                           of the key again, together with its
                           fingerprint and asks whether it should
                           be signed. This question is repeated for
                           all users specified with -u.

                 lsign     Same  as  --sign  but the signature is
                           marked  as  non-exportable  and   will
                           therefore  never  be  used  by others.
                           This may be used to  make  keys  valid
                           only in the local environment.

                 nrsign    Same as --sign but the signature is
                           marked as non-revocable and can
                           therefore never be revoked.

                 nrlsign   Combines  the  functionality of nrsign
                           and lsign to make a signature that  is
                           both non-revocable and non-exportable.

                 revsig    Revoke a signature.  For every  signa­
                           ture  which  has been generated by one
                           of the secret keys, GnuPG asks whether
                           a revocation certificate should be generated.

                 trust     Change the  owner  trust  value.  This
                           updates  the  trust-db immediately and
                           no save is required.


                 disable
                 enable    Disable or enable an entire key. A
                           disabled  key can not normally be used
                           for encryption.

                 adduid    Create an alternate user id.

                 addphoto  Create a photographic user  id.   This
                           will  prompt for a JPEG file that will
                           be embedded into the user ID.

                 deluid    Delete a user id.

                 revuid    Revoke a user id.

                 expire    Change the key expiration time. If a
                           subkey  is  selected,  the  expiration
                           time of this subkey will  be  changed.
                           With  no selection, the key expiration
                           of the primary key is changed.

                 passwd    Change the passphrase of the secret key.

                 primary   Flag the current user id as the primary
                           one, removes the primary user id flag
                           from all other user ids and sets the
                           timestamp of all affected self-signatures
                           one second ahead. Note that setting a
                           photo user ID as primary makes it primary
                           over other photo user IDs, and setting a
                           regular user ID as primary makes it
                           primary over other regular user IDs.

                 uid n     Toggle selection of user id with index
                           n.  Use 0 to deselect all.

                 key n     Toggle  selection of subkey with index
                           n.  Use 0 to deselect all.

                 check     Check all selected user ids.

                 showphoto Display the selected photographic user ID.

                 pref      List preferences from the selected
                           user ID. This shows the actual
                           preferences, without including any
                           implied preferences.

                 showpref  More verbose preferences  listing  for
                           the  selected user ID.  This shows the
                           preferences in effect by including the
                           implied  preferences of 3DES (cipher),
                           SHA-1 (digest), and Uncompressed
                           (compression) if they are not already
                           included in the preference list.

                 setpref string
                           Set the list of user ID preferences to
                           string; this should be a string similar
                           to the one printed by "pref". Using an
                           empty string will set the default
                           preference string, using "none" will set
                           the preferences to nil. Use "gpg -v
                           --version" to get a list of available
                           algorithms.

                           (aka "photo ID"), GnuPG does not select
                           keys via attribute user IDs so these
                           preferences will not be used by

                 toggle    Toggle between public and secret key listing.

                 save      Save all changes to the key rings and quit.

                 quit      Quit the program without updating  the
                           key rings.

                 The listing shows you the key with its secondary
                 keys and all user ids. Selected keys or user ids
                 are indicated by an asterisk. The trust value is
                 displayed with the primary key: the first is the
                 assigned owner trust and the second is the
                 calculated trust value. Letters are used for the
                 values:

                 -         No ownertrust assigned / not yet calculated.

                 e         Trust calculation has failed; probably
                           due to an expired key.

                 q         Not enough information for calculation.

                 n         Never trust this key.

                 m         Marginally trusted.

                 f         Fully trusted.

                 u         Ultimately trusted.

       --sign-key name
                 Signs a public key with your secret key. This is
                 a shortcut version of the subcommand "sign" from --edit.

       --lsign-key name
                 Signs a public key  with  your  secret  key  but
                 marks  it as non-exportable.  This is a shortcut
                 version of the subcommand "lsign" from --edit.

       --nrsign-key name
                 Signs a public key  with  your  secret  key  but
                 marks it as non-revocable. This is a shortcut
                 version of the subcommand "nrsign" from --edit.

       --delete-secret-and-public-key name
                 Same as --delete-key, but if a secret key
                 exists, it will be removed first. In batch mode
                 the key must be specified by fingerprint.

       --gen-revoke name
                 Generate a revocation certificate for the
                 complete key. To revoke a subkey or a signature,
                 use the --edit command.

       --desig-revoke name
                 Generate a designated revocation certificate for
                 a key. This allows a user (with the permission
                 of the keyholder) to revoke someone else's key.

       --export [names]
                 Either   export   all  keys  from  all  keyrings
                 (default  keyrings  and  those  registered   via
                 option  --keyring),  or  if at least one name is
                 given, those of the given name. The new  keyring
                 is  written  to stdout or to the file given with
                 option "output".  Use together with  --armor  to
                 mail those keys.

       --send-keys [names]
                 Same as --export but sends the keys to a
                 keyserver. Option --keyserver must be used to give
                 the name of this keyserver. Don't send your com­
                 plete keyring to a keyserver - select only those
                 keys which are new or changed by you.

       --export-all [names]
                 Same  as  --export,  but also exports keys which
                 are not compatible with OpenPGP.

       --export-secret-keys [names]

       --export-secret-subkeys [names]
                 Same as --export, but exports  the  secret  keys
                 instead.  This is normally not very useful and a
                 security risk.  The second form of  the  command
                 has  the  special  property to render the secret
                 part of the primary key useless; this is  a  GNU
                 extension  to  OpenPGP and other implementations
                 can not be expected to successfully import  such
                 a key.

                 See  the option --simple-sk-checksum if you want
                 to import such an exported  key  with  an  older
                 OpenPGP implementation.

       --import [files]

       --recv-keys key IDs
                 Import the keys with the given key IDs from a
                 keyserver. Option --keyserver must be used to
                 give the name of this keyserver.

       --refresh-keys key IDs
                 Request  updates  from a keyserver for keys that
                 already exist on the  local  keyring.   This  is
                 useful for updating a key with the latest signa­
                 tures, user IDs, etc.  Option  --keyserver  must
                 be used to give the name of this keyserver.

       --search-keys [names]
                 Search the keyserver for the given names.
                 Multiple names given here will be joined together
                 to  create  the search string for the keyserver.
                 Option --keyserver must be used to give the name
                 of this keyserver.

       --update-trustdb
                 Do trust database maintenance. This command
                 iterates over all keys and builds the
                 Web-of-Trust. This is an interactive command
                 because it may have to ask for the "ownertrust"
                 values for keys. The user has to give an
                 estimation of how far she trusts the owner of the
                 displayed key to correctly certify (sign) other
                 keys. GnuPG only asks for the ownertrust value if
                 it has not yet been assigned to a key. Using the
                 --edit-key menu, the assigned value can be changed
                 at any time.

       --check-trustdb
                 Do trust database maintenance without user
                 interaction. From time to time the trust
                 database must be updated so that expired keys or
                 signatures and the resulting changes in the
                 Web-of-Trust can be tracked. Normally, GnuPG will
                 calculate when this is required and do it
                 automatically unless --no-auto-check-trustdb is set.
                 This command  can  be  used  to  force  a  trust
                 database  check  at any time.  The processing is
                 identical to that  of  --update-trustdb  but  it
                 skips  keys with a not yet defined "ownertrust".

                 For use with cron jobs, this command can be used
                 together  with  --batch  in which case the trust
                 database check  is  done  only  if  a  check  is
                 needed.   To  force a run even in batch mode add
                 the option --yes.

       --export-ownertrust
                 Send the ownertrust values to stdout. This is
                 useful  for  backup purposes as these values are
                 the only ones which can't be re-created  from  a

       --print-md algo [files]

       --print-mds [files]
                 Print message digest of algorithm ALGO for all
                 given files or stdin. With the second form (or
                 a deprecated "*" as algo) digests for all
                 available algorithms are printed.

       --gen-random 0|1|2 [count]
                 Emit  COUNT  random  bytes  of the given quality
                 level. If count is not given or zero, an endless
                 sequence   of  random  bytes  will  be  emitted.
                 PLEASE, don't use this command unless  you  know
                 what  you  are  doing;  it  may  remove precious
                 entropy from the system!

       --gen-prime mode bits [qbits]
                 Use the source, Luke :-). The output  format  is
                 still subject to change.

       --version Print  version  information along with a list of
                 supported algorithms.

       --warranty
                 Print warranty information.

       -h, --help
                 Print usage information.  This is a really  long
                 list  even  though  it doesn't list all options.
                 For every option, consult this manual.


       Long options can  be  put  in  an  options  file  (default
       "~/.gnupg/gpg.conf").   Short option names will not work -
       for example, "armor" is a valid  option  for  the  options
       file,  while  "a"  is not.  Do not write the 2 dashes, but
       simply the name of the option and any required  arguments.
       Lines with a hash ('#') as the first non-white-space
       character are ignored. Commands may be put in this file
       too, but that is not generally useful as the command will
       execute automatically with every execution of gpg.
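       The options-file rules above are easy to get wrong in ways
       that are not always reported loudly: a short name or a
       leading pair of dashes is not what gpg expects, and a
       command placed in the file runs on every invocation. The
       checker below is an added example, not part of GnuPG or of
       this manual page. It applies those format rules to a
       gpg.conf and also flags settings that this page describes as
       switching off key validation (trust-model always,
       always-trust) or as fetching unknown keys automatically
       (keyserver-options auto-key-retrieve). The option and
       command names it recognizes are only the ones documented on
       this page, so anything else is reported as informational;
       the sample configuration is constructed for the example.

```python
"""Check a gpg.conf written in the options-file format described above.

Added example, not part of GnuPG. One long option per line, no leading
dashes, '#' comment lines; the KNOWN_* sets are taken from this manual page
only and are assumed to be the whole vocabulary for the purpose of this check.
"""

# Long option names documented on this page (assumption: complete for this check).
KNOWN_OPTIONS = {
    "armor", "output", "default-key", "recipient", "default-recipient",
    "default-recipient-self", "encrypt-to", "verbose", "quiet", "compress",
    "interactive", "batch", "no-tty", "yes", "no", "default-cert-check-level",
    "trust-model", "always-trust", "keyserver", "keyserver-options",
    "import-options", "export-options", "show-photos", "photo-viewer",
    "show-keyring", "keyring", "secret-keyring", "homedir", "charset",
    "options", "load-extension", "debug", "debug-all", "no-auto-check-trustdb",
    "enable-progress-filter", "status-fd", "logger-fd", "attribute-fd",
}
# Commands from this page; in an options file they would run on every gpg call.
KNOWN_COMMANDS = {
    "sign", "clearsign", "detach-sign", "encrypt", "symmetric", "store",
    "decrypt", "verify", "list-keys", "list-secret-keys", "export",
    "export-secret-keys", "import", "recv-keys", "gen-random",
}


def lint_gpg_conf(text):
    """Return findings as a list of (line_number, severity, message)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or comment: ignored by gpg
            continue
        parts = line.split(None, 1)
        name = parts[0]
        arg = parts[1].strip() if len(parts) > 1 else ""
        if name.startswith("-"):
            findings.append((lineno, "error",
                             "options file takes names without dashes: %r" % name))
            name = name.lstrip("-")
        if len(name) == 1:
            findings.append((lineno, "error",
                             "short option %r is not accepted in the options file" % name))
            continue
        if name in KNOWN_COMMANDS:
            findings.append((lineno, "warn",
                             "command %r would execute on every gpg invocation" % name))
            continue
        # "no-foo" negates "foo"; accept it when the base option is known.
        base = name[3:] if name.startswith("no-") and name[3:] in KNOWN_OPTIONS else name
        if base not in KNOWN_OPTIONS:
            findings.append((lineno, "info",
                             "option %r is not in this page's list; check the manual" % name))
        # Settings that switch off checks this page describes.
        if name == "always-trust" or (name == "trust-model" and arg == "always"):
            findings.append((lineno, "warn",
                             "key validation disabled: every key is treated as fully trusted"))
        if name == "keyserver-options":
            # keyserver-options is space or comma delimited.
            if "auto-key-retrieve" in arg.replace(",", " ").split():
                findings.append((lineno, "warn",
                                 "auto-key-retrieve fetches unknown signing keys during --verify"))
        if name == "homedir":
            findings.append((lineno, "info",
                             "homedir has no effect here: gpg reads this file from the homedir"))
    return findings


# Constructed sample configuration (not from the page), mixing valid and bad lines.
SAMPLE_CONF = """\
# constructed sample gpg.conf
armor
a
--verbose
trust-model always
keyserver-options auto-key-retrieve,honor-http-proxy
encrypt
no-tty
"""

if __name__ == "__main__":
    for lineno, severity, msg in lint_gpg_conf(SAMPLE_CONF):
        print("line %d [%s] %s" % (lineno, severity, msg))
```

       Run against the constructed sample, the checker reports the
       short option, the dashed option, the always-trust setting,
       the auto-key-retrieve keyserver option and the stray encrypt
       command, and accepts armor and no-tty.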

       gpg recognizes these options:

       -a, --armor
                 Create ASCII armored output.

       -o, --output file
                 Write output to file.


       --default-key name
                 Use  name as default user ID for signatures.  If
                 this is not used the  default  user  ID  is  the
                 first user ID found in the secret keyring.

       -r, --recipient name
                 Encrypt for user id name. If this option is not
                 specified, GnuPG asks for the user-id unless
                 --default-recipient is given.

       --default-recipient name
                 Use name as default recipient if option
                 --recipient is not used and don't ask if this is
                 a valid one. name must be non-empty.

       --default-recipient-self
                 Use the default key as default recipient if
                 option --recipient is not used and don't ask  if
                 this  is  a  valid  one.  The default key is the
                 first one from the secret keyring or the one set
                 with --default-key.

       --no-default-recipient
                 Reset --default-recipient and
                 --default-recipient-self.

       --encrypt-to name
                 Same as --recipient but this one is intended for
                 use  in  the  options  file and may be used with
                 your own user-id as an "encrypt-to-self".  These
                 keys  are only used when there are other recipi­
                 ents given either by use of  --recipient  or  by
                 the  asked  user  id.  No trust checking is per­
                 formed for these user ids and even disabled keys
                 can be used.

       --no-encrypt-to
                 Disable the use of all --encrypt-to keys.

       -v, --verbose
                 Give more information during processing. If used
                 twice, the input data is listed in detail.

       -q, --quiet
                 Try to be as quiet as possible.

       -z n, --compress n
                 Set compression level to n. A value of 0  for  n
                 disables  compression.  Default  is  to  use the
                 default compression level of zlib (normally  6).


       -i, --interactive
                 Prompt before overwriting any files.


       --batch   Use batch mode. Never ask, do not allow
                 interactive commands. --no-batch disables this
                 option.

       --no-tty  Make  sure that the TTY (terminal) is never used
                 for any output.  This option is needed  in  some
                 cases because GnuPG sometimes prints warnings to
                 the TTY if --batch is used.

       --yes     Assume "yes" on most questions.

       --no      Assume "no" on most questions.

       --default-cert-check-level n
                 The default to use  for  the  check  level  when
                 signing a key.

                 0  means  you make no particular claim as to how
                 carefully you verified the key.

                 1 means you believe the key is owned by the
                 person who claims to own it but you could not, or
                 did not verify the key at all.  This  is  useful
                 for a "persona" verification, where you sign the
                 key of a pseudonymous user.

                 2 means you did casual verification of the key.
                 For example, this could mean that you verified
                 the key fingerprint and checked the user ID on
                 the key against a photo ID.

                 3  means  you  did extensive verification of the
                 key.  For example, this could mean that you ver­
                 ified  the key fingerprint with the owner of the
                 key in person, and that you checked, by means of
                 a  hard  to forge document with a photo ID (such
                 as a passport) that the name of  the  key  owner
                 matches  the name in the user ID on the key, and
                 finally that you verified (by exchange of email)
                 that the email address on the key belongs to the
                 key owner.

                 Note that the examples given above for levels  2
                 and  3  are just that: examples.  In the end, it

       --trust-model classic|always
                 Set  what  trust model GnuPG should follow.  The
                 models are:

                 classic   This is the  regular  web-of-trust  as
                           used in PGP and GnuPG.

                 always    Skip  key  validation  and assume that
                           used keys are  always  fully  trusted.
                           You  won't  use  this  unless you have
                           installed  some  external   validation
                           scheme.   This  option also suppresses
                           the  "[uncertain]"  tag  printed  with
                           signature checks when there is no
                           evidence that the user ID is bound to
                           the key.

       --always-trust
                 Identical to `--trust-model always'

       --keyserver name
                 Use  name as your keyserver.  This is the server
                 that --recv-keys, --send-keys, and --search-keys
                 will communicate with to receive keys from, send
                 keys to, and search for keys on.  The format  of
                 the name is a URI: `scheme:[//]keyservername[:port]'
                 The scheme is the type of keyserver: "hkp" for
                 the Horowitz (or compatible)
                 keyservers, "ldap" for the NAI  LDAP  keyserver,
                 or  "mailto"  for  the Horowitz email keyserver.
                 Note that your particular installation of  GnuPG
                 may  have  other  keyserver  types  available as
                 well.  Keyserver schemes are case-insensitive.

                 Most keyservers synchronize with each other,  so
                 there  is generally no need to send keys to more
                 than one server.  Using  the  command  "host  -l
                 pgp.net  | grep wwwkeys" gives you a list of HKP
                 keyservers.   When  using  one  of  the  wwwkeys
                 servers, due to load balancing using round-robin
                 DNS you may notice that you get a different  key
                 server each time.

       --keyserver-options parameters
                 This  is  a space or comma delimited string that
                 gives options for the keyserver.  Options can be
                 prepended  with  a  `no-'  to  give the opposite
                 meaning.  Valid import-options or export-options
                 may  be  used here as well to apply to importing
                 (--recv-key) or  exporting  (--send-key)  a  key
                 from a keyserver. While not all options are
                 available for all keyserver types, some common
                 options are:

                 include-disabled
                           When searching for a key with
                           --search-keys, include keys that are
                           marked on the keyserver as disabled.
                           Note that this option is not used with
                           HKP keyservers.

                 include-subkeys
                           When receiving a key, include subkeys
                           as potential targets. Note that this
                           option is not used with HKP keyservers,
                           as they do not support retrieving keys
                           by subkey id.

                 use-temp-files
                           On most Unix-like platforms, GnuPG
                           communicates with the keyserver helper
                           program via pipes, which is the most
                           efficient method. This option forces
                           GnuPG to use temporary files to
                           communicate. On some platforms (such as
                           Win32  and  RISC  OS),  this option is
                           always enabled.

                 keep-temp-files
                           If using `use-temp-files', do not
                           delete  the  temp  files  after  using
                           them.  This option is useful to  learn
                           the  keyserver  communication protocol
                           by reading the temporary files.

                 verbose   Tell the keyserver helper  program  to
                           be  more  verbose.  This option can be
                           repeated multiple  times  to  increase
                           the verbosity level.

                 honor-http-proxy
                           For keyserver schemes that use HTTP
                           (such as HKP), try to access the
                           keyserver over the proxy set with the
                           environment variable "http_proxy".

                 auto-key-retrieve
                           This option enables the automatic
                           retrieving  of  keys  from a keyserver
                           when verifying signatures made by keys
                           that are not on the local keyring.

       --import-options parameters
                 This  is  a space or comma delimited string that
                 gives options for importing keys.   Options  can
                 be  prepended  with a `no-' to give the opposite
                 meaning.  The options are:

                 repair-pks-subkey-bug
                           give you back one subkey. Defaults to
                           no for regular --import and to yes for
                           keyserver --recv-keys.

       --export-options parameters
                 This is a space or comma delimited  string  that
                 gives  options  for exporting keys.  Options can
                 be prepended with a `no-' to give  the  opposite
                 meaning.  The options are:

                 include-non-rfc
                           Include non-RFC compliant keys in the
                           export.  Defaults to yes.

                 include-local-sigs
                           Allow exporting key signatures marked
                           as  "local".   This  is  not generally
                           useful unless a shared keyring  scheme
                           is being used.  Defaults to no.

                 include-attributes
                           Include attribute user IDs (photo IDs)
                           while exporting.  This  is  useful  to
                           export  keys  if  they are going to be
                           used by an OpenPGP program  that  does
                           not   accept   attribute   user   IDs.
                           Defaults to yes.

                 include-sensitive-revkeys
                           Include designated revoker information
                           that   was   marked   as  "sensitive".
                           Defaults to no.


       --show-photos
                 Causes --list-keys, --list-sigs,
                 --list-public-keys, --list-secret-keys, and
                 verifying a signature to also display the photo
                 ID attached to the key, if any. See also
                 --photo-viewer. --no-show-photos disables this
                 option.

       --photo-viewer string
                 This is the command line that should be  run  to
                 view  a  photo  ID.   "%i" will be expanded to a
                 filename containing the photo.   "%I"  does  the
                 same,  except  the file will not be deleted once
                 the viewer exits.  Other flags are "%k" for  the
                 key  ID,  "%K" for the long key ID, "%f" for the
                 key fingerprint, "%t" for the extension  of  the
                 image  type (e.g. "jpg"), "%T" for the MIME type
                 of the image (e.g. "image/jpeg"), and "%%" for an
                 actual percent sign.

       --show-keyring
                 Causes --list-keys, --list-public-keys, and
                 --list-secret-keys  to  display  the name of the
                 keyring a given key resides  on.  This  is  only
                 useful when you're listing a specific key or set
                 of keys. It has no effect when listing all keys.

       --keyring file
                 Add  file  to  the  list  of  keyrings.  If file
                 begins with a  tilde  and  a  slash,  these  are
                 replaced  by the HOME directory. If the filename
                 does not contain a slash, it is assumed to be in
                 the  home-directory  ("~/.gnupg" if --homedir is
                 not used). The filename may be prefixed with a
                 scheme: "gnupg-ring:" is the default one.

                 It might make sense to use it together with
                 --no-default-keyring.

       --secret-keyring file
                 Same as --keyring but for the secret keyrings.

       --homedir directory
                 Set the name of the home directory to directory.
                 If this option is not used it defaults to
                 "~/.gnupg". It does not make sense to use this
                 in an options file. This also overrides the
                 environment variable "GNUPGHOME".

       --charset name
                 Set the name of the native character set.   This
                 is  used to convert some strings to proper UTF-8
                 encoding.  If  this  option  is  not  used,  the
                 default  character  set  is  determined from the
                 current locale.  A verbosity level  of  3  shows
                 the used one.  Valid values for name are:

                 iso-8859-1
                           This is the Latin 1 set.

                 iso-8859-2
                           The Latin 2 set.

                 iso-8859-15
                           This is currently an alias for the
                           Latin 1 set.

                 koi8-r    The usual Russian set (rfc1489).

                 utf-8     Bypass  all  translations  and  assume
                 Read options from file and do not try to read
                 them from the default options file in the
                 homedir (see --homedir). This option is ignored
                 if used in an options file.

                 Shortcut for "--options /dev/null".  This option
                 is  detected before an attempt to open an option
                 file.  Using this option will also prevent the
                 creation of a "~/.gnupg" homedir.

       --load-extension name
                 Load an extension module. If name does not
                 contain a slash it is searched for in the
                 directory configured when GnuPG was built
                 (generally "/usr/local/lib/gnupg").  Extensions
                 are not generally useful anymore, and the use of
                 this option is deprecated.

       --debug flags
                 Set debugging flags. All  flags  are  or-ed  and
                 flags may be given in C syntax (e.g. 0x0042).

                 Set all useful debugging flags.

                 Enable  certain  PROGRESS  status outputs.  This
                 option allows frontends to  display  a  progress
                 indicator  while gpg is processing larger files.
                 There is a slight performance overhead using it.

       --status-fd n
                 Write special status strings to the file
                 descriptor n.  See the file DETAILS in the
                 documentation for a listing of them.

       --logger-fd n
                 Write log output to file descriptor n and not to

       --attribute-fd n
                 Write attribute subpackets to the file
                 descriptor n.  This is most useful for use with
                 --status-fd, since the status messages are needed
                 to separate out the various subpackets from the
                 stream delivered to the file descriptor.


                 Include secret key comment packets when  export­

                 Force to write the standard  comment  string  in
                 clear  text signatures.  Use this to overwrite a
                 --comment from a config file.   This  option  is
                 now obsolete because there is no default comment
                 string anymore.


                 Force inclusion of the version string  in  ASCII
                 armored output.  --no-emit-version disables this

       --sig-notation name=value

       --cert-notation name=value

       -N, --notation-data name=value
                 Put the name value pair into the signature as
                 notation data.  name must consist only of
                 printable characters or spaces, and must contain
                 a '@' character.  This is to help prevent
                 pollution of the IETF reserved notation
                 namespace.  The --expert flag overrides the
                 encoded in UTF8, so you should check that your
                 --charset is set correctly.  If you prefix name
                 with an exclamation mark, the notation data will
                 be flagged as critical (rfc2440: --sig-notation
                 sets a notation for data signatures.
                 --cert-notation sets a notation for key
                 signatures (certifications).  --notation-data
                 sets both.

                 There are special codes  that  may  be  used  in
                 notation  names.  "%k" will be expanded into the
                 key ID of the key being  signed,  "%K"  for  the
                 long  key  ID  of the key being signed, "%f" for
                 the key fingerprint of  the  key  being  signed,
                 "%s" for the key ID of the key making the
                 signature, "%S" for the long key ID of the key
                 making the signature, and "%%" results in a
                 single "%".
                 %k, %K, and %f are only meaningful when making a
                 key signature (certification).


                 Show  signature  notations in the --list-sigs or
                 --check-sigs listings as well as when  verifying
                 a  signature  with a notation in it.  --no-show-
                 notation disables this option.
                 The same %-expandos used for notation  data  are
                 available here as well.


                 Show policy URLs in the --list-sigs or
                 --check-sigs listings as well as when verifying a
                 signature with a policy URL in it.
                 --no-show-policy-url disables this option.

       --set-filename string
                 Use string as the name of file which  is  stored
                 in messages.


                 Set the `for your eyes only' flag in the
                 message.  This causes GnuPG to refuse to save the
                 file  unless  the  --output option is given, and
                 PGP to use the "secure viewer" with  a  Tempest-
                 resistant  font  to  display  the message.  This
                 option overrides --set-filename.  --no-for-your-
                 eyes-only disables this option.

                 Try  to create a file with a name as embedded in
                 the data.  This can be a dangerous option as it
                 allows overwriting files.

       --completes-needed n
                 Number  of completely trusted users to introduce
                 a new key signer (defaults to 1).

       --marginals-needed n
                 Number of marginally trusted users to  introduce
                 a new key signer (defaults to 3).

       --max-cert-depth n
                 Maximum  depth of a certification chain (default
                 is 5).

       --cipher-algo name
                 Use name as cipher algorithm. Running the
                 program with the command --version yields a list
                 of supported algorithms. If this is not used the
                 cipher algorithm is selected from the
                 preferences stored with the key.

       --digest-algo name
                 Use name as the message digest  algorithm.  Run­
                 Use name as the cipher algorithm used to protect
                 secret keys.  The default cipher is CAST5.  This
                 cipher  is also used for conventional encryption
                 if --cipher-algo is not given.

       --s2k-digest-algo name
                 Use name as the digest algorithm used to  mangle
                 the   passphrases.   The  default  algorithm  is
                 SHA-1.  This digest algorithm is also  used  for
                 conventional  encryption if --digest-algo is not

       --s2k-mode n
                 Selects how passphrases are mangled. If n is 0 a
                 plain passphrase (which is not recommended) will
                 be used, a 1 adds a salt to the passphrase and a
                 3  (the  default)  iterates  the whole process a
                 couple of times.  Unless --rfc1991 is used, this
                 mode is also used for conventional encryption.
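
                 As an added illustration of what --s2k-mode selects (example code, not part of this man page): the three string-to-key modes as RFC 2440 specifies them, with SHA-1 as the page's default --s2k-digest-algo. The passphrase and salt are constructed, and the default coded count 0x60 is my assumption about gpg 1.x, not something the page states.

```python
"""OpenPGP string-to-key (S2K): the passphrase mangling chosen by --s2k-mode.

Added example following RFC 2440's S2K specifiers (simple, salted,
iterated+salted) as I recall them; SHA-1 is the page's default digest.
"""
import hashlib
import os

# gpg 1.x hashed 65536 octets (coded count 0x60) unless told otherwise (assumption).
DEFAULT_CODED_COUNT = 0x60


def decode_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def hashed_octets(mode: int, passphrase: bytes, salt: bytes = b"",
                  coded_count: int = DEFAULT_CODED_COUNT) -> int:
    """Octets the digest must process for one passphrase guess.

    This is the per-candidate cost of a dictionary attack on the keyring,
    which is why mode 3 is the default and mode 0 is 'not recommended'.
    """
    material = (salt if mode in (1, 3) else b"") + passphrase
    if mode == 3:
        # Never hash less than one full copy of salt || passphrase.
        return max(decode_count(coded_count), len(material))
    return len(material)


def s2k(passphrase: bytes, key_len: int, mode: int = 3, salt: bytes = b"",
        coded_count: int = DEFAULT_CODED_COUNT, digest: str = "sha1") -> bytes:
    """Derive key_len octets of key material from a passphrase.

    mode 0: hash(passphrase)                                   (--s2k-mode 0)
    mode 1: hash(salt || passphrase)                           (--s2k-mode 1)
    mode 3: hash((salt || passphrase) repeated up to the count) (--s2k-mode 3)
    When the digest is shorter than key_len, further contexts are run, each
    preloaded with one more zero octet than the previous one.
    """
    if mode not in (0, 1, 3):
        raise ValueError("unsupported S2K mode %d" % mode)
    if mode in (1, 3) and len(salt) != 8:
        raise ValueError("salted modes need an 8-octet salt")
    material = (salt if mode in (1, 3) else b"") + passphrase
    total = hashed_octets(mode, passphrase, salt, coded_count)

    out = b""
    context = 0
    while len(out) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * context)  # preload zeros; not counted toward total
        remaining = total
        while remaining > 0 and material:
            chunk = material[:remaining]  # last copy may be partial
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        context += 1
    return out[:key_len]


if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed passphrase
    salt = os.urandom(8)
    for mode in (0, 1, 3):
        key = s2k(pw, 16, mode=mode, salt=salt)   # 16 octets: a CAST5 key
        print("mode %d: %8d octets hashed per guess -> %s"
              % (mode, hashed_octets(mode, pw, salt), key.hex()))
```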

                 Secret  keys  are integrity protected by using a
                 SHA-1 checksum.  This method will be part of  an
                 enhanced OpenPGP specification but GnuPG already
                 uses it  as  a  countermeasure  against  certain
                 attacks.  Old applications don't understand this
                 new format, so this option may be used to switch
                 back to the old behaviour.  Using this option
                 bears a security risk.  Note that using
                 this  option  only  takes effect when the secret
                 key is encrypted - the simplest way to make this
                 happen  is  to  change the passphrase on the key
                 (even changing it to the same value  is  accept­

       --compress-algo n
                 Use  compression  algorithm  n.   The value 2 is
                 RFC1950  ZLIB  compression.   The  value  1   is
                 RFC-1951  ZIP  compression which is used by PGP.
                 0 disables compression.  If this option  is  not
                 used, the default behavior is to examine the
                 recipient key preferences to see which
                 algorithms the recipient supports.  If all else
                 fails, ZIP is used for maximum compatibility.
                 Note, however, that ZLIB may give better
                 compression results if that is more important,
                 as the compression window size is not limited to

       --disable-cipher-algo name
                 Never allow the use of name as cipher algorithm.
                 The  given  name  will  not be checked so that a
                 disable  the caching.  It probably does not make
                 sense to disable it because all kind  of  damage
                 can  be done if someone else has write access to
                 your public keyring.

                 GnuPG normally verifies each signature right
                 after creation to protect against bugs and
                 hardware malfunctions which could leak out bits
                 from the secret key.  This extra verification
                 needs some time (about 115% for DSA keys), and so
                 this option can be used to disable it.  However,
                 due to the fact that the signature creation needs
                 manual interaction, this performance penalty
                 does not matter in most settings.


                 If GnuPG feels that its  information  about  the
                 Web-of-Trust has to be updated, it automatically
                 runs  the  --check-trustdb  command  internally.
                 This  may  be  a  time consuming process.  --no-
                 auto-check-trustdb disables this option.

                 Do not put the  keyid  into  encrypted  packets.
                 This  option  hides  the receiver of the message
                 and is a countermeasure against traffic
                 analysis.  It may slow down the decryption
                 process because all available secret keys are
                 tried.

                 This option changes the  behavior  of  cleartext
                 signatures  so  that  they can be used for patch
                 files. You should not send such an armored  file
                 via  email  because  all spaces and line endings
                 are hashed too.  You can not use this option for
                 data  which  has  5 dashes at the beginning of a
                 line, patch files don't have this.  A special
                 armor header line tells GnuPG about this
                 cleartext signature option.


                 Because some mailers change lines starting  with
                 "From  "  to  ">From " it is good to handle such
                 lines in a special way when  creating  cleartext
                 signatures  to  prevent  the  mail  system  from
                 breaking the signature.  Note that all other PGP
                 versions   do  it  this  way  too.   Enabled  by
                 TTY but from  the  given  file  descriptor.   It
                 should  be  used  together with --status-fd. See
                 the file doc/DETAILS in the source  distribution
                 for details on how to use it.


                 Try  to  use  the  GnuPG-Agent. Please note that
                 this agent is  still  under  development.   With
                 this option, GnuPG first tries to connect to the
                 agent before it asks for  a  passphrase.   --no-
                 use-agent disables this option.

                 Override  the  value of the environment variable
                 GPG_AGENT_INFO.  This is only used  when  --use-
                 agent has been given.

       --rfc1991 Try to be more RFC1991 (PGP 2.x) compliant.


       --no-pgp2 Set up all options to be as PGP 2.x compliant as
                 possible, and warn if an action is  taken  (e.g.
                 encrypting  to a non-RSA key) that will create a
                 message that PGP 2.x will not be able to handle.
                 Note  that `PGP 2.x' here means `MIT PGP 2.6.2'.
                 There are other versions of PGP  2.x  available,
                 but the MIT release is a good common baseline.

                 This   option  implies  `--rfc1991  --no-openpgp
                 --disable-mdc  --no-force-v4-certs  --no-comment
                 --escape-from-lines   --force-v3-sigs  --no-ask-
                 sig-expire  --no-ask-cert-expire   --cipher-algo
                 IDEA  --digest-algo  MD5 --compress-algo 1'.  It
                 also disables --textmode when encrypting.  --no-
                 pgp2 disables this option.


       --no-pgp6 Set  up  all options to be as PGP 6 compliant as
                 possible.  This restricts  you  to  the  ciphers
                 IDEA  (if  the  IDEA plugin is installed), 3DES,
                 and CAST5, the hashes MD5, SHA1  and  RIPEMD160,
                 and  the  compression  algorithms  none and ZIP.
                 This also  disables  --throw-keyid,  and  making
                 signatures  with  signing  subkeys as PGP 6 does
                 not understand signatures made by  signing  sub­

                 This  option implies `--disable-mdc --no-comment

       --no-pgp8 Set  up  all options to be as PGP 8 compliant as
                 possible.  PGP 8 is a lot closer to the  OpenPGP
                 standard  than  previous versions of PGP, so all
                 this  does  is  disable  --throw-keyid  and  set
                 --escape-from-lines  and --compress-algo 1.  The
                 allowed algorithms list is the  same  as  --pgp7
                 with  the  addition  of the SHA-256 digest algo­
                 rithm.  --no-pgp8 disables this option.

       --openpgp Reset all packet, cipher and digest  options  to
                 OpenPGP  behavior.  Use this option to reset all
                 previous  options   like   --rfc1991,   --force-
                 v3-sigs,  --s2k-*,  --cipher-algo, --digest-algo
                 and --compress-algo to OpenPGP compliant values.
                 All  PGP  workarounds  and --pgpX modes are also


                 OpenPGP states that an implementation should
                 generate v4 signatures but PGP versions 5 and
                 higher only recognize v4 signatures on key
                 material.  This option forces v3 signatures for
                 signatures on data.  Note that this option
                 overrides --ask-sig-expire, as v3 signatures
                 cannot have expiration dates.  --no-force-v3-sigs
                 disables this option.


                 Always  use  v4  key signatures even on v3 keys.
                 This option also changes the default hash
                 algorithm for v3 RSA keys from MD5 to SHA-1.
                 --no-force-v4-certs disables this option.

                 Force the use of encryption with a  modification
                 detection  code.   This  is always used with the
                 newer ciphers (those with  a  blocksize  greater
                 than  64  bits), or if all of the recipient keys
                 indicate MDC support in their feature flags.

                 Disable the use of  the  modification  detection
                 code.   Note  that  by  using  this  option, the
                 encrypted message becomes vulnerable to a
                 message modification attack.


                 GnuPG  normally checks that the timestamps asso­
                 ciated with keys and signatures  have  plausible
                 values.  However, sometimes a signature seems to
                 be older than the key  due  to  clock  problems.
                 This option makes these checks just a warning.

                 GnuPG  normally  does not select and use subkeys
                 created in the future.  This option  allows  the
                 use of such keys and thus exhibits the pre-1.0.7
                 behaviour.  You should not use this option
                 unless there is some clock problem.

                 The  ASCII armor used by OpenPGP is protected by
                 a  CRC  checksum  against  transmission  errors.
                 Sometimes  it  happens that the CRC gets mangled
                 somewhere on the transmission  channel  but  the
                 actual   content  (which  is  protected  by  the
                 OpenPGP protocol anyway) is  still  okay.   This
                 option will let gpg ignore CRC errors.

                 This  option  changes a MDC integrity protection
                 failure into a warning.  This can be useful if a
                 message is partially corrupt, but it is
                 necessary to get as much data as possible out of
                 the corrupt message.  However, be aware that a
                 MDC protection failure may also mean that the
                 message was tampered with intentionally by an

                 Lock the databases the  first  time  a  lock  is
                 requested  and do not release the lock until the
                 process terminates.

                 Release the locks every time a lock is no longer
                 needed.  Use this to override a previous --lock-
                 once from a config file.

                 Disable locking entirely.  This option should be
                 used only in very special environments, where it
                 can be assured that only one process is
                 accessing those files.  A bootable floppy with a
                 stand-alone encryption system will probably  use
                 this.  Improper usage of this option may lead to
                 data and key corruption.

                 Suppress  the warning about "using insecure mem­

                 Suppress the warning about unsafe file
                 permissions.  Note that the file permission
                 checks
                 that GnuPG  performs  are  not  intended  to  be
                 authoritative,  rather  they  simply  warn about
                 certain  common  permission  problems.   Do  not
                 assume  that  the  lack  of a warning means that
                 your system is secure.

                 Suppress the warning about missing MDC integrity

                 Assume  the  input  data is not in ASCII armored

                 Do not add the default keyrings to the  list  of

                 Skip  the signature verification step.  This may
                 be used to make the  decryption  faster  if  the
                 signature verification is not needed.

                 Print  key  listings delimited by colons.  Note,
                 that the output will be encoded in UTF-8
                 regardless of any --charset setting.

                 Print  key  listings  delimited  by colons (like
                 --with-colons) and print the public key data.

                 Same as the command  --fingerprint  but  changes
                 only  the  format  of the output and may be used
                 together with another command.

                 Changes the output of the list commands to  work
                 faster;  this  is achieved by leaving some parts
                 empty.  Some applications don't need the user ID
                 and the trust information given in the listings.
                 By using this option they can get a faster
                 listing.  The exact behaviour of this option may

                 This  is  not for normal use.  Use the source to
                 see for what it might be useful.

                 This is not for normal use.  Use the  source  to
                 see for what it might be useful.

                 GnuPG versions prior to 1.0.2 had a bug in the
                 way a signature was encoded.  This option
                 enables a workaround by checking faulty
                 signatures again with the encoding used in old
                 versions.  This may only happen for ElGamal
                 signatures which are not widely used.

                 Display the session key used  for  one  message.
                 See  --override-session-key  for the counterpart
                 of this option.

                 We think that Key-Escrow is a Bad Thing; however
                 the  user  should  have  the  freedom  to decide
                 whether to go to prison or to reveal the content
                 of one specific message without compromising all
                 messages ever  encrypted  for  one  secret  key.

       --override-session-key string
                 Don't use the public key  but  the  session  key
                 string.   The  format of this string is the same
                 as the one printed by --show-session-key.   This
                 option is normally not used but comes in handy in
                 case someone forces you to reveal the content of
                 an  encrypted message; using this option you can
                 do this without handing out the secret key.


                 When making a  data  signature,  prompt  for  an
                 expiration time.  If this option is not
                 specified, the expiration time is "never".
                 --no-ask-sig-expire disables this option.


                 When making a key signature, prompt for an
                 expiration time.  If this option is not specified,
                 of what it allows you to  do,  leave  this  off.
                 --no-expert disables this option.

                 Don't  insert  new  keys into the keyrings while
                 doing an import.

                 This is an obsolete option and is not used  any­

                 Don't  look  at the key ID as stored in the mes­
                 sage but try all secret keys in turn to find the
                 right decryption key.  This option forces the
                 behaviour as used by anonymous recipients
                 (created by using --throw-keyid) and might come
                 in handy in case where an encrypted message
                 contains a bogus key ID.

                 This option enables a mode in which filenames
                 of the form -&n, where n is a non-negative
                 decimal number, refer to the file descriptor n
                 and not to a file with that name.

                 Experimental use only.

       --group name=value1 [value2 value3 ...]
                 Sets up a  named  group,  which  is  similar  to
                 aliases  in  email programs.  Any time the group
                 name is a recipient (-r or --recipient), it will
                 be expanded to the values specified.

                 The  values are key IDs or fingerprints, but any
                 key description is accepted.  Note that a  value
                 with spaces in it will be treated as two differ­
                 ent values.  Note also there is only one level
                 of expansion - you cannot make a group that
                 points to another group.   When  used  from  the
                 command  line,  it may be necessary to quote the
                 argument to this option  to  prevent  the  shell
                 from treating it as multiple arguments.

                 Don't change the permissions of a secret keyring
                 back to user read/write only.  Use  this  option
                 only if you really know what you are doing.

       --personal-cipher-preferences string
                 Set  the  list of personal cipher preferences to

       --personal-compress-preferences string
                 Set the list of personal compression preferences
                 to string, this list should be a string  similar
                 to  the one printed by the command "pref" in the
                 edit menu.  This allows the user  to  factor  in
                 their  own  preferred algorithms when algorithms
                 are chosen via recipient key preferences.

       --default-preference-list string
                 Set the list of default preferences  to  string,
                 this  list should be a string similar to the one
                 printed by the command "pref" in the edit  menu.
                 This  affects  both key generation and "updpref"
                 in the edit menu.

How to specify a user ID

       There are different ways to specify a user  ID  to  GnuPG;
       here are some examples:




                 Here  the  key  ID  is  given in the usual short




                 Here the key ID is given in  the  long  form  as
                 used  by  OpenPGP  (you  can get the long key ID
                 using the option --with-colons).




                 The best way to specify a key ID is by using the
                 fingerprint of the key.  This avoids any ambigu­
                 tive)  but  can  appear in any order in the user
                 ID.  Words are any sequences of letters, digits,
                 the  underscore  and  all  characters with bit 7


       *Heine    By case insensitive substring matching.  This is
                 the  default  mode  but applications may want to
                 explicitly indicate this by putting the asterisk
                 in front.

       Note that you can append an exclamation mark to key IDs or
       fingerprints.  This flag tells GnuPG to  use  exactly  the
       given  primary  or  secondary key and not to try to figure
       out which secondary or primary key to use.


       The program returns 0 if everything  was  fine,  1  if  at
       least a signature was bad, and other error codes for fatal


       gpg -se -r Bob file
                 sign and encrypt for user Bob

       gpg --clearsign file
                 make a clear text signature

       gpg -sb  file
                 make a detached signature

       gpg --list-keys  user_ID
                 show keys

       gpg --fingerprint  user_ID
                 show fingerprint

       gpg --verify  pgpfile

       gpg --verify  sigfile [files]
                 Verify the signature of the file but do not
                 output the data.  The second form is used for
                 detached signatures, where sigfile is the
                 detached signature (either ASCII armored or
                 binary) and [files] are the signed data; if this
                 is not given the name of the file holding the
                 signed data is constructed by cutting off the
                 extension (".asc" or ".sig") of sigfile or by
                 asking the user for the filename.
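
                 The return value described above tells a script only that no signature was bad, not which key made the signature. As an added example (not from this man page), the following Python reads the lines gpg writes to --status-fd during --verify and accepts a signature only from a pinned fingerprint; the status-line format follows GnuPG's doc/DETAILS as I recall it, and every fingerprint, key ID and user ID below is constructed.

```python
"""Judge a gpg --verify run from its --status-fd lines, not the exit status alone.

Added example.  Line formats follow GnuPG's doc/DETAILS as I recall it; the
fingerprints, key IDs and user IDs are constructed, not captured from gpg.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

STATUS_PREFIX = "[GNUPG:] "

# Keywords that mean the signature must not be accepted, whatever else appears.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
# Web-of-Trust verdict gpg reports for the signing key.
TRUST_KEYWORDS = {"TRUST_UNDEFINED", "TRUST_NEVER", "TRUST_MARGINAL",
                  "TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    keyid: Optional[str] = None
    fingerprint: Optional[str] = None
    trust: Optional[str] = None
    problems: List[str] = field(default_factory=list)


def normalize_fpr(fpr: str) -> str:
    """Fingerprints may be typed with spaces or lower case; compare canonically."""
    return fpr.replace(" ", "").upper()


def parse_status(text: str) -> List[List[str]]:
    """Split --status-fd output into [KEYWORD, arg, ...] records; other lines are ignored."""
    return [line[len(STATUS_PREFIX):].split()
            for line in text.splitlines() if line.startswith(STATUS_PREFIX)]


def evaluate(status_text: str, pinned: Set[str]) -> VerifyResult:
    """Accept only a GOODSIG whose VALIDSIG fingerprint (signing or primary key) is pinned."""
    allowed = {normalize_fpr(f) for f in pinned}
    result = VerifyResult(ok=False, reason="no signature seen")
    candidates: List[str] = []
    for rec in parse_status(status_text):
        if not rec:
            continue
        kw, args = rec[0], rec[1:]
        if kw == "GOODSIG" and args:          # GOODSIG <long keyid> <user id>
            result.keyid = args[0]
        elif kw == "VALIDSIG" and args:
            # VALIDSIG <fpr> <sig date> <sig ts> <expire ts> <ver> <reserved>
            #          <pk algo> <hash algo> <sig class> [<primary key fpr>]
            result.fingerprint = normalize_fpr(args[0])
            candidates = [result.fingerprint]
            if len(args) >= 10:
                candidates.append(normalize_fpr(args[9]))
        elif kw in FAILURE_KEYWORDS:
            result.problems.append(kw)
        elif kw in TRUST_KEYWORDS:
            result.trust = kw
    if result.problems:
        result.reason = "rejected: " + ", ".join(result.problems)
    elif result.keyid is not None:
        if any(c in allowed for c in candidates):
            result.ok = True
            result.reason = "good signature from pinned key"
        else:
            result.reason = "good signature, but the signing key is not pinned"
    return result


# Constructed sample status output (not real gpg output).
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER_FPR = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
GOOD_PINNED = (
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice Example <alice@example.org>\n"
    "[GNUPG:] VALIDSIG %s 2004-01-01 1072915200 0 3 0 17 2 00 %s\n"
    "[GNUPG:] TRUST_FULLY\n" % (PINNED_FPR, PINNED_FPR))
GOOD_UNPINNED = (
    "[GNUPG:] GOODSIG FEDCBA9876543210 Bob Example <bob@example.org>\n"
    "[GNUPG:] VALIDSIG %s 2004-01-01 1072915200 0 3 0 17 2 00 %s\n"
    "[GNUPG:] TRUST_UNDEFINED\n" % (OTHER_FPR, OTHER_FPR))
BAD_SIG = "[GNUPG:] BADSIG 89ABCDEF01234567 Alice Example <alice@example.org>\n"
NO_KEY = ("[GNUPG:] ERRSIG 1122334455667788 17 2 00 1072915200 9\n"
          "[GNUPG:] NO_PUBKEY 1122334455667788\n")

if __name__ == "__main__":
    for name, sample in [("pinned", GOOD_PINNED), ("unpinned", GOOD_UNPINNED),
                         ("bad", BAD_SIG), ("no key", NO_KEY)]:
        r = evaluate(sample, {PINNED_FPR})
        print("%-9s ok=%-5s %s" % (name, r.ok, r.reason))
```

                 In practice the text comes from running gpg with --status-fd pointed at a pipe (for example "gpg --status-fd 1 --verify sigfile file") and passing what it wrote to evaluate().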
                 is  set to the correct value.  The option --gpg-
                 agent-info can be used to override it.

                 Only honored when  the  keyserver-option  honor-
                 http-proxy is set.


                 The secret keyring

                 and the lock file

                 The public keyring

                 and the lock file

                 The trust database

                 and the lock file

                 used to preserve the internal random pool

                 Default configuration file

                 Old  style  configuration  file;  only used when
                 gpg.conf is not found

                 Skeleton options file

                 Default location for extensions


       Use a *good* password for your user account and  a  *good*
       passphrase to protect your secret key.  This passphrase is
       the weakest part of the whole system.  Programs to do
       dictionary attacks on your secret keyring are very easy to
       write and so you should protect your "~/.gnupg/" directory
       very well.

       Keep  in mind that, if this program is used over a network
       (telnet), it is *very* easy to spy out your passphrase!
       possible  to create a perfectly valid OpenPGP message, but
       one that cannot be read by the intended recipient.

       For example, as of this writing, no  version  of  official
       PGP  supports  the  BLOWFISH cipher algorithm.  If you use
       it, no PGP user will be able to decrypt your message.  The
       same  thing applies to the ZLIB compression algorithm.  By
       default, GnuPG uses the OpenPGP  preferences  system  that
       will  always  do  the right thing and create messages that
       are usable by all recipients, regardless of which  OpenPGP
       program  they use.  Only override this safe default if you
       know what you are doing.

       If you absolutely must override the safe  default,  or  if
       the preferences on a given key are invalid for some
       reason, you are far better off using the --pgp2, --pgp6,
       --pgp7, or --pgp8 options.  These options are safe as they
       do not force any particular  algorithms  in  violation  of
       OpenPGP,  but  rather reduce the available algorithms to a
       "PGP-safe" list.


       On many  systems  this  program  should  be  installed  as
       setuid(root).  This  is  necessary  to  lock memory pages.
       Locking memory pages prevents the  operating  system  from
       writing  memory  pages to disk. If you get no warning mes­
       sage about insecure memory your operating system  supports
       locking  without being root. The program drops root privi­
       leges as soon as locked memory is allocated.
