gpgm [--homedir name] [--options file] [options] command [args]
-s, --sign Make a signature. This option may be combined with --encrypt.
--clearsign Make a clear text signature.
-b, --detach-sign Make a detached signature.
-e, --encrypt Encrypt data. This option may be combined with --sign.
-c, --symmetric Encrypt with symmetric cipher only This command asks for a passphrase.
--store store only (make a simple RFC1991 packet).
--decrypt [file] Decrypt file (or stdin if no file is specified) and write it to stdout (or the file specified with --output). If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message.
--verify [[sigfile] {signed-files}] Assume that filename is a signature and verify it without generating any output. With no arguments, the signature packet is read from stdin (it may be a detached signature when not used in batch mode). If only a sigfile is given, it may be a complete signature or a detached signature, in which case the signed stuff is expected in a file without the .sig or .asc extension (if such a file does not exist it is expected at stdin - use - as filename to force a read from stdin). With more than 1 argument, the first should be a detached signature and the remaining files are the signed stuff.
-k [username] [keyring] Kludge to be somewhat compatible with PGP. Without arguments, all public keyrings are listed. With one argument, only keyring is listed. Special combinations are also allowed, but it may give strange results when combined with more options. -kv Same as -k -kvv List the signatures with every key. -kvvv Additionally check all signatures. -kvc List fingerprints -kvvc List fingerprints and signatures
--list-keys [names] List all keys from the public keyrings, or just the ones given on the command line.
--list-secret-keys [names] List all keys from the secret keyrings, or just the ones given on the command line.
--list-sigs [names] Same as --list-keys, but the signatures are listed too.
--check-sigs [names] Same as --list-sigs, but the signatures are verified.
--fingerprint [names] List all keys with their fingerprints. This is the same output as list-keys but with the additonal output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs.
--list-packets List only the sequence of packets. This is mainly useful for debugging.
--gen-key Generate a new key pair. This command can only be used interactive.
--edit-key name Present a menu which enables you to do all key related tasks: sign Make a signature on key of user name. If the key is not yet signed by the default user (or the users given with -u), the program displays the information of the key again, together with its fingerprint and asks whether it should be signed. This question is repeated for all users specified with -u. trust Change the owner trust value. This updates the trust-db immediately and no save is required. adduid Create an alternate user id. deluid Delete an user id. addkey Add a subkey to this key. delkey Remove a subkey. expire Change the key expiration time. If a key is select, the time of this key will be changed. With no selection the key expiration of the primary key is changed. passwd Change the passphrase of the secret key. uid n Toggle selection of user id with index n. Use 0 to deselect all. key n Toggle selection of subkey with index n. Use 0 to deselect all. check Check all selected user ids. pref List preferences. toggle Toggle between public and secret key listing. save Save all changes to the key rings and quit. quit Quit the program without updating the key rings. The listing shows you the key with its secondary keys and all user ids. Selected keys or user ids indicated by an asterisk. The trust value is displayed with the primary key: The first one is the assigned owner trust and the second the calculated trust value; letters are used for the values: - No ownertrust assigned / not yet calculated. e Trust calculation has failed. q Not enough information for calculation. n Never trust this key. m Marginally trusted. f Fully trusted. u Ultimately trusted
--delete-key Remove key from the public keyring
--delete-secret-key Remove key from the secret and public keyring
--gen-revoke Generate a revocation certificate.
--export [names] Either export all keys from all keyrings (default keyrings and those registered via option --keyring), or if at least one name is given, those of the given name. The new keyring is written to stdout or to the file given with option ``output''. Use together with -a to mail those keys.
--export-secret-keys [names Same as --export, but does export the secret keys. This is normally not very useful.
--import, --fast-import Import/merge keys. The fast version does not build the trustdb; this can be deon at anytime with the command --update-trustdb.
--export-ownertrust List the assigned ownertrust values in ascii format for backup purposes [gpgm only].
--import-ownertrust [filename] Update the trustdb with the ownertrust values stored in filename (or stdin if not given); existing values will be overwritten. [gpgm only].
gpg recognizes these options:
-a, --armor Create ASCII armored output.
-o file, --output file Write output to file.
-u name, --local-user name Use name as the user-id to sign. This option is silently ignored for the list commands, so that it can be used in an options file.
--default-key name Use name as default user-id for signatures. If this is not used the default user-id is the first user-id from the secret keyring.
--trusted-key keyid Assume that the key with the keyid (which must be a full (8 byte) keyid) is as trustworthy as one of your own secret keys. This may be used to make keys valid which are not directly ceritified by you but by a CA you trust. The advantage of this option is that it shortens the path of certification.
You may also use this option to skip the verification
of your own secret keys which is normally done every
time GnuPG starts up: Use for I<keyid> the one of
your key.
-r name, --remote-user name Use name as the user-id for encryption. This option is silently ignored for the list commands, so that it can be used in an options file.
-v, --verbose Give more information during processing. If used twice, the input data is listed in detail.
-q, --quiet Be somewhat more quiet in some cases.
-z n Set compress level to n. A value of 0 for n disables compression. Default is to use the default compression level of zlib (which is 6).
-t, --textmode Use canonical text mode. If -t (but not --textmode) is used together with armoring and signing, this enables clearsigned messages. This kludge is needed for PGP compatibility; normally you would use --sign or --clearsign to selected the type os signatures.
-n, --dry-run Don't make any changes (not yet implemented).
--batch Batch mode; never ask, do not allow interactive commands.
--no-batch Disable batch mode; this may be used if batch is used in the options file.
--yes Assume ``yes'' on most questions.
--no Assume ``no'' on most questions.
--keyring file Add file to the list of keyrings. If file begins with a tilde and a slash, these are replaced by the HOME directory. If the filename does not contain a slash, it is assumed to be in the home-directory (~/.gnupg if --homedir) is not used. The filename may be prefixed with a scheme: ``gnupg-ring:'' is the default one. ``gnupg-gdbm:'' may be used for a GDBM ring.
--secret-keyring file Same as --keyring but for secret keyrings.
--homedir dir
Set the name of the home directory to dir. If this option is not used it defaults to ~/.gnupg. It does not make sense to use this in a options file. This also overrides
the environment variable GNUPGHOME.
--charset name Set the name of the native character set. This is used to convert some strings to proper UTF-8 encoding. Valid values for name are: iso-8859-1 This is the default. koi8-r The usual Russian set (rfc1489).
--options file Read options from file and do not try to read them from the default options file in the homedir (see --homedir). This option is ignored when used in an options file.
--no-options Shortcut for --options /dev/null. This option is detected before an attempt to open an option file.
--load-extension modulename Load an extension module. If modulename does not contain a slash it is searched in /usr/local/lib/gnupg See the manual for more information about extensions.
--debug flags Set debugging flags. All flags are or-ed and flags may be given in C syntax (e.g. 0x0042).
--debug-all Set all useful debugging flags.
--status-fd n Write special status strings to the file descriptor n.
--no-comment Do not write comment packets. This option affects only the generation of secret keys. Output of option packets is disabled since version 0.4.2.
--comment string Use string as comment string in clear text signatures.
--set-filename string Use string as the name of file which is stored in messages.
--completes-needed n Number of completely trusted users to introduce a new key signator (defaults to 1).
--marginals-needed n Number of marginally trusted users to introduce a new key signator (defaults to 3)
--max-cert-depth n Maximum depth of a certification chain (default is 5).
--cipher-algo name Use name as cipher algorithm. Running the program with the command --version yields a list of supported algorithms. If this is not used the cipher algorithm is selected from the preferences stored with the key.
--digest-algo name Use name as message digest algorithm. Running the program with the command --version yields a list of supported algorithms. Please note that using this option may violate the OpenPGP requirement, that a 160 bit hash is to be used for DSA.
--s2k-cipher-algo name Use name as the cipher algorithm used to protect secret keys. The default cipher is BLOWFISH. This cipher is also used for conventional encryption if --cipher-algo is not given.
--s2k-digest-algo name Use name as the digest algorithm used to mangle the passphrases. The default algorithm is RIPE-MD-160. This digest algorithm is also used for conventional encryption if --digest-algo is not given.
--s2k-mode number Selects how passphrases are mangled: A number of uses the plain passphrase (which is not recommended), a 1 (default) adds a salt to the passphrase and 3 interates the whole process a couple of times. Unless ---rfc1991 is used, this mode is also used for conventional encryption.
--compress-algo number Use compress algorithm number. Default is 2 which is RFC1950 compression; you may use 1 to use the old zlib version which is used by PGP. This is only used for new messages. The default algorithm may give better results because the window size is not limited to 8K. If this is not used the OpenPGP behaviour is used; i.e. the compression algorith is selected from the preferences.
--digest-algo name Use name as message digest algorithm. Running the program with the command --version yields a list of supported algorithms.
--throw-keyid Do not put the keyid into encrypted packets. This option hides the receiver of the message and is a countermeasure against traffic analysis. It may slow down the decryption process because all available secret keys are tried.
--not-dash-escaped This option changes the behaviour of cleartext signature so that they can be used for patch files. You should not send such an armored file via email because all spaces and line endings are hashed too. You can not use this option for data which has 5 dashes somewhere at the beginning of a line - patch files don't have this. A special armor header line tells GnuPG about this cleartext signature framework.
--passphrase-fd n Read the passphrase from file descriptor n. If you use 0 for n, the passphrase will be read from stdin. This can only be used if only one passphrase is supplied. Don't use this option if you can avoid it
--rfc1991 Try to be more RFC1991 (PGP 2.x) compliant.
--force-v3-sigs OpenPGP states that a implemenation should generate v4 signatures but PGP 5.x does only recognize such signatures on key material. This options forces v3 signatures for signatures on data.
--lock-once Lock the file the first time a lock is requested and do not release the lock until the process terminates.
--no-verbose Reset verbose level to 0.
--no-greeting Suppress the initial copyright message but do not enter batch mode.
--no-armor Assume the input data is not in ASCCI armored format.
--no-default-keyring Do not add the default keyrings to the list of keyrings.
--skip-verify Skip the signature verification step. This may be used to make the encryption faster if the signature verification is not needed.
--version Print version information along with a list of supported algorithms.
--with-colons Print key listings delimited by colons.
--warranty Print warranty information.
-h, --help Print usage information.
-se -r Bob [file] sign and encrypt for user Bob -sat [file] make a clear text signature -sb [file] make a detached signature -k [userid] show keys -kc [userid] show fingerprint
HOME Used to locate the default home directory.
GNUPGHOME If set directory used instead of ~/.gnupg.
~/.gnupg/pubring.gpg The public keyring ~/.gnupg/pubring.gpg.lock and the lock file
~/.gnupg/trustdb.gpg The trust database ~/.gnupg/trustdb.gpg.lock and the lock file
~/.gnupg/options May contain options
/usr[/local]/lib/gnupg/ Default location for extensions
gpg(1) gpgm(1)
Keep in mind that, if this program is used over a network (telnet), it is very easy to spy out your passphrase!
setuid(root); this is necessary to lock some pages of memory.
If you get no warning message about insecure memory your OS kernel supports
locking without being root; setuid is dropped as soon as this memory is
allocated.