The GNU Privacy Handbook

Please direct questions, bug reports, or suggestions concerning this manual to the maintainer, Mike Ashley (). Contributors to this manual also include Matthew Copeland, Joergen Grahn, and David A. Wheeler. J Horacio MG has translated the manual to Spanish.

This manual may be redistributed under the terms of the GNU General Public License.


Table of Contents
1. Getting Started
Generating a new keypair
Generating a revocation certificate
Exchanging keys
Exporting a public key
Importing a public key
Encrypting and decrypting documents
Making and verifying signatures
Clearsigned documents
Detached signatures
2. Concepts
Symmetric ciphers
Public-key ciphers
Hybrid ciphers
Digital signatures
3. Key Management
Managing your own keypair
Key integrity
Adding and deleting key components
Revoking key components
Updating a key's expiration time
Validating other keys on your public keyring
Trust in a key's owner
Using trust to validate keys
Distributing keys
4. Daily use of GnuPG
Defining your security needs
Choosing a key size
Protecting your private key
Selecting expiration dates and using subkeys
Managing your web of trust
Building your web of trust
Using GnuPG legally
5. Topics
Writing user interfaces
I. Command Reference
sign — sign a document
detach-signature — make a detached signature
encrypt — encrypt a document
symmetric — encrypt a document using only a symmetric encryption algorithm
decrypt — decrypt an encrypted document
clearsign — make a cleartext signature
verify — verify a signed document
gen-key — generate a new keypair
gen-revoke — generate a revocation certificate for a public/private keypair
send-keys — send keys to a key server
recv-keys — retrieve keys from a key server
list-keys — list information about keys
list-public-keys — list keys on public keyrings
list-secret-keys — list keys on secret keyrings
list-sigs — list information about keys including signatures
check-sigs — list information about keys including validated signatures
fingerprint — display key fingerprints
import — import keys to a local keyring
fast-import — import/merge keys
export — export keys from a local keyring
export-all — export all public keys
export-secret-keys — export secret keys
edit-key — presents a menu for operating on keys
sign-key — sign a public key with a private key
lsign-key — locally sign a public key with a private key
delete-key — remove a public key
delete-secret-key — remove a public and private key
store — make only simple rfc1991 packets
export-ownertrust — export assigned owner-trust values
import-ownertrust — import owner-trust values
update-trustdb — update the trust database
print-md — display message digests
gen-random — generate random data
gen-prime — ?
version — display version information
warranty — display warranty information
help — display usage information
II. Options Reference
keyserver — specify the keyserver to use to locate keys
output — specify the file in which to place output
recipient — specify the recipient of a public-key encrypted document
default-recipient — specify the default recipient of a public-key encrypted document
default-recipient-self — use the default key user ID as the default recipient of a public-key encrypted document
no-default-recipient — ignore the options default-recipient and default-recipient-self
encrypt-to — specify an additional recipient of a public-key encrypted document
no-encrypt-to — ignore the option encrypt-to
armor — ASCII-armor encrypted or signed output
no-armor — assume input data is not ASCII armored
no-greeting — suppress the opening copyright notice but do not enter batch mode
no-secmem-warning — suppress warnings if insecure memory is used
batch — use batch mode
no-batch — disable batch mode
local-user — specifies a user id to use for signing
default-key — specifies a user ID as a default user ID for signatures
completes-needed — specifies the number of fully-trusted people needed to validate a new key.
marginals-needed — specifies the number of marginally-trusted people needed to validate a new key.
load-extension — specifies an extension to load.
rfc1991 — try to be more RFC1991 (PGP 2.x) compliant
allow-non-selfsigned-uid — allow the import of keys with user IDs which are not self-signed
cipher-algo — use a specified algorithm as the symmetric cipher
compress-algo — use a specified compression algorithm
z — set compression level
verbose — provide additional information during processing
no-verbose — resets verbosity to none
quiet — suppress informational output
textmode — use canonical text mode
dry-run — do not make changes
interactive — prompt before overwriting files
yes — assume ``yes'' to most questions
no — assume ``no'' to most questions
always-trust — skip key validation
skip-verify — skip signature verification
keyring — add a keyring to the list of keyrings
secret-keyring — add a secret keyring
no-default-keyring — do not add the default keyrings to the list of keyrings
homedir — set the home directory
charset — set the name of the native character set.
no-literal — ?
set-filesize — ?
with-fingerprint — modifies key listing output
with-colons — modifies key listing output
with-key-data — modifies key listing output
lock-once — locks the databases once
lock-multiple — locks the databases each time they are used
passphrase-fd — read the passphrase from a different input stream
force-mdc — force the use of encryption with appended manipulation code
force-v3-sigs — force the use of v3 signatures on data
openpgp — reset all packet, cipher, and digest options to the OpenPGP specification
utf8-strings — assume that arguments are provided as UTF8 strings
no-utf8-strings — assume that arguments are not provided as UTF8 strings
no-options — use no options file
debug — set debug flags
debug-all — set all useful debugging flags
status-fd — write status messages to an alternative output stream
logger-fd — write log messages to an alternative output stream
no-comment — do not write comment packets
comment — set the comment string to use in cleartext signatures
default-comment — use the standard comment string in cleartext signatures
no-version — omit the version string in clear text signatures
emit-version — emit the version string in cleartext signatures
notation-data — add data to a signature as notation data
set-policy-url — set the policy URL for signatures
set-filename — sets the filename stored in encrypted or signed messages
use-embedded-filename — use the filename embedded in a message for storing its plaintext or verified version
max-cert-depth — set the maximum depth of a certification chain
digest-algo — set the message digest algorithm
s2k-cipher-algo — use a specified algorithm as the symmetric cipher for encrypting private keys
s2k-digest-algo — set the message digest algorithm for mangling passphrases protecting private keys
s2k-mode — sets how passphrases are mangled
disable-cipher-algo — prevents a symmetric cipher from being used
disable-pubkey-algo — prevents a public key cipher from being used
throw-keyid — do not put key IDs into encrypted packets
not-dash-escaped — changes the format of cleartext signatures
escape-from-lines — modifies messages beginning with ``From'' when cleartext signing