Linux in a Nutshell

This directory of Linux commands is from Linux in a Nutshell, 5th Edition.


gpg

gpg [options] command [options]

The GNU Privacy Guard application allows you to encrypt and decrypt information, create public and private encryption keys, and use or verify digital signatures. GPG is based on the use of a pair of keys, one public and one private (or "secret"). Data encrypted with one key can only be decrypted with the other. To encrypt a message to you, someone would use your public key to create a message that could only be unlocked with your private key. To sign information, you would lock it with your private key, allowing anyone to verify that it came from you by unlocking it with your public key.

GPG has dozens of additional options that fine-tune the commands listed here. For a complete list, plus a guide to careful use of encryption and a deeper explanation of how public-key encryption works, visit www.gnupg.org.

Key Commands

--check-sigs [keyname]

Lists keys and signatures like --list-sigs, but also verifies them.

--delete-key keyname

Delete the specified key from the keyring.

--delete-secret-key keyname

Delete the named secret key from the keyring.

--delete-secret-and-public-key keyname

Delete the secret (if any) and then the public key for the specified name.

--desig-revoke keyname

Create a revocation certificate for a key pair and designate authority to issue it to someone else. This allows the user to permit someone else to revoke the key, if necessary.

--edit-key [keyname]

Edit key options using a menu-driven tool. Key options are too numerous to list here, but include everything from trust settings to images attached to keys for user identification purposes.

--export [keyname]

Output the specified key or, if no key is named, the entire keyring. Use the --output flag to send the key information to a file, and --armor to make the key mailable as ASCII text.

--export-secret-keys [keyname]

Outputs the specified secret key or keys. Operation is the same as --export, except with secret keys. This is a security risk and should be used with caution.

--export-secret-subkeys [keyname]

Outputs the specified secret subkeys. Operation is the same as --export, except with secret keys. This is a security risk and should be used with caution.

--fingerprint [keyname]

List keys and their fingerprints for keys named, or all keys if no name is specified. If repeated, shows fingerprints of secondary keys.

--gen-key

Generate a new pair of keys, prompting for several preferences and a passphrase. For most purposes, the default answers to the questions about algorithm and key length are fine.

--gen-revoke keyname

Create a revocation certificate for a key pair. A revocation certificate is designed to assure all parties that the key pair is no longer valid and should be discarded.

--keyserver keyserver

Specifies the name of the keyserver holding the key.

--list-keys [keyname]

List keys with the specified name, or all keys if no name is specified.

--list-public-keys [keyname]

List public keys with the specified name, or all public keys if no name is specified.

--list-secret-keys [keyname]

List secret keys with the specified name, or all secret keys if no name is specified.

--list-sigs [keyname]

Lists keys as --list-keys does, but also lists the signatures.

--import file

Read keys from a file and add them to your keyring. This is most often used with public keys that are sent by email, but can also be used to move private keys from one system to another. When combined with the --merge-only option, it adds only new signatures, subkeys, and user IDs to keys already in the keyring, not new keys.

--lsign-key keyname

Sign a public key, but mark it as non-exportable.

--nrsign-key keyname

Sign a public key and mark it as nonrevocable.

--recv-keys keyname

Download and import keys from a keyserver. The key name here should be the key ID as known to the keyserver, and the server must be specified with the --keyserver option.

--refresh-keys [keyname]

Check the keyserver for updates to keys already in the keyring. You can specify which keys to check for updates using the key IDs known to the server, and you must specify the server with the --keyserver option.

--search-keys [string]

Search the names of keys on the keyserver. Specify the keyserver with --keyserver.

--send-keys [keyname]

Send one or more keys to a keyserver. Specify the keyserver with --keyserver.

--sign-key keyname

Sign a public key using your private key. Often used to send the public key to a third party. This is the same as selecting "sign" from the --edit-key menu.

Signature Commands

-b, --detach-sign

Create a detached signature: the signature is written to its own file, separate from the data it signs.

--clearsign

Create a clear-text signature: the signed text remains readable, with the signature appended to it.

-s, --sign

Create a signature. May be combined with --encrypt.

--verify [detached-signature] [signed-file]

Verify the signature attached to a file. If the signature and data are in the same file, only one file needs to be specified. For detached signatures, the first file should be the .sig or .asc signature file, and the second the data file. If you wish to use stdin instead of a file for the detached data, you must specify a single dash (-) as the second filename.

--verify-files [files]

Verify one or more files named on the command line or read from stdin. Signatures must be part of the files submitted, and files sent to stdin should be listed one file per line. This is designed to check many files at once.
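As an added example (not from the book), the script below exercises --detach-sign and --verify together: it verifies a detached signature from a file and from stdin using the dash convention, then shows that verification fails once the signed data is modified. It assumes GnuPG 2.1 or later, which provides the batch key-generation options used here (--quick-generate-key, --pinentry-mode, --batch); the key, user ID, passphrase, and data file are constructed for the demonstration and live in a throw-away GNUPGHOME.

```shell
# Added example, not from Linux in a Nutshell. Assumes GnuPG 2.1+.
sign_and_verify_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }

    # Throw-away keyring in a temporary home so the real keyring is untouched.
    work=$(mktemp -d) || return 1
    export GNUPGHOME="$work"
    pass="constructed-demo-passphrase"          # sample value, not a real secret
    uid="Demo Signer <demo@example.invalid>"    # constructed user ID

    # --gen-key asks questions interactively; this batch form does not.
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1 || return 1

    printf 'release 1.0 tarball contents\n' > "$work/data.txt"   # constructed input

    # -b / --detach-sign: the signature goes to its own .sig file, data untouched.
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --detach-sign --output "$work/data.txt.sig" "$work/data.txt" >/dev/null 2>&1 || return 1

    # --verify with a detached signature: signature file first, data file second.
    gpg --batch --verify "$work/data.txt.sig" "$work/data.txt" >/dev/null 2>&1 || return 1

    # Same check with the data read from stdin; '-' stands for the data file.
    gpg --batch --verify "$work/data.txt.sig" - < "$work/data.txt" >/dev/null 2>&1 || return 1

    # Change one byte; a signature over the original data must now be rejected.
    printf 'release 1.0 tarball contents!\n' > "$work/data.txt"
    if gpg --batch --verify "$work/data.txt.sig" "$work/data.txt" >/dev/null 2>&1; then
        echo "verification unexpectedly succeeded on modified data"; return 1
    fi

    # Clean up the temporary keyring and its agent.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    unset GNUPGHOME
    echo "detached signature verified; tampered copy correctly rejected"
    return 0
}
```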

Encryption Commands

--encrypt

Encrypt data. May be used with --sign to create signed, encrypted data.

--encrypt-files [files]

Encrypt files one after another, either at the command line or sent to stdin one per line.

-c, --symmetric

Encrypt using a symmetric cipher with a passphrase rather than a key pair. The data is encrypted using the CAST5 algorithm unless you specify otherwise using the --cipher-algo flag.

--store

Create a PGP message packet (RFC 1991). This does not encrypt data; it just puts it into the right packet format.

Decryption Commands

--decrypt [file]

Decrypt a file. If no file is specified, stdin is decrypted. Decrypted data is sent to stdout or to the file specified with the --output flag. If the encrypted data is signed, the signature is also verified.

--decrypt-files [files]

Decrypt files one after another, either at the command line or sent to stdin one per line.

Other Commands

--check-trustdb

Check the list of keys with defined trust levels to see if they have expired or been revoked.

--export-ownertrust

Create a backup of the trust values for keys.

-h, --help

Display a help message.

--import-ownertrust [file]

Import trust values from a file or stdin. Overwrites existing values.

--list-packets

Display the packet sequence of an encrypted message. Used for debugging.

--update-trustdb

Update the database of trusted keys. For each key that has no defined level of trust, --update-trustdb prompts for an estimate of how much the key's owner can be trusted to certify other keys. This builds a web of more-trusted and less-trusted keys by which the overall security of a given key can be estimated.

--version

Display version information and quit.

--warranty

Display warranty information. There is no warranty.