GnuPG/Manual/4 Invoking GPG
// 1d83445b5bb6f83e08be8276d6bde539
* 4 Invoking GPG
// gpg is the OpenPGP part of the GNU Privacy Guard (GnuP...
gpg is the OpenPGP part of the GNU Privacy Guard (GnuPG).~
// It is a tool to provide digital encryption and signing...
It is a tool that provides encryption and signing using the OpenPGP standard.~
// gpg features complete key management and all the bells...
gpg features complete key management and is a full OpenPGP implementation...
// There are two main versions of GnuPG: GnuPG 1.x and Gn...
GnuPG comes in two main versions, GnuPG 1.x and GnuPG 2.x...
// GnuPG 2.x supports modern encryption algorithms and th...
Because GnuPG 2.x supports the latest encryption algorithms...
// You only need to use GnuPG 1.x if your platform doesn’...
You only need to use GnuPG 1.x if the platform you are using...
// If you are looking for version 1 of GnuPG, you may fin...
If you are looking for version 1 of GnuPG, it may be installed under the name gpg1...
// See [Option Index], page 217, for an index to gpg’s co...
For an index of gpg's commands and options, see [Option Index]...
** 4.1 Commands
// Commands are not distinguished from options except for...
Commands are no different from options, except that only one command can be used...
// Generally speaking, irrelevant options are silently ig...
Generally speaking, irrelevant options are ignored and are not checked for correctness...
// gpg may be run with no commands.
gpg can also be run without any command.
// In this case it will print a warning perform a reasona...
In this case a warning is printed and, depending on the type of the input file...
// (an encrypted message is decrypted, a signature is ver...
(an encrypted message is decrypted, a signature is verified, the contents of a file...
// If you run into any problems, please add the option ‘-...
If you run into any problems, add the ‘--verbose’ option when starting gpg...
*** 4.1.1 Commands not specific to the function
: --version |
// Print the program version and licensing information.
Print the program version and licensing information.
// Note that you cannot abbreviate this command.
Note that this command cannot be abbreviated.
: --help &br; -h |
// Print a usage message summarizing the most useful comm...
Print a usage message summarizing the most useful command-line options...
// Note that you cannot arbitrarily abbreviate this comma...
Note that this command cannot be arbitrarily abbreviated
//(though you can use its short form ‘-h’).
(though you can use its short form ‘-h’)
: --warranty |
// Print warranty information.
Print warranty information.
: --dump-options |
// Print a list of all available options and commands.
Print a list of all available options and commands.
// Note that you cannot abbreviate this command.
Note that this command cannot be abbreviated.
*** 4.1.2 Commands to select the type of operation
: --sign &br; -s |
Sign a message. This command may be combined with ‘--encr...
and encrypt a message), ‘--symmetric’ (to sign and symmet...
a message), or both ‘--encrypt’ and ‘--symmetric’ (to sig...
message that can be decrypted using a secret key or a pas...
key is chosen by default or can be set explicitly using t...
‘--default-key’ options.
: --clear-sign &br; --clearsign |
Make a cleartext signature. The content in a cleartext si...
without any special software. OpenPGP software is only ne...
signature. Cleartext signatures may modify end-of-line wh...
independence and are not intended to be reversible. The s...
default or can be set explicitly using the ‘--local-user’...
options.
: --detach-sign &br; -b |
Make a detached signature.
: --encrypt &br; -e |
// Encrypt data to one or more public keys.
Encrypt data to one or more public keys.
// This command may be combined with ‘--sign’ (to sign an...
This command may be combined with ‘--sign’ (to sign and encrypt a message)
// ‘--symmetric’ (to encrypt a message that can be decryp...
or ‘--symmetric’ (to encrypt a message that can be decrypted with a secret key or a passphrase...
// or ‘--sign’and ‘--symmetric’ together (for a signed me...
or both ‘--sign’ and ‘--symmetric’ (for a signed message that can be decrypted with a secret key or a passphrase...
// ‘--recipient’ and related options specify which public...
‘--recipient’ and related options specify the public keys to use for encryption...
: --symmetric &br; -c |
Encrypt with a symmetric cipher using a passphrase. The d...
cipher used is AES-128, but may be chosen with the ‘--cip...
This command may be combined with ‘--sign’ (for a signed ...
encrypted message), ‘--encrypt’ (for a message that may b...
via a secret key or a passphrase), or ‘--sign’ and ‘--enc...
signed message that may be decrypted via a secret key or ...
caches the passphrase used for symmetric encryption so th...
may not require that the user needs to enter the passphra...
‘--no-symkey-cache’ can be used to disable this feature.
: --store |
Store only (make a simple literal data packet).
: --decrypt &br; -d |
// Decrypt the file given on the command line (or STDIN i...
Decrypt the file given on the command line (or STDIN if no file is specified...
// If the decrypted file is signed, the signature is also...
If the decrypted file is signed, the signature is also verified...
// This command differs from the default operation, as it...
This command differs from the default operation: the file name contained in the file...
: --verify |
Assume that the first argument is a signed file and verif...
any output. With no arguments, the signature packet is re...
only one argument is given, the specified file is expecte...
signature.
With more than one argument, the first argument should sp...
detached signature and the remaining files should contain...
read the signed data from STDIN, use ‘-’ as the second fi...
reasons, a detached signature will not read the signed ma...
not explicitly specified.
Note: If the option ‘--batch’ is not used, gpg may assume...
is a file with a detached signature, and it will try to f...
data file by stripping certain suffixes. Using this histo...
detached signature is strongly discouraged; you should al...
file explicitly.
Note: When verifying a cleartext signature, gpg verifies ...
cleartext signed data and not any extra data outside of t...
or the header lines directly following the dash marker li...
may be used to write out the actual signed data, but ther...
with this format as well. It is suggested to avoid cleart...
of detached signatures.
Note: Sometimes the use of the gpgv tool is easier than u...
gpg with this option. gpgv is designed to compare signed ...
trusted keys and returns with success only for a good sig...
manual page.
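The advice above (name the data file explicitly, and prefer a tool such as gpgv that only succeeds for a good signature from a trusted key) can be followed from a script by deciding on gpg's machine-readable status lines instead of its human-readable messages. The following is an added example, not code from GnuPG or from this manual. It assumes gpg is on PATH; the ‘--batch’, ‘--no-tty’ and ‘--status-fd’ options and the status keywords (NEWSIG, GOODSIG, VALIDSIG, BADSIG, ERRSIG, EXPKEYSIG, REVKEYSIG, NO_PUBKEY) are the real ones gpg emits, while the sample status output, key ID, fingerprint and user ID are constructed:

```python
"""Script-safe verification of a detached signature with gpg.

Added example, not GnuPG's own code: gpg is invoked with the data file named
explicitly and its --status-fd lines are evaluated against an allow-list of
trusted primary-key fingerprints, in the spirit of gpgv's trusted keyring."""
import subprocess
from typing import Iterable, List, Tuple

KEYID = "0123456789ABCDEF"                 # constructed
TRUSTED_FPR = "0" * 24 + KEYID             # constructed 40-hex v4 fingerprint

# Constructed samples of what gpg writes to the status fd.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] GOODSIG {KEYID} Example User <user@example.org>\n"
    f"[GNUPG:] VALIDSIG {TRUSTED_FPR} 2024-01-01 1704067200 0 4 0 22 10 00 {TRUSTED_FPR}\n"
    "[GNUPG:] TRUST_ULTIMATE 0 pgp\n"
)
BAD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    f"[GNUPG:] BADSIG {KEYID} Example User <user@example.org>\n"
)
UNKNOWN_KEY_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1704067200 9 -\n"
    "[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"
)

# Any of these means the signature must not be accepted.
FAILURE_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def verify_command(sig_path: str, data_path: str) -> List[str]:
    """argv for verifying a detached signature, data file given explicitly
    (no reliance on gpg guessing the data file by stripping suffixes)."""
    return ["gpg", "--batch", "--no-tty", "--status-fd", "1",
            "--verify", sig_path, data_path]


def evaluate_status(status: str, trusted_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Accept only if every signature found is good and made by a trusted key."""
    trusted = {f.upper() for f in trusted_fprs}
    signatures = valid = 0
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue                       # ignore anything that is not a status line
        parts = line.split()[1:]
        if not parts:
            continue
        tag, args = parts[0], parts[1:]
        if tag == "NEWSIG":
            signatures += 1                # one NEWSIG precedes each signature checked
        elif tag in FAILURE_TAGS:
            return False, f"{tag}: {' '.join(args)}"
        elif tag == "VALIDSIG":
            # args: fpr date ts expire-ts version reserved pkalgo hashalgo class [primary-fpr]
            primary = args[9] if len(args) > 9 else args[0]
            if primary.upper() not in trusted:
                return False, f"signature by untrusted key {primary}"
            valid += 1
    if signatures == 0:
        return False, "no signature found"
    if valid != signatures:
        return False, f"{signatures} signature(s) but only {valid} valid and trusted"
    return True, "good signature from trusted key"


def verify_detached(sig_path: str, data_path: str, trusted_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Run gpg and combine its exit status with the status-line decision."""
    proc = subprocess.run(verify_command(sig_path, data_path), capture_output=True, text=True)
    ok, reason = evaluate_status(proc.stdout, trusted_fprs)
    return ok and proc.returncode == 0, reason


if __name__ == "__main__":
    for name, sample in (("good", GOOD_STATUS), ("bad", BAD_STATUS), ("unknown", UNKNOWN_KEY_STATUS)):
        print(name, evaluate_status(sample, [TRUSTED_FPR]))
```

Both the exit code and the status lines are required to agree before a file is accepted; a signature that is mathematically valid but made by a key outside the allow-list is rejected with a reason string that can be logged.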
: --multifile |
This modifies certain other commands to accept multiple f...
on the command line or read from STDIN with each filename...
line. This allows for many files to be processed at once....
currently be used along with ‘--verify’, ‘--encrypt’, and...
that ‘--multifile --verify’ may not be used with detached...
: --verify-files |
Identical to ‘--multifile --verify’.
: --encrypt-files |
Identical to ‘--multifile --encrypt’.
: --decrypt-files |
Identical to ‘--multifile --decrypt’.
: --list-keys &br; -k &br; --list-public-keys |
List the specified keys. If no keys are specified, then a...
public keyrings are listed.
Never use the output of this command in scripts or other ...
output is intended only for humans and its format is like...
‘--with-colons’ option emits the output in a stable, mach...
which is intended for use by scripts and other programs.
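As an added example (not part of this manual or of GnuPG), here is a parser for the ‘--with-colons’ listing that the text recommends for scripts, plus a filter that picks keys a script could encrypt to. The field positions follow GnuPG's DETAILS document; the listing it parses is constructed, with invented key IDs, fingerprints, hashes and user IDs, and the second key is deliberately expired so the filter has an edge case to handle:

```python
"""Parse `gpg --with-colons --list-keys` output into key records.

Added example, not GnuPG's own code. Field positions follow GnuPG's DETAILS
document (pub/sub/sec/ssb: validity, length, algorithm, key ID, creation,
expiry, owner trust, capabilities; fpr and uid carry their payload in the
tenth field). The listing below is a constructed sample."""
import re
from typing import Dict, List

# 0-based field positions after splitting a record on ':'.
F_TYPE, F_VALIDITY, F_LENGTH, F_ALGO, F_KEYID, F_CREATED, F_EXPIRES = 0, 1, 2, 3, 4, 5, 6
F_OWNERTRUST, F_USERID, F_CAPS = 8, 9, 11      # fpr records put the fingerprint in F_USERID

# Validity codes that make a key or subkey unusable for new encryption.
UNUSABLE = {"i", "d", "r", "e"}                # invalid, disabled, revoked, expired


def _fpr_record(keyid: str, fill: str) -> str:
    """Constructed fpr record: a 40-hex v4 fingerprint whose low 64 bits are the key ID."""
    return "fpr" + ":" * 9 + fill * 24 + keyid + ":\n"


# Constructed sample; every key ID, fingerprint, hash and user ID is invented.
SAMPLE_LISTING = (
    "tru::1:1700000000:0:3:1:5\n"
    "pub:u:255:22:0123456789ABCDEF:1700000000:1763000000::u:::scESCA::::::23::0:\n"
    + _fpr_record("0123456789ABCDEF", "0") +
    "uid:u::::1700000000::AABBCCDDEEFF00112233445566778899AABBCCDD::"
    "Example User <user@example.org>::::::::::0:\n"
    "sub:u:255:18:FEDCBA9876543210:1700000000:1763000000:::::e::::::23:\n"
    + _fpr_record("FEDCBA9876543210", "1") +
    "pub:e:3072:1:89ABCDEF01234567:1500000000:1531536000::-:::scESC::::::23::0:\n"
    + _fpr_record("89ABCDEF01234567", "2") +
    "uid:e::::1500000000::00112233445566778899AABBCCDDEEFF00112233::"
    r"Old Key\x3a retired <old@example.org>::::::::::0:" "\n"
    "sub:e:3072:1:76543210FEDCBA98:1500000000:1531536000:::::e::::::23:\n"
    + _fpr_record("76543210FEDCBA98", "3")
)


def unescape(value: str) -> str:
    """gpg writes ':' and other special bytes inside user IDs as \\xNN escapes."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _key_fields(f: List[str]) -> Dict:
    return {
        "keyid": f[F_KEYID],
        "validity": f[F_VALIDITY],
        "bits": int(f[F_LENGTH]),
        "algo": int(f[F_ALGO]),
        "created": int(f[F_CREATED]),
        "expires": int(f[F_EXPIRES]) if f[F_EXPIRES].isdigit() else None,
        "caps": f[F_CAPS] if len(f) > F_CAPS else "",
        "fingerprint": None,
    }


def parse_listing(text: str) -> List[Dict]:
    """Return one dict per primary key with its fingerprint, user IDs and subkeys."""
    keys: List[Dict] = []
    key = None      # primary key currently being filled
    last = None     # record (primary or subkey) the next fpr line belongs to
    for line in text.splitlines():
        if not line:
            continue
        f = line.split(":")
        rtype = f[F_TYPE]
        if rtype in ("pub", "sec"):
            key = _key_fields(f)
            key.update(ownertrust=f[F_OWNERTRUST], uids=[], subkeys=[])
            keys.append(key)
            last = key
        elif rtype in ("sub", "ssb") and key is not None:
            last = _key_fields(f)
            key["subkeys"].append(last)
        elif rtype == "fpr" and last is not None:
            fpr = f[F_USERID].upper()
            # A fingerprint that does not end in the key ID means the records are
            # out of order or corrupted; refuse rather than misattribute it.
            if not fpr.endswith(last["keyid"].upper()):
                raise ValueError(f"fingerprint {fpr} does not match key ID {last['keyid']}")
            last["fingerprint"] = fpr
        elif rtype == "uid" and key is not None:
            key["uids"].append({"validity": f[F_VALIDITY], "uid": unescape(f[F_USERID])})
        # tru, sig, rvk and other record types are not needed here
    return keys


def encryption_candidates(keys: List[Dict]) -> List[Dict]:
    """Keys a script could encrypt to: usable primary key plus at least one
    usable subkey carrying the 'e' (encrypt) capability."""
    return [
        k for k in keys
        if k["validity"] not in UNUSABLE
        and any("e" in s["caps"] and s["validity"] not in UNUSABLE for s in k["subkeys"])
    ]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for k in parsed:
        print(k["keyid"], k["validity"], k["fingerprint"], [u["uid"] for u in k["uids"]])
    print("encrypt to:", [k["keyid"] for k in encryption_candidates(parsed)])
```

The fingerprint cross-check against the key ID is what keeps a script from attaching the wrong fpr record to a key if the listing is truncated or interleaved; the same parser handles ‘--list-secret-keys’ output because it treats sec/ssb like pub/sub.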
: --list-secret-keys &br; -K |
List the specified secret keys. If no keys are specified,...
keys are listed. A # after the initial tags sec or ssb me...
subkey is currently not usable. We also say that this key...
(for example, a primary key can be taken offline by expor...
command ‘--export-secret-subkeys’). A > after these tags ...
key is stored on a smartcard. See also ‘--list-keys’.
: --check-signatures &br; --check-sigs |
Same as ‘--list-keys’, but the key signatures are verifie...
Note that for performance reasons the revocation status o...
not shown. This command has the same effect as using ‘--l...
‘--with-sig-check’.
The status of the verification is indicated by a flag dir...
tag (and thus before the flags described below). A "!" ind...
has been successfully verified, a "-" denotes a bad signa...
used if an error occurred while checking the signature (e...
algorithm). Signatures where the public key is not availa...
see their keyids the command ‘--list-sigs’ can be used.
For each signature listed, there are several flags in bet...
status flag and keyid. These flags give additional inform...
signature. From left to right, they are the numbers 1-3 f...
level (see ‘--ask-cert-level’), "L" for a local or non-ex...
(see ‘--lsign-key’), "R" for a nonRevocable signature (se...
command "nrsign"), "P" for a signature that contains a po...
‘--cert-policy-url’), "N" for a signature that contains a...
‘--cert-notation’), "X" for an eXpired signature (see ‘--...
and the numbers 1-9 or "T" for 10 and above to indicate t...
(see the ‘--edit-key’ command "tsign").
: --locate-keys &br; --locate-external-keys |
Locate the keys given as arguments. This command basicall...
algorithm as used when locating keys for encryption and m...
see what keys gpg might use. In particular external metho...
‘--auto-key-locate’ are used to locate a key if the argum...
mail addresses. Only public keys are listed.
The variant ‘--locate-external-keys’ does not consider a ...
key and can thus be used to force the refresh of a key vi...
methods. If a fingerprint is given and the methods de...
define LDAP servers, the key is fetched from these resour...
non-LDAP keyservers are skipped.
: --show-keys |
This command takes OpenPGP keys as input and prints info...
them in the same way the command ‘--list-keys’ does for l...
In addition the list options show-unusable-uids, show-unu...
show-notations and show-policy-urls are also enabled. As ...
automated processing, this command should be combined wit...
‘--with-colons’.
: --fingerprint |
List all keys (or the specified ones) along with their fi...
same output as ‘--list-keys’ but with the additional outp...
the fingerprint. May also be combined with ‘--check-signa...
command is given twice, the fingerprints of all secondary...
This command also forces pretty printing of fingerprints ...
been set to "none".
: --list-packets |
List only the sequence of packets. This command is only u...
When used with option ‘--verbose’ the actual MPI values a...
not only their lengths. Note that the output of this comm...
new releases.
: --edit-card &br; --card-edit |
Present a menu to work with a smartcard. The subcommand "...
an overview on available commands. For a detailed descrip...
Card HOWTO at https://gnupg.org/documentation/howtos.html...
: --card-status |
Show the content of the smart card.
: --change-pin |
Present a menu to allow changing the PIN of a smartcard. ...
also available as the subcommand "passwd" with the ‘--edi...
: --delete-keys name |
Remove key from the public keyring. In batch mode either ...
the key must be specified by fingerprint. This is a safeg...
deletion of multiple keys. If the exclamation mark syntax...
fingerprint of a subkey only that subkey is deleted; if t...
used with the fingerprint of the primary key the entire p...
: --delete-secret-keys name |
Remove key from the secret keyring. In batch mode the key...
fingerprint. The option ‘--yes’ can be used to advise gpg...
a confirmation. This extra pre-caution is done because gp...
the secret key (as controlled by gpg-agent) is only used ...
public key. If the exclamation mark syntax is used with t...
subkey only the secret part of that subkey is deleted; if...
used with the fingerprint of the primary key only the sec...
key is deleted.
: --delete-secret-and-public-key name |
Same as ‘--delete-key’, but if a secret key exists, it wi...
batch mode the key must be specified by fingerprint. The ...
be used to advise gpg-agent not to request a confirmation.
: --export |
Either export all keys from all keyrings (default keyring...
via option ‘--keyring’), or if at least one name is given...
name. The exported keys are written to STDOUT or to the f...
option ‘--output’. Use together with ‘--armor’ to mail th...
: --send-keys keyIDs |
Similar to ‘--export’ but sends the keys to a keyserver. ...
used instead of key IDs. Don’t send your complete keyring...
select only those keys which are new or changed by you. I...
gpg does nothing.
Take care: Keyservers are by design write only systems an...
possible to ever delete keys once they have been sent to ...
: --export-secret-keys &br; --export-secret-subkeys |
Same as ‘--export’, but exports the secret keys instead. ...
written to STDOUT or to the file given with option ‘--out...
is often used along with the option ‘--armor’ to allow fo...
key for paper backup; however the external tool paperkey ...
creating backups on paper. Note that exporting a secret k...
risk if the exported keys are sent over an insecure chann...
The second form of the command has the special property t...
part of the primary key useless; this is a GNU extension ...
other implementations can not be expected to successfully...
Its intended use is in generating a full key with an addi...
a dedicated machine. This command then exports the key wi...
key to the main machine.
GnuPG may ask you to enter the passphrase for the key. Th...
because the internal protection method of the secret key ...
one specified by the OpenPGP protocol.
: --export-ssh-key |
This command is used to export a key in the OpenSSH publi...
It requires the specification of one key by the usual mea...
latest valid subkey which has an authentication capabilit...
the file given with option ‘--output’. That output can di...
ssh’s ‘authorized_key’ file.
By specifying the key to export using a key ID or a finge...
an exclamation mark (!), a specific subkey or the primary...
This does not even require that the key has the authentic...
set.
: --import &br; --fast-import |
Import/merge keys. This adds the given keys to the keyrin...
is currently just a synonym.
There are a few other options which control how this comm...
notable here is the ‘--import-options merge-only’ option ...
insert new keys but does only the merging of new signatur...
subkeys.
: --receive-keys keyIDs &br; --recv-keys keyIDs |
Import the keys with the given keyIDs from a keyserver.
: --refresh-keys |
Request updates from a keyserver for keys that already ex...
keyring. This is useful for updating a key with the lates...
IDs, etc. Calling this with no arguments will refresh the...
: --search-keys names |
Search the keyserver for the given names. Multiple names ...
joined together to create the search string for the keyse...
search for names in a different and simpler way than gpg ...
best choice is to use a mail address. Due to data privacy...
may not even allow searching by user id or mail addr...
only return results when being used with the ‘--recv-key’...
by key fingerprint or keyid.
: --fetch-keys URIs |
Retrieve keys located at the specified URIs. Note that di...
of GnuPG may support different protocols (HTTP, FTP, LDAP...
using HTTPS the system provided root certificates are use...
: --update-trustdb |
Do trust database maintenance. This command iterates over...
the Web of Trust. This is an interactive command because ...
for the "ownertrust" values for keys. The user has to giv...
far she trusts the owner of the displayed key to correctl...
keys. GnuPG only asks for the ownertrust value if it has ...
to a key. Using the ‘--edit-key’ menu, the assigned value...
any time.
: --check-trustdb |
Do trust database maintenance without user interaction. F...
time the trust database must be updated so that expired k...
and the resulting changes in the Web of Trust can be trac...
GnuPG will calculate when this is required and do it auto...
‘--no-auto-check-trustdb’ is set. This command can be use...
trust database check at any time. The processing is ident...
‘--update-trustdb’ but it skips keys with a not yet defin...
For use with cron jobs, this command can be used together...
which case the trust database check is done only if a che...
a run even in batch mode add the option ‘--yes’.
: --export-ownertrust |
Send the ownertrust values to STDOUT. This is useful for ...
as these values are the only ones which can’t be re-creat...
trustdb. Example:
gpg --export-ownertrust > otrust.txt
: --import-ownertrust |
Update the trustdb with the ownertrust values stored in f...
not given); existing values will be overwritten. In case ...
trustdb and if you have a recent backup of the ownertrust...
file ‘otrust.txt’), you may re-create the trustdb using t...
cd ~/.gnupg
rm trustdb.gpg
gpg --import-ownertrust < otrust.txt
: --rebuild-keydb-caches |
When updating from version 1.0.6 to 1.0.7 this command sh...
create signature caches in the keyring. It might be handy...
too.
: --print-md algo &br; --print-mds |
Print message digest of algorithm algo for all given file...
second form (or a deprecated "*" for algo) digests for al...
are printed.
: --gen-random 0/1/2 count |
Emit count random bytes of the given quality level 0, 1 o...
given or zero, an endless sequence of random bytes will b...
with ‘--armor’ the output will be base64 encoded. PLEASE,...
command unless you know what you are doing; it may remove...
from the system!
: --gen-prime mode bits |
Use the source, Luke :-). The output format is subject to...
release.
: --enarmor &br; --dearmor |
Pack or unpack an arbitrary input into/from an OpenPGP AS...
is a GnuPG extension to OpenPGP and in general not very u...
: --unwrap |
This command is similar to ‘--decrypt’ with the change th...
the usual plaintext but the original message with the dec...
Thus the output will be an OpenPGP data structure which o...
signed OpenPGP message. Note that this command may or may...
compression layer which is often found beneath the encryp...
: --tofu-policy {auto/good/unknown/bad/ask} keys |
Set the TOFU policy for all the bindings associated with ...
For more information about the meaning of the policies, s...
page 59. The keys may be specified either by their finger...
their keyid.
*** 4.1.3 How to manage your keys
This section explains the main commands for key management.
: --quick-generate-key user-id [algo [usage [expire]]] &b...
This is a simple command to generate a standard key with ...
contrast to ‘--generate-key’ the key is generated directl...
answer a bunch of prompts. Unless the option ‘--yes’ is g...
will be canceled if the given user id already exists in t...
If invoked directly on the console without any special op...
“Continue?” style confirmation prompt is required. In cas...
exists in the keyring a second prompt to force the creati...
up.
If algo or usage are given, only the primary key is creat...
shown. To specify an expiration date but still create a p...
“default” or “future-default” for algo and “default” for ...
of these optional arguments see the command --quick-add-k...
accepts also the value “cert” which can be used to create...
primary key; the default is to a create certification and...
The expire argument can be used to specify an expiration ...
Several formats are supported; commonly the ISO formats “...
or “YYYYMMDDThhmmss” are used. To make the key expire in ...
days, N weeks, N months, or N years use “seconds=N”, “Nd”...
“Ny” respectively. Not specifying a value, or using “-” r...
in a reasonable default interval. The values “never”, “no...
expiration date.
If this command is used with ‘--batch’, ‘--pinentry-mode’...
set to loopback, and one of the passphrase options (‘--pa...
‘--passphrase-fd’, or ‘--passphrase-file’) is used, the s...
is used for the new key and the agent does not ask for it...
without any protection --passphrase ’’ may be used.
To create an OpenPGP key from the keys available on the c...
smartcard, the special string “card” can be used for algo...
encryption and a signing key, gpg will figure them out an...
key consisting of the usual primary key and one subkey. T...
certain smartcards. Note that the interactive ‘--full-gen...
to do the same but with greater flexibility in the select...
keys.
Note that it is possible to create a primary key and a su...
algorithms by using “default” and changing the default pa...
option ‘--default-new-key-algo’.
: --quick-set-expire fpr expire [*/subfprs] |
With two arguments given, directly set the expiration tim...
identified by fpr to expire. To remove the expiration tim...
three arguments and the third given as an asterisk, the e...
non-revoked and not yet expired subkeys are set to expire...
arguments and a list of fingerprints given for subfprs, a...
matching these fingerprints are set to expire.
: --quick-add-key fpr [algo [usage [expire]]] |
Directly add a subkey to the key identified by the finger...
optional arguments an encryption subkey is added. If any ...
given a more specific subkey is added.
algo may be any of the supported algorithms or curve name...
as used by key listings. To use the default algorithm the...
or “-” can be used. Supported algorithms are “rsa”, “dsa”...
“cv25519”, and other ECC curves. For example the string “...
key with the default key length; a string “rsa4096” reque...
is 4096 bits. The string “future-default” is an alias for...
likely be used as default algorithm in future versions of...
ECC curves the command gpg --with-colons --list-config cu...
can be used.
Depending on the given algo the subkey may either be an e...
a signing subkey. If an algorithm is capable of signing a...
a subkey is desired, a usage string must be given. This s...
or “-” to keep the default or a comma delimited list (or ...
keywords: “sign” for a signing subkey, “auth” for an auth...
“encr” for an encryption subkey (“encrypt” can be used as...
The valid combinations depend on the algorithm.
The expire argument can be used to specify an expiration ...
Several formats are supported; commonly the ISO formats “...
or “YYYYMMDDThhmmss” are used. To make the key expire in ...
days, N weeks, N months, or N years use “seconds=N”, “Nd”...
“Ny” respectively. Not specifying a value, or using “-” r...
in a reasonable default interval. The values “never”, “no...
expiration date.
: --generate-key &br; --gen-key |
Generate a new key pair using the current default paramet...
standard command to create a new key. In addition to the ...
certificate is created and stored in the ‘openpgp-revocs....
GnuPG home directory.
: --full-generate-key &br; --full-gen-key |
Generate a new key pair with dialogs for all options. Thi...
of ‘--generate-key’.
There is also a feature which allows you to create keys i...
manual section “Unattended key generation” on how to use ...
: --generate-revocation name &br; --gen-revoke name |
Generate a revocation certificate for the complete key. T...
or a key signature, use the ‘--edit’ command.
This command merely creates the revocation certificate so...
to revoke the key if that is ever needed. To actually rev...
revocation certificate needs to be merged with the key to...
by importing the revocation certificate using the ‘--impo...
the revoked key needs to be published, which is best done...
to a keyserver (command ‘--send-key’) and by exporting (‘...
file which is then sent to frequent communication partners.
: --generate-designated-revocation name &br; --desig-revo...
Generate a designated revocation certificate for a key. T...
the permission of the keyholder) to revoke someone else’s...
: --edit-key |
Present a menu which enables you to do most of the key ma...
tasks. It expects the specification of a key on the comma...
:: uid n |
Toggle selection of user ID or photographic user ID with ...
Use * to select all and 0 to deselect all.
:: key n |
Toggle selection of subkey with index n or key ID n. Use ...
all and 0 to deselect all.
:: sign |
Make a signature on key of user name. If the key is not y...
the default user (or the users given with ‘-u’), the prog...
the information of the key again, together with its finge...
asks whether it should be signed. This question is repeat...
users specified with ‘-u’.
:: lsign |
Same as "sign" but the signature is marked as non-exporta...
will therefore never be used by others. This may be used ...
keys valid only in the local environment.
:: nrsign |
Same as "sign" but the signature is marked as non-revocab...
can therefore never be revoked.
:: tsign |
Make a trust signature. This is a signature that combines...
of certification (like a regular signature), and trust (l...
"trust" command). It is generally only useful in distinct...
or groups. For more information please read the sections
“Trust Signature” and “Regular Expression” in RFC-4880.
:|Note that "l" (for local / non-exportable), "nr" (for n...
(for trust) may be freely mixed and prefixed to "sign" to...
any type desired.
If the option ‘--only-sign-text-ids’ is specified, then a...
user ids (e.g., photo IDs) will not be selected for signi...
:: delsig |
Delete a signature. Note that it is not possible to retra...
once it has been sent to the public (i.e. to a keyserver)...
that case you better use revsig.
:: revsig |
Revoke a signature. For every signature which has been ge...
by one of the secret keys, GnuPG asks whether a revocation
certificate should be generated.
:: check |
Check the signatures on all selected user IDs. With the e...
selfsig only self-signatures are shown.
:: adduid |
Create an additional user ID.
:: addphoto |
Create a photographic user ID. This will prompt for a JPE...
that will be embedded into the user ID. Note that a very ...
will make for a very large key. Also note that some progr...
display your JPEG unchanged (GnuPG), and some programs will
scale it to fit in a dialog box (PGP).
:: showphoto |
Display the selected photographic user ID.
:: deluid |
Delete a user ID or photographic user ID. Note that it is...
to retract a user id, once it has been sent to the public...
keyserver). In that case you better use revuid.
:: revuid |
Revoke a user ID or photographic user ID.
:: primary |
Flag the current user id as the primary one, removes the ...
user id flag from all other user ids and sets the timesta...
affected self-signatures one second ahead. Note that sett...
user ID as primary makes it primary over other photo user...
setting a regular user ID as primary makes it primary ove...
regular user IDs.
:: keyserver |
Set a preferred keyserver for the specified user ID(s). T...
other users to know where you prefer they get your key fr...
‘--keyserver-options honor-keyserver-url’ for more on how
this works. Setting a value of "none" removes an existing...
keyserver.
:: notation |
Set a name=value notation for the specified user ID(s). See
‘--cert-notation’ for more on how this works. Setting a v...
of "none" removes all notations, setting a notation prefi...
a minus sign (-) removes that notation, and setting a not...
name (without the =value) prefixed with a minus sign remo...
notations with that name.
:: pref |
List preferences from the selected user ID. This shows th...
preferences, without including any implied preferences.
:: showpref |
More verbose preferences listing for the selected user ID...
the preferences in effect by including the implied prefer...
3DES (cipher), SHA-1 (digest), and Uncompressed (compress...
if they are not already included in the preference list. ...
the preferred keyserver and signature notations (if any) ...
:: setpref string |
Set the list of user ID preferences to string for all (or...
the selected) user IDs. Calling setpref with no arguments...
the preference list to the default (either built-in or se...
‘--default-preference-list’), and calling setpref with "n...
as the argument sets an empty preference list. Use gpg --v...
to get a list of available algorithms. Note that while yo...
change the preferences on an attribute user ID (aka "phot...
GnuPG does not select keys via attribute user IDs so these
preferences will not be used by GnuPG.
When setting preferences, you should list the algorithms ...
order which you’d like to see them used by someone else w...
a message to your key. If you don’t include 3DES, it will
be automatically added at the end. Note that there are ma...
that go into choosing an algorithm (for example, your key...
not be the only recipient), and so the remote OpenPGP app...
being used to send to you may or may not follow your exac...
order for a given message. It will, however, only choose ...
that is present on the preference list of every recipient...
See also the INTEROPERABILITY WITH OTHER OPENPGP
PROGRAMS section below.
:: addkey |
Add a subkey to this key.
:: addcardkey |
Generate a subkey on a card and add it to this key.
:: keytocard |
Transfer the selected secret subkey (or the primary key i...
has been selected) to a smartcard. The secret key in the ...
will be replaced by a stub if the key could be stored suc...
on the card and you use the save command later. Only cert...
types may be transferred to the card. A sub menu allows y...
select on what card to store the key. Note that it is not...
to get that key back from the card - if the card gets bro...
secret key will be lost unless you have a backup somewhere.
:: bkuptocard file |
Restore the given file to a card. This command may be use...
restore a backup key (as generated during card initializa...
new card. In almost all cases this will be the encryption...
should use this command only with the corresponding publi...
and make sure that the file given as argument is indeed t...
to restore. You should then select 2 to restore as encryp...
You will first be asked to enter the passphrase of the ba...
and then for the Admin PIN of the card.
:: keytotpm |
Transfer the selected secret subkey (or the primary key i...
has been selected) to TPM form. The secret key in the key...
be replaced by the TPM representation of that key, which ...
be read by the particular TPM that created it (so the key...
becomes locked to the laptop containing the TPM). Only ce...
key types may be transferred to the TPM (all TPM 2.0 syst...
mandated to have the rsa2048 and nistp256 algorithms but ...
TPMs may have more). Note that the key itself is not tran...
into the TPM, merely encrypted by the TPM in-place, so if...
keyfile is deleted, the key will be lost. Once transferre...
representation, the key file can never be converted back ...
TPM form and the key will die when the TPM does, so you s...
first have a backup on secure offline storage of the actu...
key file before conversion. It is essential to use the ph...
TPM that you have rw permission on the TPM resource manager
device (/dev/tpmrm0). Usually this means you must be a me...
of the tss group.
:: delkey |
Remove a subkey (secondary key). Note that it is not poss...
retract a subkey, once it has been sent to the public (i....
keyserver). In that case you better use revkey. Also note...
only deletes the public part of a key.
:: revkey |
Revoke a subkey.
:: expire |
Change the key or subkey expiration time. If a subkey is ...
the expiration time of this subkey will be changed. With ...
the key expiration of the primary key is changed.
:: trust |
Change the owner trust value for the key. This updates th...
immediately and no save is required.
:: disable &br; enable |
Disable or enable an entire key. A disabled key can not n...
be used for encryption.
:: addrevoker |
Add a designated revoker to the key. This takes one optio...
"sensitive". If a designated revoker is marked as sensiti...
it will not be exported by default (see export-options).
:: passwd |
Change the passphrase of the secret key.
:: toggle |
This is a dummy command which exists only for backward comp...
:: clean |
Compact (by removing all signatures except the selfsig) a...
ID that is no longer usable (e.g. revoked, or expired). T...
any signatures that are not usable by the trust calculati...
Specifically, this removes any signature that does not va...
signature that is superseded by a later signature, revoke...
and signatures issued by keys that are not present on the
keyring.
:: minimize |
Make the key as small as possible. This removes all signa...
each user ID except for the most recent self-signature.
:: change-usage |
Change the usage flags (capabilities) of the primary key ...
These usage flags (e.g. Certify, Sign, Authenticate, Encr...
are set during key creation. Sometimes it is useful to ha...
opportunity to change them (for example to add Authentica...
they have been created. Please take care when doing this;...
allowed usage flags depend on the key algorithm.
:: cross-certify |
Add cross-certification signatures to signing subkeys that
may not currently have them. Cross-certification signatures
protect against a subtle attack against signing subkeys. ...
‘--require-cross-certification’. All new keys generated h...
this signature by default, so this command is only useful...
older keys up to date.
:: save |
Save all changes to the keyring and quit.
:: quit |
Quit the program without updating the keyring.
:|The listing shows you the key with its secondary keys a...
primary user ID is indicated by a dot, and selected keys ...
by an asterisk. The trust value is displayed with the pri...
the assigned owner trust and "validity" is the calculated...
Validity values are also displayed for all user IDs. For ...
see [trust-values], page 137.
: --sign-key name |
Signs a public key with your secret key. This is a shortc...
subcommand "sign" from ‘--edit-key’.
: --lsign-key name |
Signs a public key with your secret key but marks it as n...
is a shortcut version of the subcommand "lsign" from ‘--e...
: --quick-sign-key fpr [names] &br; --quick-lsign-key fpr...
Directly sign a key from the passphrase without any furth...
The fpr must be the verified primary fingerprint of a key...
If no names are given, all useful user ids are signed; wi...
useful user ids matching one of these names are signed. B...
is prefixed with a ’*’, a case insensitive substring matc...
prefixed with a ’=’ a case sensitive exact match is done.
The command ‘--quick-lsign-key’ marks the signatures as n...
If such a non-exportable signature already exists the ‘--...
turns it into an exportable signature. If you need to upda...
signature, for example to add or change notation data, yo...
option ‘--force-sign-key’.
This command uses reasonable defaults and thus does not p...
flexibility of the "sign" subcommand from ‘--edit-key’. I...
help unattended key signing by utilizing a list of verifi...
: --quick-add-uid user-id new-user-id |
This command adds a new user id to an existing key. In co...
sub-command adduid of ‘--edit-key’ the new-user-id is add...
with only leading and trailing white space removed, it is...
encoded, and no checks on its form are applied.
: --quick-revoke-uid user-id user-id-to-revoke |
This command revokes a user ID on an existing key. It can...
revoke the last user ID on key (some non-revoked user ID ...
revocation reason “User ID is no longer valid”. If you wa...
revocation reason, or to supply supplementary revocation ...
the interactive sub-command revuid of ‘--edit-key’.
: --quick-revoke-sig fpr signing-fpr [names] |
This command revokes the key signatures made by signing-f...
key specified by the fingerprint fpr. With names given on...
on user ids of the key matching any of the given names ar...
‘--quick-sign-key’). If a revocation already exists a not...
of creating a new revocation; no error is returned in thi...
signature revocations may be superseded by a newer key si...
again revoked.
: --quick-set-primary-uid user-id primary-user-id |
This command sets or updates the primary user ID flag on ...
user-id specifies the key and primary-user-id the user ID...
as the primary user ID. The primary user ID flag is remov...
ids and the timestamp of all affected self-signatures is ...
: --change-passphrase user-id &br; --passwd user-id |
Change the passphrase of the secret key belonging to the ...
as user-id. This is a shortcut for the sub-command passwd...
menu. When using together with the option ‘--dry-run’ thi...
change the passphrase but check that the current passphra...
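An added example, not from the GnuPG manual or the GnuPG project, of the unattended key signing that the ‘--quick-lsign-key’ entry above is intended for: fingerprints are read from a file of already verified fingerprints, checked for the full primary-fingerprint form the command requires, looked up through the stable ‘--with-colons’ listing, and locally signed in batch mode. The file layout, the function names and the sample fingerprint are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the GnuPG manual or the GnuPG project): unattended
# local signing of keys from a file of already verified fingerprints, the use
# case --quick-lsign-key is meant for. The file layout, the function names and
# the sample fingerprint used in the test are assumptions made for this example.

# Accept only a complete fingerprint (40 hex digits for v4 keys, 64 for v5),
# because --quick-sign-key / --quick-lsign-key require the verified primary
# fingerprint and must not be fed key IDs or user ID strings.
is_full_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# Turn a fingerprint as people write it ("0123 4567 89AB ...", lower case, tabs)
# into the compact upper-case form; prints it, or fails if it is not complete.
normalize_fingerprint() {
    _fpr=$(printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF')
    is_full_fingerprint "$_fpr" || return 1
    printf '%s\n' "$_fpr"
}

# Print the normalized fingerprints from file $1: one per line, '#' starts a
# comment, blank lines are ignored, malformed lines are reported and skipped.
read_verified_fingerprints() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}
        if [ -z "$(printf '%s' "$_line" | tr -d '[:space:]')" ]; then
            continue
        fi
        if _fpr=$(normalize_fingerprint "$_line"); then
            printf '%s\n' "$_fpr"
        else
            printf 'skipping malformed fingerprint line: %s\n' "$_line" >&2
        fi
    done < "$1"
}

# True if $1 is the fingerprint of a primary key in the keyring. The stable
# --with-colons listing is parsed instead of the human-readable one; the
# first "fpr" record of a key is the primary key's fingerprint (field 10).
is_primary_in_keyring() {
    _primary=$(gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
               | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$_primary" = "$1" ]
}

# Locally sign (non-exportable) every verified key. --batch keeps gpg from
# prompting and --yes answers the remaining confirmations; an existing local
# signature is only updated when --force-sign-key is added to the command.
lsign_verified_keys() {
    read_verified_fingerprints "$1" | while IFS= read -r _fpr; do
        if is_primary_in_keyring "$_fpr"; then
            gpg --batch --yes --quick-lsign-key "$_fpr" \
                && gpg --batch --check-signatures "$_fpr"
        else
            printf 'key %s is not in the keyring; import it first\n' "$_fpr" >&2
        fi
    done
}

# Usage: sh lsign-verified.sh verified-fingerprints.txt
if [ "$#" -ge 1 ]; then
    lsign_verified_keys "$1"
fi
```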
** 4.2 Option Summary
gpg features a bunch of options to control the exact beha...
configuration.
Long options can be put in an options file (default "~/.g...
names will not work - for example, "armor" is a valid opt...
is not. Do not write the 2 dashes, but simply the name of...
arguments. Lines with a hash (’#’) as the first non-white...
Commands may be put in this file too, but that is not gen...
execute automatically with every execution of gpg.
Please remember that option parsing stops as soon as a no...
can explicitly stop parsing by using the special option ‘...
*** 4.2.1 How to change the configuration
*** 4.2.2 Key related options
*** 4.2.3 Input and Output
*** 4.2.4 OpenPGP protocol specific options
*** 4.2.5 Compliance options
*** 4.2.6 Doing things one usually doesn’t want to do
*** 4.2.7 Deprecated options
終了行:
// 1d83445b5bb6f83e08be8276d6bde539
* 4 Invoking GPG
// gpg is the OpenPGP part of the GNU Privacy Guard (GnuP...
gpgは、GNU Privacy Guard(GnuPG)のOpenPGP実装部です。~
// It is a tool to provide digital encryption and signing...
OpenPGP規格を用いた暗号化・署名を提供するツールです。~
// gpg features complete key management and all the bells...
gpgは、すべての鍵管理機能を備えており、完全なOpenPGP実装...
// There are two main versions of GnuPG: GnuPG 1.x and Gn...
GnuPGには大きく分けて、GnuPG 1.xとGnuPG 2.xの2つのバージ...
// GnuPG 2.x supports modern encryption algorithms and th...
GnuPG 2.xは最新の暗号化アルゴリズムをサポートしているため...
// You only need to use GnuPG 1.x if your platform doesn’...
GnuPG 1.xを使う必要があるのは、使用しているプラットフォー...
// If you are looking for version 1 of GnuPG, you may fin...
GnuPGのバージョン1を探している場合、gpg1という名前でイン...
// See [Option Index], page 217, for an index to gpg’s co...
gpgのコマンドやオプションの索引については、[Option Index]...
** 4.1 Commands
// Commands are not distinguished from options except for...
コマンドは1つしか使えないこと以外は、オプションとの違いは...
// Generally speaking, irrelevant options are silently ig...
一般的に、無関係なオプションは無視され、正しさもチェック...
// gpg may be run with no commands.
gpgはコマンドなしでも実行できます。
// In this case it will print a warning perform a reasona...
この場合、警告が表示され、入力されたファイルの種類に応じ...
// (an encrypted message is decrypted, a signature is ver...
(暗号化されたメッセージの復号化、署名の検証、ファイル内の...
// If you run into any problems, please add the option ‘-...
何か問題が発生した場合は、起動時に「--verbose」オプション...
*** 4.1.1 Commands not specific to the function
: --version |
// Print the program version and licensing information.
プログラムのバージョンとライセンス情報を表示します。
// Note that you cannot abbreviate this command.
なお、このコマンドは省略することはできません。
: --help &br; -h |
// Print a usage message summarizing the most useful comm...
最も便利なコマンドラインオプションをまとめた使用法を表示...
// Note that you cannot arbitrarily abbreviate this comma...
なお、このコマンドを任意に省略することはできません
//(though you can useits short form ‘-h’).
(短縮形の「-h」を使うこともできますが)
: --warranty |
// Print warranty information.
保証情報を表示します。
: --dump-options |
// Print a list of all available options and commands.
すべての使用可能なオプションとコマンドの一覧を表示します。
// Note that you cannot abbreviate this command.
なお、このコマンドは省略することはできません。
*** 4.1.2 Commands to select the type of operation
: --sign &br; -s |
Sign a message. This command may be combined with ‘--encr...
and encrypt a message), ‘--symmetric’ (to sign and symmet...
a message), or both ‘--encrypt’ and ‘--symmetric’ (to sig...
message that can be decrypted using a secret key or a pas...
key is chosen by default or can be set explicitly using t...
‘--default-key’ options.
: --clear-sign &br; --clearsign |
Make a cleartext signature. The content in a cleartext si...
without any special software. OpenPGP software is only ne...
signature. cleartext signatures may modify end-of-line wh...
independence and are not intended to be reversible. The s...
default or can be set explicitly using the ‘--local-user’...
options.
: --detach-sign &br; -b |
Make a detached signature.
: --encrypt &br; -e |
// Encrypt data to one or more public keys.
データを1つ以上の公開鍵で暗号化します。
// This command may be combined with ‘--sign’ (to sign an...
このコマンドは、「--sign」(メッセージの署名と暗号化)
// ‘--symmetric’ (to encrypt a message that can be decryp...
もしくは「--symmetric」(秘密鍵かパスフレーズで復号化でき...
// or ‘--sign’and ‘--symmetric’ together (for a signed me...
もしくは「--sign」と「--symmetric」の両方(秘密鍵かパスフ...
// ‘--recipient’ and related options specify which public...
「--recipient」と関連するオプションは、暗号化に使用する公...
: --symmetric &br; -c |
Encrypt with a symmetric cipher using a passphrase. The d...
cipher used is AES-128, but may be chosen with the ‘--cip...
This command may be combined with ‘--sign’ (for a signed ...
encrypted message), ‘--encrypt’ (for a message that may b...
via a secret key or a passphrase), or ‘--sign’ and ‘--enc...
signed message that may be decrypted via a secret key or ...
caches the passphrase used for symmetric encryption so th...
may not require that the user needs to enter the passphra...
‘--no-symkey-cache’ can be used to disable this feature.
: --store |
Store only (make a simple literal data packet).
: --decrypt &br; -d |
// Decrypt the file given on the command line (or STDIN i...
コマンドラインで指定されたファイル(ファイルが指定されてい...
// If the decrypted file is signed, the signature is also...
復号化されたファイルが署名されている場合、その署名も検証...
// This command differs from the default operation, as it...
このコマンドは、デフォルトの動作と異なり、ファイルに含ま...
: --verify |
Assume that the first argument is a signed file and verif...
any output. With no arguments, the signature packet is re...
only one argument is given, the specified file is expecte...
signature.
With more than one argument, the first argument should sp...
detached signature and the remaining files should contain...
read the signed data from STDIN, use ‘-’ as the second fi...
reasons, a detached signature will not read the signed ma...
not explicitly specified.
Note: If the option ‘--batch’ is not used, gpg may assume...
is a file with a detached signature, and it will try to f...
data file by stripping certain suffixes. Using this histo...
detached signature is strongly discouraged; you should al...
file explicitly.
Note: When verifying a cleartext signature, gpg verifies ...
cleartext signed data and not any extra data outside of t...
or the header lines directly following the dash marker li...
may be used to write out the actual signed data, but ther...
with this format as well. It is suggested to avoid cleart...
of detached signatures.
Note: Sometimes the use of the gpgv tool is easier than u...
gpg with this option. gpgv is designed to compare signed ...
trusted keys and returns with success only for a good sig...
manual page.
: --multifile |
This modifies certain other commands to accept multiple f...
on the command line or read from STDIN with each filename...
line. This allows for many files to be processed at once....
currently be used along with ‘--verify’, ‘--encrypt’, and...
that ‘--multifile --verify’ may not be used with detached...
: --verify-files |
Identical to ‘--multifile --verify’.
: --encrypt-files |
Identical to ‘--multifile --encrypt’.
: --decrypt-files |
Identical to ‘--multifile --decrypt’.
: --list-keys &br; -k &br; --list-public-keys |
List the specified keys. If no keys are specified, then a...
public keyrings are listed.
Never use the output of this command in scripts or other ...
output is intended only for humans and its format is like...
‘--with-colons’ option emits the output in a stable, mach...
which is intended for use by scripts and other programs.
: --list-secret-keys &br; -K |
List the specified secret keys. If no keys are specified,...
keys are listed. A # after the initial tags sec or ssb me...
subkey is currently not usable. We also say that this key...
(for example, a primary key can be taken offline by expor...
command ‘--export-secret-subkeys’). A > after these tags ...
key is stored on a smartcard. See also ‘--list-keys’.
: --check-signatures &br; --check-sigs |
Same as ‘--list-keys’, but the key signatures are verifie...
Note that for performance reasons the revocation status o...
not shown. This command has the same effect as using ‘--l...
‘--with-sig-check’.
The status of the verification is indicated by a flag dir...
tag (and thus before the flags described below. A "!" ind...
has been successfully verified, a "-" denotes a bad signa...
used if an error occurred while checking the signature (e...
algorithm). Signatures where the public key is not availa...
see their keyids the command ‘--list-sigs’ can be used.
For each signature listed, there are several flags in bet...
status flag and keyid. These flags give additional inform...
signature. From left to right, they are the numbers 1-3 f...
level (see ‘--ask-cert-level’), "L" for a local or non-ex...
(see ‘--lsign-key’), "R" for a nonRevocable signature (se...
command "nrsign"), "P" for a signature that contains a po...
‘--cert-policy-url’), "N" for a signature that contains a...
‘--cert-notation’), "X" for an eXpired signature (see ‘--...
and the numbers 1-9 or "T" for 10 and above to indicate t...
(see the ‘--edit-key’ command "tsign").
: --locate-keys &br; --locate-external-keys |
Locate the keys given as arguments. This command basicall...
algorithm as used when locating keys for encryption and m...
see what keys gpg might use. In particular external metho...
‘--auto-key-locate’ are used to locate a key if the argum...
mail addresses. Only public keys are listed.
The variant ‘--locate-external-keys’ does not consider a ...
key and can thus be used to force the refresh of a key vi...
methods. If a fingerprint is given and and the methods de...
define LDAP servers, the key is fetched from these resour...
non-LDAP keyservers are skipped.
: --show-keys |
This commands takes OpenPGP keys as input and prints info...
them in the same way the command ‘--list-keys’ does for l...
In addition the list options show-unusable-uids, show-unu...
show-notations and show-policy-urls are also enabled. As ...
automated processing, this command should be combined wit...
‘--with-colons’.
: --fingerprint |
List all keys (or the specified ones) along with their fi...
same output as ‘--list-keys’ but with the additional outp...
the fingerprint. May also be combined with ‘--check-signa...
command is given twice, the fingerprints of all secondary...
This command also forces pretty printing of fingerprints ...
been set to "none".
: --list-packets |
List only the sequence of packets. This command is only u...
When used with option ‘--verbose’ the actual MPI values a...
not only their lengths. Note that the output of this comm...
new releases.
: --edit-card &br; --card-edit |
Present a menu to work with a smartcard. The subcommand "...
an overview on available commands. For a detailed descrip...
Card HOWTO at https://gnupg.org/documentation/howtos.html...
: --card-status |
Show the content of the smart card.
: --change-pin |
Present a menu to allow changing the PIN of a smartcard. ...
also available as the subcommand "passwd" with the ‘--edi...
: --delete-keys name |
Remove key from the public keyring. In batch mode either ...
the key must be specified by fingerprint. This is a safeg...
deletion of multiple keys. If the exclamation mark syntax...
fingerprint of a subkey only that subkey is deleted; if t...
used with the fingerprint of the primary key the entire p...
: --delete-secret-keys name |
Remove key from the secret keyring. In batch mode the key...
fingerprint. The option ‘--yes’ can be used to advise gpg...
a confirmation. This extra pre-caution is done because gp...
the secret key (as controlled by gpg-agent) is only used ...
public key. If the exclamation mark syntax is used with t...
subkey only the secret part of that subkey is deleted; if...
used with the fingerprint of the primary key only the sec...
key is deleted.
: --delete-secret-and-public-key name |
Same as ‘--delete-key’, but if a secret key exists, it wi...
batch mode the key must be specified by fingerprint. The ...
be used to advise gpg-agent not to request a confirmation.
: --export |
Either export all keys from all keyrings (default keyring...
via option ‘--keyring’), or if at least one name is given...
name. The exported keys are written to STDOUT or to the f...
option ‘--output’. Use together with ‘--armor’ to mail th...
: --send-keys keyIDs |
Similar to ‘--export’ but sends the keys to a keyserver. ...
used instead of key IDs. Don’t send your complete keyring...
select only those keys which are new or changed by you. I...
gpg does nothing.
Take care: Keyservers are by design write only systems an...
possible to ever delete keys once they have been send to ...
: --export-secret-keys &br; --export-secret-subkeys |
Same as ‘--export’, but exports the secret keys instead. ...
written to STDOUT or to the file given with option ‘--out...
is often used along with the option ‘--armor’ to allow fo...
key for paper backup; however the external tool paperkey ...
creating backups on paper. Note that exporting a secret k...
risk if the exported keys are sent over an insecure chann...
The second form of the command has the special property t...
part of the primary key useless; this is a GNU extension ...
other implementations can not be expected to successfully...
Its intended use is in generating a full key with an addi...
a dedicated machine. This command then exports the key wi...
key to the main machine.
GnuPG may ask you to enter the passphrase for the key. Th...
because the internal protection method of the secret key ...
one specified by the OpenPGP protocol.
: --export-ssh-key |
This command is used to export a key in the OpenSSH publi...
It requires the specification of one key by the usual mea...
latest valid subkey which has an authentication capabilit...
the file given with option ‘--output’. That output can di...
ssh’s ‘authorized_key’ file.
By specifying the key to export using a key ID or a finge...
an exclamation mark (!), a specific subkey or the primary...
This does not even require that the key has the authentic...
set.
: --import &br; --fast-import |
Import/merge keys. This adds the given keys to the keyrin...
is currently just a synonym.
There are a few other options which control how this comm...
notable here is the ‘--import-options merge-only’ option ...
insert new keys but does only the merging of new signatur...
subkeys.
: --receive-keys keyIDs & br; --recv-keys keyIDs |
Import the keys with the given keyIDs from a keyserver.
: --refresh-keys |
Request updates from a keyserver for keys that already ex...
keyring. This is useful for updating a key with the lates...
IDs, etc. Calling this with no arguments will refresh the...
: --search-keys names |
Search the keyserver for the given names. Multiple names ...
joined together to create the search string for the keyse...
search for names in a different and simpler way than gpg ...
best choice is to use a mail address. Due to data privacy...
may even not even allow searching by user id or mail addr...
only return results when being used with the ‘--recv-key’...
by key fingerprint or keyid.
: --fetch-keys URIs |
Retrieve keys located at the specified URIs. Note that di...
of GnuPG may support different protocols (HTTP, FTP, LDAP...
using HTTPS the system provided root certificates are use...
: --update-trustdb |
Do trust database maintenance. This command iterates over...
the Web of Trust. This is an interactive command because ...
for the "ownertrust" values for keys. The user has to giv...
far she trusts the owner of the displayed key to correctl...
keys. GnuPG only asks for the ownertrust value if it has ...
to a key. Using the ‘--edit-key’ menu, the assigned value...
any time.
: --check-trustdb |
Do trust database maintenance without user interaction. F...
time the trust database must be updated so that expired k...
and the resulting changes in the Web of Trust can be trac...
GnuPG will calculate when this is required and do it auto...
‘--no-auto-check-trustdb’ is set. This command can be use...
trust database check at any time. The processing is ident...
‘--update-trustdb’ but it skips keys with a not yet defin...
For use with cron jobs, this command can be used together...
which case the trust database check is done only if a che...
a run even in batch mode add the option ‘--yes’.
: --export-ownertrust |
Send the ownertrust values to STDOUT. This is useful for ...
as these values are the only ones which can’t be re-creat...
trustdb. Example:
gpg --export-ownertrust > otrust.txt
: --import-ownertrust |
Update the trustdb with the ownertrust values stored in f...
not given); existing values will be overwritten. In case ...
trustdb and if you have a recent backup of the ownertrust...
file ‘otrust.txt’), you may re-create the trustdb using t...
cd ~/.gnupg
rm trustdb.gpg
gpg --import-ownertrust < otrust.txt
: --rebuild-keydb-caches |
When updating from version 1.0.6 to 1.0.7 this command sh...
create signature caches in the keyring. It might be handy...
too.
: --print-md algo &br; --print-mds |
Print message digest of algorithm algo for all given file...
second form (or a deprecated "*" for algo) digests for al...
are printed.
: --gen-random 0/1/2 count |
Emit count random bytes of the given quality level 0, 1 o...
given or zero, an endless sequence of random bytes will b...
with ‘--armor’ the output will be base64 encoded. PLEASE,...
command unless you know what you are doing; it may remove...
from the system!
: --gen-prime mode bits |
Use the source, Luke :-). The output format is subject to...
release.
: --enarmor &br; --dearmor |
Pack or unpack an arbitrary input into/from an OpenPGP AS...
is a GnuPG extension to OpenPGP and in general not very u...
: --unwrap |
This command is similar to ‘--decrypt’ with the change th...
the usual plaintext but the original message with the dec...
Thus the output will be an OpenPGP data structure which o...
signed OpenPGP message. Note that this command may or may...
compression layer which is often found beneath the encryp...
: --tofu-policy {auto/good/unknown/bad/ask} keys |
Set the TOFU policy for all the bindings associated with ...
For more information about the meaning of the policies, s...
page 59. The keys may be specified either by their finger...
their keyid.
*** 4.1.3 How to manage your keys
This section explains the main commands for key management.
: --quick-generate-key user-id [algo [usage [expire]]] &b...
This is a simple command to generate a standard key with ...
contrast to ‘--generate-key’ the key is generated directl...
answer a bunch of prompts. Unless the option ‘--yes’ is g...
will be canceled if the given user id already exists in t...
If invoked directly on the console without any special op...
“Continue?” style confirmation prompt is required. In cas...
exists in the keyring a second prompt to force the creati...
up.
If algo or usage are given, only the primary key is creat...
shown. To specify an expiration date but still create a p...
“default” or “future-default” for algo and “default” for ...
of these optional arguments see the command --quick-add-k...
accepts also the value “cert” which can be used to create...
primary key; the default is to a create certification and...
The expire argument can be used to specify an expiration ...
Several formats are supported; commonly the ISO formats “...
or “YYYYMMDDThhmmss” are used. To make the key expire in ...
days, N weeks, N months, or N years use “seconds=N”, “Nd”...
“Ny” respectively. Not specifying a value, or using “-” r...
in a reasonable default interval. The values “never”, “no...
expiration date.
If this command is used with ‘--batch’, ‘--pinentry-mode’...
set to loopback, and one of the passphrase options (‘--pa...
‘--passphrase-fd’, or ‘--passphrase-file’) is used, the s...
is used for the new key and the agent does not ask for it...
without any protection --passphrase ’’ may be used.
To create an OpenPGP key from the keys available on the c...
smartcard, the special string “card” can be used for algo...
encryption and a signing key, gpg will figure them out an...
key consisting of the usual primary key and one subkey. T...
certain smartcards. Note that the interactive ‘--full-gen...
to do the same but with greater flexibility in the select...
keys.
Note that it is possible to create a primary key and a su...
algorithms by using “default” and changing the default pa...
option ‘--default-new-key-algo’.
: --quick-set-expire fpr expire [*/subfprs] |
With two arguments given, directly set the expiration tim...
identified by fpr to expire. To remove the expiration tim...
three arguments and the third given as an asterisk, the e...
non-revoked and not yet expired subkeys are set to expire...
arguments and a list of fingerprints given for subfprs, a...
matching these fingerprints are set to expire.
: --quick-add-key fpr [algo [usage [expire]]] |
Directly add a subkey to the key identified by the finger...
optional arguments an encryption subkey is added. If any ...
given a more specific subkey is added.
algo may be any of the supported algorithms or curve name...
as used by key listings. To use the default algorithm the...
or “-” can be used. Supported algorithms are “rsa”, “dsa”...
“cv25519”, and other ECC curves. For example the string “...
key with the default key length; a string “rsa4096” reque...
is 4096 bits. The string “future-default” is an alias for...
likely be used as default algorithm in future versions of...
ECC curves the command gpg --with-colons --list-config cu...
can be used.
Depending on the given algo the subkey may either be an e...
a signing subkey. If an algorithm is capable of signing a...
a subkey is desired, a usage string must be given. This s...
or “-” to keep the default or a comma delimited list (or ...
keywords: “sign” for a signing subkey, “auth” for an auth...
“encr” for an encryption subkey (“encrypt” can be used as...
The valid combinations depend on the algorithm.
The expire argument can be used to specify an expiration ...
Several formats are supported; commonly the ISO formats “...
or “YYYYMMDDThhmmss” are used. To make the key expire in ...
days, N weeks, N months, or N years use “seconds=N”, “Nd”...
“Ny” respectively. Not specifying a value, or using “-” r...
in a reasonable default interval. The values “never”, “no...
expiration date.
: --generate-key &br; --gen-key |
Generate a new key pair using the current default paramet...
standard command to create a new key. In addition to the ...
certificate is created and stored in the ‘openpgp-revocs....
GnuPG home directory.
: --full-generate-key &br; --full-gen-key |
Generate a new key pair with dialogs for all options. Thi...
of ‘--generate-key’.
There is also a feature which allows you to create keys i...
manual section “Unattended key generation” on how to use ...
: --generate-revocation name &br; --gen-revoke name |
Generate a revocation certificate for the complete key. T...
or a key signature, use the ‘--edit’ command.
This command merely creates the revocation certificate so...
to revoke the key if that is ever needed. To actually rev...
revocation certificate needs to be merged with the key to...
by importing the revocation certificate using the ‘--impo...
the revoked key needs to be published, which is best done...
to a keyserver (command ‘--send-key’) and by exporting (‘...
file which is then send to frequent communication partners.
: --generate-designated-revocation name &br; --desig-revo...
Generate a designated revocation certificate for a key. T...
the permission of the keyholder) to revoke someone else’s...
: --edit-key |
Present a menu which enables you to do most of the key ma...
tasks. It expects the specification of a key on the comma...
:: uid n |
Toggle selection of user ID or photographic user ID with ...
Use * to select all and 0 to deselect all.
:: key n |
Toggle selection of subkey with index n or key ID n. Use ...
all and 0 to deselect all.
:: sign |
Make a signature on key of user name. If the key is not y...
the default user (or the users given with ‘-u’), the prog...
the information of the key again, together with its finge...
asks whether it should be signed. This question is repeat...
users specified with ‘-u’.
:: lsign |
Same as "sign" but the signature is marked as non-exporta...
will therefore never be used by others. This may be used ...
keys valid only in the local environment.
:: nrsign |
Same as "sign" but the signature is marked as non-revocab...
can therefore never be revoked.
:: tsign |
Make a trust signature. This is a signature that combines...
of certification (like a regular signature), and trust (l...
"trust" command). It is generally only useful in distinct...
or groups. For more information please read the sections
“Trust Signature” and “Regular Expression” in RFC-4880.
:|Note that "l" (for local / non-exportable), "nr" (for n...
(for trust) may be freely mixed and prefixed to "sign" to...
any type desired.
If the option ‘--only-sign-text-ids’ is specified, then a...
user ids (e.g., photo IDs) will not be selected for signi...
:: delsig |
Delete a signature. Note that it is not possible to retra...
once it has been send to the public (i.e. to a keyserver)...
that case you better use revsig.
:: revsig |
Revoke a signature. For every signature which has been ge...
by one of the secret keys, GnuPG asks whether a revocation
certificate should be generated.
:: check |
Check the signatures on all selected user IDs. With the e...
selfsig only self-signatures are shown.
:: adduid |
Create an additional user ID.
:: addphoto |
Create a photographic user ID. This will prompt for a JPE...
that will be embedded into the user ID. Note that a very ...
will make for a very large key. Also note that some progr...
display your JPEG unchanged (GnuPG), and some programs will
scale it to fit in a dialog box (PGP).
:: showphoto |
Display the selected photographic user ID.
:: deluid |
Delete a user ID or photographic user ID. Note that it is...
to retract a user id, once it has been send to the public...
keyserver). In that case you better use revuid.
:: revuid |
Revoke a user ID or photographic user ID.
:: primary |
Flag the current user id as the primary one, removes the ...
user id flag from all other user ids and sets the timesta...
affected self-signatures one second ahead. Note that sett...
user ID as primary makes it primary over other photo user...
setting a regular user ID as primary makes it primary ove...
regular user IDs.
:: keyserver |
Set a preferred keyserver for the specified user ID(s). T...
other users to know where you prefer they get your key fr...
‘--keyserver-options honor-keyserver-url’ for more on how
this works. Setting a value of "none" removes an existing...
keyserver.
:: notation |
Set a name=value notation for the specified user ID(s). See
‘--cert-notation’ for more on how this works. Setting a v...
of "none" removes all notations, setting a notation prefi...
a minus sign (-) removes that notation, and setting a not...
name (without the =value) prefixed with a minus sign remo...
notations with that name.
:: pref |
List preferences from the selected user ID. This shows th...
preferences, without including any implied preferences.
:: showpref |
More verbose preferences listing for the selected user ID...
the preferences in effect by including the implied prefer...
3DES (cipher), SHA-1 (digest), and Uncompressed (compress...
if they are not already included in the preference list. ...
the preferred keyserver and signature notations (if any) ...
:: setpref string |
Set the list of user ID preferences to string for all (or...
the selected) user IDs. Calling setpref with no arguments...
the preference list to the default (either built-in or se...
‘--default-preference-list’), and calling setpref with "n...
as the argument sets an empty preference list. Use gpg--v...
to get a list of available algorithms. Note that while yo...
change the preferences on an attribute user ID (aka "phot...
GnuPG does not select keys via attribute user IDs so these
preferences will not be used by GnuPG.
When setting preferences, you should list the algorithms ...
order which you’d like to see them used by someone else w...
a message to your key. If you don’t include 3DES, it will
be automatically added at the end. Note that there are ma...
that go into choosing an algorithm (for example, your key...
not be the only recipient), and so the remote OpenPGP app...
being used to send to you may or may not follow your exac...
order for a given message. It will, however, only choose ...
that is present on the preference list of every recipient...
See also the INTEROPERABILITY WITH OTHER OPENPGP
PROGRAMS section below.
:: addkey |
Add a subkey to this key.
:: addcardkey |
Generate a subkey on a card and add it to this key.
:: keytocard |
Transfer the selected secret subkey (or the primary key i...
has been selected) to a smartcard. The secret key in the ...
will be replaced by a stub if the key could be stored suc...
on the card and you use the save command later. Only cert...
types may be transferred to the card. A sub menu allows y...
select on what card to store the key. Note that it is not...
to get that key back from the card - if the card gets bro...
secret key will be lost unless you have a backup somewhere.
:: bkuptocard file |
Restore the given file to a card. This command may be use...
restore a backup key (as generated during card initializa...
new card. In almost all cases this will be the encryption...
should use this command only with the corresponding publi...
and make sure that the file given as argument is indeed t...
to restore. You should then select 2 to restore as encryp...
You will first be asked to enter the passphrase of the ba...
and then for the Admin PIN of the card.
:: keytotpm |
Transfer the selected secret subkey (or the primary key i...
has been selected) to TPM form. The secret key in the key...
be replaced by the TPM representation of that key, which ...
be read by the particular TPM that created it (so the key...
becomes locked to the laptop containing the TPM). Only ce...
key types may be transferred to the TPM (all TPM 2.0 syst...
mandated to have the rsa2048 and nistp256 algorithms but ...
TPMs may have more). Note that the key itself is not tran...
into the TPM, merely encrypted by the TPM in-place, so if...
keyfile is deleted, the key will be lost. Once transferre...
representation, the key file can never be converted back ...
TPM form and the key will die when the TPM does, so you s...
first have a backup on secure offline storage of the actu...
key file before conversion. It is essential to use the ph...
TPM that you have rw permission on the TPM resource manager
device (/dev/tpmrm0). Usually this means you must be a me...
of the tss group.
:: delkey |
Remove a subkey (secondary key). Note that it is not poss...
retract a subkey, once it has been sent to the public (i....
keyserver). In that case you had better use revkey. Also note...
only deletes the public part of a key.
:: revkey |
Revoke a subkey.
:: expire |
Change the key or subkey expiration time. If a subkey is ...
the expiration time of this subkey will be changed. With ...
the key expiration of the primary key is changed.
:: trust |
Change the owner trust value for the key. This updates th...
immediately and no save is required.
:: disable &br; enable |
Disable or enable an entire key. A disabled key can not n...
be used for encryption.
:: addrevoker |
Add a designated revoker to the key. This takes one optio...
"sensitive". If a designated revoker is marked as sensiti...
it will not be exported by default (see export-options).
:: passwd |
Change the passphrase of the secret key.
:: toggle |
This is a dummy command which exists only for backward comp...
:: clean |
Compact (by removing all signatures except the selfsig) a...
ID that is no longer usable (e.g. revoked, or expired). T...
any signatures that are not usable by the trust calculati...
Specifically, this removes any signature that does not va...
signature that is superseded by a later signature, revoke...
and signatures issued by keys that are not present on the
keyring.
:: minimize |
Make the key as small as possible. This removes all signa...
each user ID except for the most recent self-signature.
:: change-usage |
Change the usage flags (capabilities) of the primary key ...
These usage flags (e.g. Certify, Sign, Authenticate, Encr...
are set during key creation. Sometimes it is useful to ha...
opportunity to change them (for example to add Authentica...
they have been created. Please take care when doing this;...
allowed usage flags depend on the key algorithm.
:: cross-certify |
Add cross-certification signatures to signing subkeys that
may not currently have them. Cross-certification signatures
protect against a subtle attack against signing subkeys. ...
‘--require-cross-certification’. All new keys generated h...
this signature by default, so this command is only useful...
older keys up to date.
:: save |
Save all changes to the keyring and quit.
:: quit |
Quit the program without updating the keyring.
:|The listing shows you the key with its secondary keys a...
primary user ID is indicated by a dot, and selected keys ...
by an asterisk. The trust value is displayed with the pri...
the assigned owner trust and "validity" is the calculated...
Validity values are also displayed for all user IDs. For ...
see [trust-values], page 137.
: --sign-key name |
Signs a public key with your secret key. This is a shortc...
subcommand "sign" from ‘--edit-key’.
: --lsign-key name |
Signs a public key with your secret key but marks it as n...
is a shortcut version of the subcommand "lsign" from ‘--e...
: --quick-sign-key fpr [names] &br; --quick-lsign-key fpr...
Directly sign a key from the passphrase without any furth...
The fpr must be the verified primary fingerprint of a key...
If no names are given, all useful user ids are signed; wi...
useful user ids matching one of these names are signed. B...
is prefixed with a ’*’, a case insensitive substring matc...
prefixed with a ’=’, a case sensitive exact match is done.
The command ‘--quick-lsign-key’ marks the signatures as n...
If such a non-exportable signature already exists the ‘--...
turns it into an exportable signature. If you need to upda...
signature, for example to add or change notation data, yo...
option ‘--force-sign-key’.
This command uses reasonable defaults and thus does not p...
flexibility of the "sign" subcommand from ‘--edit-key’. I...
help unattended key signing by utilizing a list of verifi...
: --quick-add-uid user-id new-user-id |
This command adds a new user id to an existing key. In co...
sub-command adduid of ‘--edit-key’ the new-user-id is add...
with only leading and trailing white space removed, it is...
encoded, and no checks on its form are applied.
: --quick-revoke-uid user-id user-id-to-revoke |
This command revokes a user ID on an existing key. It can...
revoke the last user ID on key (some non-revoked user ID ...
revocation reason “User ID is no longer valid”. If you wa...
revocation reason, or to supply supplementary revocation ...
the interactive sub-command revuid of ‘--edit-key’.
: --quick-revoke-sig fpr signing-fpr [names] |
This command revokes the key signatures made by signing-f...
key specified by the fingerprint fpr. With names given on...
on user ids of the key matching any of the given names ar...
‘--quick-sign-key’). If a revocation already exists a not...
of creating a new revocation; no error is returned in thi...
signature revocations may be superseded by a newer key si...
again revoked.
: --quick-set-primary-uid user-id primary-user-id |
This command sets or updates the primary user ID flag on ...
user-id specifies the key and primary-user-id the user ID...
as the primary user ID. The primary user ID flag is remov...
ids and the timestamp of all affected self-signatures is ...
: --change-passphrase user-id &br; --passwd user-id |
Change the passphrase of the secret key belonging to the ...
as user-id. This is a shortcut for the sub-command passwd...
menu. When using together with the option ‘--dry-run’ thi...
change the passphrase but check that the current passphra...
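As an added example (not from the GnuPG manual or the GnuPG project): a POSIX shell script for the unattended key signing from a list of verified fingerprints mentioned under ‘--quick-sign-key’, which also checks the resulting certification, including a ‘--quick-revoke-sig’ revocation superseded by a later signature, by parsing ‘--with-colons --list-sigs’ output. The list file, the helper names and the colon-format sample are constructed here; the key-ID-from-fingerprint rule assumes v4 keys.

```shell
# Accept only a full 40-hex-digit fingerprint: --quick-sign-key expects the
# verified primary fingerprint, never a (collidable) short key ID.
is_full_fpr() {
    case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Certify each fingerprint in list file $1 (one per line, '#' comments allowed)
# without prompting; $2 = "local" selects --quick-lsign-key. The list must come
# from out-of-band verification: it is the only source of trust here.
sign_verified_list() {
    cmd=--quick-sign-key; [ "${2:-}" = local ] && cmd=--quick-lsign-key
    while IFS= read -r fpr || [ -n "$fpr" ]; do
        case "$fpr" in ''|'#'*) continue ;; esac
        is_full_fpr "$fpr" || { echo "skipping malformed entry: $fpr" >&2; continue; }
        gpg --batch "$cmd" "$fpr" || return 1
    done < "$1"
}

# Read "gpg --with-colons --list-sigs <fpr>" on stdin; print the state of the
# certification by the signer with long key ID $1 (for a v4 key, the last 16
# hex digits of its fingerprint): exportable, local, revoked or none. sig/rev
# records carry the signer key ID in field 5, the creation time in field 6 and
# the class in field 11 ('x' = exportable, 'l' = local). The newest record
# wins, so a revocation superseded by a later certification counts as signed.
certification_state() {
    state=none; newest=0
    while IFS=: read -r rtype f2 f3 f4 keyid created f7 f8 f9 f10 class rest; do
        case "$rtype" in sig|rev) ;; *) continue ;; esac
        [ "$keyid" = "$1" ] && [ "$created" -ge "$newest" ] || continue
        newest=$created
        case "$rtype:$class" in
            rev:*)  state=revoked ;;
            sig:*l) state=local ;;
            sig:*x) state=exportable ;;
        esac
    done
    printf '%s\n' "$state"
}
# Constructed --with-colons excerpt (no real keys): Alice's self-signature and
# a local certification by Bob that Bob later revoked.
sample_listing() {
    cat <<'EOF'
pub:u:255:22:89ABCDEF01234567:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sig:::22:89ABCDEF01234567:1700000000::::Alice Example <alice@example.org>:13x::::::::
sig:::22:FEDCBA9876543210:1700000100::::Bob Example <bob@example.org>:10l::::::::
rev:::22:FEDCBA9876543210:1700000200::::Bob Example <bob@example.org>:30x::::::::
EOF
}
```

Run `gpg --with-colons --list-sigs <fpr> | certification_state <signer-keyid>` after signing to confirm the certification was actually written; `sample_listing` stands in for that output here.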
** 4.2 Option Summary
gpg features a bunch of options to control the exact beha...
configuration.
Long options can be put in an options file (default "~/.g...
names will not work - for example, "armor" is a valid opt...
is not. Do not write the 2 dashes, but simply the name of...
arguments. Lines with a hash (’#’) as the first non-white...
Commands may be put in this file too, but that is not gen...
execute automatically with every execution of gpg.
Please remember that option parsing stops as soon as a no...
can explicitly stop parsing by using the special option ‘...
*** 4.2.1 How to change the configuration
*** 4.2.2 Key related options
*** 4.2.3 Input and Output
*** 4.2.4 OpenPGP protocol specific options
*** 4.2.5 Compliance options
*** 4.2.6 Doing things one usually doesn’t want to do
*** 4.2.7 Deprecated options