The value consists of 3 colon-delimited fields: the first is the path to the Unix domain socket, the second is the PID of the gpg-agent, and the third is the protocol version, which should be set to 1. When starting the gpg-agent as described in its documentation, this variable is set to the correct value. The option --gpg-agent-info can be used to override it. Here gpgdir is the directory out of which the gpg binary has been loaded. If it can't be loaded the Registry is tried and as a last resort the native Windows locale system is used.
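The three-field value described above can be validated before anything tries to connect to the socket. The following is an added example, not code from GnuPG; it assumes the variable in question is GPG_AGENT_INFO (the name used by gpg 1.4 and 2.0 for this value) and that a command-line override, when given, takes precedence over the environment, as the text describes. The sample values are constructed.

```python
"""Parse and sanity-check a gpg-agent info value of the form
<socket path>:<pid>:<protocol version>.

Added example (not GnuPG code). Assumes the value lives in the
GPG_AGENT_INFO environment variable and that an explicit override
(the --gpg-agent-info option in the text) wins over the environment.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

ENV_VAR = "GPG_AGENT_INFO"  # assumed variable name
SUPPORTED_PROTOCOL = 1      # the text says the version "should be set to 1"


@dataclass(frozen=True)
class AgentInfo:
    socket_path: str
    pid: int
    protocol_version: int


def parse_agent_info(value: str) -> AgentInfo:
    """Split the value into its three fields and validate each one.

    Splitting from the right keeps a socket path that itself contains
    a colon (e.g. a Windows drive letter) intact, because the last two
    fields are always plain integers.
    """
    parts = value.rsplit(":", 2)
    if len(parts) != 3:
        raise ValueError(
            "expected 3 colon-delimited fields, got %d" % len(parts))
    path, pid_text, version_text = parts
    if not path:
        raise ValueError("socket path must not be empty")
    try:
        pid = int(pid_text)
        version = int(version_text)
    except ValueError as exc:
        raise ValueError("pid and protocol version must be integers") from exc
    if pid <= 0:
        raise ValueError("pid must be a positive integer")
    if version != SUPPORTED_PROTOCOL:
        raise ValueError("unsupported protocol version %d (expected %d)"
                         % (version, SUPPORTED_PROTOCOL))
    return AgentInfo(path, pid, version)


def is_valid_agent_info(value: str) -> bool:
    """Convenience predicate: True if parse_agent_info() accepts the value."""
    try:
        parse_agent_info(value)
        return True
    except ValueError:
        return False


def resolve_agent_info(environ: Mapping[str, str],
                       override: Optional[str] = None) -> Optional[AgentInfo]:
    """Pick the value the way the text describes: an explicit override
    first, otherwise the environment variable; None means no agent is
    advertised at all (gpg would then fall back to asking directly)."""
    value = override if override is not None else environ.get(ENV_VAR)
    if not value:
        return None
    return parse_agent_info(value)


if __name__ == "__main__":
    # Constructed sample environment, not taken from a real system.
    sample_env = {ENV_VAR: "/run/user/1000/gnupg/S.gpg-agent:4242:1"}
    print(resolve_agent_info(sample_env))
    print(resolve_agent_info(sample_env, override="/tmp/gpg-XYZ/S.gpg-agent:77:1"))
    for bad in ("/tmp/S.gpg-agent:77", "/tmp/S.gpg-agent:77:2", ":77:1", "/tmp/S.gpg-agent:-5:1"):
        print(bad, "->", is_valid_agent_info(bad))
```

Rejecting a malformed value early is cheaper and clearer than letting a later connect() fail with an opaque error, and refusing any protocol version other than 1 mirrors what the text says the field should contain.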
On older systems this program should be installed as setuid root. This is necessary to lock memory pages. Locking memory pages prevents the operating system from writing memory pages which may contain passphrases or other sensitive material to disk. If you get no warning message about insecure memory your operating system supports locking without being root. The program drops root privileges as soon as locked memory is allocated.
This writes all memory to disk before going into a low power or even powered off mode. Unless measures are taken in the operating system to protect the saved memory, passphrases or other sensitive material may be recoverable from it later.
It is a tool to provide digital encryption and signing services using the OpenPGP standard. Commands not specific to the function --version Print the program version and licensing information. Note that you cannot abbreviate this command. Commands to select the type of operation --sign -s Make a signature. This command may be combined with --encrypt for a signed and encrypted message , --symmetric for a signed and symmetrically encrypted message , or --encrypt and --symmetric together for a signed message that may be decrypted via a secret key or a passphrase.
The key to be used for signing is chosen by default or can be set with the --local-user and --default-key options. The content in a clear text signature is readable without any special software. OpenPGP software is only needed to verify the signature. Clear text signatures may modify end-of-line whitespace for platform independence and are not intended to be reversible. This option may be combined with --sign for a signed and encrypted message , --symmetric for a message that may be decrypted via a secret key or a passphrase , or --sign and --symmetric together for a signed message that may be decrypted via a secret key or a passphrase.
The default symmetric cipher used is AES, but may be chosen with the --cipher-algo option. This option may be combined with --sign for a signed and symmetrically encrypted message , --encrypt for a message that may be decrypted via a secret key or a passphrase , or --sign and --encrypt together for a signed message that may be decrypted via a secret key or a passphrase.
If the decrypted file is signed, the signature is also verified. This command differs from the default operation, as it never writes to the filename which is included in the file and it rejects files which don't begin with an encrypted message. If only one argument is given, it is expected to be a complete signature. This allows for many files to be processed at once.
Note that --multifile --verify may not be used with detached signatures. A after the letters sec means that the secret key is not usable for example, if it was created via --export-secret-subkeys. Note that for performance reasons the revocation status of a signing key is not shown.
This is the same output as --list-keys but with the additional output of a line with the fingerprint. May also be combined with --list-sigs or --check-sigs. If this command is given twice, the fingerprints of all secondary keys are listed too. This is mainly useful for debugging. The subcommand "help" provides an overview on available commands. This functionality is also available as the subcommand "passwd" with the --card-edit command.
In batch mode either --yes is required or the key must be specified by fingerprint. This is a safeguard against accidental deletion of multiple keys. In batch mode the key must be specified by fingerprint. Use together with --armor to mail those keys. Fingerprints may be used instead of key IDs. Option --keyserver must be used to give the name of this keyserver.
Don't send your complete keyring to a keyserver; select only those keys which are new or changed by you. If no key IDs are given, gpg does nothing. This command is often used along with the option --armor to allow easy printing of the key for paper backup; however the external tool paperkey does a better job for creating backups on paper. Note that exporting a secret key can be a security risk if the exported keys are sent over an insecure channel. This adds the given keys to the keyring.
The fast version is currently just a synonym. This is useful for updating a key with the latest signatures, user IDs, etc. Calling this with no arguments will refresh the entire keyring. Option --keyserver must be used to give the name of the keyserver for all keys that do not have preferred keyservers set see --keyserver-options honor-keyserver-url. Multiple names given here will be joined together to create the search string for the keyserver. Keyservers that support different search methods allow using the syntax specified in "How to specify a user ID" below.
Note that different keyserver types support different search methods. Currently only LDAP supports them all. This command iterates over all keys and builds the Web of Trust. This is an interactive command because it may have to ask for the "ownertrust" values for keys. The user has to give an estimation of how far she trusts the owner of the displayed key to correctly certify sign other keys. GnuPG only asks for the ownertrust value if it has not yet been assigned to a key.
Using the --edit-key menu, the assigned value can be changed at any time. From time to time the trust database must be updated so that expired keys or signatures and the resulting changes in the Web of Trust can be tracked. Normally, GnuPG will calculate when this is required and do it automatically unless --no-auto-check-trustdb is set. This command can be used to force a trust database check at any time.
The processing is identical to that of --update-trustdb but it skips keys with a not yet defined "ownertrust". This is useful for backup purposes as these values are the only ones which can't be re-created from a corrupted trustdb. In case of a severely damaged trustdb and if you have a recent backup of the ownertrust values e. It might be handy in other situations too. If count is not given or zero, an endless sequence of random bytes will be emitted.
If used with --armor the output will be base64 encoded. PLEASE, don't use this command unless you know what you are doing; it may remove precious entropy from the system! The output format is still subject to change. How to manage your keys This section explains the main commands for key management --gen-key Generate a new key pair using the current default parameters.
This is the standard command to create a new key. To revoke a subkey or a signature, use the --edit command. This allows a user with the permission of the keyholder to revoke someone else's key. It expects the specification of a key on the command line. This question is repeated for all users specified with -u. This may be used to make keys valid only in the local environment.
This is a signature that combines the notions of certification like a regular signature , and trust like the "trust" command. It is generally only useful in distinct communities or groups. Note that it is not possible to retract a signature, once it has been sent to the public i. In that case you better use revsig. For every signature which has been generated by one of the secret keys, GnuPG asks whether a revocation certificate should be generated.
Note that a very large JPEG will make for a very large key. Note that it is not possible to retract a user ID, once it has been sent to the public i. In that case you better use revuid. Note that setting a photo user ID as primary makes it primary over other photo user IDs, and setting a regular user ID as primary makes it primary over other regular user IDs.
This allows other users to know where you prefer they get your key from. See --keyserver-options honor-keyserver-url for more on how this works. Setting a value of "none" removes an existing preferred keyserver. See --cert-notation for more on how this works. This shows the actual preferences, without including any implied preferences.
This shows the preferences in effect by including the implied preferences of 3DES cipher , SHA-1 digest , and Uncompressed compression if they are not already included in the preference list. In addition, the preferred keyserver and signature notations if any are shown. Calling setpref with no arguments sets the preference list to the default either built-in or set via --default-preference-list , and calling setpref with "none" as the argument sets an empty preference list.
Use gpg --version to get a list of available algorithms. The secret key in the keyring will be replaced by a stub if the key could be stored successfully on the card and you use the save command later. Only certain key types may be transferred to the card.
A sub menu allows you to select on what card to store the key. Note that it is not possible to get that key back from the card - if the card gets broken your secret key will be lost unless you have a backup somewhere. This command may be used to restore a backup key as generated during card initialization to a new card.
In almost all cases this will be the encryption key. You should use this command only with the corresponding public key and make sure that the file given as argument is indeed the backup to restore. You should then select 2 to restore as encryption key. You will first be asked to enter the passphrase of the backup key and then for the Admin PIN of the card. Note that it is not possible to retract a subkey, once it has been sent to the public i.
In that case you better use revkey. If a subkey is selected, the expiration time of this subkey will be changed. With no selection, the key expiration of the primary key is changed. This updates the trust-db immediately and no save is required. A disabled key can not normally be used for encryption. This takes one optional argument: "sensitive". If a designated revoker is marked as sensitive, it will not be exported by default see export-options.
Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring. This removes all signatures from each user ID except for the most recent self-signature.
Cross-certification signatures protect against a subtle attack against signing subkeys. See --require-cross-certification. All new keys generated have this signature by default, so this option is only useful to bring older keys up to date.
The listing shows you the key with its secondary keys and all user ids. The primary user id is indicated by a dot, and selected keys or user ids are indicated by an asterisk. The trust value is displayed with the primary key: the first is the assigned owner trust and the second is the calculated trust value. This is a shortcut version of the subcommand "sign" from --edit.
This is a shortcut version of the subcommand "lsign" from --edit-key. How to change the configuration These options are used to change the configuration and are usually found in the option file. If this option is not used, the default key is the first key found in the secret keyring. Note that -u or --local-user overrides this option. The default key is the first one from the secret keyring or the one set with --default-key. If used twice, the input data is listed in detail.
Never ask, do not allow interactive commands. This option is commonly used for unattended operations. Options can be prepended with a no- after the two dashes to give the opposite meaning. The options are: show-photos Causes --list-keys , --list-sigs , --list-public-keys , and --list-secret-keys to display any photo IDs attached to the key.
Defaults to no. See also --photo-viewer. Does not work with --with-colons : see --attribute-fd for the appropriate way to get photo data for scripts and other frontends. This option can take an optional argument list of the subpackets to list. If no argument is passed, list all subpackets. This option is only meaningful when using --with-colons along with --list-sigs or --check-sigs. The options are: show-photos Display any photo IDs present on the key that issued the signature.
Defaults to IETF standard. That is all the AKA lines as well as photo Ids are not shown with the signature verification status. Note that PKA is based on DNS, and so enabling this option may disclose information on when and what signatures are verified or to whom data is encrypted. This is similar to the "web bug" described for the auto-key-retrieve feature. This option is only meaningful if pka-lookups is set. These large keys are more expensive to use, and their signatures and certifications are also larger.
This is also the default with --openpgp. Note, that on W32 system this value is ignored when searching for keyserver helpers. This means that newly imported keys via --import or keyserver --recv-from will go to this keyring. It is only recognized when given on the command line. This allows to fall back to one of the other drivers even if the internal CCID driver can handle the reader. Note, that CCID support is only available if libusb was available at build time.
A value of 0 refers to the first serial device; add to access USB devices. The default is first USB device. The default is then the first reader found. Note that this has nothing to do with the character set of data to be encrypted or signed; GnuPG does not recode user-supplied data.
If this option is not used, the default character set is determined from the current locale. A verbosity level of 3 shows the chosen set. Valid values for name are: iso This is the Latin 1 set. The default --no-utf8-strings is to assume that arguments are encoded in the character set as specified by --display-charset.
These options affect all following arguments. Both options may be used multiple times. This option is ignored if used in an options file. This option is detected before an attempt to open an option file. The default is to use the default compression level of zlib normally 6.
This is a different option from --compress-level since BZIP2 uses a significant amount of memory for each additional compression level. A value of 0 for n disables compression. This alternate method uses a bit more than half the memory, but also runs at half the speed. This is useful under extreme low memory circumstances when the file was originally compressed at a high --bzip2-compress-level.
This option is off by default and has no effect on non-Windows platforms. If this option is not specified, the certification level used is set via --default-cert-level. See --default-cert-level for information on the specific levels and how they are used. This option defaults to no.
This option defaults to 0 no particular claim. Defaults to 2, which disregards level 1 signatures. Note that level 0 "no particular claim" signatures are always accepted. This option is useful if you don't want to keep your secret keys or one of them online but still want to be able to check the validity of a given recipient's or signator's key. This is the default trust model when creating a new trust database. You generally won't use this unless you are using some external validation scheme.
This option also suppresses the "[uncertain]" tag printed with signature checks when there is no evidence that the user ID is bound to the key. Note that this trust model still does not allow the use of expired, revoked, or disabled keys. This is the default model if such a database already exists.
This happens when encrypting to an email address in the " [email protected] " form , and there are no [email protected] keys on the local keyring. This option takes any number of the following mechanisms, in the order they are to be tried: cert Locate a key using DNS CERT, as specified in rfc This mechanism allows to select the order a local key lookup is done.
Thus using '--auto-key-locate local' is identical to --no-auto-key-locate. The position of this mechanism in the list does not matter. It is not required if local is also used. This is useful to override mechanisms given in a config file.
Add an "0x" to either to include an "0x" at the beginning of the key ID, as in 0x Note that this option is ignored if the option --with-colons is used. This is the server that --recv-keys , --send-keys , and --search-keys will communicate with to receive keys from, send keys to, and search for keys on.
Note that your particular installation of GnuPG may have other keyserver types available as well. Keyserver schemes are case-insensitive. After the keyserver name, optional keyserver configuration options may be provided. These are the same as the global --keyserver-options from below, but apply only to this particular keyserver. Valid import-options or export-options may be used here as well to apply to importing --recv-key or exporting --send-key a key from a keyserver.
While not all options are available for all keyserver types, some common options are: include-revoked When searching for a key with --search-keys , include keys that are marked on the keyserver as revoked. Note that not all keyservers differentiate between revoked and unrevoked keys, and for such keyservers this option is meaningless. Note also that most keyservers do not have cryptographic verification of key revocations, and so turning this option off may result in skipping keys that are incorrectly marked as revoked.
Note that this option is not used with HKP keyservers. In addition, if auto-key-retrieve is set, and the signature being verified has a preferred keyserver URL, then use that preferred keyserver to fetch the key from. Defaults to yes. Note that this option is not used with HKP keyservers, as they do not support retrieving keys by subkey id. This option forces GnuPG to use temporary files to communicate. This option is useful to learn the keyserver communication protocol by reading the temporary files.
This option can be repeated multiple times to increase the verbosity level. Note that performing multiple actions at the same time uses this timeout value per action. For example, when retrieving multiple keys via --recv-keys , the timeout applies separately to each key retrieval, and not to the --recv-keys command as a whole. Defaults to 30 seconds. Defaults to bytes.
Note that the details of debug output depends on which keyserver helper program is being used, and in turn, on any libraries that the keyserver helper program uses internally libcurl, openldap, etc. Defaults to on. Only necessary if check-cert is enabled, and the keyserver is using a certificate that is not present in a system default certificate list.
This method is part of the upcoming enhanced OpenPGP specification but GnuPG already uses it as a countermeasure against certain attacks. Old applications don't understand this new format, so this option may be used to switch back to the old behaviour.
Using this option bears a security risk. Note that using this option only takes effect when the secret key is encrypted - the simplest way to make this happen is to change the passphrase on the key even changing it to the same value is acceptable.
Caching gives much better performance in key listings. However, if you suspect that your public keyring is not safe against write modifications, you can use this option to disable the caching. It probably does not make sense to disable it because all kinds of damage can be done if someone else has write access to your public keyring. It has no function. This may be a time-consuming process.
With this option, GnuPG first tries to connect to the agent before it asks for a passphrase. This is only used when --use-agent has been given. Given that this option is not anymore used by gpg2 , it should be avoided if possible. Use this to override a previous --lock-once from a config file. This option should be used only in very special environments, where it can be assured that only one process is accessing those files.
A bootable floppy with a stand-alone encryption system will probably use this. Improper usage of this option may lead to data and key corruption. That should in fact be the default but it never worked this way and thus we need an option to enable this, so that the change won't break applications which close their end of a status fd connected pipe too early. Using this option along with --enable-progress-filter may be used to cleanly cancel long running gpg operations. Thus with a value of 1 gpg won't at all ask to insert a card if none has been inserted at startup.
This option is useful in the configuration file in case an application does not know about the smartcard support and waits ad infinitum for an inserted card. This makes random generation faster; however sometimes write operations are not desired. This option can be used to achieve that with the cost of slower random generation. Note that the permission checks that GnuPG performs are not intended to be authoritative, but rather they simply warn about certain common permission problems.
Do not assume that the lack of a warning means that your system is secure. Defaults to no i. This protects against a subtle attack against subkeys that can sign. Defaults to --require-cross-certification for gpg. This also disables certain warning messages about potentially incompatible actions. As the name implies, this option is for experts only.
If you don't fully understand the implications of what it allows you to do, leave this off. Key related options --recipient name -r Encrypt for user id name. If this option or --hidden-recipient is not specified, GnuPG asks for the user-id unless --default-recipient is given. This option helps to hide the receiver of the message and is a limited countermeasure against traffic analysis. If this option or --recipient is not specified, GnuPG asks for the user ID unless --default-recipient is given.
These keys are only used when there are other recipients given either by use of --recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used. Any time the group name is a recipient -r or --recipient , it will be expanded to the values specified. Multiple groups with the same name are automatically merged into a single group.
Note that this option overrides --default-key. This option forces the behaviour as used by anonymous recipients created by using --throw-keyids or --hidden-recipient and might come in handy in case an encrypted message contains a bogus key ID. This option helps in the case that people use the hidden recipients feature to hide their own encrypt-to key from others.
If oneself has many secret keys this may lead to a major annoyance because all keys are tried in turn to decrypt something which was not really intended for it. The drawback of this option is that it is currently not possible to decrypt a message which includes real anonymous recipients. The default is to create the binary OpenPGP format. Since OpenPGP supports various levels of compression, it is possible that the plaintext of a given message may be significantly larger than the original OpenPGP message.
While GnuPG works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit". The options are: import-local-sigs Allow importing key signatures marked as "local".
This is not generally useful unless a shared keyring scheme is being used. This is in general desirable so that a formerly deleted key does not automatically gain an ownertrust values merely due to import. On the other hand it is sometimes necessary to re-import a trusted set of keys again but keeping already assigned ownertrust values.
This can be achieved by using this option. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. Defaults to no for regular --import and to yes for keyserver --recv-keys. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This will make identity management more complicated if different agents are running, especially in combination with SmartCards.
If you use the gpg-agent over SSH, a graphical pinentry password prompt will not come up in the login shell. This causes all operations that require a password to fail. The snippet does not affect the pinentry settings when using local shells. This page is based on a document formerly found on our main website gentoo.
The following people contributed to the original document: Gustavo Felisberto, John P. Davis.
As of March 3rd, , the information in this article is probably outdated.
gpg2 is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool to provide digital encryption and signing services using the OpenPGP standard.