(gnupg1.info.gz) OpenPGP Key Management

 
 1.1.3 How to manage your keys
 -----------------------------
 
 This section explains the main commands for key management.
 
 `--gen-key'
      Generate a new key pair. This command is normally only used
      interactively.
 
      There is an experimental feature which allows you to create keys in
      batch mode. See the file `doc/DETAILS' in the source distribution
      on how to use this.
 
 `--gen-revoke `name''
      Generate a revocation certificate for the complete key. To revoke
      a subkey or a signature, use the `--edit-key' command. Generate
      this certificate right after creating the key and keep it offline:
      it is the only way to revoke the key if the secret key or its
      passphrase is lost, and anyone who obtains it can revoke the key
      simply by importing it.
 
 `--desig-revoke `name''
      Generate a designated revocation certificate for a key. This
      allows a user whose key the keyholder has previously added as a
      designated revoker (see the `addrevoker' subcommand of
      `--edit-key') to revoke someone else's key.
 
 `--edit-key'
      Present a menu which enables you to do most of the key management
      related tasks.  It expects the specification of a key on the
      command line.
 
     sign
           Make a signature on the key of user `name'. If the key is not
           yet signed by the default user (or the users given with -u),
           the program displays the key information again, together with
           its fingerprint, and asks whether it should be signed. This
           question is repeated for all users specified with -u.
 
     lsign
           Same as "sign" but the signature is marked as non-exportable
           and will therefore never be used by others. This may be used
           to make keys valid only in the local environment. Such a
           signature is dropped by `--export' and by `--import' unless
           `--export-options export-local-sigs' and `--import-options
           import-local-sigs' are given explicitly.
 
     nrsign
           Same as "sign" but the signature is marked as non-revocable
           and can therefore never be revoked.
 
     tsign
           Make a trust signature. This is a signature that combines the
           notions of certification (like a regular signature), and
           trust (like the "trust" command). It is generally only useful
           in distinct communities or groups.
 
      Note that "l" (for local / non-exportable), "nr" (for
      non-revocable) and "t" (for trust) may be freely mixed and
      prefixed to "sign" to create a signature of any type desired.
 
     revsig
           Revoke a signature. For every signature which has been
           generated by one of the secret keys, GnuPG asks whether a
           revocation certificate should be generated.
 
     trust
           Change the owner trust value. This updates the trust-db
           immediately and no save is required.
 
     disable
     enable
           Disable or enable an entire key. A disabled key cannot
           normally be used for encryption.
 
     adduid
           Create an alternate user id.
 
     addphoto
           Create a photographic user id. This will prompt for a JPEG
           file that will be embedded into the user ID. Note that a very
           large JPEG will make for a very large key. Also note that
           some programs will display your JPEG unchanged (GnuPG), and
           some programs will scale it to fit in a dialog box (PGP).
 
     deluid
           Delete a user id.  Note that it is not possible to retract a
           user id once it has been sent to the public (i.e. to a
           keyserver).  In that case use `revuid' instead.
 
     delsig
           Delete a signature. Note that it is not possible to retract a
           signature once it has been sent to the public (i.e. to a
           keyserver).  In that case use `revsig' instead.
 
     revuid
           Revoke a user id.
 
     addkey
           Add a subkey to this key.
 
     addcardkey
           Generate a key on a card and add it to this key.
 
     keytocard
           Transfer the selected secret key (or the primary key if no
           key has been selected) to a smartcard. The secret key in the
           keyring will be replaced by a stub if the key could be stored
           successfully on the card and you use the save command later.
           Only certain key types may be transferred to the card. A sub
           menu allows you to select on what card to store the key. Note
           that it is not possible to get that key back from the card -
           if the card gets broken your secret key will be lost unless
           you have a backup somewhere.
 
     bkuptocard `file'
           Restore the given file to a card. This command may be used to
           restore a backup key (as generated during card
           initialization) to a new card. In almost all cases this will
           be the encryption key. You should use this command only with
           the corresponding public key and make sure that the file
           given as argument is indeed the backup to restore. You should
           then select 2 to restore as encryption key.  You will first
           be asked to enter the passphrase of the backup key and then
           for the Admin PIN of the card.
 
     delkey
           Remove a subkey (secondary key). Note that it is not possible
           to retract a subkey once it has been sent to the public
           (i.e. to a keyserver).  In that case use `revkey' instead.
 
     addrevoker
           Add a designated revoker. This takes one optional argument:
           "sensitive". If a designated revoker is marked as sensitive,
           it will not be exported by default (see export-options).
 
     revkey
           Revoke a subkey.
 
     expire
           Change the key expiration time. If a subkey is selected, the
           expiration time of this subkey will be changed. With no
           selection, the key expiration of the primary key is changed.
 
     passwd
           Change the passphrase of the secret key.
 
     primary
           Flag the current user id as the primary one, remove the
           primary user id flag from all other user ids and set the
           timestamp of all affected self-signatures one second ahead.
           Note that setting a photo user ID as primary makes it primary
           over other photo user IDs, and setting a regular user ID as
           primary makes it primary over other regular user IDs.
 
     uid `n'
           Toggle selection of user id with index `n'.  Use 0 to
           deselect all.
 
     key `n'
           Toggle selection of subkey with index `n'.  Use 0 to deselect
           all.
 
     check
           Check all selected user ids.
 
     showphoto
           Display the selected photographic user id.
 
     pref
           List preferences from the selected user ID. This shows the
           actual preferences, without including any implied preferences.
 
     showpref
           More verbose preferences listing for the selected user ID.
           This shows the preferences in effect by including the implied
           preferences of 3DES (cipher), SHA-1 (digest), and
           Uncompressed (compression) if they are not already included
           in the preference list. In addition, the preferred keyserver
           and signature notations (if any) are shown.
 
     setpref `string'
           Set the list of user ID preferences to `string' for all (or
           just the selected) user IDs. Calling setpref with no
           arguments sets the preference list to the default (either
           built-in or set via `--default-preference-list'), and calling
           setpref with "none" as the argument sets an empty preference
           list. Use `gpg --version' to get a list of available
           algorithms. Note that while you can change the preferences on
           an attribute user ID (aka "photo ID"), GnuPG does not select
           keys via attribute user IDs so these preferences will not be
           used by GnuPG.
 
     keyserver
           Set a preferred keyserver for the specified user ID(s). This
           allows other users to know where you prefer they get your key
           from. See `--keyserver-options honor-keyserver-url' for more
           on how this works.  Setting a value of "none" removes an
           existing preferred keyserver.
 
     notation
           Set a name=value notation for the specified user ID(s). See
           `--cert-notation' for more on how this works. Setting a value
           of "none" removes all notations, setting a notation prefixed
           with a minus sign (-) removes that notation, and setting a
           notation name (without the =value) prefixed with a minus sign
           removes all notations with that name.
 
     toggle
           Toggle between public and secret key listing.
 
     clean
           Compact (by removing all signatures except the selfsig) any
           user ID that is no longer usable (e.g. revoked, or expired).
           Then, remove any signatures that are not usable by the trust
           calculations.  Specifically, this removes any signature that
           does not validate, any signature that is superseded by a
           later signature, revoked signatures, and signatures issued by
           keys that are not present on the keyring.
 
     minimize
           Make the key as small as possible. This removes all
           signatures from each user ID except for the most recent
           self-signature.
 
     cross-certify
           Add cross-certification signatures to signing subkeys that
           may not currently have them. Cross-certification signatures
           protect against a subtle attack against signing subkeys. See
           `--require-cross-certification'.
 
     save
           Save all changes to the key rings and quit.
 
     quit
           Quit the program without updating the key rings.
 
 
      The listing shows you the key with its secondary keys and all user
      ids. Selected keys or user ids are indicated by an asterisk. The
      trust value is displayed with the primary key: the first is the
      assigned owner trust and the second is the calculated trust value.
      Letters are used for the values:
 
     -
           No ownertrust assigned / not yet calculated.
 
     e
           Trust calculation has failed; probably due to an expired key.
 
     q
           Not enough information for calculation.
 
     n
           Never trust this key.
 
     m
           Marginally trusted.
 
     f
           Fully trusted.
 
     u
           Ultimately trusted.
 
 `--sign-key `name''
      Signs a public key with your secret key. This is a shortcut
      version of the subcommand "sign" from `--edit-key'.
 
 `--lsign-key `name''
      Signs a public key with your secret key but marks it as
      non-exportable. This is a shortcut version of the subcommand
      "lsign" from `--edit-key'.
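
      The following script is a worked example added to this page; it is
      not part of the GnuPG documentation or source. It exercises several
      of the commands described above in two throwaway key rings: batch
      mode `--gen-key', `--lsign-key' versus `--export' (the "lsign"
      entry and `--lsign-key'), the "trust" subcommand together with the
      owner-trust and validity letters of the listing, and `--gen-revoke'
      followed by importing the certificate. It assumes GnuPG 2.1 or later
      (the `%no-protection' batch directive and an automatically started
      gpg-agent); with GnuPG 1.x you would give a `Passphrase:' parameter
      instead. The names, addresses and temporary directories are
      constructed test data, and `gen_test_key', `gpg_scripted',
      `count_sigs_by' and the other function names are the script's own.

```shell
#!/bin/sh
# Added worked example, not GnuPG's own code.  Exercises batch --gen-key,
# --lsign-key, the "trust" subcommand of --edit-key and --gen-revoke in two
# throwaway GNUPGHOMEs and reads the results back with --with-colons.
# Assumes GnuPG 2.1+ (uses %no-protection; GnuPG 1.x needs a Passphrase: line).
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to do" >&2; exit 0; }

HOME_A=$(mktemp -d /tmp/gpgA.XXXXXX)   # Alice: certifies Bob, later revokes herself
HOME_B=$(mktemp -d /tmp/gpgB.XXXXXX)   # Bob: the key Alice certifies
chmod 700 "$HOME_A" "$HOME_B"
cleanup() {
    for h in "$HOME_A" "$HOME_B"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$HOME_A" "$HOME_B"
}
trap cleanup EXIT

# Batch key generation (the doc/DETAILS parameter format).  $1 = GNUPGHOME,
# $2 = real name, $3 = e-mail (test data).  Prints the new primary fingerprint.
gen_test_key() {
    GNUPGHOME=$1 gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    GNUPGHOME=$1 gpg --batch --with-colons --with-fingerprint --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run gpg with its interactive prompts answered from stdin (--command-fd 0).
# $1 = GNUPGHOME, remaining arguments = gpg command line.
gpg_scripted() {
    home=$1; shift
    GNUPGHOME=$home gpg --command-fd 0 --no-tty "$@"
}

# Long key ID = last 16 hex digits of a v4 fingerprint.
keyid_of() { printf '%s\n' "$1" | cut -c25-40; }

# Validity letter: field 2 of the pub record (-, e, q, n, m, f, u; r = revoked).
key_validity() {  # $1 = GNUPGHOME, $2 = fingerprint
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Owner trust letter: field 9 of the pub record, the value set with "trust".
key_ownertrust() {  # $1 = GNUPGHOME, $2 = fingerprint
    GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "pub" { print $9; exit }'
}

# Number of certifications on key $2 issued by long key ID $3 (sig records, field 5).
count_sigs_by() {  # $1 = GNUPGHOME
    GNUPGHOME=$1 gpg --batch --with-colons --list-sigs "$2" \
        | awk -F: -v s="$3" '$1 == "sig" && $5 == s { n++ } END { print n + 0 }'
}

ALICE=$(gen_test_key "$HOME_A" "Alice Example" alice@example.org)
BOB=$(gen_test_key "$HOME_B" "Bob Example" bob@example.org)
ALICE_ID=$(keyid_of "$ALICE")

# Bob's public key reaches Alice (as it would via a keyserver); Alice local-signs it.
GNUPGHOME=$HOME_B gpg --batch --export "$BOB" | GNUPGHOME=$HOME_A gpg --batch --quiet --import
printf 'y\ny\ny\n' | gpg_scripted "$HOME_A" --lsign-key "$BOB"
LSIG_AT_ALICE=$(count_sigs_by "$HOME_A" "$BOB" "$ALICE_ID")      # 1: present locally

# A plain export drops the non-exportable signature, so Bob never receives it.
GNUPGHOME=$HOME_A gpg --batch --export "$BOB" | GNUPGHOME=$HOME_B gpg --batch --quiet --import
LSIG_AT_BOB=$(count_sigs_by "$HOME_B" "$BOB" "$ALICE_ID")        # 0: stripped on export

# Only an explicit opt-in on both ends moves it across key rings.
GNUPGHOME=$HOME_A gpg --batch --export-options export-local-sigs --export "$BOB" \
    | GNUPGHOME=$HOME_B gpg --batch --quiet --import-options import-local-sigs --import
LSIG_AT_BOB_OPTIN=$(count_sigs_by "$HOME_B" "$BOB" "$ALICE_ID")  # 1

# "trust" in --edit-key: set Bob's owner trust to full (menu choice 4) on Alice's side.
# The trust-db is updated at once; no save is needed, so gpg just quits afterwards.
printf '4\n' | gpg_scripted "$HOME_A" --edit-key "$BOB" trust
BOB_OWNERTRUST=$(key_ownertrust "$HOME_A" "$BOB")                 # f
BOB_VALIDITY=$(key_validity "$HOME_A" "$BOB")                     # calculated validity

# Revocation certificate (answers: create it, reason 0, no description, confirm).
# Keep the file offline: anyone who imports it revokes the key.
printf 'y\n0\n\ny\n' | gpg_scripted "$HOME_A" --armor --output "$HOME_A/revoke.asc" --gen-revoke "$ALICE"
VALIDITY_BEFORE=$(key_validity "$HOME_A" "$ALICE")                # u
GNUPGHOME=$HOME_A gpg --batch --quiet --import "$HOME_A/revoke.asc"
VALIDITY_AFTER=$(key_validity "$HOME_A" "$ALICE")                 # r

echo "lsig at Alice=$LSIG_AT_ALICE exported=$LSIG_AT_BOB opt-in=$LSIG_AT_BOB_OPTIN"
echo "Bob ownertrust=$BOB_OWNERTRUST validity=$BOB_VALIDITY; Alice before=$VALIDITY_BEFORE after=$VALIDITY_AFTER"
```

      The prompts are answered through `--command-fd 0' rather than
      `--batch' because `--gen-revoke' and the `--edit-key' menu refuse to
      run in batch mode. The answer strings depend on the exact prompt
      sequence of the installed GnuPG version, so check them against
      `--status-fd' output before relying on this in automation.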
 
 