This document provides an introduction to basic command line use of GPG in a UNIX shell like Bash or Tcsh (for BSD, Linux, OS X, etc. users) and the Windows DOS prompt. The command line options used here work with both GPG 1.4.x and GPG 2.0.x. As with my previous guides, my instructions use GPG 1.4.12 on a POSIX compliant system. Some UNIX commands (e.g. grep, less, more, etc.) will not be available to Windows users.

The guide assumes you know how to open a shell/Terminal/DOS prompt on your system(s) and know the most basic commands for moving between directories, moving files and deleting files (although it is often better to use a secure deletion program).

*** REQUIREMENTS ***

Before using this guide you need to make sure that you have correctly configured your copy of GPG using my previous guide on that topic:

GPG HOWTO: GPG Configuration - The gpg.conf file
http://dkn255hz262ypmii.onion/index.php?topic=34204.0

I will be assuming that this type of configuration is in use throughout this guide.

You will need a text editor like Notepad (Windows), TextEdit (OS X), Nano (OS X, Linux, BSD, etc.), Vim (OS X, Linux, BSD, etc.) or Emacs (Windows, OS X, Linux, BSD, etc.). More advanced text editors, like Vim and Emacs, provide greater options and are valuable to command line users. This guide, as with all my guides, has been written with Emacs.

Files saved and used in this guide are all assumed to be in the same directory that you are running the commands in.

You will also need a GPG key and I strongly encourage using 4096-bit RSA/RSA or 4096-bit RSA/Elgamal keys. To make an RSA/Elgamal key you can see my guide on that here:

GPG HOWTO: Creating large keys and mixing algorithms (expert mode)
http://dkn255hz262ypmii.onion/index.php?topic=28474.0

If you do not feel comfortable making an RSA/Elgamal key, that's fine, you can always do it later if you change your mind. If you make a 4096-bit RSA/RSA key you can change it into an RSA/Elgamal key later anyway (by adding an Elgamal encryption subkey to it).

*** Online Resources (clearnet) ***

The following guides are essential resources for command line users of GPG:

The GNU Privacy Handbook
http://www.gnupg.org/gph/en/manual.html

The GNU Privacy Guard Manual
http://www.gnupg.org/documentation/manuals/gnupg/

GnuPG - Command Reference
http://www.spywarewarrior.com/uiuc/gpg/gpg-com-0.htm

*** GPG Command ***

GPG 1.4.x is invoked on the command line as:

    gpg

GPG 2.0.x is invoked on the command line as:

    gpg2

Note: Systems can have both GPG 1.4.x and 2.0.x installed. Systems with just GPG 2.0.x installed often have the gpg command linked to the gpg2 command. If you are unsure which one a command actually starts, run "gpg --version".

GPG includes help on the command line which can be accessed at any time with the following command:

    gpg --help

For the most part commands which work in GPG 1.4.x work in the same way in 2.0.x. All commands in this guide will work with both versions.

Most options or flags that can be invoked on the command line can also be included in gpg.conf. There are some exceptions to this, but the details of those exceptions are included in the GPG manual and are beyond the scope of this introductory guide.

*** The Public Keyring ***

The entire public keyring can be viewed with this command:

    gpg --list-keys

There is also a shortcut for it:

    gpg -k

If, like me, you have a lot of keys on your keyring you can page through the output:

    gpg -k | less

You can also check for a specific key by using the user ID (i.e. the name or email address) or using the key ID (i.e. the hexadecimal code identifying the key):

    gpg -k lcyphre
    gpg -k "Louis Cyphre"
    gpg -k 0x7E8BE6B1DD7B4576
    gpg -k DD7B4576

All those commands will display the details for my key if it is in your public keyring.

The last two forms are the 16-digit "long" key ID and the 8-digit "short" key ID (the last 8 digits of the long one). A short ID is only 32 bits, so two different keys can share one. Use the long ID or, better still, the full 40-digit fingerprint whenever it matters which key you get, for example when encrypting to someone or telling someone which key is yours.

The --fingerprint flag can be added to display the fingerprint of any key or keys:

    gpg -k --fingerprint 0x7E8BE6B1DD7B4576

If a string is used to list keys using the user ID which matches multiple keys then all keys including that string will be displayed:

    gpg -k tormail

UNIX users can count the number of keys in their keyring with this command:

    gpg -k | grep "^pub" | wc -l

Or the number of Tor Mail users:

    gpg -k tormail | grep "^pub" | wc -l

*** The Secret Keyring ***

The entire secret or private keyring can be viewed with this command:

    gpg --list-secret-keys

There is also a shortcut for it:

    gpg -K

Note the uppercase K in the shortcut this time.

The other variations included for the public keyring also operate with the secret keyring.

*** ASCII Armoured Files ***

GPG uses two main file types (there are more, but these two are the ones that concern us here):

1) GPG encrypted messages or GPG signatures in binary form, using the .gpg extension.
2) GPG encrypted messages or GPG signatures with ASCII armouring, using the .asc extension.

Public keys and encrypted messages posted to the forum, sent in email and posted on Silk Road all need to use ASCII armouring in order to be displayed correctly and used by others here. ASCII armouring increases the file size, because the binary data is base64 encoded (roughly a third larger), but it works and the increase is partly offset by the compression GPG applies before a file is encrypted.

The armour flag is included with other commands at the time they are invoked; it cannot be applied afterwards to turn an existing binary .gpg file into a proper armoured message. (GPG does have an --enarmor command, but it wraps the file in a generic "PGP ARMORED FILE" block rather than the "PGP MESSAGE" block other people's software expects, so re-run the original command with the armour flag instead.)
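Before the armour flags, a short digression back to the keyring listings above. The "gpg -k" output is meant for a person reading the screen; for a script (counting keys, or finding every key a short ID could stand for) GPG's --with-colons option prints a stable, machine-readable listing with one record per line and colon-separated fields, and it exists in both 1.4.x and 2.0.x. What follows is an added example, not part of the original guide: three small POSIX shell functions that read such a listing. The listing they are fed here is constructed by hand (the keys, fingerprints and names are made up, and the second key deliberately shares the last eight hex digits of the first key's ID to show why a short ID is not a safe way to name a key); the function names are this example's own. With a real keyring you would pipe "gpg --with-colons --fingerprint -k" into them.

```shell
#!/bin/sh
# Added example: reading "gpg --with-colons --fingerprint -k" output from a script.
# Not part of the original guide; the listing below is constructed by hand.
set -eu

# Constructed sample listing. Record types used: pub (primary key; field 5 is the
# long key ID), fpr (field 10 is the fingerprint), uid (field 10 is the user ID),
# sub (subkey). The two keys deliberately share the short ID 12345678.
SAMPLE_LISTING='tru::1:1390000000:0:3:1:5
pub:u:4096:1:90ABCDEF12345678:1360000000::u:::scESC:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:u::::1360000000::::Alice Example <alice@example.invalid>:
sub:u:4096:1:0011223344556677:1360000000::::::e:
pub:-:2048:1:FEDCBA9812345678:1370000000::-:::scESC:
fpr:::::::::000000000000000000000000FEDCBA9812345678:
uid:-::::1370000000::::Mallory Lookalike <mallory@example.invalid>:
sub:-:2048:1:8899AABBCCDDEEFF:1370000000::::::e:'

# One line per primary key: "<long key ID> <fingerprint> <first user ID>".
# A "-" in the fingerprint column means no fpr record followed the pub record
# (GPG 1.4.x only prints them when --fingerprint is given).
summarize_keys() {
    awk -F: '
        $1 == "pub" { keyid = $5; fpr = "-"; seen_uid = 0 }
        $1 == "fpr" && fpr == "-" { fpr = $10 }
        $1 == "uid" && !seen_uid { seen_uid = 1; print keyid, fpr, $10 }
    '
}

# Number of primary keys in the listing (the --with-colons version of
# gpg -k | grep "^pub" | wc -l). grep -c exits 1 when the count is 0, hence "|| true".
count_keys() {
    grep -c '^pub:' || true
}

# Every long key ID whose short (32-bit) ID equals $1, given with or without 0x.
# More than one line of output means the short ID is ambiguous in this keyring.
keys_for_short_id() {
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
    awk -F: -v want="$want" '
        $1 == "pub" && substr($5, length($5) - 7) == want { print $5 }
    '
}

# Demonstration on the constructed listing. Against a real keyring use:
#   gpg --with-colons --fingerprint -k | summarize_keys
printf '%s\n' "$SAMPLE_LISTING" | summarize_keys
printf 'keys: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_keys)"
printf 'keys matching short ID 12345678: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | keys_for_short_id 0x12345678 | tr '\n' ' ')"
```

Run on the sample, keys_for_short_id prints two long IDs for 12345678, which is exactly the situation in which "gpg -r 12345678" would quietly pick whichever key comes first in the keyring.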
There are three flags available and they all perform the same function:

    --armor
    --armour
    -a

*** GPG Output ***

GPG can display output to the screen, but a lot of commands need the output redirected to files. Some commands, like encrypting, do this automatically by appending the .asc or .gpg extension. Other commands, like exporting a key, do not. When using these other commands we need to specify the output file by using:

    --output $FILENAME
    -o $FILENAME

The output flag can also be used to override the default filename GPG would otherwise use. Put it before the name of the input file, as in the examples below.

*** Importing Keys ***

To import a key first select the ASCII armoured key block and copy it. Open your text editor, paste it in and save the file to a suitable filename (e.g. pubkey.asc). To import the key just run this command:

    gpg --import pubkey.asc

When the key has been imported you can safely delete the pubkey.asc file. Importing only puts the key in your keyring; it does not prove that the key belongs to the person named in it. Compare its fingerprint (gpg --fingerprint) with one the owner has given you through another channel before relying on it.

The import command will work on both public and secret keys. GPG recognises the difference and saves them in the appropriate keyring file. A secret key block also carries the public key material, but whether the public half is added to the public keyring at the same time depends on the GPG version, so after importing a secret key check with gpg -K and gpg -k that both halves are present and import your public key export as well if it is missing.

*** Exporting Public Keys ***

Exporting keys is essential to provide a copy of your public key to those people who need it. You can also export any key in your public keyring, several keys (list several key IDs) or, if you give no key ID at all, the whole keyring into a single public key block.

When I need to export my key I run this command:

    gpg -a --export -o lc.asc 0x7E8BE6B1DD7B4576

The export command will never export a secret key; there is a separate command for that which is used to back up a secret key.

*** Exporting Secret Keys ***

The command to export a secret key for backup purposes is:

    gpg -a --export-secret-keys -o mysecret.asc $KEY_ID

Where $KEY_ID is the key ID for your secret key. You can leave that blank if you only have one secret key or want to export all the secret keys. The exported file is protected only as well as your passphrase protects it, so treat it with the same care as the key itself.

More detail on securely exporting and backing up secret keys can be found here:

GPG HOWTO: Backing up secret keys securely
http://dkn255hz262ypmii.onion/index.php?topic=28859.0

*** Encrypting Files and Messages ***

To encrypt a message or file we need to specify that we are encrypting, using ASCII armouring, the recipient or recipients and optionally an output file.

The encryption flag is:

    --encrypt

The shortcut for this flag is:

    -e

The flag to specify a recipient is:

    --recipient

The shortcut for this flag is:

    -r

By default messages are encrypted to the keys specified at the time of encryption plus any keys included in the "encrypt-to" line of the gpg.conf file. It is HIGHLY recommended that you include your key in the "encrypt-to" line of your gpg.conf file; without it you will not be able to decrypt your own sent messages later.

If I wanted to encrypt a message (e.g. message.txt) to Guru I could use any of the following commands to do it:

    gpg --armor --encrypt -o message.txt.asc --recipient 0x523FCBEE886855CA message.txt
    gpg --armor --encrypt --recipient 0x523FCBEE886855CA message.txt
    gpg --armour --encrypt --recipient 0x523FCBEE886855CA message.txt

What I actually do is much shorter and uses the shortcuts mentioned so far:

    gpg -ea -r guru message.txt

All of these commands will produce an ASCII armoured file called message.txt.asc, encrypted to both Guru's key and my key (which is included through the gpg.conf setting).

Encrypting to multiple users can be done by specifying additional recipient flags. If I wanted to encrypt my message to Guru and Pine I could do this:

    gpg -ea -r guru -r 0xE9094AF9 message.txt

Note: When using user IDs to specify a key to encrypt to, make sure that the user ID is unique and does not match any other keys. Otherwise GPG will use the first key in the public keyring that matches for the recipient. If in doubt, give the long key ID or the fingerprint instead of the name.

*** Decrypting Files and Messages ***

Once Guru has my message he needs to decrypt it. The decryption process is just as straightforward.

The decryption flag is:

    --decrypt

The shortcut for this flag is:

    -d

By default GPG will attempt to decrypt any file when no flags are used, so both of the above flags are effectively optional.

Some of the possible commands for decrypting the encrypted message (message.txt.asc) are:

    gpg --output message.txt --decrypt message.txt.asc
    gpg --decrypt message.txt.asc
    gpg -o message.txt -d message.txt.asc
    gpg -d message.txt.asc
    gpg message.txt.asc

When the command is run you will be prompted to enter the passphrase for your secret key.

Where these commands differ is in where the plaintext goes. With -o or --output it is written to the file you name (message.txt here). With only the file name and no command, GPG writes the plaintext to a file named after the input with the .asc removed, so again message.txt. With --decrypt or -d and no output flag the plaintext goes to the screen (standard output), which is convenient for a short message and lets you pipe it into less or redirect it to a file of your choosing.

*** Signing Messages ***

There are numerous ways to sign messages and files, in addition to signing or certifying keys. For this basic guide the only options which concern us are clearsigning messages (e.g. like DPR does when making an official announcement) and signing a message when we encrypt it.

The flag to sign a message or file is:

    --sign

The shortcut for that flag is:

    -s

The flag to clearsign a message is:

    --clearsign

There is no shortcut for clearsigning.

To return to our previous example message (message.txt), if I wanted to sign it when I encrypted the message to Guru I would include either of the --sign or -s flags in my encryption command:

    gpg -sea -r guru message.txt

GPG would know to use the "default-key" specified in my gpg.conf and prompt me for the passphrase. If I did not have a default-key specified or wanted to override the default key I could use the local-user flag:

    --local-user

The shortcut for this flag is:

    -u

For example:

    gpg -u $OTHER_KEY_ID -sea -r guru message.txt

Clearsigning a message produces a plaintext file which contains a GPG signature. By default GPG names the output file the same way as it would an encrypted one, with .asc appended, so you need to look at the file contents to see which you have: a clearsigned message begins with "-----BEGIN PGP SIGNED MESSAGE-----" and the text is readable, while an encrypted message begins with "-----BEGIN PGP MESSAGE-----".

If I had wanted to clearsign the message to Guru the command would be:

    gpg --clearsign message.txt

Note: The ASCII armouring flag is NOT required when clearsigning a message as it is not possible to clearsign without armouring.

To clearsign and then encrypt a message to Guru the commands would be:

    gpg -o message-c.txt --clearsign message.txt
    gpg -o message.txt.asc -ea -r guru message-c.txt

I would be prompted for my passphrase following the first command. The second command needs the clearsigned file (message-c.txt) as its input; without a file name GPG would wait to read the message from the keyboard.

Other types of signatures not covered here include detached signatures, which are mainly for verifying files, and signing and armouring text without encrypting it.

*** Verifying a Signature ***

To see if a signature is a GOOD signature or a BAD signature the command is:

    --verify

There is no shortcut for this command, but messages that are signed and encrypted are automatically verified during the decryption process.

A GOOD signature means that the message or file has not been modified since the signature was made, and that it was made with the key GPG names in its output. It does not by itself tell you that that key belongs to the person you think it does; checking fingerprints is what establishes that, and GPG will print a warning when the signing key is not one you have verified.

A BAD signature means that either the message or file has been modified or that an error occurred during the signing process. It does NOT mean that there is definitely a problem, but it is advisable to contact the sender and confirm the details or what happened.

Note: Some GUIs are known to modify clearsigned messages after signing in select circumstances. As are some mail systems. A common offender is a conflict between different character encoding settings; another is a mail client re-wrapping long lines of the signed text.

To verify a message that has been clearsigned, save the message to a file (e.g. announcement.asc) and run this command:

    gpg --verify announcement.asc

*****

I hope you have found this of some benefit.

In future posts I will provide more advanced commands, but this covers the basics for general usage on Silk Road and elsewhere.
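The encrypting, decrypting, signing and verifying sections above can be exercised end to end without touching your real keyrings. The following is an added example and not part of the original guide: a POSIX shell script that builds a throwaway GPG home directory, generates an unprotected test key (the name, address and message text are made up), signs and encrypts a message with the same "gpg -sea -r ..." form used above, decrypts it and checks for a GOOD signature, then clearsigns the message, edits the signed text and shows that the signature is now BAD. It assumes GnuPG 2.1 or newer on PATH (the %no-protection batch directive and "gpgconf --kill" are not in 1.4.x), and it reads the signature result from --status-fd, GPG's machine-readable status lines, rather than from the human-readable messages, which is what a script should always do. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: the encrypt/sign/decrypt/verify
# cycle from the sections above, run against a throwaway keyring.
# Assumes GnuPG 2.1 or newer is installed as "gpg" and on PATH.
set -eu

WORK=$(mktemp -d)          # private home directory; the real ~/.gnupg is never used
GNUPGHOME=$WORK
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Unattended RSA/RSA key for the test recipient (name and address are made up).
# %no-protection creates the key without a passphrase so nothing prompts.
make_test_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Guru Test
Name-Email: guru@example.invalid
Expire-Date: 0
%commit
EOF
}

# Sign and encrypt with ASCII armour: the guide's "gpg -sea -r guru message.txt".
# --trust-model always skips the "is this really Guru's key?" question, which is
# fine for a key we generated ourselves a moment ago and wrong for anyone else's.
sign_and_encrypt() {    # $1 = plaintext in, $2 = armoured output
    gpg --batch --quiet --trust-model always -sea -r guru@example.invalid -o "$2" "$1"
}

# Classify the status lines gpg wrote to --status-fd: GOODSIG, BADSIG or NOSIG.
sig_result() {
    if grep -q '^\[GNUPG:\] GOODSIG ' "$1"; then echo GOODSIG
    elif grep -q '^\[GNUPG:\] BADSIG ' "$1"; then echo BADSIG
    else echo NOSIG
    fi
}

# Decrypt an encrypted (and possibly signed) message. Prints GOODSIG/BADSIG/NOSIG,
# or ERROR when gpg could not decrypt at all (wrong key, manipulated ciphertext).
decrypt_and_check() {   # $1 = armoured input, $2 = plaintext out
    if gpg --batch --quiet --status-fd 3 -o "$2" -d "$1" 3>"$WORK/status" 2>/dev/null; then
        sig_result "$WORK/status"
    else
        echo ERROR
    fi
}

# Verify a clearsigned message: the guide's "gpg --verify announcement.asc".
# gpg exits non-zero on a BAD signature, so the status file is read either way.
verify_and_check() {    # $1 = clearsigned input
    gpg --batch --quiet --status-fd 3 --verify "$1" 3>"$WORK/status" 2>/dev/null || true
    sig_result "$WORK/status"
}

# Whole cycle; prints four words, expected "GOODSIG same GOODSIG BADSIG".
run_demo() {
    dir=$(mktemp -d "$WORK/run.XXXXXX")
    gpg --batch --quiet --with-colons -K | grep -q '^sec:' || make_test_key
    printf 'Meet at the usual place at nine.\n' > "$dir/message.txt"
    sign_and_encrypt "$dir/message.txt" "$dir/message.txt.asc"
    r1=$(decrypt_and_check "$dir/message.txt.asc" "$dir/decrypted.txt")
    if cmp -s "$dir/message.txt" "$dir/decrypted.txt"; then r2=same; else r2=differs; fi
    gpg --batch --quiet -o "$dir/announce.asc" --clearsign "$dir/message.txt"
    r3=$(verify_and_check "$dir/announce.asc")
    sed 's/nine/ten/' "$dir/announce.asc" > "$dir/tampered.asc"   # edit the signed text only
    r4=$(verify_and_check "$dir/tampered.asc")
    echo "$r1 $r2 $r3 $r4"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo 'gpg not found on PATH; nothing to demonstrate' >&2
fi
```

The one-word change to the clearsigned text is enough to turn the GOOD signature into a BAD one, which is the behaviour the verifying section describes; the same test with a mail client that re-wraps lines would fail in the same way, which is why a BAD signature is a reason to ask the sender what happened rather than proof of tampering.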