# The GNU Privacy Guard [ A Quick Reference Guide ]

GnuPG (GPG) is a tool that provides cryptographic privacy and authentication for your data and communications. It lets you sign, encrypt, and decrypt programs, disks, and even emails.

### Generating and Managing Keys

* **Generate a key pair:** Use `gpg --full-generate-key` to create a unique pair of keys for encryption and signing.
    
* **List key pairs:** View all your available keys with `gpg --list-keys --keyid-format=long`.
    
* **Display your public key:** Share your public key with others using `gpg -a --export <Your Key ID>`. **Never share your private key!**
    
* **Add a subkey:** Subkeys let you keep the primary key offline and use separate keys for day-to-day signing or encryption that can be replaced without changing your identity. Use `gpg --edit-key [Your Key ID]` followed by `addkey` and `save` to add one.
    
* **Display subkeys:** `gpg --list-keys` shows each subkey as a `sub` line beneath its primary key, and `gpg --edit-key <Your Key ID>` lists them with their IDs. Copy the subkey ID and use `gpg -a --export <KEY ID>` to display its armored public key.
    

### Sharing and Revoking Keys

* **Send your public key to a public server:** Public keys are meant to be shared. Use `gpg --send-keys <Your KEY ID>` to upload it.
    
* **Generate a revocation certificate:** If your key is compromised, you need a revocation certificate: `gpg --output revoke.asc --gen-revoke <Your Key ID>`. Generate it while you still have the private key and store it safely offline, because it cannot be created afterwards. To revoke the key, import the certificate into your keyring and upload the key to the public server again.
    

### Searching for and Importing Public Keys

* **Search for a public key:** Find a key using its ID with `gpg --search-keys <KEY ID>`.
    
* **Import a public key:** Once found, import the key with `gpg --recv-keys <Key ID>`.
    

### Understanding Trust

* **Beware of key impersonation:** Anyone can create a key carrying your name and email address, so a matching user ID proves nothing. To verify a key's authenticity, compare its full fingerprint with one obtained from the owner through another channel.
    
* **Verify fingerprints:** Use `gpg --fingerprint <Person's KEY ID>` to see a key's fingerprint. Contact the person over a channel other than the one the key arrived through (in person, by phone) and confirm that the whole fingerprint matches.
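
The two checks above (listing a key's subkeys and comparing a fingerprint against one confirmed out of band) can be scripted over GnuPG's machine-readable output. The following is an added example written for this guide, not code from the guide's author or from GnuPG: it parses the colon-separated format of `gpg --list-keys --with-colons --fingerprint`, normalizes fingerprints the way `gpg --fingerprint` prints them, and flags several keys claiming the same email address. The listing embedded in it is constructed sample data; every key ID and fingerprint in it is made up.

```python
"""Parse `gpg --list-keys --with-colons --fingerprint` output and check fingerprints.

Added example for this guide, not part of GnuPG. The listing below is constructed
sample data in GnuPG's colon format (documented in doc/DETAILS of the GnuPG
source); the key IDs and fingerprints are invented.
"""
import re

# Constructed sample of `gpg --list-keys --with-colons --fingerprint`:
# one genuine key with an encryption subkey, plus a second key that claims the
# same email address (the impersonation case the guide warns about).
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:8F7A6B5C4D3E2F1A:1600000000:::u:::scESC::::::23::0:
fpr:::::::::D1CA4E6C9E3B8A7F5D2B0C1E8F7A6B5C4D3E2F1A:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:4096:1:C6D7E8F9A0B1C2D3:1600000000::::::e::::::23:
fpr:::::::::0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3:
pub:-:3072:1:33221100AABBCCDD:1690000000:::-:::scESC::::::23::0:
fpr:::::::::FFEEDDCCBBAA99887766554433221100AABBCCDD:
uid:-::::1690000000::1111111111111111111111111111111111111111::Alice Example <alice@example.org>::::::::::0:
"""

# v4 fingerprints are 40 hex digits, v5 fingerprints are 64
FINGERPRINT_RE = re.compile(r"(?:[0-9A-F]{40}|[0-9A-F]{64})")


def _field(fields, number):
    """1-based field access, matching the field numbering in GnuPG's doc/DETAILS."""
    return fields[number - 1] if len(fields) >= number else ""


def parse_colon_listing(text):
    """Return a list of primary keys, each with fingerprint, user IDs and subkeys.

    Field 5 is the key ID, field 10 carries the fingerprint (fpr records) or the
    user ID (uid records), field 12 the capabilities. An fpr record always
    describes the pub or sub record immediately before it.
    """
    keys = []
    current_key = None       # primary key currently being built
    last_key_record = None   # pub or sub record that the next fpr line belongs to
    for line in text.splitlines():
        fields = line.split(":")
        record_type = _field(fields, 1)
        if record_type == "pub":
            current_key = {"keyid": _field(fields, 5), "fingerprint": None,
                           "capabilities": _field(fields, 12), "uids": [], "subkeys": []}
            keys.append(current_key)
            last_key_record = current_key
        elif record_type == "sub" and current_key is not None:
            subkey = {"keyid": _field(fields, 5), "fingerprint": None,
                      "capabilities": _field(fields, 12)}
            current_key["subkeys"].append(subkey)
            last_key_record = subkey
        elif record_type == "fpr" and last_key_record is not None:
            last_key_record["fingerprint"] = _field(fields, 10)
        elif record_type == "uid" and current_key is not None:
            current_key["uids"].append(_field(fields, 10))
    return keys


def normalize_fingerprint(value):
    """Strip the grouping spaces `gpg --fingerprint` prints and upper-case the hex."""
    cleaned = re.sub(r"\s+", "", value).upper()
    if not FINGERPRINT_RE.fullmatch(cleaned):
        raise ValueError(f"not a fingerprint: {value!r}")
    return cleaned


def fingerprint_matches(shown, confirmed_out_of_band):
    """True only if the complete fingerprint agrees; short key IDs are never enough."""
    return normalize_fingerprint(shown) == normalize_fingerprint(confirmed_out_of_band)


def keys_claiming_email(keys, email):
    """All keys whose user IDs contain <email>; more than one means someone is impersonating."""
    needle = f"<{email.lower()}>"
    return [k for k in keys if any(needle in uid.lower() for uid in k["uids"])]


if __name__ == "__main__":
    keys = parse_colon_listing(SAMPLE_LISTING)
    for key in keys:
        print(f"pub {key['keyid']}  fpr {key['fingerprint']}  [{key['capabilities']}]")
        for uid in key["uids"]:
            print(f"    uid {uid}")
        for sub in key["subkeys"]:
            print(f"    sub {sub['keyid']}  fpr {sub['fingerprint']}  [{sub['capabilities']}]")
    claimants = keys_claiming_email(keys, "alice@example.org")
    print(f"{len(claimants)} keys claim alice@example.org; check the fingerprint before trusting one")
    # Fingerprint Alice read out over the phone (constructed), in gpg's spaced layout
    phoned = "D1CA 4E6C 9E3B 8A7F 5D2B  0C1E 8F7A 6B5C 4D3E 2F1A"
    for key in claimants:
        verdict = "matches" if fingerprint_matches(key["fingerprint"], phoned) else "DOES NOT match"
        print(f"{key['keyid']} {verdict} the fingerprint confirmed out of band")
```

Run it as a script to see the listing and the verdict for each key that claims the address; only the key whose complete fingerprint equals the one confirmed with Alice directly should be used.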
    

### The Web of Trust

The web of trust lets you treat a key as valid because people whose keys you have verified and trust have signed it, rather than relying on a central authority.

* **Trust a key:** Use `gpg --edit-key <Person's Key ID>`, then `trust` and `save`. The trust level you pick expresses how far you rely on that person to verify other people's keys, not whether the key itself is genuine.
    
* **Sign a key:** Signing a key certifies that you have verified who owns it. Open the key with `gpg --ask-cert-level --edit-key <Person's Key ID>`; the prompt lists each user ID with its validity (for example "full") to the left of it. Use `check` to see who has already signed the key and `sign` to add your signature, then upload the signed key to the public server again.
    
* **Revoke your signature:** If a key you signed is no longer valid, use `gpg --edit-key <Person's Key ID>`, then `revsig` and `save` to revoke your signature. Upload the updated key again.
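
To make the interaction between the `trust` level you assign and the signatures `check` shows concrete, here is an added illustration written for this guide, not GnuPG's own code: a simplified model of how the classic trust model turns ownertrust plus certifications into key validity, using the defaults GnuPG documents for `--completes-needed` (1), `--marginals-needed` (3) and `--max-cert-depth` (5). It deliberately ignores details such as certification levels, signature expiry and revocations, and the keyring it runs on (the names `ME`, `BOB`, `CAROL` and so on, and who signed whom) is constructed.

```python
"""Simplified model of GnuPG's classic web-of-trust validity calculation.

Added illustration for this guide, not GnuPG's code. Uses GnuPG's documented
defaults completes-needed=1, marginals-needed=3, max-cert-depth=5 and ignores
certification levels, expiry and revocation. Keys and relationships are constructed.
"""

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


def compute_validity(ownertrust, certifications, completes_needed=1,
                     marginals_needed=3, max_cert_depth=5):
    """Return {key: "full" | "marginal" | "unknown"}.

    ownertrust maps a key to how far you trust its owner to verify others
    (what `trust` in --edit-key sets; "never" or no entry counts for nothing).
    certifications maps a key to the set of keys that have signed it (what
    `check` shows). A key becomes fully valid when signed by completes_needed
    fully valid keys with full/ultimate ownertrust, or by marginals_needed
    fully valid keys with marginal ownertrust. Only fully valid keys introduce
    others, and the chain from your own key is at most max_cert_depth hops.
    """
    every_key = set(ownertrust) | set(certifications)
    for signers in certifications.values():
        every_key |= set(signers)
    validity = {key: "unknown" for key in every_key}
    for key, trust in ownertrust.items():
        if trust == ULTIMATE:          # your own keys are valid by definition (depth 0)
            validity[key] = "full"

    for _depth in range(max_cert_depth):
        previous = dict(validity)      # snapshot so each round adds exactly one hop
        changed = False
        for key, signers in certifications.items():
            if previous[key] == "full":
                continue
            introducers = [s for s in signers if previous.get(s) == "full"]
            full_sigs = sum(1 for s in introducers if ownertrust.get(s) in (ULTIMATE, FULL))
            marginal_sigs = sum(1 for s in introducers if ownertrust.get(s) == MARGINAL)
            if full_sigs >= completes_needed or marginal_sigs >= marginals_needed:
                validity[key] = "full"
                changed = True
            elif marginal_sigs > 0 and previous[key] != "marginal":
                validity[key] = "marginal"
                changed = True
        if not changed:
            break
    return validity


# Constructed keyring: "ME" is your own key, everyone else is a contact.
SAMPLE_OWNERTRUST = {"ME": ULTIMATE, "BOB": FULL,
                     "CAROL": MARGINAL, "DAVE": MARGINAL, "ERIN": MARGINAL}
SAMPLE_CERTIFICATIONS = {
    "BOB": {"ME"}, "CAROL": {"ME"}, "DAVE": {"ME"}, "ERIN": {"ME"},
    "FRANK": {"BOB"},                     # one fully trusted introducer is enough
    "GRACE": {"CAROL", "DAVE", "ERIN"},   # three marginal introducers add up to full
    "HEIDI": {"CAROL", "DAVE"},           # two marginal introducers: only marginally valid
    "IVAN": {"FRANK"},                    # Frank is valid, but you gave him no ownertrust
}

if __name__ == "__main__":
    for key, validity in sorted(compute_validity(SAMPLE_OWNERTRUST, SAMPLE_CERTIFICATIONS).items()):
        print(f"{key:6} {validity}")
```

The point to notice is the split between the two inputs: signing a key (`sign`) changes `certifications`, while `trust` changes `ownertrust`, and a key only helps validate others when it is both valid and has ownertrust. `IVAN` stays unknown even though his only signer is fully valid, because no ownertrust was assigned to that signer.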
    

### Encryption vs. Signing

* **Encryption** uses the receiver's public key to scramble the message so that only their private key can decrypt it. Share your public key beforehand so that others can send you encrypted messages.
    
* **Signing** uses your private key to create a digital signature that proves the message's origin and integrity. The receiver checks the signature with your public key.
    

### Using GPG with Git

* **Signed commits:** Add your GPG public key to your GitHub account.
    
    Go to: [https://github.com/settings/keys](https://github.com/settings/keys)
    
    Scroll to the bottom; you'll find the Add GPG Key button in the GPG keys section.
    
    Export your public key with this command:
    
    `gpg --export --armor <KEY ID>`
    
    Replace `<KEY ID>` with your actual key ID, which you can find by listing your keys with `gpg --list-keys`.
    
    If you have not created a GPG key yet, see [Generating and Managing Keys](https://blog.aadarshadhakal.com.np/the-gnu-privacy-guard-a-quick-reference-guide?t=1725018775683#heading-generating-and-managing-keys).
    
    Copy the exported public key and paste it into GitHub, then save.
    
    ***Note:*** *The email address on your key should match the primary email in your GitHub account and the email in your local Git configuration.*
    
* **Sign a single commit:** Use `git commit -S<Your Key ID> -m "message"` to create a signed commit. Note that there is no space between `-S` and the key ID (the long form is `--gpg-sign=<Your Key ID>`); `-S` on its own signs with the key configured in `user.signingkey`.
    
* **Global configuration:** Set global Git settings with:
    
    * `git config --global user.signingkey "<Your KEY ID>"`
        
    * `git config --global commit.gpgsign true`
        
    * `git config --global tag.gpgsign true`
        
* **Commit email:** Ensure the email on your key matches your Git commit email. Set it with:
    
    * `git config --global user.email "<Email associated with your key>"`
        
* **Verify signed commits:** Use `git log --show-signature` to see which commits are signed and whether each signature verifies.
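
`git log --show-signature` is meant for reading by eye; for a script (for example a pre-merge check) Git's `%G?` placeholder gives the signature status as a single letter and `%GK` the ID of the signing key. The following is an added example written for this guide, not part of Git or of the guide: it parses the output of `git log --format='%H%x09%G?%x09%GK%x09%s'` (tab-separated hash, status, key ID, subject) and accepts only commits carrying a good signature from a key on an allowlist of IDs whose fingerprints you have verified out of band. The log it runs on is constructed sample data; the hashes and key IDs are invented.

```python
"""Audit commit signature status from git log's machine-readable %G? field.

Added example for this guide, not part of Git. Produce the input with
    git log --format='%H%x09%G?%x09%GK%x09%s'
and pass it to audit_commits(). The log below is constructed sample data.
"""

# Meaning of the %G? codes, as documented in git's pretty formats
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature with unknown validity",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (e.g. key missing)",
    "N": "no signature",
}

# Constructed sample output (tab-separated): hash, status, signing key ID, subject
SAMPLE_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e\tG\t8F7A6B5C4D3E2F1A\tAdd release notes
b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f\tN\t\tFix typo in README
c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f50\tU\t33221100AABBCCDD\tUpdate dependencies
d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5061\tB\t8F7A6B5C4D3E2F1A\tRefactor build script
e5f60718293a4b5c6d7e8f9a0b1c2d3e4f506172\tE\tDEADBEEFDEADBEEF\tAdd CI workflow
"""


def parse_git_log(text):
    """Split the tab-separated log into dicts; missing trailing fields become ""."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        while len(parts) < 4:
            parts.append("")
        sha, status, keyid, subject = parts
        commits.append({"sha": sha, "status": status, "keyid": keyid, "subject": subject})
    return commits


def audit_commits(text, trusted_keyids):
    """Return (accepted, rejected): accepted is a list of hashes, rejected a list of (hash, reason).

    Only a good signature (G, or U when the key's validity is unknown to gpg)
    from a key on the allowlist is accepted. The allowlist stands in for the
    fingerprint check you did with the key's owner; everything else is rejected
    with the reason from STATUS_MEANING.
    """
    accepted, rejected = [], []
    for commit in parse_git_log(text):
        good = commit["status"] in ("G", "U")
        reason = STATUS_MEANING.get(commit["status"], "unknown status")
        if good and commit["keyid"] in trusted_keyids:
            accepted.append(commit["sha"])
            continue
        if good:
            reason += f", but key {commit['keyid']} is not on the allowlist"
        rejected.append((commit["sha"], reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed allowlist: the key whose fingerprint was confirmed with its owner
    accepted, rejected = audit_commits(SAMPLE_LOG, {"8F7A6B5C4D3E2F1A"})
    for sha in accepted:
        print(f"OK      {sha[:12]}")
    for sha, reason in rejected:
        print(f"REJECT  {sha[:12]}  {reason}")
```

The "U" case is the one to watch: gpg reports the signature as good, but it knows nothing about the key's validity, so a commit from an impersonating key would also show "U". The allowlist, not the letter, decides.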
    

### Using GPG to Encrypt Emails

GPG keys can also encrypt emails. Import your key pair into a trusted email client such as Thunderbird; you can then digitally sign outgoing mail, and encrypt it whenever you have the recipient's public key.
