GPG Commands: Are They The Same?

TL;DR

No, the commands aren’t necessarily identical even if they *look* similar. Subtle differences in options can change behaviour significantly. This guide explains common variations and how to ensure you’re doing what you intend with GPG.

Understanding GPG Command Differences

GPG (GNU Privacy Guard) is a powerful tool for encryption and signing. It’s easy to make mistakes when typing commands, or to assume options work the same way they do in other tools. Here’s how to spot potential differences.

1. Encryption Commands

1. Symmetric vs. Asymmetric Encryption: The most fundamental difference is whether you’re encrypting *to* a recipient (using their public key – asymmetric) or encrypting *with* a password (symmetric).
• Encrypting to a Recipient: This uses the recipient’s public key.

gpg --encrypt --recipient 'Recipient Name/Email' filename

• Encrypting with a Password: This is simpler but less secure as it relies on password strength.

gpg --symmetric filename

2. ASCII Armour vs. Binary Output: ASCII armour creates text-based output, which is easier to copy and paste. Binary output is more compact.
• ASCII Armour (default): The encrypted file will be readable text.
• Binary Output: Use the --armor option to *disable* ASCII armour for binary files.

gpg --encrypt --recipient 'Recipient Name/Email' --armor filename

3. Hidden Recipient (for multiple recipients): You can encrypt a file for multiple people, but hide some of the recipient information.

gpg --encrypt --recipient 'Recipient1 Name/Email' --hidden-recipient 'Recipient2 Name/Email' filename

2. Signing Commands

1. Detached vs. Inline Signatures: A detached signature creates a separate file containing the signature, while an inline signature adds it to the original file.
• Detached Signature: Creates a .sig file.

gpg --detach-sig filename

• Inline Signature (default): Adds the signature to the end of the file, making it larger.

gpg --sign filename

2. ASCII Armour for Signatures: Similar to encryption, you can control whether signatures are ASCII armoured or binary.

gpg --armor --detach-sig filename

3. Local vs. Key ID Signing: You can sign with your default key, or specify a specific key ID.

gpg --sign --keyid 'YourKeyID' filename

3. Verification Commands

1. Good vs. Bad Signatures: Verification confirms the file hasn’t been tampered with and comes from the claimed sender.

gpg --verify filename.sig filename

2. Checking Trust Levels: GPG uses a web of trust. Verification results depend on how much you *trust* the key that signed the file. Use gpg --fingerprint to check key details before trusting it.

gpg --fingerprint 'Recipient Name/Email'

4. Common Mistakes & How To Avoid Them

• Typos: Double-check recipient names and email addresses! A small mistake means the file won’t be decrypted correctly.
• Key Selection: Ensure you’re using the correct key for encryption or signing. Use gpg --list-keys to see your available keys.

gpg --list-keys

• Incorrect Options: Read the GPG documentation (man gpg) carefully before using unfamiliar options.

5. Testing Your Commands

Always test your commands with dummy files before encrypting or signing important data. Encrypt a file, send it to yourself, and verify you can decrypt it correctly.