gpgCraft — GPG command builder

gpgcraft

// GPG command builder with plain-English explanations

generated command

$ gpg --gen-key

// gpgcraft — GPG quick reference

GPG (GNU Privacy Guard) implements the OpenPGP standard for encrypting and signing data. It uses public-key cryptography: you have a key pair — a public key you share with everyone, and a private key you keep secret.

the core idea

Anyone who has your public key can encrypt a message that only you can decrypt (using your private key). You can also use your private key to digitally sign data — anyone with your public key can verify the signature is really from you.

key management

--gen-key	Generate a new key pair interactively.
--full-gen-key	Full control over algorithm, expiry, etc.
--list-keys / -k	List all public keys in your keyring.
--list-secret-keys / -K	List private keys you hold.
--fingerprint	Show a key's fingerprint — the canonical identity check.
--export	Export a public key to share with others.
--export-secret-keys	Export private key for backup. Keep this secret!
--import	Import a key file someone sent you.
--delete-key	Remove a public key from your keyring.
--edit-key	Interactive: trust, sign, expire, revoke subkeys.
--send-keys	Upload a key to a keyserver.
--recv-keys	Download a key from a keyserver.

encryption & decryption

--encrypt / -e	Encrypt for one or more recipients.
--symmetric / -c	Encrypt with a passphrase (no key pair needed).
--decrypt / -d	Decrypt. GPG auto-detects symmetric vs asymmetric.
--recipient / -r	Recipient's key ID or email for encryption.
--armor / -a	ASCII text output instead of binary.
--output / -o	Write output to a file instead of stdout.

signing & verification

--sign / -s	Sign (output contains data + signature together).
--clearsign	Sign plain text so it's readable but verifiable.
--detach-sign / -b	Create a separate .sig/.asc signature file.
--verify	Verify a signature.
--local-user / -u	Choose which of your keys to sign with.

tips

• Use --armor on exports and encrypted output — plain text survives copy/paste and email.

• Always verify a key's fingerprint out-of-band before trusting it for sensitive data.

• Set an expiry date on your keys and generate a revocation certificate right after key creation.

• For scripting: add --batch --yes to suppress interactive prompts.

safety & disclaimer

This is an educational tool. The commands it builds are real — they will do exactly what you tell them to. Some flags are destructive (deletion, overwriting, forced operations) and even non-destructive options can cause data loss or system trouble in the wrong circumstances.

• Always review the generated command before running it.
• Test on disposable files and directories first.
• If you do not understand what a flag does, look it up in the official manual page (man command).

The author of these pages is not responsible for any damage, data loss, or other consequences resulting from commands generated, copied, or run from this site. Use at your own risk.

⚠ These tools build real shell commands. Review every command before running it. The author is not responsible for any damage, data loss, or other consequences resulting from commands generated, copied, or run from this site. Use at your own risk.

Send comments and bug reports to chris@chrisspackman.com.

Version 0.3.0 — Last updated: 2026-05-26

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Public key	The key you share freely. Anyone can use it to encrypt a message to you, or verify your signature. Like your mailing address — safe to share.
Private key	The key only you have. Used to decrypt messages encrypted to you, and to sign things. Never share this. Protect it with a strong passphrase.
Key pair	A matched public + private key. What one encrypts, only the other can decrypt.
Key ID	A short identifier — often the last 8 or 16 hex characters of the fingerprint. E.g. 0xABCD1234.
Fingerprint	A 40-character unique identifier. The only reliable way to confirm you have the right key for someone. Always verify out-of-band.
Keyring	GPG's local database of keys on your computer.
Keyserver	A public server for distributing public keys. Common: keys.openpgp.org, keyserver.ubuntu.com.
Web of Trust	GPG's decentralized trust model: signing someone's key vouches for their identity. Others who trust you also trust keys you've signed.
Trust level	How much you trust a key owner to vouch for others' keys: unknown, none, marginal, full, ultimate.
Signature	Cryptographic proof that a private key signed this data. Verifying confirms authorship and integrity.
ASCII armor	Binary GPG data encoded as plain text. Produces blocks starting with -----BEGIN PGP MESSAGE-----. Safe to paste anywhere.
Passphrase	The password protecting your private key on disk. Even if someone steals the file, they can't use it without this.
Revocation certificate	A file generated at key creation. Publish it if your key is ever lost or compromised to tell everyone to stop trusting it.
Subkey	A key bound to a primary key for day-to-day use. Lets you keep the primary key offline.
UID (User ID)	The name and email attached to a key: "Alice Smith <alice@example.com>".
Symmetric encryption	Encryption using a shared passphrase (--symmetric) rather than a key pair.
Detached signature	A separate .sig/.asc file containing just the signature, not the data.
Clearsign	Signed plain text: the message is readable without GPG, but the embedded signature is verifiable.