gpg-sq - OpenPGP encryption and signing tool like gpg
gpg-sq [-s|--sign] [--clear-sign]
[-b|--detach-sign] [-e|--encrypt]
[-c|--symmetric] [-d|--decrypt]
[--verify] [-k|--list-keys] [--list-signatures]
[--check-signatures] [--fingerprint]
[-K|--list-secret-keys] [--generate-key]
[--quick-generate-key] [--quick-add-uid]
[--quick-revoke-uid] [--quick-set-expire]
[--full-generate-key] [--generate-revocation]
[--delete-keys] [--delete-secret-keys]
[--quick-sign-key] [--quick-lsign-key]
[--quick-revoke-sig] [--sign-key] [--lsign-key]
[--edit-key] [--change-passphrase] [--export]
[--send-keys] [--receive-keys] [--search-keys]
[--refresh-keys] [--import] [--update-trustdb]
[--print-md] [--server] [--tofu-policy]
[--x-sequoia-parcimonie] [-v|--verbose]
[-q|--quiet] [--options] [--log-file]
[--default-key] [--encrypt-to] [--group]
[--openpgp] [-n|--dry-run]
[-i|--interactive] [-a|--armor]
[-o|--output] [--textmode] [-z ]
[--auto-key-locate] [--auto-key-import]
[--include-key-block] [--disable-dirmngr]
[-r|--recipient] [-u|--local-user]
[--x-sequoia-autostart-parcimonie] [-h|--help]
[-V|--version] [ARGS]
This is a re-implementation and drop-in replacement of gpg using
the Sequoia OpenPGP implementation.
gpg-sq is not feature-complete. It currently implements a commonly
used subset of the signature creation and verification commands, the
encryption and decryption commands, the key listing commands, and some
miscellaneous commands.
Support for trust models is limited. Currently, the Web-of-Trust
("pgp") and always-trust ("always") models are implemented.
- -s, --sign
- make a signature
- --clear-sign
- make a clear text signature
- -b, --detach-sign
- make a detached signature
- -e, --encrypt
- encrypt data
- -c, --symmetric
- encryption only with symmetric cipher
- -d, --decrypt
- decrypt data (default)
- --verify
- verify a signature
- -k, --list-keys
- list keys
- --list-signatures
- list keys and signatures
- --check-signatures
- list and check key signatures
- --fingerprint
- list keys and fingerprints
- -K, --list-secret-keys
- list secret keys
- --generate-key
- generate a new key pair
- --quick-generate-key
- quickly generate a new key pair
- --quick-add-uid
- quickly add a new user-id
- --quick-revoke-uid
- quickly revoke a user-id
- --quick-set-expire
- quickly set a new expiration date
- --full-generate-key
- full featured key pair generation
- --generate-revocation
- generate a revocation certificate
- --delete-keys
- remove keys from the public keyring
- --delete-secret-keys
- remove keys from the secret keyring
- --quick-sign-key
- quickly sign a key
- --quick-lsign-key
- quickly sign a key locally
- --quick-revoke-sig
- quickly revoke a key signature
- --sign-key
- sign a key
- --lsign-key
- sign a key locally
- --edit-key
- sign or edit a key
- --change-passphrase
- change a passphrase
- --export
- export keys
- --send-keys
- export keys to a keyserver
- --receive-keys
- import keys from a keyserver
- --search-keys
- search for keys on a keyserver
- --refresh-keys
- update all keys from a keyserver
- --import
- import/merge keys
- --update-trustdb
- update the trust database
- --print-md
- print message digests
- --server
- run in server mode
- --tofu-policy=VALUE
- set the TOFU policy for a key
- --x-sequoia-parcimonie
- continuously update certificates
- -v, --verbose
- verbose
- -q, --quiet
- be somewhat more quiet
- --options=FILE
- read options from FILE
- --log-file=FILE
- write server mode logs to FILE
- --default-key=NAME
- use NAME as default secret key
- --encrypt-to=NAME
- encrypt to user ID NAME as well
- --group=SPEC
- set up email aliases
- --openpgp
- use strict OpenPGP behavior
- -n, --dry-run
- do not make any changes
- -i, --interactive
- prompt before overwriting
- -a, --armor
- create ascii armored output
- -o, --output=FILE
- write output to FILE
- --textmode
- use canonical text mode
- -z=N
- set compress level to N (0 disables)
- --auto-key-locate=MECHANISMS
- use MECHANISMS to locate keys by mail address
- --auto-key-import
- import missing key from a signature
- --include-key-block
- include the public key in signatures
- --disable-dirmngr
- disable all access to the dirmngr
- -r, --recipient=USER-ID
- encrypt for USER-ID
- -u, --local-user=USER-ID
- use USER-ID to sign or decrypt
- --x-sequoia-autostart-parcimonie
- automatically start daemon to update certs
- -h, --help
- Print help (see a summary with '-h')
- -V, --version
- Print version
- [ARGS]
- Additional arguments. Whether additional arguments are accepted, how
many, and what they mean depends on the selected command.
- GNUPGHOME
- If set, must contain an absolute path to a directory containing the GnuPG
state, i.e. the configuration files, the cert rings, the secret keys, and
the trust database. Can be overridden using the option `--gnupghome`.
If unset, and the option `--gnupghome` is not given, defaults to
`$HOME/.gnupg`. In the FILES section below, `$GNUPGHOME` is the location
of the GnuPG state directory, independently of how it is set (i.e. unset,
set via `--gnupghome`, or set via `$GNUPGHOME`).
- SEQUOIA_CRYPTO_POLICY
- If set, must contain an absolute path to a configuration file that changes
which cryptographic algorithms are acceptable. By default,
/etc/crypto-policies/back-ends/sequoia.config is read, which on Fedora
contains a reasonable policy set by the distribution. See
https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/#format
for a description of the file format.
- $GNUPGHOME/gpg.conf
- GnuPG's main configuration file.
- $GNUPGHOME/dirmngr.conf
- GnuPG's network configuration file. gpg-sq reads this and honors a subset
of the options given.
- $XDG_DATA_HOME/pgp.cert.d
- Default certificate store on POSIX systems if the default `GNUPGHOME` is
used. This location is read and written to.
- $HOME/Library/Application Support/pgp.cert.d
- Default certificate store on macOS if the default `GNUPGHOME` is used.
This location is read and written to.
- {FOLDERID_RoamingAppData}/pgp.cert.d
- Default certificate store on Windows if the default `GNUPGHOME` is used.
This location is read and written to.
- $GNUPGHOME/pubring.cert.d
- Certificate store if a non-default `GNUPGHOME` is used. This location is
read and written to.
- $GNUPGHOME/pubring.kbx
- GnuPG's default certificate store. This file is read and monitored for
changes, but never changed.
- $GNUPGHOME/pubring.gpg
- GnuPG's legacy certificate store. This file is read and monitored for
changes, but never changed.
- $GNUPGHOME/public-keys.d/pubring.db
- GnuPG 2.4.x's certificate store. This file is read and monitored for
changes, but never changed.
- $GNUPGHOME/secring.gpg
- GnuPG's legacy secret key store. gpg-sq does not use this file, except for
doing a migration from pre-2.1 state directories.
- $GNUPGHOME/.gpg-v21-migrated
- Indicates that the state directory has been migrated from a pre-2.1
release.
- $GNUPGHOME/trustdb.gpg
- GnuPG's trust database. This file is read and monitored for changes, but
never modified.
- /etc/crypto-policies/back-ends/sequoia.config
- Default cryptographic policy. On Fedora, this contains a reasonable policy
set by the distribution. Can be overridden using the SEQUOIA_CRYPTO_POLICY
environment variable. See
https://docs.rs/sequoia-policy-config/latest/sequoia_policy_config/#format
for a description of the file format.
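
The path rules from the ENVIRONMENT and FILES entries above, written out as a POSIX shell sketch (an added example, not part of gpg-sq or its documentation). The function names are hypothetical; treating a path equal to `$HOME/.gnupg` as the default state directory, rejecting a relative `GNUPGHOME`, and the `$HOME/.local/share` fallback for an unset `XDG_DATA_HOME` (XDG Base Directory specification) are assumptions, and Windows is not covered.

```shell
#!/bin/sh
# Added example: resolve the paths gpg-sq uses, following the ENVIRONMENT
# and FILES entries of this page. All function names are hypothetical.

# State directory: --gnupghome wins, then $GNUPGHOME, then $HOME/.gnupg.
# $1 is the value given to --gnupghome (empty if the option is absent).
gpgsq_state_dir() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "${GNUPGHOME:-}" ]; then
        case "$GNUPGHOME" in
            /*) printf '%s\n' "$GNUPGHOME" ;;
            *)  # The page requires an absolute path; failing here is this
                # example's choice, not documented gpg-sq behaviour.
                echo "GNUPGHOME must be an absolute path" >&2
                return 1 ;;
        esac
    else
        printf '%s\n' "$HOME/.gnupg"
    fi
}

# Certificate store that gpg-sq reads AND writes (POSIX and macOS only).
gpgsq_cert_store() {
    state=$(gpgsq_state_dir "$1") || return 1
    # Assumption: "default GNUPGHOME" means the path equals $HOME/.gnupg.
    if [ "$state" != "$HOME/.gnupg" ]; then
        printf '%s\n' "$state/pubring.cert.d"
    elif [ "$(uname -s)" = "Darwin" ]; then
        printf '%s\n' "$HOME/Library/Application Support/pgp.cert.d"
    else
        # Assumption: XDG default data directory when XDG_DATA_HOME is unset.
        printf '%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}/pgp.cert.d"
    fi
}

# Cryptographic policy file: SEQUOIA_CRYPTO_POLICY, else the system default.
gpgsq_policy_file() {
    printf '%s\n' \
        "${SEQUOIA_CRYPTO_POLICY:-/etc/crypto-policies/back-ends/sequoia.config}"
}

# Stand-alone use: show what the current environment resolves to.
echo "state dir:   $(gpgsq_state_dir "${1:-}")"
echo "cert store:  $(gpgsq_cert_store "${1:-}")"
echo "policy file: $(gpgsq_policy_file)"
```

Of the certificate stores listed above, only the resolved one is written by gpg-sq; the GnuPG-owned stores (`pubring.kbx`, `pubring.gpg`, `public-keys.d/pubring.db`) and `trustdb.gpg` are read and monitored but never changed.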