In Fedora, GNU Privacy Guard comes in two flavors: GnuPG2 (command gpg2, package gnupg2) and GnuPG (command gpg, package gnupg). GnuPG2 is the "modern" branch of GNU Privacy Guard, and GnuPG is the "classic" branch:
    -> gpg2 --version | head -2
    gpg (GnuPG) 2.1.7
    libgcrypt 1.6.3
    -> gpg --version | head -1
    gpg (GnuPG) 1.4.19
The main additions to GnuPG2 include support for S/MIME and smart cards, gpg-agent, and a modular build. The two flavors look to be otherwise interchangeable with respect to invocation.
To list the public keys in your keyring:
    -> gpg --list-keys
    /home/ray/.gnupg/pubring.gpg
    ----------------------------
    ⋮
    pub   4096R/57BBCCBA 2009-07-29
    uid   Fedora (12) <firstname.lastname@example.org>
    pub   4096R/E8E40FDE 2010-01-19
    uid   Fedora (13) <email@example.com>
    ⋮
To delete a public key:
    -> gpg --delete-key E8E40FDE
    ⋮
    pub  4096R/E8E40FDE 2010-01-19 Fedora (13) <firstname.lastname@example.org>
    Delete this key from the keyring? (y/N) y
You can omit the interactive confirmation like so:
    -> gpg --batch --yes --delete-key "Fedora (12) <email@example.com>"
    ->
To change the passphrase protecting your private key, use the passwd command from within the key editor:
    -> gpg --edit-key Test
    ⋮
    Secret key is available.
    pub  2048R/4549D949  created: 2011-12-13  expires: never  usage: SC
                         trust: ultimate      validity: ultimate
    sub  2048R/4B121B1A  created: 2011-12-13  expires: never  usage: E
    [ultimate] (1). Test Key (A key for testing and trying GnuPG.)
    gpg> passwd
    Key is protected.
    You need a passphrase to unlock the secret key for
    ...
    ⋮
    Enter the new passphrase for this secret key.
    ...
    gpg> quit
    Save changes? (y/N) y
GnuPG2's gpg-agent, a daemon, remembers a private key's passphrase during a login session. When gpg2 first needs a private key, gpg-agent prompts for the key's passphrase. If another gpg2 process subsequently needs this key, gpg-agent quietly supplies the passphrase without additional prompting. For symmetric encryption, gpg-agent also handles prompting the user for a passphrase, but it does not record the passphrase.
gpg-agent's configuration file is ~/.gnupg/gpg-agent.conf.
Users typically don't start gpg-agent themselves: if a GnuPG2 command needs the services of gpg-agent when the agent is not running, the command starts it automatically. (See: Invoking GPG-AGENT)
Package gnupg2 provides gpg-agent.
There are several related auto-start files (.desktop) in /etc/xdg/autostart with prefix "gnome-keyring-"; e.g., gnome-keyring-ssh.desktop.
The simple string "abc" (without enclosing quotation marks) is a convenient input to informally compare digest utilities (cf. NSRL Test Data):
    -> echo -n abc > abc.txt
    -> wc --bytes abc.txt
    3 abc.txt
Be careful to use option -n so that echo excludes a trailing newline, which it would append by default:
    -> echo abc | wc --bytes
    4
You can use shasum (package perl-Digest-SHA) to compute SHA (Secure Hash Algorithm) digests of a file or input stream. It offers SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and SHA-512/256. For example:
    -> shasum abc.txt
    a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
    -> shasum --algorithm 1 abc.txt
    a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
    -> shasum --algorithm 256 abc.txt
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt
You can similarly use GNU's sha1sum, sha224sum, sha256sum, sha384sum, and sha512sum (package coreutils) instead:
    -> sha1sum abc.txt
    a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
    -> sha256sum abc.txt
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt
You can typically use these tool kits interchangeably because they produce the same output format when computing digests and expect the same input format when checking digests. For example:
    -> shasum -a 512 abc.txt xyz.txt > abc-xyz.sha512
    -> sha512sum --check abc-xyz.sha512
    abc.txt: OK
    xyz.txt: OK
There are potential subtleties to be aware of, however. shasum offers a Universal Newlines mode and a BITS mode, but the GNU commands do not support these modes. And the GNU commands can optionally write and check the BSD-style formats, which shasum spurns.
You can use md5sum (package coreutils) to compute or check the MD5 digest of a file's contents:
    -> md5sum abc.txt
    900150983cd24fb0d6963f7d28e17f72  abc.txt
    -> md5sum abc.txt > abc.md5
    -> md5sum --check abc.md5
    abc.txt: OK
Wikipedia's MD5 article notes that MD5 hashes are no longer secure and should be replaced by SHA-2 hashes.
You can use OpenSSL's command dgst to compute various digests as well:
    -> openssl dgst abc.txt
    MD5(abc.txt)= 900150983cd24fb0d6963f7d28e17f72
    -> openssl dgst -md5 abc.txt
    MD5(abc.txt)= 900150983cd24fb0d6963f7d28e17f72
    -> openssl dgst -sha1 abc.txt
    SHA1(abc.txt)= a9993e364706816aba3e25717850c26c9cd0d89d
See man page dgst for yet more digests. Add option -r to get the output format that the GNU digests write:
    -> openssl dgst -sha1 -r abc.txt
    a9993e364706816aba3e25717850c26c9cd0d89d *abc.txt
The asterisk indicates binary-mode format, in particular.
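The digest-line formats shown above (GNU text mode, GNU binary mode with the asterisk, and OpenSSL's ALG(file)= style) can be normalised and checked by one tool. The following is an added example, not part of the original page: the function names parse_digest_line and verify_digest_line are hypothetical, the algorithm is inferred from the digest length, and MD5 digests are rejected as a policy choice in line with the MD5 note above.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes the coreutils sha*sum tools.

# parse_digest_line LINE
# Prints "HEX FILE" for GNU text ("HEX  FILE"), GNU binary ("HEX *FILE") and
# OpenSSL/BSD-style ("ALG(FILE)= HEX", "ALG (FILE) = HEX") lines.
# Returns 1 when LINE matches none of them.
parse_digest_line() {
    printf '%s\n' "$1" | sed -n -E \
        -e 's/^([0-9a-f]+) [ *](.+)$/\1 \2/p' \
        -e 's/^[A-Za-z0-9-]+ ?\((.+)\) ?= ?([0-9a-f]+)$/\2 \1/p' | grep .
}

# verify_digest_line LINE
# Picks the checker from the digest length (plain SHA-1/SHA-2 lengths only).
# Returns 0 = file matches, 1 = mismatch or unreadable file,
#         2 = unrecognised line or length, 3 = MD5 digest, rejected as weak.
verify_digest_line() {
    parsed=$(parse_digest_line "$1") || return 2
    hex=${parsed%% *}
    file=${parsed#* }
    case ${#hex} in
        32)  return 3 ;;
        40)  tool=sha1sum ;;
        56)  tool=sha224sum ;;
        64)  tool=sha256sum ;;
        96)  tool=sha384sum ;;
        128) tool=sha512sum ;;
        *)   return 2 ;;
    esac
    # Re-emit the line in GNU format and let the GNU tool do the comparison.
    printf '%s  %s\n' "$hex" "$file" | "$tool" -c >/dev/null 2>&1 || return 1
}

# Constructed demo: abc.txt holds exactly the three bytes "abc".
demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1
printf 'abc' > abc.txt
while IFS= read -r line; do
    rc=0; verify_digest_line "$line" || rc=$?
    echo "rc=$rc  $line"
done <<'EOF'
a9993e364706816aba3e25717850c26c9cd0d89d  abc.txt
a9993e364706816aba3e25717850c26c9cd0d89d *abc.txt
SHA1(abc.txt)= a9993e364706816aba3e25717850c26c9cd0d89d
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  abc.txt
MD5(abc.txt)= 900150983cd24fb0d6963f7d28e17f72
EOF
```

A file written with echo abc instead of echo -n abc fails the same check with return code 1, because the trailing newline changes the digest.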
The GtkHash GUI displays multiple digests for a file; it offers over two dozen algorithms. Open it with command gtkhash for GTK+2 (package gtkhash) or gtkhash3 for GTK+3 (package gtkhash3). There is no man page. Plugins for Nautilus (package gtkhash-nautilus) and Thunar (gtkhash-thunar) add a Digests tab to a file's dialog.