Create ASCII armored output. The default is to create the binary OpenPGP format.
Assume the input data is not in ASCII armored format.
Write output to file. To write to stdout use
- as the
This option sets a limit on the number of bytes that will be generated when processing a file. Since OpenPGP supports various levels of compression, it is possible that the plaintext of a given message may be significantly larger than the original OpenPGP message. While GnuPG works properly with such messages, there is often a desire to set a maximum file size that will be generated before processing is forced to stop by the OS limits. Defaults to 0, which means "no limit".
The AEAD encryption mode encrypts the data in chunks so that a receiving side can check for transmission errors or tampering at the end of each chunk and does not need to delay this until all data has been received. The used chunk size is 2^n byte. The lowest allowed value for n is 6 (64 byte) and the largest is the default of 22 which creates chunks not larger than 4 MiB.
This option can be used to tell GPG the size of the input data in bytes. n must be a positive base-10 number. This option is only useful if the input is not taken from a file. GPG may use this hint to optimize its buffer allocation strategy. It is also used by the --status-fd line “PROGRESS” to provide a value for “total” if that is not available by other means.
gpg can track the origin of a key. Certain origins are implicitly known (e.g. keyserver, web key directory) and set. For a standard import the origin of the keys imported can be set with this option. To list the possible values use "help" for string. Some origins can store an optional url argument. That URL can appended to string after a comma.
This is a space or comma delimited string that gives options for importing keys. Options can be prepended with a ‘no-’ to give the opposite meaning. The options are:
Allow importing key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.
Normally possible still existing ownertrust values of a key are cleared if a key is imported. This is in general desirable so that a formerly deleted key does not automatically gain an ownertrust values merely due to import. On the other hand it is sometimes necessary to re-import a trusted set of keys again but keeping already assigned ownertrust values. This can be achieved by using this option.
During import, attempt to repair the damage caused by the PKS keyserver bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note that this cannot completely repair the damaged key as some crucial data is removed by the keyserver, but it does at least give you back one subkey. Defaults to no for regular --import and to yes for keyserver --receive-keys.
Show a listing of the key as imported right before it is stored. This can be combined with the option --dry-run to only look at keys; the option show-only is a shortcut for this combination. The command --show-keys is another shortcut for this. Note that suffixes like ’#’ for "sec" and "sbb" lines may or may not be printed.
Run the entire import code but instead of storing the key to the local keyring write it to the output. The export option export-dane affect the output. This option can for example be used to remove all invalid parts from a key without the need to store it.
During import, allow key updates to existing keys, but do not allow any new keys to be imported. Defaults to no.
After import, compact (remove all signatures except the self-signature) any user IDs from the new key that are not usable. Then, remove any signatures from the new key that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" after import. Defaults to no.
Accept only self-signatures while importing a key. All other key
signatures are skipped at an early import stage. This option can be
keyserver-options to mitigate attempts to flood a
key with bogus signatures from a keyserver. The drawback is that
all other valid key signatures, as required by the Web of Trust are
also not imported. Note that when using this option along with
import-clean it suppresses the final clean step after merging the
imported key into the existing key.
After import, fix various problems with the keys. For example, this reorders signatures, and strips duplicate signatures. Defaults to yes.
When used the keyboxd (option use-keyboxd in common.conf) does the import within a single transaction.
Import the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" after import. Defaults to no.
Import in key restore mode. This imports all data which is usually skipped during import; including all GnuPG specific data. All other contradicting options are overridden.
These options define an import/export filter which are applied to the imported/exported keyblock right before it will be stored/written. name defines the type of filter to use, expr the expression to evaluate. The option can be used several times which then appends more expression to the same name.
The available filter types are:
This filter will keep a user id packet and its dependent packets in the keyblock if the expression evaluates to true.
This filter drops the selected subkeys. Currently only implemented for –export-filter.
This filter drops the selected key signatures on user ids. Self-signatures are not considered. Currently only implemented for –import-filter.
This filter is only implemented by --list-filter. All property names may be used.
For the syntax of the expression see the chapter "FILTER EXPRESSIONS". The property names for the expressions depend on the actual filter type and are indicated in the following table. Note that all property names may also be used by --list-filter.
Property names may be prefix with a scope delimited by a slash. Valid scopes are "pub" for public and secret primary keys, "sub" for public and secret subkeys, "uid" for for user-ID packets, and "sig" for signature packets. Invalid scopes are currently ignored.
The available properties are:
A string with the user id. (keep-uid)
The addr-spec part of a user id with mailbox or the empty string. (keep-uid)
A string with the key algorithm description. For example "rsa3072" or "ed25519".
A number with the public key algorithm of a key or subkey packet. (drop-subkey)
A number with the effective key size of a key or subkey packet. (drop-subkey)
The first is the timestamp a public key or subkey packet was created. The second is the same but given as an ISO string, e.g. "2016-08-17". (drop-subkey)
The hexified fingerprint of the current subkey or primary key. (drop-subkey)
Boolean indicating whether the user id is the primary one. (keep-uid)
Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a signature (drop-sig) expired.
Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has been revoked.
Boolean indicating whether a primary key is disabled.
Boolean indicating whether a key or subkey is a secret one. (drop-subkey)
A string indicating the usage flags for the subkey, from the sequence “ecsa?”. For example, a subkey capable of just signing and authentication would be an exact match for “sa”. (drop-subkey)
The first is the timestamp a signature packet was created. The second is the same but given as an ISO date string, e.g. "2016-08-17". (drop-sig)
A number with the public key algorithm of a signature packet. (drop-sig)
A number with the digest algorithm of a signature packet. (drop-sig)
A string with the key origin or a question mark. For example the string “wkd” is used if a key originated from a Web Key Directory lookup.
The timestamp the key was last updated from a keyserver or the Web Key Directory.
A string with the the URL associated wit the last key lookup.
This is a space or comma delimited string that gives options for exporting keys. Options can be prepended with a ‘no-’ to give the opposite meaning. The options are:
Allow exporting key signatures marked as "local". This is not generally useful unless a shared keyring scheme is being used. Defaults to no.
Include attribute user IDs (photo IDs) while exporting. Not including attribute user IDs is useful to export keys that are going to be used by an OpenPGP program that does not accept attribute user IDs. Defaults to yes.
Include designated revoker information that was marked as "sensitive". Defaults to no.
Export for use as a backup. The exported data includes all data which is needed to restore the key or keys later with GnuPG. The format is basically the OpenPGP format but enhanced with GnuPG specific data. All other contradicting options are overridden.
Compact (remove all signatures from) user IDs on the key being exported if the user IDs are not usable. Also, do not export any signatures that are not usable. This includes signatures that were issued by keys that are not present on the keyring. This option is the same as running the --edit-key command "clean" before export except that the local copy of the key is not modified. Defaults to no.
Export the smallest key possible. This removes all signatures except the most recent self-signature on each user ID. This option is the same as running the --edit-key command "minimize" before export except that the local copy of the key is not modified. Defaults to no.
Export only standalone revocation certificates of the key. This option does not export revocations of 3rd party certificate revocations.
Instead of outputting the key material output OpenPGP DANE records suitable to put into DNS zone files. An ORIGIN line is printed before each record to allow diverting the records to the corresponding zone file.
Enable the use of a new secret key export format. This format avoids the re-encryption as required with the current OpenPGP format and also improves the security of the secret key if it has been protected with a passphrase. Note that an unprotected key is exported as-is and thus not secure; the general rule to convey secret keys in an OpenPGP encrypted file still applies with this mode. Versions of GnuPG before 2.4.0 are not able to import such a secret file.
Print key listings delimited by colons. Note that the output will be encoded in UTF-8 regardless of any --display-charset setting. This format is useful when GnuPG is called from scripts and other programs as it is easily machine parsed. The details of this format are documented in the file doc/DETAILS, which is included in the GnuPG source distribution.
Do not merge primary user ID and primary key in --with-colon listing mode and print all timestamps as seconds since 1970-01-01. Since GnuPG 2.0.10, this mode is always used and thus this option is obsolete; it does not harm to use it though.
Revert to the pre-2.1 public key list mode. This only affects the
human readable output and not the machine interface
--with-colons). Note that the legacy format does not
convey suitable information for elliptic curves.
Same as the command --fingerprint but changes only the format of the output and may be used together with another command.
If a fingerprint is printed for the primary key, this option forces printing of the fingerprint for all subkeys. This could also be achieved by using the --with-fingerprint twice but by using this option along with keyid-format "none" a compact fingerprint is printed.
Print the ICAO spelling of the fingerprint in addition to the hex digits.
Include the keygrip in the key listings. In
this is implicitly enable for secret keys.
Include the locally held information on the origin and last update of
a key in a key listing. In
--with-colons mode this is always
printed. This data is currently experimental and shall not be
considered part of the stable API.
Print a Web Key Directory identifier along with each user ID in key listings. This is an experimental feature and semantics may change.
Include info about the presence of a secret key in public key listings