Encryption & Signature
sha256sum
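# sha256sum is the current recommended hash (MD5 and SHA-1 are no longer collision-resistant)
sha256sum filename [filename2] ... > filename.sha256
# verify; --strict turns a malformed line in the checksum file into a failure instead of a warning
sha256sum -c --strict filename.sha256
# NOTE: a matching digest only proves the file was not altered since the digest was written.
# It says nothing about who produced it: an attacker who can replace the file can replace the
# .sha256 file too. Get the digest over a trusted channel, or have it signed (see GnuPG below).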
GnuPG
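### common options
-a --armor # ASCII-armored output (text/mail safe), conventional extension .asc
-e --encrypt # encrypt
-d --decrypt # decrypt; an embedded signature is verified at the same time, its status goes to stderr
-o --output file # output file
-r --recipient usr-id # recipient; prefer a fingerprint over a name, and see -R to hide the key ID
-R --hidden-recipient usr-id # like -r but the recipient key ID is omitted; on decrypt gpg tries all secret keys
--throw-keyids # same as -R applied to every recipient
--default-recipient-self # encrypt to your own default key
-s --sign # sign; combine with -e to encrypt AND sign (encryption alone does not prove who sent it)
-q --quiet # quiet mode
--edit-key usr-id # interactive key editing (addkey, passwd, revkey, delkey, ...)
--list-keys, --list-secret-keys
--import key.file # import public or private keys
--export usr-id # export public key, use with -a
--export-secret-keys usr-id # export private key, use with -a; the file is protected only by the key passphrase, keep it offline/encrypted
--gen-revoke -a -o revcert.asc usr-id # revocation certificate: whoever holds it can revoke the key, so store it offline.
# (gpg >= 2.1 already writes one to ~/.gnupg/openpgp-revocs.d/ at key creation time)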
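### examples
# options and commands may be mixed, but all of them go before the input filename; -o names the
# output (default: <file>.gpg, or <file>.asc with -a)
gpg -o output -a -R name1 -R name2 -e file
gpg -r name -e -a > encrypted.asc # reads the plaintext from stdin; finish it with ^D
# do NOT send stderr to /dev/null when decrypting: that is where "BAD signature", "unknown key" and
# "WARNING: This key is not certified" are reported. At the very least check the exit status.
gpg -dq file.asc || echo 'decryption or signature check failed' >&2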
### generating key pair
# interactive: choose type, size and expiry. RSA 3072 is adequate; ed25519/cv25519 (the "ECC"
# choices, gpg >= 2.1) give smaller and faster keys. Set an expiration date -- it can be extended
# later and limits the damage if the revocation certificate is ever lost.
gpg --full-generate-key # 3072 key size is sufficient
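### share a public key
gpg --output key.pub --armor --export usr-id
# pgp.mit.edu is part of the old SKS keyserver pool, which was hit by certificate-flooding attacks
# in 2019 and has largely been abandoned since. keys.openpgp.org verifies e-mail ownership and does
# not distribute third-party certifications, which avoids that problem. hkps:// = TLS transport.
gpg --keyserver hkps://keys.openpgp.org --send-keys FINGERPRINT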
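### receive and import a public key
gpg --import public.key # import someone's public key (from them directly, a signed release page, WKD, ...)
# a keyserver lookup FINDS a key, it does not authenticate it; anyone can upload a key with any name
gpg --keyserver hkps://keys.openpgp.org --search-keys email@domain.com
# print the fingerprint and compare it with one obtained out of band from the owner
# (in person, phone, a document you already trust) -- never over the same channel as the key itself
gpg --fingerprint email@domain.com
# only after the fingerprint matched: certify the key.
# --sign-key creates an exportable certification, i.e. a public statement other people may rely on;
# --lsign-key creates a local, non-exportable one, which is all you need for your own use.
gpg --lsign-key email@domain.com
gpg --sign-key email@domain.com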
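### encrypt a file and sign
# prefer a fingerprint (or at least a long key ID) as recipient: a name / e-mail match picks the
# first key that matches, which may be an attacker-uploaded key with the same user ID
gpg --encrypt --sign --armor -r email@domain /path/to/file
gpg -e -R "Name" /path/to/plain # recipient Name; -R leaves the recipient key ID out of the output
# -u only chooses the signing key; without -s the file is encrypted but NOT signed
gpg -e -s -u "Sender" -R "Recipient" /path/to/file
### use -R or --hidden-recipient rather than -r when the recipient list itself is sensitive
# (the message no longer reveals which key can decrypt it, so the receiver has to try all secret keys)
# to avoid trying all secret keys, use --try-secret-key during decryption
gpg --try-secret-key keyID -d file # alternatively, set up default-key in conf file
gpg -e -a --default-recipient-self /path/to/file # encrypt to your own (default) key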
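## decrypt a file
gpg --decrypt -o /path/to/decrypted /path/to/encrypted
gpg -d /path/to/encrypted > /path/to/decrypted # with a file argument, -d writes the plaintext to stdout
gpg -dq /path/to/encrypted # quiet output (errors and signature status still go to stderr)
# load the decrypted content (e.g. exported secrets) into the current shell.
# `source "cmd |"` is not valid shell. bash process substitution, `source <(gpg -dq file)`, works
# but throws away gpg's exit status, so a failed decryption or a bad signature would go unnoticed:
if decrypted=$(gpg -dq /path/to/encrypted); then
  eval "$decrypted"
else
  echo 'gpg failed, not sourcing' >&2
fi
unset decrypted
# the file's content runs as shell code: only do this with a file you encrypted AND signed yourself.
# Encryption alone proves nothing about the author -- anyone holding your public key can produce a
# file that decrypts cleanly -- so sign it (-s) and check which key signed it (drop -q, or use --status-fd).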
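### refresh a key
# pulls updated expiry dates, new subkeys and -- most importantly -- revocations for every key you
# hold; run it periodically, against a keyserver that is still maintained, over TLS (hkps://)
gpg --keyserver hkps://keys.openpgp.org --refresh-keys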
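### passphrase (symmetric) way
# -c derives the key from a passphrase (S2K); that passphrase is the entire secret, so make it long
# and random. The default symmetric cipher depends on the gpg version (AES128 in 2.2);
# pass --cipher-algo AES256 explicitly if you need a specific one.
gpg -c /path/to/plain/file # writes /path/to/plain/file.gpg
gpg -d /path/to/plain/file.gpg # prompts for the passphrase, plaintext goes to stdout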
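### keep the passphrase in a separate file (unattended use)
### --passphrase-fd N reads the first line from file descriptor N (0 = stdin); --passphrase-file reads it from a file
# With GnuPG >= 2.1 both are IGNORED unless --batch and --pinentry-mode loopback are also given
# (early 2.1.x releases additionally need allow-loopback-pinentry in gpg-agent.conf).
# Never use --passphrase on the command line: it is visible in ps output and shell history.
gpg --batch --pinentry-mode loopback --passphrase-fd 0 -c backup-file-to-encrypt.gz < /secret/location/passwdfile
# the passphrase file must be unreadable by everyone else: chmod 400, owned by the user running gpg
# (-r-------- root root /secret/location/passwdfile)
gpg --batch --pinentry-mode loopback --passphrase-fd 0 -d backup-file-to-encrypt.gz.gpg < /secret/location/passwdfile > file
# with a file argument, -c writes <file>.gpg rather than stdout, so name the output with -o
gpg --batch --pinentry-mode loopback --passphrase-file /path/to/pwdfile -c -o /path/to/output /path/to/file-to-encrypt
gpg --batch --pinentry-mode loopback --passphrase-file /path/to/pwdfile -d -o /path/to/output /path/to/file-to-decrypt
# design note: a passphrase file on the backup host means anyone who can read it can decrypt every
# backup. Encrypting to a public key instead (gpg -e -r FINGERPRINT) needs no secret on that host;
# only the machine that restores needs the private key.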
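### export and import
gpg -a --export-secret-keys -o key user-id # secret key: still passphrase-protected, but treat the file as a secret
gpg -o key -a --export user-id # public key only
gpg --import /path/to/key
# for a complete backup / restore of a key, use the backup export format (keeps the GnuPG-specific
# data needed to restore it exactly) and save the ownertrust separately
gpg -a --export-options backup --export-secret-keys -o key.bak user-id
gpg --export-ownertrust > ownertrust.txt
gpg --import-options restore --import key.bak
gpg --import-ownertrust < ownertrust.txt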
## others
gpg -k # --list-keys (public keys)
gpg -K # --list-secret-keys
gpg -k --with-subkey-fingerprint
# refer to keys by full fingerprint, not by an 8-hex short ID: short IDs are trivially collidable
gpg --delete-secret-keys keyID
gpg --delete-keys keyID # the secret part has to be deleted first, gpg refuses otherwise
# usage flags: C = certify (primary key only), S = sign, E = encrypt, A = authenticate (e.g. ssh)
# SC is the primary key: it certifies subkeys and other people's keys, and may sign
# E is typically created, and only one is needed
# S subkey can have multiple, use addkey
# keeping the primary key offline and only subkeys on daily-use machines limits what a compromise exposes:
# a subkey can be revoked and replaced without changing the identity (the primary key)
# the primary pub key will contain all public subkeys
gpg -a --export -o public.key user-id
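# create subkey (interactive; at the gpg> prompt)
gpg --edit-key user-id
#   addkey  # choose an encrypt-only (E) or sign-only (S) type; the primary keeps C
#   save
# export ONE secret subkey: the trailing "!" means "exactly this subkey", without it every subkey is exported.
# Secret key material does not belong in the shared, world-readable /tmp; use a private unpredictable dir.
work=$(mktemp -d) && chmod 700 -- "$work"
gpg -a --export-secret-subkeys 'subkeyID!' > "$work/subkey.asc"
# use a throw-away homedir to change the passphrase of the exported copy only
# (the keyring on this machine keeps its own passphrase)
gpg --homedir "$work/gpg" --import "$work/subkey.asc"
gpg --homedir "$work/gpg" --edit-key user-id
#   passwd
#   save
# several subkeys can be exported at once; give each ID with its "!" suffix
gpg --homedir "$work/gpg" -a --export-secret-subkeys 'subkeyID!' > "$work/subkey.newpwd.asc"
# copy subkey.newpwd.asc to the other machine over a trusted channel and import it there
gpg --import subkey.newpwd.asc
# then destroy the working directory on this machine
rm -rf -- "${work:?}"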
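# remove the primary secret key from this machine. Make an offline backup FIRST: certifying other
# keys, adding subkeys and extending expiry dates all need the primary key.
gpg -K --with-keygrip # the keygrip of the primary key is the first one listed
rm -- ~/.gnupg/private-keys-v1.d/KEYGRIP.key # (shred is of little use on journaled / copy-on-write filesystems)
# alternatively, export all subkeys, then --delete-secret-keys, then reimport
gpg -K # "sec#" (with the # sign) means the primary secret key is absent, which is what we want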
# delete a subkey (interactive, at the gpg> prompt)
gpg --edit-key keyID
> key No. # select subkey No., counted from the top; the primary key is not counted
> delkey # only removes it from THIS keyring, everyone who already has the key still sees it.
# revkey revokes it immediately; publish the result (--send-keys) so others learn of it.
# For a compromised or retired subkey revkey is the right choice, not delkey.
> save
Sign and Certify
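## sign with your private key; the recipient needs your public key to verify the signature
gpg --sign doc # doc.gpg: compressed and signed, binary; -a for armored; commonly combined with -e
gpg --clearsign doc # doc.asc: readable text followed by an ASCII-armored signature, not encrypted
gpg --verify doc.asc # verify only
gpg --decrypt doc.asc # verify and recover the original content
gpg --detach-sign doc # -b: signature in a separate doc.sig; -a for armored (doc.asc)
gpg --verify doc.sig doc # both the signature and the file are needed
# "Good signature" only means the signature matches SOME key in your keyring. Also check that the
# fingerprint shown is the one you validated. When scripting, use --status-fd 1 and look for the
# VALIDSIG <fingerprint> line; for automated checks against a fixed key set use gpgv --keyring.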
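### ownership / permission correction (gpg warns about "unsafe permissions" on the homedir otherwise)
chown -R -- "$(whoami)" ~/.gnupg/
find ~/.gnupg -type f -exec chmod 600 -- {} +
find ~/.gnupg -type d -exec chmod 700 -- {} +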
gpg-agent
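# started on demand (and normally as a systemd --user service); reload it after editing its config
gpg-connect-agent reloadagent /bye
# ~/.gnupg/gpg-agent.conf
allow-preset-passphrase
default-cache-ttl 34560000 # 400 days (option name was misspelt "defaul-cache-ttl" before)
max-cache-ttl 34560000
# CAUTION: a 400-day TTL keeps the passphrase in the agent's memory for the life of the process;
# the key is then as exposed as an unprotected key file to anything that can reach the agent socket
# (same user, or root). Acceptable on a dedicated unattended host, not on a workstation.
# feed the passphrase: gpg-preset-passphrase reads it from stdin -- never pass it via -P/--passphrase,
# argv is visible in ps. The binary's location varies by distro, so ask gpgconf for it.
"$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" --preset "$keygrip" < /secret/location/passwdfile
"$(gpgconf --list-dirs libexecdir)/gpg-preset-passphrase" --forget "$keygrip"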