A compilation of documentation   { en , fr }

How to import or download a key with GnuPG

Created on:
Xavier Béguin

Importing the key from a file

Importing a key from a previously acquired file, is as simple as using the option --import and specifying the filename:

gpg --import someones.key

Downloading the key from a key server

Another possibility to import a key is to download it from a public server offering a service of distribution and discovery of OpenPGP-compatible keys, commonly referred to as a key server. The key must obviously have been uploaded beforehand by its owner on one of the GnuPG public keyservers.

The gpg command allows to download keys using its option --receive-keys (or its shorter option --recv-keys) that will contact a configured keyserver to download the designated key. With this option, the key must be designated using the key identifier:

$ gpg --receive-keys DA87E80D6294BE9B
gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The keyserver to use can also be specified using the option --keyserver and an URL to the keyserver:

gpg --keyserver hkps://keyserver.ubuntu.com --receive-keys DA87E80D6294BE9B

A public key can also be searched and downloaded using either its key ID or the associated User ID or its email address part (although this is not always possible due to privacy reasons) using the option --search-keys :

~$ gpg --search-keys herschel.krustofski@example.org
gpg: data source: https://keys.openpgp.org:443
(1) Herschel Krustofski <herschel.krustofski@example.org>
      4096 bit RSA key 4D823A13C895AC5E, created : 2022-09-29
Keys 1-1 of 1 for "herschel.krustofski@example.org".  Enter number(s), N)ext, or Q)uit >

Note that, if no keyserver is specified, GnuPG will by default use hkps://keyserver.ubuntu.com when using a vanilla GnuPG installation, or https://keys.openpgp.org when using GnuPG from the Debian package gnupg. According to the Debian bug #1009311, the former could send you a high volume of useless data, while the latter does not distribute public keys until their owner follows the process to validate the publication of the User ID.

Verifying a key is present in the primary keyring

The option --list-keys (or the short option -k) can then be used to display the public keys present in your primary public keyring. Called without argument, the command will display all the keys in the keyring:

gpg -k

You can specify an argument that will be taken by default as a partial match on the User ID of the key:

~$ gpg -k krusty
pub   rsa3072 2023-11-17 [SC] [expires: 2025-11-16]
uid          [  ultime ] Herschel Krustofski <krusty@example.org>
sub   rsa3072 2023-11-17 [E]

This partial match on the User ID is the default match type. It can also be obtained by prefixing the argument with *. The above command could thus be written gpg -k *krusty.

You can also use different types of matches depending on the prefix (and sometimes matching suffix) used in the argument. You can also search:

  • for an exact User ID by prefixing the argument with =:
    gpg -k "=Herschel Krustofski <krusty@example.org>"
  • by exact match on an email address using <>:
    gpg -k "<krusty@example.org>"
  • by partial match on an email address using @ as a prefix:
    gpg -k "@krusty"
    gpg -k "@example"