PGP® Command Line 10.0
User's Guide
Version Information
PGP Command Line User's Guide. PGP Command Line Version 10.0.0. Released March 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib (http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (http://jakarta.apache.org/), web server (http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse HTML, developed by the Apache Software Foundation. The license is at www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access Protocol") used for communications between various PGP products is provided under the Apache license found at http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released under an Apache-style license, available at http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the Independent JPEG Group. (http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is distributed under the MIT License http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and distributed by University of Cambridge. ©1997-2006. The license agreement is at http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (http://www.isc.org) -- Free BSD implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 20012003, Cambridge Broadband Ltd. © 20012003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at http://www.openbsd.org/cgibin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. - - JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB) is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for downloading files via common network services, is open source software provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released under a BSD-style license, available at http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. -- libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX. Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. -- JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, available at http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at http://www.opensource.org/licenses/mitlicense.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common Standard Template Library functions and data structures and is distributed under the MIT License found at http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at http://www.opensource.org/licenses/bsd-license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
4
Contents
PGP Command Line Basics |
1 |
Important Concepts |
1 |
Getting Started |
2 |
Installation |
5 |
Overview |
5 |
System Requirements |
6 |
Windows 7 and Vista |
6 |
Windows Server 2003 |
7 |
Windows XP |
8 |
Windows 2000 |
9 |
IBM AIX |
10 |
HP-UX 11i |
10 |
Solaris 9 and 10 |
10 |
Red Hat Enterprise Linux and Fedora Core |
10 |
Mac OS X |
11 |
Installing on AIX |
11 |
Installing on AIX |
11 |
Changing the Home Directory on AIX |
12 |
Uninstalling on AIX |
13 |
Installing on HP-UX |
13 |
Installing on HP-UX |
13 |
Changing the Home Directory on HP-UX |
14 |
Installing to a Non-Default Directory on HP-UX |
14 |
Uninstalling on HP-UX |
15 |
Installing on Mac OS X |
15 |
Installing on Mac OS X |
15 |
Changing the Home Directory on Mac OS X |
16 |
Uninstalling on Mac OS X |
16 |
Installing on Red Hat Enterprise Linux or Fedora Core |
17 |
Installing on Red Hat Enterprise Linux or Fedora Core |
17 |
Changing the Home Directory on Linux or Fedora Core |
18 |
Uninstalling on Linux or Fedora Core |
18 |
Installing on Solaris |
19 |
Installing on Solaris |
19 |
Changing the Home Directory on Solaris |
20 |
Uninstalling on Solaris |
20 |
Installing on Windows |
21 |
PGP Command Line for Windows and PGP Desktop on the Same System |
21 |
To Install on Windows |
21 |
Changing the Home Directory on Windows |
22 |
Uninstalling on Windows |
23 |
i
PGP® Command Line 10.0 |
Contents |
Licensing |
25 |
Overview |
25 |
License Recovery |
26 |
Using a License Number |
27 |
Using a License Authorization |
28 |
Re-Licensing |
29 |
Through a Proxy Server |
30 |
The Command-Line Interface |
33 |
Overview |
33 |
Flags and Arguments |
35 |
Flags |
35 |
Arguments |
36 |
Configuration File |
38 |
Keyserver Configuration File Settings |
42 |
Environment Variables |
43 |
Standard Input, Output, and Error |
44 |
Redirecting an Existing File |
44 |
Entering Data |
45 |
Specifying a Key |
46 |
'Secure' Options |
46 |
Passphrases |
47 |
First Steps |
49 |
Overview |
49 |
Creating Your Keypair |
50 |
Protecting Your Private Key |
52 |
Distributing Your Public Key |
52 |
Posting Your Public Key to a Keyserver |
53 |
Exporting Your Public Key to a Text File |
54 |
Getting the Public Keys of Others |
54 |
Finding a Public Key on a Keyserver |
54 |
Importing a Public Key from a Keyserver |
55 |
Verifying Keys |
56 |
Cryptographic Operations |
59 |
Overview |
60 |
Commands |
60 |
--armor (-a) |
60 |
--clearsign |
62 |
--decrypt |
64 |
--detached (-b) |
66 |
--dump-packets, --list-packets |
67 |
ii
PGP® Command Line 10.0 |
Contents |
--encrypt (-e) |
68 |
--export-session-key |
72 |
--list-sda |
73 |
--list-archive |
73 |
--sign (-s) |
74 |
--symmetric (-c) |
76 |
--verify |
77 |
Key Listings |
79 |
Overview |
79 |
Commands |
80 |
--fingerprint |
80 |
--fingerprint-details |
81 |
--list-key-details |
82 |
--list-keys (-l) |
83 |
--list-keys-xml |
84 |
--list-sig-details |
85 |
--list-sigs |
86 |
--list-userids |
86 |
Working with Keyservers |
87 |
Overview |
87 |
Commands |
88 |
--keyserver-disable |
88 |
--keyserver-recv |
89 |
--keyserver-remove |
90 |
--keyserver-search |
90 |
--keyserver-send |
91 |
--keyserver-update |
92 |
Managing Keys |
95 |
Overview |
97 |
Commands |
97 |
--add-adk |
97 |
--add-photoid |
98 |
--add-preferred-cipher |
98 |
--add-preferred-compression-algorithm |
99 |
--add-preferred-email-encoding |
100 |
--add-preferred-hash |
100 |
--add-revoker |
101 |
--add-userid |
101 |
--cache-passphrase |
102 |
--change-passphrase |
103 |
--clear-key-flag |
104 |
--disable |
104 |
iii
PGP® Command Line 10.0 |
Contents |
--enable |
105 |
--export, --export-key-pair |
105 |
--export-photoid |
108 |
--gen-key |
108 |
--gen-revocation |
111 |
--gen-subkey |
111 |
--get-email-encoding |
112 |
--import |
113 |
--join-key |
114 |
--join-key-cache-only |
118 |
--key-recon-send |
119 |
--key-recon-recv-questions |
120 |
--key-recon-recv |
121 |
--remove |
122 |
--remove-adk |
122 |
--remove-all-adks |
123 |
--remove-all-photoids |
123 |
--remove-all-revokers |
124 |
--remove-expiration-date |
124 |
--remove-key-pair |
125 |
--remove-photoid |
125 |
--remove-preferred-cipher |
126 |
--remove-preferred-compression-algorithm |
126 |
--remove-preferred-email-encoding |
127 |
--remove-preferred-hash |
127 |
--remove-preferred-keyserver |
128 |
--remove-revoker |
128 |
--remove-sig |
129 |
--remove-subkey |
129 |
--remove-userid |
130 |
--revoke |
130 |
--revoke-sig |
131 |
--revoke-subkey |
132 |
--send-shares |
132 |
--set-expiration-date |
133 |
--set-key-flag |
133 |
--set-preferred-ciphers |
134 |
--set-preferred-compression-algorithms |
134 |
--set-preferred-email-encodings |
135 |
--set-preferred-hashes |
136 |
--set-preferred-keyserver |
136 |
--set-primary-userid |
137 |
--set-trust |
137 |
--sign-key |
138 |
--sign-userid |
139 |
--split-key |
140 |
iv
PGP® Command Line 10.0 |
Contents |
Working with Email |
145 |
Overview |
145 |
Encrypt Email |
147 |
Sign Email |
148 |
Decrypt Email |
148 |
Verify Email |
149 |
Annotate Email |
149 |
Working with a PGP Key Management Server |
151 |
Overview |
152 |
New Terms and Concepts |
152 |
Relationship with a PGP KMS |
153 |
Authentication for PGP KMS Operations |
153 |
--create-mak |
155 |
--import-mak |
156 |
--export-mak |
157 |
--export-mak-pair |
157 |
--request-cert |
158 |
--edit-mak |
159 |
--search-mak |
160 |
--delete-mak |
161 |
--create-mek-series |
161 |
--edit-mek-series |
162 |
--search-mek-series |
163 |
--delete-mek-series |
164 |
--create-mek |
165 |
--import-mek |
165 |
--export-mek |
166 |
--edit-mek |
167 |
--search-mek |
168 |
--create-msd |
168 |
--export-msd |
169 |
--edit-msd |
170 |
--search-msd |
171 |
--delete-msd |
172 |
--create-consumer |
172 |
--search-consumer |
173 |
Miscellaneous Commands |
175 |
Overview |
175 |
Commands |
176 |
--create-keyrings |
176 |
--help (-h) |
177 |
--license-authorize |
177 |
v
PGP® Command Line 10.0 |
Contents |
--purge-all-caches |
177 |
--purge-keyring-cache |
177 |
--purge-passphrase-cache |
178 |
--speed-test |
178 |
--version |
178 |
--wipe |
179 |
--check-sigs |
180 |
--check-userids |
180 |
Options |
183 |
Using Options |
183 |
Boolean Options |
184 |
--alternate-format |
184 |
--annotate |
184 |
--archive |
185 |
--banner |
186 |
--biometric |
186 |
--buffered-stdio |
186 |
--compress, --compression |
187 |
--details |
187 |
188 |
|
--encrypt-to-self |
188 |
--eyes-only |
188 |
--fast-key-gen |
189 |
--fips-mode, --fips |
189 |
--force (-f) |
189 |
--halt-on-error |
190 |
--keyring-cache |
190 |
--large-keyrings |
190 |
--license-recover |
191 |
--local-mode |
191 |
--marginal-as-valid |
191 |
--master-key |
192 |
--pass-through |
192 |
--passphrase-cache |
192 |
--photo |
192 |
--quiet (-q) |
193 |
--recursive |
193 |
--reverse-sort, --reverse |
193 |
--sda |
193 |
--skep |
194 |
--text-mode, --text (-t) |
194 |
--truncate-passphrase |
195 |
--verbose (-v) |
195 |
--warn-adk |
195 |
--wrapper-key |
196 |
--xml |
196 |
Integer Options |
197 |
vi
PGP® Command Line 10.0 |
Contents |
--3des |
197 |
--aes128, --aes192, --aes256 |
197 |
--bits, --encryption-bits |
198 |
--blowfish |
198 |
--bzip2 |
199 |
--cast5 |
199 |
--creation-days |
199 |
--expiration-days |
200 |
--idea |
200 |
--index |
200 |
--keyring-cache-timeout |
201 |
--keyserver-timeout |
201 |
--md5 |
202 |
--passphrase-cache-timeout |
202 |
--partitioned |
202 |
--pgp-mime |
203 |
--ripemd160 |
203 |
--sha, --sha256, --sha384, --sha512 |
204 |
--signing-bits |
205 |
--skep-timeout |
205 |
--threshold |
205 |
--trust-depth |
206 |
--twofish |
206 |
--wipe-input-passes |
206 |
--wipe-overwrite-passes |
207 |
--wipe-passes |
207 |
--wipe-temp-passes |
207 |
--zip |
207 |
--zlib |
208 |
Enumeration Options |
208 |
--auto-import-keys |
208 |
--cipher |
209 |
--compression-algorithm |
209 |
--compression-level |
210 |
--email-encoding |
210 |
--enforce-adk |
211 |
--export-format |
211 |
--hash |
212 |
--import-format |
213 |
--input-cleanup |
213 |
--key-flag |
214 |
--key-type |
215 |
--manual-import-key-pairs |
215 |
--manual-import-keys |
215 |
--overwrite |
216 |
--sig-type |
216 |
--sort-order, --sort |
216 |
--tar-cache-cleanup |
217 |
--target-platform |
218 |
vii
PGP® Command Line 10.0 |
Contents |
--temp-cleanup |
218 |
--trust |
218 |
String Options |
219 |
--city, --common-name, --contact-email, --country |
219 |
--comment |
219 |
--creation-date |
219 |
--default-key |
220 |
--expiration-date |
220 |
--export-passphrase |
221 |
--home-dir |
221 |
--local-user (-u), --user |
221 |
--license-name, --license-number, --license-organization, --license-email |
222 |
--new-passphrase |
223 |
--organization, --organizational-unit |
223 |
--output (-o) |
223 |
--output-file |
224 |
--passphrase |
224 |
--preferred-keyserver |
224 |
--private-keyring |
225 |
--proxy-passphrase, --proxy-server, --proxy-username |
225 |
--public-keyring |
226 |
--recon-server |
226 |
--regular-expression |
226 |
--random-seed |
227 |
--root-path |
227 |
--share-server |
227 |
--state |
227 |
--status-file |
228 |
--symmetric-passphrase |
228 |
--temp-dir |
229 |
List Options |
229 |
--additional-recipient |
229 |
--adk |
229 |
--input (-i) |
230 |
--question / --answer |
230 |
--keyserver |
231 |
--recipient (-r) |
231 |
--revoker |
232 |
--share |
232 |
File Descriptors |
233 |
--auth-passphrase-fd, auth-passphrase-fd8 |
233 |
--export-passphrase-fd, --export-passphrase-fd8 |
234 |
--new-passphrase-fd, --new-passphrase-fd8 |
234 |
--passphrase-fd, --passphrase-fd8 |
234 |
--proxy-passphrase-fd, --proxy-passphrase-fd8 |
234 |
--symmetric-passphrase-fd, --symmetric-passphrase-fd8 |
235 |
viii
PGP® Command Line 10.0 |
Contents |
Lists |
237 |
Basic Key List |
237 |
The Default Key Column |
238 |
The Algorithm Column |
238 |
The Type Column |
239 |
The Size/Type Column |
239 |
The Flags Column |
240 |
The Key ID Column |
241 |
The User ID Column |
242 |
Detailed Key List |
242 |
Main Key Details |
244 |
Subkey Details |
251 |
ADK Details |
253 |
Revoker Details |
253 |
Key List in XML Format |
254 |
Elements with fixed settings |
258 |
X.509 Signatures |
260 |
Detailed Signature List |
261 |
Usage Scenarios |
267 |
Secure Off-Site Backup |
267 |
PGP Command Line and PGP Desktop |
268 |
Compression Saves Money |
268 |
Surpasses Legal Requirements |
269 |
Quick Reference |
271 |
Commands |
271 |
Options |
275 |
Environment Variables |
280 |
Configuration File Variables |
280 |
Codes and Messages |
283 |
Messages Without Codes |
283 |
Messages With Codes |
284 |
Parser |
284 |
Keyrings |
285 |
Wipe |
286 |
Encrypt |
287 |
Sign |
287 |
Decrypt |
287 |
Speed Test |
288 |
Key edit |
288 |
Keyserver |
295 |
ix
PGP® Command Line 10.0 |
Contents |
Key Reconstruction |
296 |
Licensing |
297 |
PGP Universal Server |
298 |
General |
298 |
Exit Codes |
307 |
Frequently Asked Questions |
309 |
Key Used for Encryption |
309 |
"Invalid" Keys |
310 |
Maximum File Size |
311 |
Programming and Scripting Languages |
312 |
File Redirection |
312 |
Protecting Passphrases |
312 |
Searching for Data on a PGP KMS |
315 |
Overview |
315 |
Keyword Listing |
316 |
Example Searches |
318 |
More About Types |
319 |
Time Fields |
319 |
Boolean Values |
319 |
Open PGP Algorithms |
319 |
Open PGP Key Usage Flags |
320 |
Key Modes |
320 |
Index |
321 |
x
1 |
PGP Command Line Basics |
|
|
This chapter describes some important PGP Command Line concepts and gives |
|
|
you a high-level overview of the things you need to do to set up and use PGP |
|
|
Command Line. |
|
|
In This Chapter |
|
|
Important Concepts................................................................................... |
1 |
|
Getting Started .......................................................................................... |
2 |
Important Concepts
The following concepts are important for you to understand:
PGP Command Line: A software product from PGP Corporation that automates the processes of encrypting/signing, decrypting/verifying, and file wiping; it provides a command-line interface to PGP technology.
command-line interface: An interface where you type commands at a command prompt. PGP Command Line uses a command-line interface.
keyboard input: PGP Command Line was designed so that all relevant information can be entered at the command line, thus requiring no further input from the keyboard to implement the commands.
scripting: PGP Command Line commands can be easily inserted into scripts to be used for automating tasks. For example, if your company regularly copies a large database to an off-site backup and then stores it there, PGP Command Line commands can be added to the script that does this so that the database is encrypted before it is transmitted to the off-site location and then decrypted when it arrives. PGP Command Line commands are easily added to shell scripts or scripts written with scripting languages (such as Perl or Python, for example).
environment variables: Environment variables control various aspects of PGP Command Line behavior; for example, the location of the PGP Command Line home directory. Environment variables are established on the computer running PGP Command Line.
1
PGP® Command Line 10.0 |
PGP Command Line Basics |
configuration file variables: When PGP Command Line starts, it reads the configuration file, which includes special configuration variables and values for each variable. These settings affect how PGP Command Line operates. Configuration file variables can be changed permanently by editing the configuration file or overridden on a temporary basis by specifying a value for a configuration file variable on the command line.
Self-Decrypting Archives (SDAs): PGP Command Line lets you create SDAs, compressed and conventionally encrypted archives that require a passphrase to decrypt. SDAs contain an executable for the target platform, which means the recipient of an SDA does not need to have any PGP software installed to open the archive. You can thus securely transfer data to recipients with no PGP software installed. You will have to communicate the passphrase of the SDA to the recipient, however.
Additional Decryption Key (ADK): PGP Command Line supports the use of an ADK, which is an additional key to which files or messages are encrypted, thus allowing the keeper of the ADK to retrieve data or messages as well as the intended recipient. Use of an ADK ensures that your corporation has access to all its proprietary information even if employee keys are lost or become unavailable.
PGP Zip archives: The PGP Zip feature lets you encrypt/sign groups of files or entire directories into a single compressed archive file. The archive format is tar and the supported compression formats are Zip, BZip2, and Zlib.
Getting Started
Now that you know a little bit about PGP Command Line, let’s go deeper into what you need to do to get started using it:
1Install PGP Command Line. Specific instructions for installing PGP Command Line on the supported platforms are in Installation.
2License the software. PGP Command Line functionality is extremely limited until you license the software. Refer to Licensing for more information.
3Create your default key pair. Most PGP Command Line operations require a key pair (a private key and a public key). Refer to Creating Your Keypair for more information.
4Protect your private key. Because your private key can decrypt your protected data, it is important that you protect it. Do not write down or tell someone the passphrase. It is a good idea to keep your private key on a machine that only you can access, and in a directory that is not accessible from the network. Also, you should make a backup of the private key and store it in a secure location. Refer to Protecting Your Private Key for more information.
2
PGP® Command Line 10.0 |
PGP Command Line Basics |
5Exchange public keys with others. In order to encrypt data to someone you need their public key; and they need yours to encrypt data to you. Refer to Getting the Public Keys of Others for more information about how to obtain public keys.
6Verify the public keys you get from the keyserver. Once you have a copy of someone’s public key, you add it to your public keyring. When you get someone’s public key, you should make sure that it has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. For more information about validity and trust, refer to An Introduction to Cryptography (it was put onto your computer during installation). For instructions how to verify someone’s public key, see --fingerprint (page 80).
7Start securing your data. After you have generated your key pair and have obtained public keys, you can begin encrypting, signing, decrypting, and verifying your data.
3
2 Installation
This chapter lists the system requirements for, and tells you how to install PGP Command Line onto, the six supported platforms: AIX, HP-UX, Mac OS X, Linux, Solaris, and Windows. It also includes uninstall instructions.
In This Chapter |
|
Overview.................................................................................................... |
5 |
System Requirements ............................................................................... |
6 |
Installing on AIX ....................................................................................... |
11 |
Installing on HP-UX .................................................................................. |
13 |
Installing on Mac OS X............................................................................. |
15 |
Installing on Red Hat Enterprise Linux or Fedora Core............................ |
17 |
Installing on Solaris .................................................................................. |
19 |
Installing on Windows.............................................................................. |
21 |
Overview
PGP Command Line can be installed on these platforms:
Windows 7 (32and 64-bit), Windows Vista (32and 64-bit), Windows Server 2003 (SP 1), Windows XP (32and 64-bit), Windows 2000 (SP 4)
HP-UX 11i and above (PA-RISC and Itanium)
IBM AIX 5.3 and 6.1
RedHat Enterprise Linux 3.0 and above (x86 only and x86_64)
Fedora Core 3 and above (x86_64 only)
Sun Solaris 9 (SPARC only) and Solaris 10 (SPARC, x86, and x86_64
Apple Mac OS X 10.5.x and 10.6.x (Intel-based systems only)
PGP Command Line uses a specific directory for the application data such as the configuration file, and a specific directory (called the home directory) for the files it creates, such as keyring files.
On any UNIX system, the application data and the home directory are identical and they are configured through the $HOME environment variable. For more information, refer to the installation instructions for the specific UNIX platform.
5
PGP® Command Line 10.0 |
Installation |
On Windows, the application data directory is used to store data such as the configuration file PGPprefs.xml. The home directory is called “My Documents” and is used to store keys. These two directories can be named differently, depending on the specific version on Windows. For more information, see To Install on Windows (on page 21).
Note: You can also use the --home-dir option on the command line to specify a different home directory. Using this option affects only the command it is used in and does not change the PGP_HOME_DIR environment variable.
Using --home-dir on the command line overrides the current setting of the
PGP_HOME_DIR environment variable.
System Requirements
In general, system requirements for PGP Command Line are the same as the system requirements for the host operating system.
In addition to the hard drive space required by the base operating system, PGP Command Line requires additional space for both the data on which cryptographic operations (such as encryption, decryption, signing, and verifying) will be applied and temporary files created in the process of performing those operations.
For a given file being encrypted or decrypted, PGP Command Line can require several times the size of the original file in free hard drive space (depending on how much the file was compressed), enough to hold both the original file or files and the final file resulting from the encryption or decryption operation.
In cases where PGP Zip functionality is used on a file, PGP Command Line may also require several times the size of the original file or files in free hard drive space, enough to hold the original file, a temporary file created when handling the archive, and the final file resulting from the encryption or decryption operation. Make sure you have adequate free hard drive space on your system before using PGP Command Line.
Windows 7 and Vista
|
Component |
Requirement |
|
|
Computer |
PC with 1 GHz 32-bit (x86) processor |
|
|
and |
|
|
|
processor |
|
|
|
|
|
|
|
Memory |
1 gigabyte (GB) of RAM or higher recommended (64 MB |
|
|
|
minimum supported; may limit performance and some |
|
|
|
features) |
|
|
|
|
|
|
|
|
|
|
|
6 |
|
PGP® Command Line 10.0 |
Installation |
Hard disk |
15 GB of available space |
Drive |
DVD-ROM drive |
|
|
Display |
Support for DirectX 9 graphics with WDDM driver, 128 MB of |
|
graphics memory (minimum), Pixel Shader 2.0 in hardware, 32 |
|
bits per pixel |
|
|
Windows Server 2003
PGP Command Line supports four editions of Windows Server 2003: Standard,
Datacenter, Enterprise, and Web.
Standard Edition
Component |
Requirement |
Computer |
PC with a 133-MHz processor required; 550-MHz or faster |
and |
processor recommended (Windows Server 2003 Standard |
processor |
Edition supports up to four processors on one server) |
|
|
Memory |
128 MB of RAM required; 256 MB or more recommended; 4 |
|
GB maximum |
|
|
Hard disk |
1.25 to 2 GB of available hard-disk space |
|
|
Drive |
CD-ROM or DVD-ROM drive |
|
|
Display |
VGA or hardware that supports console redirection required; |
|
Super VGA supporting 800 x 600 or higher-resolution monitor |
|
recommended |
|
|
Datacenter Edition
|
Component |
Requirement |
|
|
Computer |
Minimum: 400 MHz processor for x86-based computers |
|
|
and |
Recommended: 733 MHz processor |
|
|
processor |
|
|
|
|
|
|
|
Memory |
Minimum: 512 MB of RAM |
|
|
|
Recommended: 1 GB of RAM |
|
|
|
|
|
|
Hard disk |
1.5 GB hard-disk space for x86-based computers |
|
|
|
|
|
|
Other |
Minimum: 8-way capable multiprocessor machine required |
|
|
|
Maximum: 64-way capable multiprocessor machine supported |
|
|
|
|
|
|
|
|
|
|
|
7 |
|
PGP® Command Line 10.0 |
Installation |
Enterprise Edition
These system requirements apply only to the 32-bit version of Windows Server 2003 Enterprise Edition; 64-bit versions of Windows Server 2003 Enterprise Edition are not supported.
Component |
Requirement |
Computer |
133-MHz or faster processor for x86-based PCs; up to eight |
and |
processors supported on either the 32-bit |
processor |
|
|
|
Memory |
128 MB of RAM minimum required |
|
Maximum: 32 GB for x86-based PCs with the 32-bit version |
|
|
Hard disk |
1.5 GB of available hard-disk space for x86-based PCs; |
|
additional space is required if installing over a network |
|
|
Drive |
CD-ROM or DVD-ROM drive |
|
|
Display |
VGA or hardware that supports console redirection required |
|
|
Web Edition
Component |
Requirement |
Computer |
133-MHz processor (550 MHz recommended) |
and |
|
processor |
|
|
|
Memory |
128 MB of RAM (256 MB recommended; 2 GB maximum) |
|
|
Hard disk |
1.5 GB of available hard-disk space |
|
|
Windows XP
PGP Command Line supports the 32-bit and 64-bit versions of Windows XP.
8
PGP® Command Line 10.0 |
Installation |
32-bit Windows XP
Component |
Requirement |
Computer |
PC with 300 megahertz (MHz) or higher processor clock |
and |
speed recommended; 233-MHz minimum required; Intel |
processor |
Pentium/Celeron family, AMD K6/Athlon/Duron family, or |
|
compatible processor recommended |
|
|
Memory |
128 megabytes (MB) of RAM or higher recommended (64 MB |
|
minimum supported; may limit performance and some |
|
features) |
|
|
Hard disk |
1.5 gigabyte (GB) of available hard disk space |
|
|
Drive |
CD-ROM or DVD-ROM drive |
|
|
Display |
Super VGA (800 × 600) or higher resolution video adapter and |
|
monitor supporting 800 x 600 or higher-resolution monitor |
|
recommended |
|
|
64-bit Windows XP
Component |
Requirement |
Computer |
PC with AMD Athlon 64, AMD Opteron, Intel Xeon with Intel |
and |
EM64T support, Intel Pentium 4 with Intel EM64T support |
processor |
|
|
|
Memory |
256 megabytes (MB) of RAM or higher recommended |
|
|
Hard disk |
1.5 gigabyte (GB) of available hard disk space |
|
|
Drive |
CD-ROM or DVD-ROM drive |
|
|
Display |
Super VGA (800 × 600) or higher resolution video adapter and |
|
monitor supporting 800 x 600 or higher-resolution monitor |
|
recommended |
|
|
Windows 2000
|
Component |
Requirement |
|
|
Computer |
133 MHz or higher Pentium-compatible CPU |
|
|
and |
|
|
|
processor |
|
|
|
|
|
|
|
|
|
|
|
|
9 |
|
PGP® Command Line 10.0 |
Installation |
Memory |
At least 64 megabytes (MB) of RAM; more memory generally |
|
improves responsiveness |
|
|
Hard disk |
2 GB with 650 MB free space |
|
|
Drive |
CD-ROM or DVD-ROM drive |
|
|
Display |
VGA or higher resolution monitor |
|
|
IBM AIX
PGP Command Line runs on the range of IBM eServer p5, IBM eServer pSeries,
IBM eServer i5 and IBM RS/6000, as supported by IBM AIX 5.3 and 6.1.
HP-UX 11i
PGP Command Line runs on the list of PA-RISC workstation and servers supported by HP-UX 11i, as specified at http://docs.hp.com/ http://docs.hp.com/en/5187-2239/ch03s01.html.
Solaris 9 and 10
Component |
Requirement |
Computer |
SPARC (32and 64-bit) platforms |
and |
|
processor |
|
|
|
Memory |
64 MB minimum (128 MB recommended) |
|
|
Hard disk |
600 MB for desktops; one GB for servers |
|
|
Red Hat Enterprise Linux and Fedora Core
Component |
Requirement |
Computer |
x86 for Red Hat Enterprise Linux, x86_64 for Fedora Core; see |
and |
Red Hat or Fedora websites for hardware compatibility. |
processor |
|
|
|
Memory |
256 MB minimum |
|
|
Hard disk |
800 MB minimum |
|
|
10
PGP® Command Line 10.0 |
Installation |
Mac OS X
Component |
Requirement |
Computer |
Macintosh computer, Intel-based system only |
and |
|
processor |
|
|
|
Memory |
128 MB of physical RAM |
|
|
Installing on AIX
This section tells you how to install, change the home directory, and uninstall on
AIX.
Installing on AIX
You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.
To install PGP Command Line on an AIX system:
1If you have an existing version of PGP Command Line installed on the computer, uninstall it.
2Download the installer application called PGPCommandLine10IX.tar to a known location on your system.
3Untar the package first. You will get the following file:
PGPCommandLine100AIX.rpm
4Type: rpm -ivh PGPCommandLine10IX.rpm
5Press Enter.
By default, the PGP Command Line application, pgp, is installed into the directory /opt/pgp/bin. You need to add this directory to your PATH environment variable in order for the application to be found.
For sh-based shells, use this syntax:
PATH=$PATH:/opt/pgp/bin
For csh-based shells, use this syntax:
set path = ($path /opt/pgp/bin)
Also, in order to access the PGP Command Line man page, you need to set the
MANPATH environment variable appropriately.
11
PGP® Command Line 10.0 |
Installation |
For sh-based shells, use this syntax:
MANPATH=$MANPATH:/opt/pgp/man; export MANPATH
For csh-based shells, use this syntax:
setenv MANPATH "/opt/pgp/man"
By adding the option --prefix to the rpm command, you can install PGP
Command Line to a location other than the default.
Type rpm --prefix=/usr/pgp -ivh PGPCommandLine10AIX.rpm and press Enter.
This command installs the application binary in the directory /usr/pgp/bin/pgp, libraries in /usr/pgp/lib, and so on.
You will need to edit the environmental variable LIBPATH to include the new library path (/usr/pgp/lib) so that PGP Command Line can function in a location other than the default.
By adding the option --prefix to the rpm command, you can install PGP
Command Line in a location other than the default:
1If you have an existing version of PGP Command Line installed on the computer, uninstall it.
2Download the installer application called PGPCommandLine10AIX.tar to a known location on your system.
3Untar the package first. You will get the following file:
PGPCommandLine10AIX.rpm
4 Type: rpm --prefix=/opt -ivh PGPCommandLine10AIX.rpm
5Press Enter.
This command will install the application binary, pgp, in the directory
/usr/pgp/bin/pgp, libraries in /usr/pgp/lib, and so on.
You will need to edit the environment variable LIBPATH to include the new library path (/usr/pgp/lib), so that PGP Command Line can function in any location other than the default.
Changing the Home Directory on AIX
The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.
By default, the PGP Command Line installer for AIX creates the PGP Command Line home directory at $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice"is /usr/home/alice, PGP Command Line will attempt to create
/usr/home/alice/.pgp.
The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.
12
PGP® Command Line 10.0 |
Installation |
If you want the home directory changed on a permanent basis, you will need to create the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.
Uninstalling on AIX
Uninstalling PGP Command Line on AIX requires root privileges, either through su or sudo.
To uninstall PGP Command Line on AIX
1Type the following command and press Enter: rpm -e pgpcmdln
2PGP Command Line is uninstalled.
Installing on HP-UX
This section tells you how to install, change the home directory, and uninstall on
HP-UX.
Installing on HP-UX
You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.
To install PGP Command Line on an HP-UX system
1If you have an existing version of PGP Command Line installed on the computer, uninstall it.
2Download the installer file called PGPCommandLine10HPUX.tar to a known location on your system.
3Untar the package first. You will get the following file:
PGPCommandLine10HPUX.depot
4Type: swinstall -s /absolute/path/to/PGPCommandLine10HPUX.depot
5Press Enter.
By default, the PGP Command Line application, pgp, is installed into the directory /opt/pgp/bin. You need to add this directory to your PATH environment variable in order for the application to be found.
For sh-based shells, use this syntax:
13
PGP® Command Line 10.0 |
Installation |
PATH=$PATH:/opt/pgp/bin
For csh-based shells, use this syntax:
set path = ($path /opt/pgp/bin)
Also, in order to access the PGP Command Line man page, you need to set the
MANPATH environment variable appropriately.
For sh-based shells, use this syntax:
MANPATH=$MANPATH:/opt/pgp/man; export MANPATH
For csh-based shells, use this syntax:
setenv MANPATH "/opt/pgp/man"
Note: You may encounter an issue generating 2048or 4096-bit keys on HPUX systems running PGP Command Line if you have altered the maximum number of shared memory segments that can be attached to one process, as configured by the shmseg system parameter. if you encounter this issue, reset the shmseg system parameter to its default value of 120. Consult your HP-UX documentation for information about how to alter system parameters.
Changing the Home Directory on HP-UX
The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.
By default, the PGP Command Line installer for HP-UX creates the PGP Command Line home directory in $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice" is /usr/home/alice, PGP Command Line will attempt to create
/usr/home/alice/.pgp.
The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.
If you want the PGP Command Line home directory changed on a permanent basis, you can define the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.
Installing to a Non-Default Directory on HP-UX
This procedure describes how to install PGP Command Line for HP-UX into a non-default directory. The information provided is in addition to the information provided in Installing on HP-UX.
Note: This procedure uses /opt/pgp_alt as the non-default directory. Be sure to substitute the desired directory in place of /opt/pgp_alt.
14
PGP® Command Line 10.0 |
Installation |
To install PGP Command Line for HP-UX to a non-default directory
1Add the following extra argument to the swinstall command:
swinstall -s /path/to/pgpcmdln.depot pgpcmdln,l=/opt/pgp_alt
2Set all libraries to respect the SHLIB_PATH environment variable: chatr +s enable /opt/pgp_alt/lib/*
3Set the SHLIB_PATH environment variable to the new library directory when starting PGP Command Line:
export SHLIB_PATH=/opt/pgp_alt/lib
Uninstalling on HP-UX
Uninstalling PGP Command Line on HP-UX requires root privileges, either su or sudo.
To uninstall PGP Command Line on HP-UX:
1Type the following command and press Enter: swremove pgpcmdln
2PGP Command Line is uninstalled.
Installing on Mac OS X
This section tells you how to install, change the home directory, and uninstall on
Mac OS X.
Installing on Mac OS X
To install PGP Command Line on a Mac OS X system:
1Close all applications.
2Download the installer application, PGPCommandLine10MacOSX.tgz, to your desktop.
3Double-click on the file PGPCommandLine10MacOSX.tgz.
4If you have Stuffit Expander, it will automatically first uncompress this file into PGPCommandLine10MacOSX.tar, and then untar it into PGPCommandLine10MacOSX.pkg.
5Double-click on the file PGPCommandLine10MacOSX.pkg.
15
PGP® Command Line 10.0 |
Installation |
6Follow the on-screen instructions.
The Mac OS X PGP Command Line application, pgp, is installed into
/usr/bin/.
After you run PGP Command Line for the first time, its home directory will be created automatically in the directory $HOME/Documents/PGP. This directory may already exist if PGP Desktop for Mac OS X is already installed on the system.
Changing the Home Directory on Mac OS X
The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.
By default, the PGP Command Line installer for Mac OS X creates the PGP Command Line home directory at $HOME/Documents/PGP. If this directory does not exist, it will be created.
The PGP Command Line installer will not try to create any other part of directory listed in the $HOME variable, only .pgp.
If you want the home directory changed permanently, you need to create the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.
Uninstalling on Mac OS X
Uninstalling PGP Command Line on Mac OS X requires administrative privileges.
Caution: If you have PGP Desktop for Mac OS X installed on the same system with PGP Command Line, do not uninstall PGP Command Line unless you also plan to uninstall PGP Desktop. Uninstalling PGP Command Line will delete files that PGP Desktop requires to operate; you will have to reinstall PGP Desktop to return to normal operation.
To uninstall PGP Command Line on Mac OS X:
1Using the Terminal application, enter the following commands: rm -rf /usr/bin/pgp
rm -rf /Library/Frameworks/PGP* rm -rf /Library/Receipts/PGP*
2PGP Command Line is uninstalled.
Preferences and keyrings are not removed when PGP Command Line is uninstalled.
16