PGP Command Line - 10.1 User’s Guide

Download

PGP® Command Line

User's Guide

Version Information

PGP Command Line User's Guide. Version 10.1. Released September 2010.

Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.

Trademark Information

PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.

Licensing and Patent Information

The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm, implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support ( may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents.

https://support.pgp.com). PGP Corporation

Acknowledgments

This product includes or may include:

-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation, developed by zlib ( under the MIT License found at freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (

http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse

server ( HTML, developed by the Apache Software Foundation. The license is at binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group under an Apache 2.0-style license, available at Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software License, version 1.1, available at Protocol") used for communications between various PGP products is provided under the Apache license found at

http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released

under an Apache-style license, available at Independent JPEG Group. ( distributed under the MIT License distributed by University of Cambridge. ©1997-2006. The license agreement is at and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. ( implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. © 2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and Telecommunications, © 2004. The license agreement for these is at by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The OpenLDAP Foundation. The license agreement is at OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at

bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released

under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at

http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a

BSD-style license, available at PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a BSD-style license, available at database management system, is released under a BSD-style license, available at version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -

- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the GNU Library General Public License (LGPL) available at is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and Vanderbilt University. The open source software license is available at downloading files via common network services, is open source software provided under a MIT/X derivate license available at

under a BSD-style license, available at libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at

to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at

http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted

http://jakarta.apache.org/), web

www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-

http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software

http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access

http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the

http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is

http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and

http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library

http://www.isc.org) -- Free BSD

http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed

http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by

http://www.openbsd.org/cgi-

http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a

http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational

http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie

http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for

http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed

under the Common Public License v1.0 found at automate a variety of maintenance functions and is provided under the Perl Artistic License, found at

http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text

rendering, and alpha blending, and is distributed under the license found at

reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public License (LGPL) found at Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at

JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the

Apache 2.0 license, available at available at available at available at common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at

Standard Template Library functions and data structures and is distributed under the MIT License found at

format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at

Additional acknowledgements and legal notices are included as part of the PGP Universal Server.

http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license, http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license, http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a

http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.

http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,

http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to

http://developer.yahoo.com/yui/license.html. --

http://www.opensource.org/licenses/mit-

http://www.opensource.org/licenses/bsd-

Export Information

Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.

Limitations

The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.

Unsupported Third Party Products

By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product ("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE UNSUPPORTED THIRD PARTY PRODUCT.

Contents

PGP Command Line Basics 1

Important Concepts 1 Getting Started 2

Installation 5

Overview 5 System Requirements 6

Windows 7 and Vista 6 Windows Server 2008 and 2003 7 Windows XP 9 Windows 2000 10 IBM AIX 10 HP-UX 11i 10 Solaris 9 and 10 10 Red Hat Enterprise Linux, SLES, and Fedora Core 11 Mac OS X 11

Installing on AIX 11

Installing on AIX 11 Changing the Home Directory on AIX 13 Uninstalling on AIX 13

Installing on HP-UX 14

Installing on HP-UX 14 Changing the Home Directory on HP-UX 15 Installing to a Non-Default Directory on HP-UX 15 Uninstalling on HP-UX 16

Installing on Mac OS X 16

Installing on Mac OS X 16 Changing the Home Directory on Mac OS X 17 Uninstalling on Mac OS X 17

Installing on Red Hat Enterprise Linux, SLES, or Fedora Core 18

Installing on Red Hat Enterprise Linux or Fedora Core 18 Changing the Home Directory on Linux or Fedora Core 19 Uninstalling on Linux or Fedora Core 19

Installing on Solaris 20

Installing on Solaris 20 Changing the Home Directory on Solaris 21 Uninstalling on Solaris 22

Installing on Windows 22

PGP Command Line for Windows and PGP Desktop on the Same System 22 To Install on Windows 22 Changing the Home Directory on Windows 23 Uninstalling on Windows 24

PGP® Command Line 10.1 Contents

Licensing 25

Overview 25 License Recovery 26 Using a License Number 27 Re-Licensing 28 Through a Proxy Server 29

The Command-Line Interface 31

Overview 31 Flags and Arguments 33

Flags 33 Arguments 34

Configuration File 36

Keyserver Configuration File Settings 40 Environment Variables 41 Standard Input, Output, and Error 42

Redirecting an Existing File 42

Entering Data 43 Specifying a Key 44 'Secure' Options 44 Passphrases 45

First Steps 47

Overview 47 Creating Your Keypair 48 Protecting Your Private Key 49 Distributing Your Public Key 50

Posting Your Public Key to a Keyserver 51

Exporting Your Public Key to a Text File 51 Getting the Public Keys of Others 52

Finding a Public Key on a Keyserver 52

Importing a Public Key from a Keyserver 53 Verifying Keys 54

Cryptographic Operations 57

Overview 57 Commands 58

--armor (-a) 58

--clearsign 60

--decrypt 62

--detached (-b) 64

--dump-packets, --list-packets 65

--encrypt (-e) 66

--export-session-key 70

PGP® Command Line 10.1 Contents

--list-sda 71

--list-archive 71

--sign (-s) 72

--symmetric (-c) 74

--verify 76

Key Listings 79

Overview 79 Commands 80

--fingerprint 80

--fingerprint-details 81

--list-key-details 82

--list-keys (-l) 84

--list-keys-xml 84

--list-sig-details 85

--list-sigs 86

--list-userids 86

Working with Keyservers 89

Overview 89 Commands 90

--keyserver-disable 90

--keyserver-recv 91

--keyserver-remove 92

--keyserver-search 92

--keyserver-send 93

--keyserver-update 94

Managing Keys 97

Overview 99 Commands 99

--add-adk 99

--add-photoid 100

--add-preferred-cipher 101

--add-preferred-compression-algorithm 101

--add-preferred-email-encoding 102

--add-preferred-hash 102

--add-revoker 103

--add-userid 103

--cache-passphrase 104

--change-passphrase 105

--clear-key-flag 106

--disable 106

--enable 107

--export, --export-key-pair 107

--export-photoid 110

iii

PGP® Command Line 10.1 Contents

--gen-key 111

--gen-revocation 113

--gen-subkey 114

--get-email-encoding 115

--import 115

--join-key 117

--join-key-cache-only 120

--key-recon-send 121

--key-recon-recv-questions 123

--key-recon-recv 124

--remove 124

--remove-adk 125

--remove-all-adks 125

--remove-all-photoids 126

--remove-all-revokers 126

--remove-expiration-date 127

--remove-key-pair 127

--remove-photoid 127

--remove-preferred-cipher 128

--remove-preferred-compression-algorithm 128

--remove-preferred-email-encoding 129

--remove-preferred-hash 129

--remove-preferred-keyserver 130

--remove-revoker 130

--remove-sig 131

--remove-subkey 132

--remove-userid 132

--revoke 133

--revoke-sig 133

--revoke-subkey 134

--send-shares 135

--set-expiration-date 135

--set-key-flag 136

--set-preferred-ciphers 136

--set-preferred-compression-algorithms 137

--set-preferred-email-encodings 137

--set-preferred-hashes 138

--set-preferred-keyserver 139

--set-primary-userid 139

--set-trust 140

--sign-key 140

--sign-userid 141

--split-key 142

Working with Email 147

Overview 147 Encrypt Email 149 Sign Email 150 Decrypt Email 150

PGP® Command Line 10.1 Contents

Verify Email 151 Annotate Email 151

Working with a PGP Key Management Server

Overview 154

New Terms and Concepts 154

Relationship with a PGP KMS 155

Authentication for PGP KMS Operations 155

--create-mak 157

--import-mak 158

--export-mak 159

--export-mak-pair 159

--request-cert 160

--edit-mak 161

--search-mak 162

--delete-mak 163

--create-mek-series 163

--edit-mek-series 164

--search-mek-series 165

--delete-mek-series 166

--create-mek 167

--import-mek 167

--export-mek 168

--edit-mek 168

--search-mek 169

--create-msd 170

--export-msd 171

--edit-msd 172

--search-msd 173

--delete-msd 174

--create-consumer 174

--search-consumer 175

153

Miscellaneous Commands

Overview 177 Commands 178

--create-keyrings 178

--help (-h) 179

--license-authorize 179

--purge-all-caches 179

--purge-keyring-cache 179

--purge-passphrase-cache 180

--speed-test 180

--version 180

--wipe 181

--check-sigs 182

--check-userids 182

177

PGP® Command Line 10.1 Contents

Options 185

Using Options 185 Boolean Options 186

--alternate-format 186

--annotate 186

--archive 187

--banner 188

--biometric 188

--buffered-stdio 188

--compress, --compression 189

--details 189

--email 190

--encrypt-to-self 190

--eyes-only 190

--fast-key-gen 191

--fips-mode, --fips 191

--force (-f) 191

--halt-on-error 192

--keyring-cache 192

--large-keyrings 193

--license-recover 193

--local-mode 194

--marginal-as-valid 194

--master-key 194

--pass-through 194

--passphrase-cache 195

--photo 195

--quiet (-q) 195

--recursive 195

--reverse-sort, --reverse 196

--sda 196

--skep 196

--text-mode, --text (-t) 197

--truncate-passphrase 197

--verbose (-v) 197

--warn-adk 198

--wrapper-key 198

--xml 198

Integer Options 200

--3des 200

--aes128, --aes192, --aes256 200

--bits, --encryption-bits 201

--blowfish 201

--bzip2 201

--cast5 202

--creation-days 202

--expiration-days 202

--idea 203

PGP® Command Line 10.1 Contents

--index 203

--keyring-cache-timeout 204

--keyserver-timeout 204

--md5 204

--passphrase-cache-timeout 205

--partitioned 205

--pgp-mime 205

--ripemd160 206

--sha, --sha256, --sha384, --sha512 206

--signing-bits 208

--skep-timeout 208

--threshold 208

--trust-depth 208

--twofish 209

--wipe-input-passes 209

--wipe-overwrite-passes 209

--wipe-passes 210

--wipe-temp-passes 210

--zip 210

--zlib 210

Enumeration Options 211

--auto-import-keys 211

--cipher 211

--compression-algorithm 212

--compression-level 213

--email-encoding 213

--enforce-adk 213

--export-format 214

--hash 215

--import-format 215

--input-cleanup 216

--key-flag 216

--key-type 217

--manual-import-key-pairs 218

--manual-import-keys 218

--overwrite 218

--sig-type 219

--sort-order, --sort 219

--tar-cache-cleanup 220

--target-platform 220

--temp-cleanup 221

--trust 221

String Options 221

--city, --common-name, --contact-email, --country 221

--comment 221

--creation-date 222

--default-key 222

--expiration-date 223

--export-passphrase 223

--home-dir 223

vii

PGP® Command Line 10.1 Contents

--local-user (-u), --user 224

--license-name, --license-number, --license-organization, --license-email 224

--new-passphrase 225

--organization, --organizational-unit 225

--output (-o) 225

--output-file 226

--passphrase 226

--preferred-keyserver 227

--private-keyring 227

--proxy-passphrase, --proxy-server, --proxy-username 228

--public-keyring 228

--recon-server 229

--regular-expression 229

--random-seed 229

--root-path 230

--share-server 230

--state 230

--status-file 230

--symmetric-passphrase 231

--temp-dir 231

List Options 232

--additional-recipient 232

--adk 232

--input (-i) 232

--question / --answer 233

--keyserver 233

--recipient (-r) 234

--revoker 234

--share 235

File Descriptors 236

--auth-passphrase-fd, auth-passphrase-fd8 236

--export-passphrase-fd, --export-passphrase-fd8 236

--new-passphrase-fd, --new-passphrase-fd8 237

--passphrase-fd, --passphrase-fd8 237

--proxy-passphrase-fd, --proxy-passphrase-fd8 237

--symmetric-passphrase-fd, --symmetric-passphrase-fd8 237

Lists

Basic Key List 239

The Default Key Column 240

The Algorithm Column 240

The Type Column 241

The Size/Type Column 241

The Flags Column 242

The Key ID Column 243

The User ID Column 244 Detailed Key List 244

Main Key Details 246

Subkey Details 253

viii

239

PGP® Command Line 10.1 Contents

ADK Details 255

Revoker Details 255 Key List in XML Format 256

Elements with fixed settings 260

X.509 Signatures 262 Detailed Signature List 263

Usage Scenarios

Secure Off-Site Backup 269 PGP Command Line and PGP Desktop 270 Compression Saves Money 270 Surpasses Legal Requirements 271

269

Quick Reference 273

Commands 273 Options 277 Environment Variables 281 Configuration File Variables 282

Codes and Messages 285

Messages Without Codes 285 Messages With Codes 286

Parser 286

Keyrings 287

Wipe 288

Encrypt 289

Sign 289

Decrypt 289

Speed Test 290

Key edit 290

Keyserver 296

Key Reconstruction 297

Licensing 298

PGP Universal Server 300

General 300 Exit Codes 309

Frequently Asked Questions 311

Key Used for Encryption 311 "Invalid" Keys 311 Maximum File Size 313 Programming and Scripting Languages 313 File Redirection 314 Protecting Passphrases 314

PGP® Command Line 10.1 Contents

Searching for Data on a PGP KMS 317

Overview 317 Keyword Listing 318 Example Searches 320 More About Types 320

Time Fields 320

Boolean Values 321

Open PGP Algorithms 321

Open PGP Key Usage Flags 321

Key Modes 322

Index

323

PGP Command Line Basics

This chapter describes some important PGP Command Line concepts and gives you a high-level overview of the things you need to do to set up and use PGP Command Line.

In This Chapter

Important Concepts....................................................................................1

Getting Started ...........................................................................................2

Important Concepts

The following concepts are important for you to understand:

 PGP Command Line: A software product from PGP Corporation that

automates the processes of encrypting/signing, decrypting/verifying, and file wiping; it provides a command-line interface to PGP technology.

 command-line interface: An interface where you type commands at a

command prompt. PGP Command Line uses a command-line interface.

 keyboard input: PGP Command Line was designed so that all relevant

information can be entered at the command line, thus requiring no further input from the keyboard to implement the commands.

 scripting: PGP Command Line commands can be easily inserted into

scripts to be used for automating tasks. For example, if your company regularly copies a large database to an off-site backup and then stores it there, PGP Command Line commands can be added to the script that does this so that the database is encrypted before it is transmitted to the off-site location and then decrypted when it arrives. PGP Command Line commands are easily added to shell scripts or scripts written with scripting languages (such as Perl or Python, for example).

 environment variables: Environment variables control various aspects of

PGP Command Line behavior; for example, the location of the PGP Command Line home directory. Environment variables are established on the computer running PGP Command Line.

PGP® Command Line 10.1 PGP Command Line Basics

 configuration file variables: When PGP Command Line starts, it reads the

configuration file, which includes special configuration variables and values for each variable. These settings affect how PGP Command Line operates. Configuration file variables can be changed permanently by editing the configuration file or overridden on a temporary basis by specifying a value for a configuration file variable on the command line.

 Self-Decrypting Archives (SDAs): PGP Command Line lets you create

SDAs, compressed and conventionally encrypted archives that require a passphrase to decrypt. SDAs contain an executable for the target platform, which means the recipient of an SDA does not need to have any PGP software installed to open the archive. You can thus securely transfer data to recipients with no PGP software installed. You will have to communicate the passphrase of the SDA to the recipient, however.

 Additional Decryption Key (ADK): PGP Command Line supports the use

of an ADK, which is an additional key to which files or messages are encrypted, thus allowing the keeper of the ADK to retrieve data or messages as well as the intended recipient. Use of an ADK ensures that your corporation has access to all its proprietary information even if employee keys are lost or become unavailable.

 PGP Zip archives: The PGP Zip feature lets you encrypt/sign groups of

Getting Started

Now that you know a little bit about PGP Command Line, let’s go deeper into what you need to do to get started using it:

1 Install PGP Command Line. Specific instructions for installing PGP

2 License the software. PGP Command Line functionality is extremely

3 Create your default key pair. Most PGP Command Line operations

4 Protect your private key. Because your private key can decrypt your

files or entire directories into a single compressed archive file. The archive format is tar and the supported compression formats are Zip, BZip2, and Zlib.

Command Line on the supported platforms are in Installation.

limited until you license the software. Refer to Licensing for more information.

require a key pair (a private key and a public key). Refer to Creating Your Keypair for more information.

protected data, it is important that you protect it. Do not write down or tell someone the passphrase. It is a good idea to keep your private key on a machine that only you can access, and in a directory that is not accessible from the network. Also, you should make a backup of the private key and store it in a secure location. Refer to Protecting Your Private Key for more information.

PGP® Command Line 10.1 PGP Command Line Basics

5 Exchange public keys with others. In order to encrypt data to someone

you need their public key; and they need yours to encrypt data to you. Refer to Getting the Public Keys of Others for more information about how to obtain public keys.

6 Verify the public keys you get from the keyserver. Once you have a

copy of someone’s public key, you add it to your public keyring. When you get someone’s public key, you should make sure that it has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. For more information about validity and trust, refer to An Introduction to Cryptography (it was put onto your computer during installation). For instructions how to verify someone’s public key, see --fingerprint (page

80).

7 Start securing your data. After you have generated your key pair and

have obtained public keys, you can begin encrypting, signing, decrypting, and verifying your data.

Installation

This chapter lists the system requirements for, and tells you how to install PGP Command Line onto, the supported platforms: AIX, HP-UX, Mac OS X, Linux, Solaris, and Windows. It also includes uninstall instructions.

In This Chapter

Overview ................................................................................................... 5

System Requirements............................................................................... 6

Installing on AIX....................................................................................... 11

Installing on HP-UX.................................................................................. 13

Installing on Mac OS X ............................................................................ 16

Installing on Red Hat Enterprise Linux, SLES, or Fedora Core................ 17

Installing on Solaris.................................................................................. 20

Installing on Windows ............................................................................. 22

Overview

PGP Command Line can be installed on these platforms:

 Windows 7 (32- and 64-bit), Windows Server 2008, Windows Vista (32- and

64-bit) SP2, Windows Server 2003 (32- and 64-bit) SP2, Windows XP (32and 64-bit) SP3, Windows 2000 SP4

 HP-UX 11i and above (PA-RISC and Itanium)  IBM AIX 5.3 and 6.1  RedHat Enterprise Linux 5.0 (x86 and x86_64)  SLES (SUSE Linux Enterprise Server 9 SP4 and 10 SP2 (x86)  Fedora Core 6 (x86_64 only)  Sun Solaris 9 (SPARC) and Solaris 10 (SPARC, x86, and x86_64)  Apple Mac OS X 10.5.x and 10.6.x (Intel-based systems only)

PGP Command Line uses a specific directory for the application data such as the configuration file, and a specific directory (called the home directory) for the files it creates, such as keyring files.

PGP® Command Line 10.1 Installation

On any UNIX system, the application data and the home directory are identical and they are configured through the $HOME environment variable. For more information, refer to the installation instructions for the specific UNIX platform.

On Windows, the application data directory is used to store data such as the configuration file PGPprefs.xml. The home directory is called “My Documents” and is used to store keys. These two directories can be named differently, depending on the specific version on Windows. For more information, see To Install on Windows (on page

22).

Note: You can also use the --home-dir option on the command line to

specify a different home directory. Using this option affects only the command it is used in and does not change the PGP_HOME_DIR environment variable.

Using --home-dir on the command line overrides the current setting of the PGP_HOME_DIR environment variable.

System Requirements

In general, system requirements for PGP Command Line are the same as the system requirements for the host operating system.

In addition to the hard drive space required by the base operating system, PGP Command Line requires additional space for both the data on which cryptographic operations (such as encryption, decryption, signing, and verifying) will be applied and temporary files created in the process of performing those operations.

For a given file being encrypted or decrypted, PGP Command Line can require several times the size of the original file in free hard drive space (depending on how much the file was compressed), enough to hold both the original file or files and the final file resulting from the encryption or decryption operation.

In cases where PGP Zip functionality is used on a file, PGP Command Line may also require several times the size of the original file or files in free hard drive space, enough to hold the original file, a temporary file created when handling the archive, and the final file resulting from the encryption or decryption operation. Make sure you have adequate free hard drive space on your system before using PGP Command Line.

Windows 7 and Vista

Component Requirement

Computer and

PC with 1 GHz 32-bit (x86) processor

processor

Memory 1 gigabyte (GB) of RAM or higher recommended (64 MB

PGP® Command Line 10.1 Installation

minimum supported; may limit performance and some features)

Hard disk 15 GB of available space

Drive DVD-ROM drive

Display Support for DirectX 9 graphics with WDDM driver, 128 MB of

graphics memory (minimum), Pixel Shader 2.0 in hardware, 32 bits per pixel

Windows Server 2008 and 2003

PGP Command Line supports four editions of Windows Server 2008 and 2003: Standard, Datacenter, Enterprise, and Web.

Standard Edition

Component Requirement

Computer and processor

PC with a 133-MHz processor required; 550-MHz or faster processor recommended (Windows Server 2003 Standard Edition supports up to four processors on one server)

Memory 128 MB of RAM required; 256 MB or more recommended; 4

GB maximum

Hard disk 1.25 to 2 GB of available hard-disk space

Drive CD-ROM or DVD-ROM drive

Display VGA or hardware that supports console redirection required;

Super VGA supporting 800 x 600 or higher-resolution monitor recommended

Datacenter Edition

Component Requirement

Computer and processor

Memory Minimum: 512 MB of RAM

Minimum: 400 MHz processor for x86-based computers Recommended: 733 MHz processor

Recommended: 1 GB of RAM

Hard disk 1.5 GB hard-disk space for x86-based computers

PGP® Command Line 10.1 Installation

Other Minimum: 8-way capable multiprocessor machine required

Maximum: 64-way capable multiprocessor machine supported

Enterprise Edition

These system requirements apply only to the 32-bit version of Windows Server

2003 Enterprise Edition; 64-bit versions of Windows Server 2003 Enterprise Edition are not supported.

Component

Computer and processor

Requirement

133-MHz or faster processor for x86-based PCs; up to eight processors supported on either the 32-bit

Memory 128 MB of RAM minimum required

Maximum: 32 GB for x86-based PCs with the 32-bit version

Hard disk 1.5 GB of available hard-disk space for x86-based PCs;

additional space is required if installing over a network

Drive CD-ROM or DVD-ROM drive

Display VGA or hardware that supports console redirection required

Web Edition

Component Requirement

Computer and processor

Memory 128 MB of RAM (256 MB recommended; 2 GB maximum)

Hard disk 1.5 GB of available hard-disk space

133-MHz processor (550 MHz recommended)

PGP® Command Line 10.1 Installation

Windows XP

PGP Command Line supports the 32-bit and 64-bit versions of Windows XP.

32-bit Windows XP

Component Requirement

Computer and processor

PC with 300 megahertz (MHz) or higher processor clock speed recommended; 233-MHz minimum required; Intel Pentium/Celeron family, AMD K6/Athlon/Duron family, or compatible processor recommended

Memory 128 megabytes (MB) of RAM or higher recommended (64 MB

minimum supported; may limit performance and some features)

Hard disk 1.5 gigabyte (GB) of available hard disk space

Drive CD-ROM or DVD-ROM drive

Display Super VGA (800 × 600) or higher resolution video adapter and

monitor supporting 800 x 600 or higher-resolution monitor recommended

64-bit Windows XP

Component Requirement

Computer and processor

PC with AMD Athlon 64, AMD Opteron, Intel Xeon with Intel EM64T support, Intel Pentium 4 with Intel EM64T support

Memory 256 megabytes (MB) of RAM or higher recommended

Hard disk 1.5 gigabyte (GB) of available hard disk space

Drive CD-ROM or DVD-ROM drive

Display Super VGA (800 × 600) or higher resolution video adapter and

monitor supporting 800 x 600 or higher-resolution monitor recommended

PGP® Command Line 10.1 Installation

Windows 2000

Component Requirement

Computer and

133 MHz or higher Pentium-compatible CPU

processor

Memory At least 64 megabytes (MB) of RAM; more memory generally

improves responsiveness

Hard disk 2 GB with 650 MB free space

Drive CD-ROM or DVD-ROM drive

Display VGA or higher resolution monitor

IBM AIX

PGP Command Line runs on the range of IBM eServer p5, IBM eServer pSeries, IBM eServer i5 and IBM RS/6000, as supported by IBM AIX 5.3 and 6.1.

HP-UX 11i

PGP Command Line runs on the list of PA-RISC workstation and servers supported by HP-UX 11i, as specified at http://docs.hp.com/en/5187-2239/ch03s01.html.

http://docs.hp.com/

Solaris 9 and 10

Component Requirement

Computer and processor

Memory 64 MB minimum (128 MB recommended)

Hard disk 600 MB for desktops; one GB for servers

SPARC (32- and 64-bit) platforms

PGP® Command Line 10.1 Installation

Red Hat Enterprise Linux, SLES, and Fedora Core

Component Requirement

Computer and processor

x86 for Red Hat Enterprise Linux and SLES, x86_64 for Fedora Core; see Red Hat or Fedora websites for hardware compatibility.

Memory 256 MB minimum

Hard disk 800 MB minimum

Mac OS X

Component Requirement

Computer and

Macintosh computer, Intel-based system only

processor

Memory 128 MB of physical RAM

Installing on AIX

This section tells you how to install, change the home directory, and uninstall on AIX.

Installing on AIX

You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.

 To install PGP Command Line on an AIX system:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer application called PGPCommandLine101AIX.tar

to a known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101AIX.rpm

4 Type: rpm -ivh PGPCommandLine101AIX.rpm

PGP® Command Line 10.1 Installation

5 Press Enter.

By default, the PGP Command Line application, pgp, is installed into the directory /opt/pgp/bin. You need to add this directory to your PATH environment variable in order for the application to be found.

For sh-based shells, use this syntax:

PATH=$PATH:/opt/pgp/bin

For csh-based shells, use this syntax:

set path = ($path /opt/pgp/bin)

Also, in order to access the PGP Command Line man page, you need to set the MANPATH environment variable appropriately.

For sh-based shells, use this syntax:

MANPATH=$MANPATH:/opt/pgp/man; export MANPATH

For csh-based shells, use this syntax:

setenv MANPATH "/opt/pgp/man"

By adding the option --prefix to the rpm command, you can install PGP Command Line to a location other than the default.

Type rpm --prefix=/usr/pgp -ivh PGPCommandLine101AIX.rpm and press Enter.

This command installs the application binary in the directory /usr/pgp/bin/pgp, libraries in /usr/pgp/lib, and so on.

You will need to edit the environmental variable LIBPATH to include the new library path (/usr/pgp/lib) so that PGP Command Line can function in a location other than the default.

By adding the option --prefix to the rpm command, you can install PGP Command Line in a location other than the default:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer application called PGPCommandLine101AIX.tar

to a known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine10AIX.rpm

4 Type: rpm --prefix=/opt -ivh PGPCommandLine101AIX.rpm 5 Press Enter.

This command will install the application binary, pgp, in the directory /usr/pgp/bin/pgp, libraries in /usr/pgp/lib, and so on.

You will need to edit the environment variable LIBPATH to include the new library path (/usr/pgp/lib), so that PGP Command Line can function in any location other than the default.

PGP® Command Line 10.1 Installation

Changing the Home Directory on AIX

The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.

By default, the PGP Command Line installer for AIX creates the PGP Command Line home directory at $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice"is

/usr/home/alice, PGP Command Line will attempt to create /usr/home/alice/.pgp.

The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.

If you want the home directory changed on a permanent basis, you will need to create the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.

Uninstalling on AIX

Uninstalling PGP Command Line on AIX requires root privileges, either through su or sudo.

 To uninstall PGP Command Line on AIX

1 Type the following command and press Enter:

rpm -e pgpcmdln

2 PGP Command Line is uninstalled.

PGP® Command Line 10.1 Installation

Installing on HP-UX

This section tells you how to install, change the home directory, and uninstall on HP-UX.

Installing on HP-UX

You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.

 To install PGP Command Line on an HP-UX system

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer file called PGPCommandLine101HPUX.tar to a

known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101HPUX.depot

4 Type: swinstall -s

/absolute/path/to/PGPCommandLine101HPUX.depot

5 Press Enter.

For sh-based shells, use this syntax:

PATH=$PATH:/opt/pgp/bin

For csh-based shells, use this syntax:

set path = ($path /opt/pgp/bin)

Also, in order to access the PGP Command Line man page, you need to set the MANPATH environment variable appropriately.

For sh-based shells, use this syntax:

MANPATH=$MANPATH:/opt/pgp/man; export MANPATH

For csh-based shells, use this syntax:

setenv MANPATH "/opt/pgp/man"

PGP® Command Line 10.1 Installation

Note: You may encounter an issue generating 2048- or 4096-bit keys on HP-

UX systems running PGP Command Line if you have altered the maximum number of shared memory segments that can be attached to one process, as configured by the shmseg system parameter. if you encounter this issue, reset the shmseg system parameter to its default value of 120. Consult your HP-UX documentation for information about how to alter system parameters.

Changing the Home Directory on HP-UX

The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.

By default, the PGP Command Line installer for HP-UX creates the PGP Command Line home directory in $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice" is

/usr/home/alice, PGP Command Line will attempt to create /usr/home/alice/.pgp.

The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.

If you want the PGP Command Line home directory changed on a permanent basis, you can define the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.

Installing to a Non-Default Directory on HP-UX

This procedure describes how to install PGP Command Line for HP-UX into a non-default directory. The information provided is in addition to the information provided in Installing on HP-UX.

Note: This procedure uses /opt/pgp_alt as the non-default directory. Be sure

to substitute the desired directory in place of /opt/pgp_alt.

 To install PGP Command Line for HP-UX to a non-default directory

1 Add the following extra argument to the swinstall command:

swinstall -s /path/to/pgpcmdln.depot pgpcmdln,l=/opt/pgp_alt

2 Set all libraries to respect the SHLIB_PATH environment variable:

chatr +s enable /opt/pgp_alt/lib/*

3 Set the SHLIB_PATH environment variable to the new library directory

when starting PGP Command Line:

export SHLIB_PATH=/opt/pgp_alt/lib

PGP® Command Line 10.1 Installation

Uninstalling on HP-UX

Uninstalling PGP Command Line on HP-UX requires root privileges, either su or sudo.

 To uninstall PGP Command Line on HP-UX:

1 Type the following command and press Enter:

swremove pgpcmdln

2 PGP Command Line is uninstalled.

Installing on Mac OS X

This section tells you how to install, change the home directory, and uninstall on Mac OS X.

Installing on Mac OS X

 To install PGP Command Line on a Mac OS X system:

1 Close all applications. 2 Download the installer application, PGPCommandLine101MacOSX.tgz,

to your desktop.

3 Double-click on the file PGPCommandLine101MacOSX.tgz. 4 If you have Stuffit Expander, it will automatically first uncompress this file

into PGPCommandLine101MacOSX.tar, and then untar it into PGPCommandLine101MacOSX.pkg.

5 Double-click on the file PGPCommandLine101MacOSX.pkg. 6 Follow the on-screen instructions.

The Mac OS X PGP Command Line application, pgp, is installed into /usr/bin/.

After you run PGP Command Line for the first time, its home directory will be created automatically in the directory $HOME/Documents/PGP. This directory may already exist if PGP Desktop for Mac OS X is already installed on the system.

PGP® Command Line 10.1 Installation

Changing the Home Directory on Mac OS X

The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.

By default, the PGP Command Line installer for Mac OS X creates the PGP Command Line home directory at $HOME/Documents/PGP. If this directory does not exist, it will be created.

The PGP Command Line installer will not try to create any other part of directory listed in the $HOME variable, only .pgp.

If you want the home directory changed permanently, you need to create the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.

Uninstalling on Mac OS X

Uninstalling PGP Command Line on Mac OS X requires administrative privileges.

Caution: If you have PGP Desktop for Mac OS X installed on the same

system with PGP Command Line, do not uninstall PGP Command Line unless

you also plan to uninstall PGP Desktop. Uninstalling PGP Command Line will delete files that PGP Desktop requires to operate; you will have to reinstall PGP Desktop to return to normal operation.

 To uninstall PGP Command Line on Mac OS X:

1 Using the Terminal application, enter the following commands:

rm -rf /usr/bin/pgp

rm -rf /Library/Frameworks/PGP*

rm -rf /Library/Receipts/PGP*

2 PGP Command Line is uninstalled.

Preferences and keyrings are not removed when PGP Command Line is

uninstalled.

PGP® Command Line 10.1 Installation

Installing on Red Hat Enterprise Linux, SLES, or Fedora Core

This section tells you how to install, change the home directory, and uninstall on a Linux or Fedora Core system.

Installing on Red Hat Enterprise Linux or Fedora Core

You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.

Linux installations now default to /opt/pgp, which matches the default installation location on other UNIX platforms. To install PGP Command Line on Linux to the previous installation location (/usr/bin/), use the "--prefix=/usr" option.

If you have an existing Linux installation of PGP Command Line and do not install the new version using the "--prefix=/usr" option, you will need to update your path to include /opt/pgp/bin and you will need to update any scripts accordingly.

Caution: If you want to use the XML key list functionality in PGP Command

Line, you need to upgrade libxml2 to Version 2.6.8; the default is Version

2.5.10. If you attempt to use the XML key list functionality without upgrading, you will receive an error.

 To install PGP Command Line on a Linux system:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer file called PGPCommandLine101Linux.tar to a

known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101Linux.rpm

4 Type: rpm -ivh PGPCommandLine101Linux.rpm 5 Press Enter.

The PGP Command Line application, pgp, is installed by default into /opt/pgp/.

By adding the option --prefix to the rpm command, you can install PGP Command Line in a location other than the default.

PGP® Command Line 10.1 Installation

 To install PGP Command Line into a different directory:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer file called PGPCommandLine101Linux.tar to a

known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101Linux.rpm

4 Type: rpm --prefix=/opt -ivh PGPCommandLine101Linux.rpm 5 Press Enter.

This command will install the application binary in the directory /opt/bin/pgp, libraries in /opt/lib, etc. You will need to edit the environment variable LD_LIBRARY_PATH to include the new library path for the software to function in any location other than the default.

Changing the Home Directory on Linux or Fedora Core

The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.

By default, the PGP Command Line installer for Linux creates the PGP Command Line home directory at $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice" is

/usr/home/alice, PGP Command Line will attempt to create /usr/home/alice/.pgp.

The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.

If you want the home directory changed on a permanent basis, you need to create the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.

Uninstalling on Linux or Fedora Core

Uninstalling PGP Command Line on Linux requires root privileges, either su or sudo.

 To uninstall PGP Command Line on Linux or Fedora Core:

1 Type the following command and press Enter:

rpm -e pgpcmdln

2 PGP Command Line is uninstalled.

PGP® Command Line 10.1 Installation

Installing on Solaris

This section tells you how to install, change the home directory, and uninstall on Solaris.

Installing on Solaris

You need to have root or administrator privileges on the machine on which you are installing PGP Command Line.

 To install PGP Command Line onto a Solaris machine in the default

directory:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer file called PGPCommandLine101Solaris.tar to

a known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101Solaris.pkg

4 Type pkgadd -d PGPCommandLine101Solaris.pkg and press Enter. 5 At the first prompt, enter "1" or "all" to install the package.

If the directories /usr/bin and /usr/lib are not owned by root:bin, the install application pkgadd will ask if you want to change the ownership/group on these directories. It is not necessary to change them, but as an admin you may do so if you wish.

For sh-based shells, use this syntax:

PATH=$PATH:/opt/pgp/bin

For csh-based shells, use this syntax:

set path = ($path /opt/pgp/bin)

Also, in order to access the PGP Command Line man page, you need to set the MANPATH environment variable appropriately.

For sh-based shells, use this syntax:

MANPATH=$MANPATH:/opt/pgp/man; export MANPATH

For csh-based shells, use this syntax:

setenv MANPATH "/opt/pgp/man"

PGP® Command Line 10.1 Installation

 To install PGP Command Line onto a Solaris machine in another

directory:

1 If you have an existing version of PGP Command Line installed on the

computer, uninstall it.

2 Download the installer application PGPCommandLine101Solaris.tar to

a known location on your system.

3 Untar the package first. You will get the following file:

PGPCommandLine101Solaris.pkg

4 Type: pkgadd -a none -d PGPCommandLine101Solaris.pkg

(This will force an interactive installation).

5 Press Enter. 6 At the first prompt, enter “1” or “all” to install the package.

You will be asked to enter the path to the package’s base directory. If you enter /usr/pgp, the binary will be installed to /usr/pgp/bin/pgp, libraries will be installed to /usr/pgp/lib, and so on.

You need to edit the environment variable LD_LIBRARY_PATH to include the new library path (/usr/pgp/lib) so that PGP Command Line can function in this location.

Changing the Home Directory on Solaris

The home directory is where PGP Command Line stores the files that it creates and uses; for example, keyring files.

By default, the PGP Command Line installer for Solaris creates the PGP Command Line home directory in $HOME/.pgp. If this directory does not exist, it will be created. For example, if the value of $HOME for user "alice" is

/usr/home/alice, PGP Command Line will attempt to create /usr/home/alice/.pgp.

The PGP Command Line installer will not try to create any other part of the directory listed in the $HOME variable, only .pgp.

If you want the PGP Command Line home directory changed on a permanent basis, you can define the $PGP_HOME_DIR environment variable and specify the path of the desired home directory.

PGP® Command Line 10.1 Installation

Uninstalling on Solaris

Uninstalling PGP Command Line on Solaris requires root privileges, either su or sudo.

 To uninstall PGP Command Line on Solaris:

1 Type the following command and press Enter:

pkgrm PGPcmdln

To uninstall with no confirmation, use: pkgrm -n PGPcmdln

2 PGP Command Line is uninstalled.

Installing on Windows

This section tells you how to install, change the home directory, and uninstall on Windows.

PGP Command Line for Windows and PGP Desktop on the Same System

PGP Command Line and PGP Desktop can be installed on the same system at the same time.

To use PGP Command Line for Windows and PGP Desktop for Windows on the same 64-bit system, you must use the 64-bit version of PGP Desktop and the 32-bit version of PGP Command Line.

This ensures compatible versions of the PGP SDK are used. The PGP SDK for the 64-bit version of PGP Command Line for Windows includes functionality that makes it incompatible with PGP Desktop for Windows.

To Install on Windows

 To install PGP Command Line onto a Windows system:

1 Close all Windows applications. 2 Download the installer application, PGPCommandLine101Win.zip, to a

known location on your system.

3 Unzip the file PGPCommandLine101Win.zip. You will get the following

file: PGPCommandLine101Win.msi.

4 Double click on PGPCommandLine101Win.msi.

PGP® Command Line 10.1 Installation

5 Follow the on-screen instructions. 6 If prompted, restart your machine. A restart is needed only if other PGP

products are also installed on the same machine.

The Windows PGP Command Line application, pgp.exe, is installed into:

C:\Program Files\PGP Corporation\PGP Command Line\

After you run PGP Command Line for the first time, its home directory will be created automatically in the user’s home directory:

C:\Documents and Settings\<user>\My Documents\PGP\

Application data is stored in the directory:

C:\Documents and Settings\<user>\Application Data\PGP Corporation\PGP

Changing the Home Directory on Windows

The home directory is where PGP Command Line stores its keyring files. If a different PGP product has already created this directory, PGP Command Line will also use it (thus, PGP Command Line can automatically use existing PGP keys).

PGP Command Line data files, such as keys, are stored in the home directory: C:\Documents and Settings\<user>\My Documents\PGP\

PGP Command Line application files, such as the configuration file

PGPprefs.xml, are stored in:

C:\Documents and Settings\<user>\Application Data\PGP Corporation\PGP\

If you want the home directory changed on a permanent basis, you need to create the PGP_HOME_DIR environment variable and specify the path of the desired home directory.

 To create the PGP_HOME_DIR environment variable on a Windows

system:

1 Click Start, select Settings, select Control Panel, and then select

System.

Locations may be different for the different Windows versions.

The System Properties dialog appears.

2 Select the Advanced tab, then click Environment Variables.

The Environment Variables screen appears.

3 In the User Variables section, click New.

The New User Variable dialog appears.

4 In the Variable name field, enter PGP_HOME_DIR. In the Variable value

field, enter the path of the home directory you want to use. For example:

PGP® Command Line 10.1 Installation

C:\PGP\PGPhomedir\

5 Click OK.

The Environment Variables screen reappears. PGP_HOME_DIR appears in the list of user variables.

Uninstalling on Windows

 To remove PGP Command Line from a Windows system:

1 Navigate to the Add or Remove Programs Control Panel. 2 Select PGP Command Line from the list of installed programs. 3 Click Remove, then follow the on-screen instructions.

PGP Command Line is uninstalled.

Licensing

PGP Command Line requires a valid license to operate. This chapter describes how to license your copy of PGP Command Line.

In This Chapter

Overview ..................................................................................................25

License Recovery.....................................................................................26

Using a License Number..........................................................................27

Re-Licensing.............................................................................................27

Through a Proxy Server............................................................................29

Overview

PGP Command Line requires a valid license to support full functionality. If you use PGP Command Line without entering a license or after your license has expired, only basic functionality will be available. You will only be able to get help and version information; perform a speed test; list keys, user IDs, fingerprints, and signatures; export public keys and keypairs; and license PGP Command Line.

Note: As PGP Command Line will not operate normally until licensed, you

should license it immediately after installation.

When your license gets within 60 days of expiration, PGP Command Line begins issuing warnings that license expiration is nearing. There is no grace period once the license expiration date has been reached.

PGP Command Line supports the following licensing scenarios:

 Using a License Number (on page

license PGP Command Line. You must have your license number and a working connection to the Internet.

 Re-Licensing (on page

Line on a system but want to re-license it with a new license number (to support additional functionality, for example), use this method. You must have your new license number and a working connection to the Internet.

27). If you have already licensed PGP Command

27). This is the normal method to

PGP® Command Line 10.1 Licensing

 Through a Proxy Server (on page 29). If you connect to the Internet through

a proxy server, use this method to license PGP Command Line. You must have your license number and the appropriate proxy server information.

License Recovery

When you first enter your PGP Command Line license, one option is

--license-email, which takes a valid email address.

You are not required to use --license-email to license your copy of PGP Command Line, but it is required if you want to take advantage of the license recovery feature.

The license recovery feature provides an automated mechanism for retrieving your original licensing information for those occasions when you need to enter it again.

Here is how the license recovery feature works: When you first license your copy of PGP Command Line, you enter a License Name, License Organization, your License Number, and a License Email. The license authorizes, and you begin using PGP Command Line.

Several months pass. The hardware hosting PGP Command Line fails and it is no longer usable. You need to reinstall PGP Command Line on a new system. You still have your PGP Command Line license number, but you enter your company name differently in License Organization; you didn’t remember exactly how you entered it several months ago, and this time you picked a slightly different form (or maybe you even mis-typed it by mistake).

Not a big deal, you think; what difference could it make? But when you attempt to authorize the license, it does not work.

What happened is that when you re-license PGP Command Line, you must enter the same information exactly as you did the first time or it will not license correctly.

At this point the license recovery feature kicks in. When you attempt to relicense PGP Command Line, and you enter a valid license, but the License Name or License Organization you enter is different, the license recovery feature sends an email message to the License Email you entered the first time you licensed PGP Command Line.

The email message includes the License Name and License Organization you used when you first licensed PGP Command Line. You can now license PGP Command Line on the new system using the information in the message.

The key to the license recovery feature is entering a valid email address when you first license PGP Command Line. The license recovery feature will only use the email address you enter when you first license a specific PGP Command Line license. You cannot add or change the email address at a later time; if you don’t enter it the first time you license, the license recovery feature will not work for that particular PGP Command Line license.

PGP® Command Line 10.1 Licensing

If the license recovery feature is not available for a PGP Command Line license, but you need your original License Name or License Organization, contact PGP Support at

www.pgp.com/support/.

Using a License Number

If you have a license number and a working Internet connection, you can license your copy of PGP Command Line.

Use --license-authorize to license PGP Command Line.

The following options are required:

 --license-name <Name>

Where <Name> is your name or a descriptive name.

--license-organization <Org> Where <Org> is the name of your company.

--license-number <Number> Where <Number> is a valid license number.

The following option is not required but is recommended:

 --license-email <EmailAddress>

Where <EmailAddress> is a valid email address, generally the email address of the PGP Command Line administrator.

Before deciding not to enter a license email, be sure to refer to License Recovery (on page

26). Not entering a license email when you first license your copy of PGP Command Line negates the license recovery feature for your PGP Command Line license. If you decide not to enter a license email, you will see a warning message but your license will authorize.

For example:

pgp --license-authorize --license-name "Alice Cameron"

--license-organization "Example Corporation"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "

acameron@example.com"

(When entering this text, it all goes on a single line.)

PGP® Command Line 10.1 Licensing

Re-Licensing

If you have already licensed your copy of PGP Command Line on a system, but you need to re-license it on the same system (if you have purchased a new license with additional capabilities, for example), you must use the <force> option to override the existing license.

You can use a license number or a license authorization when you are relicensing.

Use --license-authorize to re-license PGP Command Line.

The following options are required:

 --license-name <Name>

Where <Name> is your name or a descriptive name.

--license-organization <Org> Where <Org> is the name of your company.

--license-number <Number> Where <Number> is a valid license number.

--force The following option is not required but is recommended:

 --license-email <EmailAddress>

Where <EmailAddress> is a valid email address, generally the email address of the PGP Command Line administrator.

The following option is optional:

 <LicenseAuthFilename>

Where <LicenseAuthFilename> is the name of the text file from PGP Corporation that includes license authorization information.

Before deciding not to enter a license email, be sure to refer to License Recovery (on page

For example:

pgp --license-authorize --license-name "Alice Cameron"

--license-organization "Example Corporation"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--license-email "

acameron@example.com" --force

(When entering this text, it all goes on a single line.)

PGP® Command Line 10.1 Licensing

Through a Proxy Server

If the Internet access of the system hosting PGP Command Line is via an HTTP proxy connection, you can still license your copy of PGP Command Line directly; you simply need to add the necessary proxy information.

Use --license-authorize to license PGP Command Line via a proxy server.

The following options are required:

 --license-name <Name>

Where <Name> is your name or a descriptive name.

--license-organization <Org> Where <Org> is the name of your company.

--license-number <Number> Where <Number> is a valid PGP Command Line license number.

 --proxy-server <Server>

Where <Server> is the IP address or fully qualified domain name of the proxy server PGP Command Line must go through to reach the Internet.

These options are needed when the proxy server requires authentication:

--proxy-username <Username> Where <Username> is a valid username on the proxy server.

--proxy-passphrase <Passphrase> Where <Passphrase> is the passphrase for the username you entered.

The following option is not required but is recommended:

 --license-email <EmailAddress>

Where <EmailAddress> is a valid email address, generally the email address of the PGP Command Line administrator.

Before deciding not to enter a license email, be sure to refer to License Recovery. Not entering a license email when you first license your copy of PGP Command Line negates the license recovery feature. If you decide not to enter a license email, you will see a warning message but your license will authorize.

For example:

pgp --license-authorize --license-name "Alice Cameron"

--license-organization "Example Corporation"

--license-number "aaaaa-bbbbb-ccccc-ddddd-eeeee-fff"

--proxy-server "proxyserver.example.com"

--proxy-username "acameron"

--proxy-passphrase 'a_cameron1492sailedblue'

--license-email "

acameron@example.com"

(When entering this text, it all goes on a single line.)

The Command-Line

Interface

This section describes the command-line interface of the PGP Command Line product.

In This Chapter

Overview ..................................................................................................31

Flags and Arguments ...............................................................................32

Configuration File .....................................................................................36

Environment Variables .............................................................................41

Standard Input, Output, and Error ............................................................42

Specifying a Key .......................................................................................43

'Secure' Options.......................................................................................44

Passphrases .............................................................................................45

Overview

PGP Command Line uses a command-line interface. You enter a valid command and press Enter. PGP Command Line responds appropriately based on what you entered (if you entered a valid command) or with an error message (if you entered an invalid or incorrectly structured command).

All PGP Command Line commands have a long form: the text “pgp”, a space, two hyphens "--", and then the command name. Some of the more common commands have a short form: one hyphen and then a single letter that substitutes for the command name.

The --version command, for example, tells you what version of PGP Command Line you are using. It does not have a short form:

%pgp --version [Enter]

From here on, the command prompt (% in this example) and [Enter] will not be shown.

The response is:

PGP Command Line 10.1

PGP® Command Line 10.1 The Command-Line Interface

The --help command tells you about the commands available in PGP Command Line. The long form is:

pgp --help

The short form is:

pgp -h

The response to either version of the --help command is:

PGP Command Line 10.1

Commands:

Generic:

-h --help this help message and so on.

Some more examples of the command line:

1 pgp --encrypt report.doc --recipient Alice

report.doc:encrypt (0:output file report.doc.pgp)

Encrypts a file (the output filename will be report.doc.pgp) to the recipient "Alice".

2 pgp -e report.doc -r Alice

report.doc:encrypt (0:output file report.doc.pgp)

Does the same as above, but using the short forms of the encrypt and the recipient flags.

3 pgp -er Alice report.doc

report.doc:encrypt (0:output file report.doc.pgp)

Combines multiple command short forms. "Alice" must come after the "r" because it is a required argument to --recipient.

4 pgp -er Alice report.doc --output NewReport.pgp

report.doc:encrypt (0:output file NewReport.pgp)

Changes the name of the file that is produced.

PGP® Command Line 10.1 The Command-Line Interface

Flags and Arguments

PGP Command Line uses flags, commands, options, and arguments:

 Flags come in two different types, commands and options. Commands

are flags that control what PGP Command Line does in its current invocation; they have no effect on subsequent invocations of PGP Command Line. Options change the behavior of the current command. Some options require an argument, described below, while others do not. The order in which flags are listed on the command line has no effect on their behavior.

 Arguments are required as the next parameter when an option flag is

used. Arguments must immediately follow their flags. Where the flag/argument pair are on the command line does not change what the flag/argument pair does. Except when setting lists, in which case the command is read left to right; so when searching keyservers, for example, the listed keyservers are searched in the order in which they are provided on the command line.

Flags

Flags and arguments must be separated by a space on the command line. Extra spaces are ignored. If a space between parts of an argument is required, the entire argument must be between quotes.

In some cases, there can be multiple names for a single flag.

For example:

--textmode and --text (same flag with two names)

It is also possible to provide an option that has no effect on the current operation. Flags that have no bearing on the current operation are ignored, unless they cause an error, in which case the command returns an error.

For example:

--list-keys Alice with the option --encrypt-to-self (the option --encrypt-to-self will be ignored)

As noted above, flags have both long and short forms. To combine multiple long forms, you simply write them out separated by a space. For example, to encrypt a file and armor the output:

pgp --encrypt ... --armor

You can, however, combine multiple short forms into a single flag. For example, to encrypt and sign at the same time:

pgp -es ...

PGP® Command Line 10.1 The Command-Line Interface

When combining short forms, if at any time an option is used in the list that requires an argument, the list must be terminated and followed by the argument. For example: -ear recipient.

Arguments

An argument is required as the next parameter when some option flags are used. There are several kinds of arguments, differentiated by how they are structured or what kind of information is provided.

The kinds of arguments are:

 Booleans  Integers  Enumerations  Strings  Lists  File descriptor

Booleans

Integers

 No parent

Booleans are a special kind of argument. They never take a direct argument themselves. Instead, the behavior changes by how the flag is specified. To disable a Boolean, specify it with the prefix "--no-" instead of the normal "--".

When the short form is used for a Boolean flag, there is no way to specify the disabled version of the flag.

For example:

--reverse-sort (activates reverse sorting)

--no-compress (deactivates compression, the reverse of --compress)

-t (activates text mode; to deactivate text mode, the long form must be

used, --no-text)

Integers are arguments that take a numeric value.

For example:

--wipe-passes 8 (sets the number of wipe passes to eight)

PGP® Command Line 10.1 The Command-Line Interface

Enumerations

Enumerations are arguments that take a string, which is then converted to the correct value by PGP Command Line. This string will be one of several possible for each flag.

For example:

--sort-order userid (sort by user ID)

--overwrite remove (sets the file overwrite behavior to remove files if

they exist)

Strings

String arguments take a string. If the string you want to use contains any spaces, the entire string must be in quotes (this indicates that all of the pieces belong to the same argument). In some cases, an empty string ("") can be passed as an argument.

On Windows systems, strings are read in as double-byte character strings and converted to UTF-8 for use by the PGP SDK or for output. On all other platforms, UTF-8 is used.

Lists

For example:

--default-key 0x8885BE88 (sets the key with this key ID as the default key)

--output "New File.txt.pgp" (sets the output filename to a filename with a space in it)

--passphrase "" (specifies a blank passphrase)

--expiration-date 2008-12-27 (specifies an expiration date of Dec.

27, 2008)

List arguments are the same as string arguments except you can supply more than one string.

For example:

--recipient bob --recipient bill (sets both Bob and Bill as recipients)

-r bob -r bill (same command using the short form of the flag)

PGP® Command Line 10.1 The Command-Line Interface

File descriptors

File descriptor arguments behave like integer arguments, but instead of storing the value of the descriptor, PGP Command Line reads a string value from the descriptor. These string values always have a string type counterpart.

If you need to specify the data in UTF-8 format on a Windows system, use the "8" versions of the file descriptor options.

For example:

--passphrase-fd 4 (read passphrase from fd 4 and use it as if

--passphrase had been supplied)

No parent

Arguments that have no parent flag behave like lists and follow the same rules. They are used in different ways, depending on the operation being performed, but they can occur anywhere in the command line except after a flag that has a required argument.

These arguments can represent users or represent files.

For example

Configuration File

Generally, the configuration file PGPprefs.xml cannot be changed by PGP Command Line itself: any changes need to be edited manually (on Mac OS X, the configuration file is com.pgp.desktop.plist, located in /user’s home directory/Library/Preferences/).

--passphrase-fd8 7 (read a UTF-8 passphrase from fd 7)

--list-keys Alice Bob Bill (list all keys that match any one of

these users)

--encrypt file1.txt file2.txt file3.txt (encrypt multiple files with the same command)

Starting with the PGP Command Line version 9.0, there is one operation that will change the configuration file: when you authorize a license, this information is saved in the file PGPprefs.xml for future use.

The configuration file PGPprefs.xml is located in the following locations:

 $HOME directory on any Unix platform  The exact location depends on the version of Windows, but it is always the

directory that holds the application data.

PGP® Command Line 10.1 The Command-Line Interface

By changing some of the settings in the PGPprefs.xml file, you will change how PGP Command Line works as long as this file is not replaced.

Note that those configuration file settings that do not begin with "CL" are shared among all PGP applications on the system.

Like arguments, the configuration file settings come in different types: Boolean, Integer, Enumeration, List, and String.

Boolean configuration file settings you can use with PGP Command Line are:

 ADK warning level (adkWarning). Enables warning messages for ADK

actions such as adding an ADK, skipping an ADK, or when an ADK is not found. Refer to --warn-adk (on page

198) for more information.

 Encrypt to self (encryptToSelf). When on, all files or messages you

encrypt to someone else are also encrypted to your key, which means you can decrypt those encrypted files/messages at a later time, if you wish. The default is off. See --encrypt-to-self (on page

190) for more information.

 Fast keygen (fastKeyGen). Establishes the setting for fast key

generation, on or off. The default is on. See --fast-key-gen (on page

191) for

more information.

 Halt on error (CLhaltOnError). When on, causes PGP Command Line to

halt operations when an error occurs. Does not apply to all operations. The default is off. See --halt-on-error (on page

192) for more information.

 Keyring cache (CLkeyringCache). When on, stores keyrings in memory

for each access. The default is off. See --keyring-cache (on page

192) for

more information.

 Large Keyrings (CLlargeKeyrings). Checks keyring signatures only

when necessary. See --large-keyrings (on page

193) for more information.

 Marginal is invalid (marginalIsInvalid). Establishes whether

marginally trusted keys are considered valid. The default is true, which means that marginally valid keys are not valid. See --marginal-as-valid (on page

194) for more information.

 Passphrase cache (CLpassphraseCache). When on, automatically saves

your passphrase in memory until you log off or purge the passphrase cache. The default is off. See --passphrase-cache (on page

194) for more

information.

Integer configuration file settings you can use with PGP Command Line are:

 Keyring cache timeout (CLkeyringCacheTimeout). Establishes the

number of seconds a keyring stays cached in memory. The default is 120 seconds. See --keyring-cache-timeout (on page

204) for more information.

 Keyserver timeout (CLkeyserverTimeout). Establishes the number of

seconds to wait before a keyserver operation times out. The default is 120

seconds. See --

KEYSERVER-TIMEOUT (SEE "INTEGER OPTIONS" ON PAGE 199) for more

information.

PGP® Command Line 10.1 The Command-Line Interface

 Number of wipe input passes (CLfileWipeInputPasses). Establishes

the number of wipe passes for input files. The default is 3 passes. See

--wipe-input-passes (on page

209) for more information.

 Number of wipe passes (fileWipePasses). Establishes the number of

passes used by the --wipe command. The default is 3 passes. See --wipe (on page

181) for more information.

 Number of wipe temp passes (CLfileWipeTempPasses). Establishes

the number of wipe passes for temporary files. The default is 3 passes. See --wipe-temp-passes (on page

210) for more information.

 Number of wipe overwrite passes (CLfileWipeOverwritePasses).

Establishes the number of wipe passes when overwriting an existing output file. The default is 3 passes. See --wipe-overwrite-passes

(ON PAGE

209) for more information.

 Passphrase cache timeout (CLpassphraseCacheTimeout). Establishes

the number of seconds a passphrase stays cached in memory. The default is 120 seconds. See --passphrase-cache-timeout (on page

205) for more

information.

Enumeration configuration file settings you can use with PGP Command Line are:

 Automatic import of keys (CLautoImportKeys). Establishes behavior

when keys are found during non-import operations. The default is all. See

--auto-import-keys (on page

211) for more information.

 Compression Level (CLcompressionLevel). Sets the compression level

for the current operation. The default is default. See --

213) for more information.

page

COMPRESSION-LEVEL (on

 Enforce ADK (CLenforceADK). Establishes the ADK enforcement policy.

The default is attempt. See --enforce-adk (on page

213) for more

information.

 Input cleanup (CLinputCleanup). Establishes what to do with input files

after they have been used. The default is off. See --input-cleanup (on page

216) for more information.

 Manual import of keys (CLmanualImportKeys). Establishes behavior

when keys are found during an import. The default is all. See --manual- import-key-pairs (on page

218) for more information.

 Manual import of key pairs (CLmanualImportKeyPairs). Establishes

behavior when key pairs are found during import. The default is pair. Refer to --manual-import-keys (on page

218) for more information.

 Sort order (CLsortOrder). Changes the sort order for writing key lists.

The default is any. See --sort-order, --sort (on page

219) for more

information.

 Overwrite (CLoverwrite). Establishes what to do when an operation

tries to create an output file but it already exists. The default is off. See

--overwrite (on page

218) for more information.

PGP® Command Line 10.1 The Command-Line Interface

List configuration file settings you can use with PGP Command Line are:

 Always encrypt to keys (alwaysEncryptToKeys). Specifies additional

recipients for encryption. Use the 32- or 64-bit key ID to specify the key(s) to use. Refer to --additional-recipient (on page

232) for more information.

 Default keyserver names and associated values (keyservers).

Specifies default keyservers. The default is ldap://keyserver.pgp.com:389/. If you supply a keyserver on the command line, those keyservers listed in the configuration file are ignored.

String configuration file settings you can use with PGP Command Line are:

 Comment (commentString). Specifies a comment string to be used in

armored output blocks. The default is not set. Refer to --comment (on page

221) for more information.

 Default signing key (CLdefaultKey). Specifies a key to be used by

default for signing. The default is not set. See --default-key (on page

222)

for more information.

 License Authorization (CLlicenseAuthorization). Specifies the

license authorization. The default is not set. See --license-name, --license- number, --license-organization, --license-email (on page

224) for more

information.

Caution: Because licensing information is stored somewhat differently,

PGP Corporation recommends that you do not directly edit the licenserelated configuration file settings; instead, use the license authorization commands described in Licensing (on page 25).

 License Name (CLlicenseName). Specifies the name of the licensee. The

default is not set. See --license-name, --license-number, --license- organization, --license-email (on page

224) for more information.

 License Number (CLlicenseNumber). Specifies the license number. The

default is not set. See --license-name, --license-number, --license- organization, --license-email (on page

224) for more information.

 License Organization (CLlicenseOrganization). Specifies the

organization of the licensee. The default is not set. See --license-name, -- license-number, --license-organization, --license-email (on page

224) for

more information.

 Output File (CLoutputFile). Specifies the output file (default is not set in

the configuration file; defaults to stdout). The output file is used for output messages. See --output-file (on page

226) for more information.

 Private keyring file (privateKeyringFile). The filename or path and

filename to the private keyring file. The default is secring.skr, located in the default PGP Command Line home directory. See --private-keyring (on page

227) for more information.

PGP® Command Line 10.1 The Command-Line Interface

 Public keyring file (publicKeyringFile). The filename or path and

filename to the public keyring file. The default is pubring.pkr, located in the default PGP Command Line home directory. See --public-keyring (on page

228) for more information.

 Random seed filename (rngSeedFile). Sets the location of the random

seed file. By default, the random seed file is located in the PGP Command Line data directory. See --random-seed (on page

229) for more information.

 Status File (CLstatusFile). Specifies the status file. The default is not

set in the configuration file; defaults to stderr. The status file is used for status messages, using a file name (with or without the path information). See --status-file (on page

230) for more information.

Keyserver Configuration File Settings

Here is the keyserver section of the PGPprefs.xml file, with brief explanations of specific settings:

<key>keyservers</key>

<array>

<dict>

<key>title</key>

<string>keyserver.example.com</string>(

(name of the keyserver)

<key>domain</key>

<key>hostname</key>

<string>keyserver.example.com</string>

(hostname of the keyserver)

<integer>389</integer> (keyserver port)

<key>protocol</key>

<integer>1</integer>(keyserver protocol: 1= LDAP, 2= HTTP, 3 = LDAPS and 4 = HTTPS

(currently not supported)

<integer>1</integer>(keyserver type: 1 = HTTP, 2 = HTTPS

(currently not supported)

<key>keyserverType</key>

<integer>100</integer>(keyserver type: 100 = PGPLDAP, 101 = PGPLDAPS, 102 = PGPVKD, 103 = X509LDAP, 104 = X509LDAPS, 105 = PGPHTTP)

PGP® Command Line 10.1 The Command-Line Interface

<key>baseDN</key>

<key>authKeyID</key>

<string></string> (not used)

<key>authAlgorithm</key>

<integer>0</integer> (not used)

<key>flags</key>

<integer>0</integer> (not used)

Environment Variables

PGP Command Line behavior can be changed using environment variables. For information about defining environment variables, refer to the section that describes the platform you are using in

Environment variables have the lowest priority compared to the command line and the configuration file. Settings for either will override environment variables. However, if a value for an item is not specified in either, the environment variable will be used. Environment variables cannot be disabled; if they are present, they are implemented. To disable an environment variable, remove it. Setting a Boolean environment variable will activate it, regardless of the value to which it is set.

Installation (on page 5).

Environment variables that can be implemented for PGP Command Line are:

 PGP_LOCAL_MODE. This is a Boolean environment variable that forces

PGP Command Line to run in local mode. The default is unset. See --local- mode (on page

194) for more information.

Usage: PGP_LOCAL_MODE=1

 PGP_NO_BANNER. This is a Boolean environment variable that turns off

the banner when a command is run. The default is unset. See --banner (on page

188) for more information.

Usage: PGP_NO_BANNER=1

 PGP_HOME_DIR. This is a string environment variable that overrides the

default home directory, pointing it to the path supplied in the variable. The default is unset. See --home-dir (on page

223) for more information.

Usage: PGP_HOME_DIR=/usr/bin/alice

 PGP_PASSPHRASE. This is a string environment variable that lets you set

your passphrase. The default is unset. For more information, See

--passphrase (on page

226) for more information.

Usage: PGP_PASSPHRASE="Now is the time for all good men"

PGP® Command Line 10.1 The Command-Line Interface

 PGP_NEW_PASSPHRASE. This is a string environment variable that lets

you set a new passphrase. The default is unset. See --new-passphrase (on

225) for more information.

page

Usage: PGP_NEW_PASSPHRASE="to come to the aid of their country."

 PGP_SYMMETRIC_PASSPHRASE. This is a string environment variable

that lets you set a passphrase for symmetric encryption. The default is unset. See --symmetric-passphrase (on page

Usage: PGP_SYMMETRIC_PASSPHRASE="Now is the time"

 PGP_EXPORT_PASSPHRASE. This is a string environment variable that

lets you set the export passphrase. The default is unset. See --export- passphrase (on page

Usage: PGP_EXPORT_PASSPHRASE="For All Good Men"

223) for more information.

231) for more information.

Standard Input, Output, and Error

PGP Command Line writes different data to several different places by default. Any user output generated by PGP Command Line is written to standard output (stdout), including version information, key list data, and so on. Any status information generated by PGP Command Line is sent to standard error (stderr).

When encrypting and decrypting, PGP Command Line reads and writes files by default. These files can be overridden with the special argument "-" to either

--input or --output. This behavior is set so that PGP Command Line does not have to wait for input if you forget something: it will generate an error you can detect.

The behavior of PGP Command Line changes depending on the operating system you are using, while the syntax changes depending on the shell.

When you work with PGP Command Line, you can use standard input (stdin) in two ways: by redirecting an existing file, or by typing (pasting in) data.

Redirecting an Existing File

You can use your shell to redirect input to PGP Command Line from an existing file.

The command looks like:

pgp -er user -i - -o file.pgp<file.txt

Example:

pgp -er " newnote.pgp<newnote.txt

bob@example.com" -i - -o

PGP® Command Line 10.1 The Command-Line Interface

stdin:encrypt (0:output file newnote.pgp)

In this case, the file newnote.txt was encrypted with Bob’s key and saved as

newnote.pgp.

Entering Data

Instead of redirecting an existing file, you can also type (or paste in) the data that needs to be encrypted. The command looks like:

pgp -er user -i - -o file.pgp

(type/paste in the data to be encrypted)

Example:

End-of-File

pgp -er "

bob@example.com" -i - -o newnote.pgp

(This text is the file newnote.txt, which will be signed by Bob.)

stdin:encrypt (0:output file newnote.pgp)

In addition to specifying the end of file, you also need to specify an output file name (such as "newnote.pgp"), since the input file name was not specified.

pgp --decrypt newnote.pgp --passphrase 'B0bsm1t4'

newnote.pgp:decrypt (0:output file newnote)

If you now decrypt newnote.pgp, the decrypted file newnote will not have an extension since the input was not in a file format.

On platforms where buffered standard input/output (I/O) is disabled by default, you cannot type or paste into stdin. Instead, you need to enable standard I/O using --buffered-stdio (see --buffered-stdio for details).

Depending on the shell you use, the end of file will be announced in different ways:

 On Windows, enter ^Z (ctrl-z) on a separate line.  On UNIX, enter ^D (ctrl-d) anywhere in the text. The end of file

character is shell-dependent and will vary on different systems.

PGP® Command Line 10.1 The Command-Line Interface

Specifying a Key

When you need to specify a key or keys as input for a PGP Command Line operation, there are two methods you can use:

 Match by user ID: To match by user ID, supply some of the text in the

user ID(s) you want to match. A case insensitive search of the user IDs of the keys on the local keyring is made. All keys that match the supplied text will be returned; for example, searching on ’ex’ would return all keys on the local keyring from the domain 'example.com', as well as a key whose user ID was 'dexter@pgp.com'. This is a convenience feature that makes it easy for you to match multiple keys on the local keyring.

Searching by user ID can return no keys, one key, or multiple keys, depending on the supplied text and the user IDs of the keys on the local keyring. Matching by user ID is best for operations where you want your search to return multiple keys; for example, the list operations (--list- keys, --fingerprint, and so on). Match by user ID can be used for operations that work only on a single key, but as it may return multiple keys, match by user ID may not be the best choice for these operations.

 Match by key ID: To match by key ID, supply the key ID of the specific key

'Secure' Options

The descriptions of some options in PGP Command Line mention that they are "secure," as in "This option is not secure" or "--auth-passphrase is secure".

In this context, "secure" means that the option’s argument is saved in nonpageable memory (when that option is available to applications). Options that are not "secure" are saved in normal system memory.

you want used for the operation (0xABCD1234, for example). The key IDs of the keys on the local keyring will be searched. If the key with the specified key ID is found on the local keyring, it will be used for the operation; if not, the operation will terminate.

Searching by key ID will return either no keys or one key. Matching by key ID is best for those cases where the search must exactly match one key (--default-key, for example) or where only a single key can be used for the operation; for example, most of the key edit operations (--split- key, --revoke, and so on).

PGP® Command Line 10.1 The Command-Line Interface

Passphrases

For consistency, all example passphrases in this guide are shown in single quotation marks ('). Putting passphrases between single quotation marks ensures that reserved characters and spaces are interpreted correctly.

If you do not use any reserved characters or spaces in your passphrases, then you do not have to enclose them in single quotation marks.

If you do enclose your passphrases in single quotation marks, and you have a single quotation mark as part of a passphrase on a *NIX system, you must escape the single quotation mark that is part of the passphrase. Escaping means you need to put another special character in front of the character; in this case, a backslash (\).

For example, if you enclose your passphrases in single quotation marks and you want to use

I can't believe it's not butter

as your passphrase, you would have to enter it as

'I can\'t believe it\'s not butter'

on the command line. You need the quotation marks at the beginning and end for the spaces and you need to escape each single quotation mark used in the passphrase with a backslash.

On Windows systems, if you have a space in a passphrase, you must enclose the passphrase in single or double quotation marks when you enter it. Also, double quotation marks (") as part of the passphrase must be escaped with a preceding double quotation mark.

For example, if you want to use

Thomas "Stonewall" Jackson

as your passphrase, you would have to enter it as

'Thomas ""Stonewall"" Jackson'

on the command line. You need the quotation marks at the beginning and end for the spaces and you need to escape each double quotation mark used in the passphrase with another double quotation mark.

Note: If you are having problems entering certain characters in your

passphrases, check the information about how to handle reserved characters for the operating system or shell interpreter you are using.

First Steps

This section describes the steps you need to take to get up and running with PGP Command Line.

In This Chapter

Overview ..................................................................................................47

Creating Your Keypair...............................................................................48

Protecting Your Private Key .....................................................................49

Distributing Your Public Key.....................................................................50

Getting the Public Keys of Others............................................................52

Verifying Keys...........................................................................................54

Overview

The first steps for getting up and running with PGP Command Line are:

1 Install PGP Command Line.

Installation for all supported platforms is fully described in Installation (on page

5).

2 License your copy of PGP Command Line.

Licensing is required for normal operation of PGP Command Line. Refer to Licensing (on page information about licensing PGP Command Line.

3 Create your key pair.

Most of the things you do with PGP Command Line require a key pair (a private key and a public key). How to create your key pair is described later in this chapter in Creating Your Keypair (on page

4 Protect your private key.

No one but you should know the passphrase or have access to your private key. How to protect your private key is described later in this chapter in Protecting Your Private Key (on page

5 Distribute your public key.

25) and --license-authorize (on page 179) for more

48).

49).

PGP® Command Line 10.1 First Steps

In order for others to verify your signature or encrypt data so that only you can decrypt it, they will need your public key.

One way to distribute your public key is to post it to a keyserver so that others can obtain it. The best way to do this is to post your public key to the PGP Global Directory (keyserver.pgp.com), a free, public keyserver hosted by PGP Corporation. It provides quick and easy access to the universe of PGP keys.

You can also export your public key to a file, which you can then distribute in any number of ways. For information about how to post your public key to a keyserver and extract your public key to a file, refer to Distributing Your Public Key (on page

50).

6 Obtain the public keys of others.

You need someone’s public key to be able to encrypt data so that only they can decrypt it. You can get public keys from a keyserver (as long as the key is posted, of course). And if you receive someone’s public key in a file, you can import it. For more information about how to get a public key from a keyserver and how to import a key, refer to Getting the Public Keys of Others (on page

52).

7 Verifying the public keys you get.

It is important to make sure the public keys you get actually belong to the person or organization they appear to be from. For instructions on how to verify a public key, refer to

8 Start securing your data.

Creating Your Keypair

The first thing you need to do after installing PGP Command Line is to make sure you have a usable PGP key pair, as most PGP Command Line operations require a key pair.

A key pair consists of two keys:

 Private key (stored in secring.skr) that only you have.  Public key (stored in pubring.pkr) that you can distribute freely to the

people you correspond with.

Keys are stored on keyrings. There’s one keyring for private keys (secring.skr), and one keyring for public keys (pubring.pkr).

Verifying Keys (on page 54).

If you are using a Windows or Mac OS X system, you may already have a key pair generated by PGP Desktop. If you do have an existing key pair you want to use with PGP Command Line and you distributed your public key to the people who will be encrypting data to you, you need to make sure the environment variable (PGP_HOME_DIR) is defined and points to the directory where your existing key pair is located.

PGP® Command Line 10.1 First Steps

Note: If you have PGP Desktop installed on the same Windows or Mac OS X

computer as PGP Command Line, and you installed PGP Desktop into the default directory, then PGP Command Line will automatically locate and use your existing keyrings.

If you do not have a PGP key pair, you will need to create one for use with PGP Command Line.

Use the --gen-key command to create a new key pair.

 To create a key pair:

1 On the command line, enter:

pgp --gen-key <user> --key-type <type> --encryptionbits <bits>

--passphrase <pass> [--signing-bits <bits>] [options]

where:

<user> is a user ID that people can use to locate your public key. A common user ID is your name and email address in the format: "Alice Cameron <

alice@example.com>". If your user ID contains spaces, you

must enclose it in quotation marks.

<type> means you are creating either an RSA or a DH key.

<bits> is the number of bits of the key (usually 1024 to 4096). Per FIPS

186-3, DSA keys can be 1024, 2048, or 3072 bits.

<passphrase> is a passphrase of your choice. If your passphrase includes spaces, enclose it in quotation marks.

For more information, refer to --gen-key (on page

2 Press Enter when the command is complete.

PGP Command Line responds by generating your key pair.

Note: The --gen-key command automatically creates your key pair and a

public and a private keyring in the home directory, then puts your new private and public keys onto their respective keyrings. You can create empty keyring files without generating a key pair at the same time using the --create- keyrings command.

Protecting Your Private Key

If someone gets your private key and manages to guess your passphrase or finds it written on a Post-it® note, they can impersonate you. They can open messages encrypted to you and they can sign messages, making them appear to be from you.

110).

PGP® Command Line 10.1 First Steps

Warning: It is very important to protect your private key! Do not let anyone

get a copy of it and do not ever give anyone the passphrase.

By default, all generated keys (private and public) are stored in the directory to which the environment variable points (which is PGP_HOME_DIR, if set).

Otherwise:

 UNIX: $HOME/.pgp  Windows: C:\Documents and Settings\<current user>\My

Documents\PGP

Mac OS X: $HOME/Documents/PGP You can locate your keyrings using the

--version (-v) command. Once the keys are generated, you can store them in any location you choose (provided you do not forget to adjust the environment variable to point to the new location). Moving your keys to a different location is one way to protect them from someone who might get access to your system.

It is also a good practice to make a backup copy of your keys. Make sure to be especially careful with your private key, storing it on a machine only you can access and in a directory that cannot be accessed via a network. You may also choose to implement additional security precautions.

Distributing Your Public Key

People need your public key to encrypt information that only you can decrypt and to verify your signature.

There are three main methods available to distribute your public key:

 Post your public key to the PGP Global Directory. The PGP Global

Directory is a free, publicly available keyserver hosted by PGP Corporation that provides quick and easy access to the universe of PGP keys. If you are

not in an email domain protected by a PGP Universal Server, the PGP Global Directory is your source for trusted keys.

 Post your public key to another keyserver. Once posted, people can get

a copy of your public key and use it to encrypt data that only your private key can decrypt. How to use PGP Command Line to post your public key to a keyserver is described below.

 Export your public key to a text file. Once exported to a text file, you can

distribute your public key however you like: attached to an email message, pasted into the body of an email message, or copied to a CD.

How to use PGP Command Line to extract your public key to a text file is described in

Exporting Your Public Key to a Text File (on page 51).

PGP® Command Line 10.1 First Steps

Posting Your Public Key to a Keyserver

You can post your public key to a private keyserver or a public keyserver; the procedure is the same in both cases.

Use the --keyserver-send command to post your public key to a keyserver.

 To post a public key to a keyserver:

1 On the command line, enter:

pgp --keyserver-send <input> --keyserver <ks>

where:

<input> is the user ID, portion of the user ID, or key ID of the public key you are posting.

<ks> is the name of the keyserver to which you are posting.

For example:

pgp --keyserver-send ldap://keyserver.example.com

If there are multiple keys with user IDs that match the input, all of them will be posted. To make sure only a specific key is posted, use the key ID as the input.

pgp --keyserver-send 0x12345678 --keyserver ldap://keyserver.pgp.com

Only the specified key will be posted to ldap://keyserver.pgp.com, a public keyserver.

2 Press Enter when the command is complete.

PGP Command Line responds by posting the public key(s) to the specified keyserver.

Once you have posted your public key to a keyserver, you should search the keyserver for your public key to make sure it was correctly posted.

How to search for a key on a keyserver is described in Finding a Public Key on a Keyserver.

Exporting Your Public Key to a Text File

Once you have extracted your public key to a text file, it is easy to distribute. You can attach it to an email message, paste it into the body of an email message, or copy it to a CD.

alice@example.com --keyserver

Use the --export command to export your public key.

PGP® Command Line 10.1 First Steps

 To export a public key:

1 On the command line, enter:

pgp --export <input>

where:

<input> is the user ID, portion of the user ID, or the key ID of the key you want to export.

By default, keys are exported as ASCII armor (.asc) files into the directory currently active on the command line.

For example:

pgp --export example

All keys with the string "example" anywhere in them would be exported into separate .asc files.

pgp --export "Alice C <

Only keys that exactly match this user ID would be exported. The filename would be Alice C.asc.

2 Press Enter when the command is complete.

PGP Command Line responds by creating the .asc file(s) in the appropriate directory.

Getting the Public Keys of Others

To encrypt data to a specific person, you need to encrypt it with their public key. Naturally, you have to get their public key onto your keyring first.

To get a public key onto your keyring, you must first find the public key on a keyserver and then import it from the keyserver onto your keyring.

Finding a Public Key on a Keyserver

In order to get a public key onto your keyring, you have to find the right key. In many cases, you can get the key you need from a keyserver. You use the same procedure for a public keyserver and a private keyserver.

acameron@example.com>"

Use the --keyserver-search command to search a keyserver for a key.

To search a keyserver for a key:

1 On the command line, enter:

pgp --keyserver-search <input> --keyserver <ks>

where:

PGP® Command Line 10.1 First Steps

<input> is the user ID, portion of the user ID, or the key ID of the key for which you are searching.

If you are searching by key ID, only an exact match will be found (you can find the key ID of your key using the --list-keys (-l) (page

83) command). If you are searching by user ID, any key whose user ID contains the user ID or portion of the user ID you enter will be found. So a search by user ID could return many matches, where a search by key ID will return only one key.

<ks> is the name of the keyserver you want to search.

You can enter more than one keyserver, separated by a space. Only results from the first keyserver where there is a match will be returned.

For example:

pgp --keyserver-search example.com --keyserver ldap://keyserver.pgp.com

This search would return keys that have "example.com" in the user ID and are on keyserver.pgp.com, a public keyserver.

2 Press Enter when the command is complete.

PGP Command Line responds by listing the key or keys that match the search criteria you specified in the following format:

Alg Type Size/Type Flags Key ID User ID

--- ---- --------- ----- --------- -------

DSS pub 2048/1024 [-----] 0x1234ABCD Alice C

ac@example.com>

Importing a Public Key from a Keyserver

Once you have found the key you want on the keyserver, you need to get the key from the keyserver onto your keyring.

Use the --keyserver-recv command to locate a key on a keyserver and import it onto your keyring.

 To import a key from a keyserver:

1 On the command line, enter:

pgp --keyserver-recv <input> --keyserver <ks>

where:

<input> is the user ID, portion of the user ID, or key ID of the key you want to get onto your keyring.

To get a specific key, use the key ID. To get one or more keys, use the user ID or portion of the user ID.

<ks> is the name of the keyserver you want to search.

PGP® Command Line 10.1 First Steps

You can enter more than one keyserver to search, separated by a space. Only results from the first keyserver where there is a match will be returned.

For example:

pgp --keyserver-recv 0xABCD1234 --keyserver ldap://keyserver.pgp.com

The key with the key ID shown would be imported if it were on the specified keyserver.

2 Press Enter when the command is complete.

PGP Command Line responds by listing the key(s) it found on the specified keyserver that matched the criteria you specified and that the key(s) was imported:

pgp:keyserver receive (2504:successful search on ldap://keyserver.pgp.com)

0xABCD1234:keyserver receive (0:key imported as Alice C

ac@example.com>.)

Note: If you want to make sure the key was imported onto your keyring, use

the --list-keys command (the short form is -l) to see what keys are currently on your keyring.

Verifying Keys

If you have information you want to send to someone privately, and you are going to the trouble to encrypt it so that it stays private, then it is probably also important that you make sure the public key you have obtained and are going to use to encrypt your important information is actually from the person or organization that you believe it to be from.

One way to do this is to compare the fingerprint of the public key you have with the fingerprint of the real key. You could, for example, call the person on the phone and ask them to read the fingerprint of their key.

Some people also put the fingerprint of their PGP key on their Web site or on their business card, making it easy to compare the fingerprint of the real key with the fingerprint of the public key you have.

Use the --fingerprint command to see the fingerprint of any of the keys currently on your keyring; refer to --fingerprint (page

80) for more information.

PGP® Command Line 10.1 First Steps

 To view the fingerprint of a key:

1 On the command line, enter:

pgp --fingerprint <input>

where:

<input> is the user ID, portion of the user ID, or key ID of the key whose fingerprint you want to see.

If you don’t enter any input, PGP Command Line will display the fingerprints of all keys on your keyrings.

For example:

pgp --fingerprint 0xABCD1234

The user ID and the fingerprint of the key with the key ID shown would display if it were on either keyring.

pgp --fingerprint

The user IDs and the fingerprints of all keys on both keyrings would display.

2 Press Enter when the command is complete.

PGP Command Line responds by listing the user ID of the key(s) it found that matched the criteria you specified and the fingerprint of that key using the following format:

Alice Cameron <

alice@example.com>

896A 4A96 9C3A 3BEC C87C EA8B 2CDB B87B 2CEB 53CC

Cryptographic Operations

This chapter describes the commands used in PGP Command Line that relate to cryptographic operations. These commands are:

 --armor (-a) (page  --clearsign (page  --decrypt (page  --detached (-b) (page  --dump-packets | --list-packets, which dumps the packets in a

PGP message.

 --encrypt (-e) (page  --export-session-key (page

was used to encrypt data to a separate file.

 --list-sda (page  --list-archive (page  --sign (-s) (page  --symmetric (-c) (page

cipher.

 --verify (page

output.

58), which converts a file to ASCII armor format.

60), which creates a clear signature.

62), which decrypts encrypted data.

64), which creates a detached signature.

66), which encrypts your data.

70), which exports the session key that

71), which lists the contents of an SDA.

71), which lists the contents of a PGP Zip archive.

72), which signs your data.

74), which encrypts data using a symmetric

75), which lets you verify data without creating any

Overview

In This Chapter

Overview ................................................................................................. 57

Commands .............................................................................................. 58

This chapter covers four of PGP Command Line’s most significant cryptographic operations: encrypting, signing, decrypting, and verifying:

PGP® Command Line 10.1 Cryptographic Operations

 Encrypt: A method of scrambling information to render it unreadable to

anyone except the intended recipient, who must decrypt it to read it. You use PGP Command Line to encrypt your important information so that if it is stolen from a hard drive or intercepted while in transit, it is of no value to the person who has taken it because they cannot decrypt it.

 Sign: When you sign a message or file, PGP Command Line uses your

private key to create a digital code that is unique to both the contents of the

message/file and your private key. Only your public key can be used to verify your signature.

 Decrypt: When you receive decrypted data, it’s of no value until you

decrypt it. To do this, you need to use the private key of the key pair that includes the public key that was used to encrypt the data.

 Verify: In addition to decrypting your data so that you can use it, you

should also verify the files you use with PGP Command Line, including data, signature, and key files, to make sure they have not been tampered with.

For more information about these cryptographic operations, refer to An Introduction to Cryptography, which was installed with PGP Command Line.

Commands

--armor (-a)

The commands that relate to encrypting and signing are described in the following sections.

Armors data, produces a PGP armored file, and changes the default file extension from .pgp or .sig to .asc. The resulting ASCII armored data format is used with email systems that only allow ASCII printable characters. It converts the plaintext by expanding groups of three binary 8-bit bytes into four (4) printable ASCII characters, and the resulting file expands in size by approximately 33 percent.

The usage format is:

pgp --armor <input> [<input2> ...] [options]

Where:

<input> is the file to be armored. It is either in the current directory, or its location has to be defined using a relative or absolute path. Multiple files can be armored.

[options] let you modify the command:

--comment. Saves a comment at the beginning of the file with the header

tag "Comment".

PGP® Command Line 10.1 Cryptographic Operations

--compress. Compresses the output file.

--compression-algorithm. Sets the compression algorithm. The

default for this option is zip.

--eyes-only. Text inputs that are processed using this option can only be decrypted to the screen.

--input-cleanup. This option will clean up the input file, depending on the arguments you specify: off (default), remove, or wipe.

--output. Lets you specify a different name for the armored file.

--overwrite. Sets the overwrite behavior when PGP Command Line

tries to create an output file with the same name that already exists in the directory. This option accepts the following arguments: off (default), remove, rename, or wipe.

--temp-cleanup. Cleans up the temporary file(s), depending on the arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

--text. Forces the input to canonical text mode. Do not use with binary files. Automatic detection of file types is not supported.

-v|--verbose. Gives a verbose (detailed) report about the operation.

The option --compression-algorithm is allowed when --armor is the primary operation (armor only). When --armor is combined with --sign or

--encrypt operations, check these operations for details about setting the compression algorithm.

Examples:

1 pgp --armor report.txt --overwrite remove

The ASCII armored output file "report.txt.asc" replaced the existing file with the same name, which was removed by overwriting.

2 pgp -a report.txt --compression-algorithm zlib

The ASCII armored file "report.txt.asc" is compressed using the ZLIB compression algorithm.

Using --armor as an option with other commands to armor a file:

The usage format is:

pgp command1 input command2 user [--passphrase] pass

--armor

Examples:

1 pgp --sign report.txt --signer <

alice@example.com>

--passphrase 'cam3r0n' --armor

The output file is an armored file "report.txt.asc", which contains Alice’s signature.

PGP® Command Line 10.1 Cryptographic Operations

2 pgp -er "Bill Brown" report.txt --armor --comment

"Urgent"

Creates the ASCII armored file "report.txt.asc," which is encrypted for Bill and has the plaintext comment "Urgent" displayed on top of the encrypted file:

-----BEGIN PGP MESSAGE-----

Version: PGP Command Line v10.0 (OSX)

Comment: Urgent

qANQR1DBwEwDRB9gEpFtI3MBB/0UL7GQa1xr0LCp54FKg/FN4KZNlr+ DrD3IGi0P

e5xyNUQcYnQ2YqZYO2kDuFkOEJ1lE1HyixLs4m4ETYxhT3EH/VA+yIj qqBHOwl6k

MXzGN9fNFcp8SoQZGVlOm6bLWOtRY/5W2E90B0iB+f3Pv/VHiN5gDO/ FmvzREJke

--clearsign

Causes the document to be wrapped in an ASCII-armored signature but otherwise does not modify the document. The signed message can be verified to ensure that the original document has not been changed. To verify the signed message, use --verify.

The usage format is:

pgp --clearsign <input> [<input2> ...] --signer <user>

--passphrase <pass> [options]

Where:

<input> is the name of the file to be clear-signed. It is required. You can clear-sign multiple files by listing them, separated by a space.

<user> is the user ID, portion of the user ID, or the key ID of the clearsigner. The private key of the clear-signer must be on the keyring. If <user> is not specified, the default key is used.

<pass> is the passphrase of the private key of the clear-signer. It is required.

[options] let you modify the command. Options are:

--comment saves a comment at the beginning of the file with the header

tag "Comment".

--input-cleanup cleans up the input file, depending on the arguments you specify: off (default), remove, or wipe.

PGP® Command Line 10.1 Cryptographic Operations

--overwrite sets the overwrite behavior when PGP Command Line tries to create an output file with the same name that already exists in the directory. This option accepts the following arguments: off (default), remove, rename, or wipe.

--temp-cleanup cleans up the temporary file(s) depending on the arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

--text forces the input to canonical text mode. Do not use with binary files (automatic detection of file types is not supported).

-v|--verbose gives a verbose (detailed) report about the operation.

Example:

pgp --clearsign newnote.txt --signer

bob@example.com

--passphrase 'B0bsm1t4'

newnote.txt:sign (0:output file newnote.txt.asc)

The resulting file "newnote.txt.asc" will have the unchanged text, "wrapped" between the header and the footer such as this:

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA256

…

(the unchanged text in the file "new.note.asc")

-----BEGIN PGP SIGNATURE-----

Version: PGP Command Line v10.1 (Win32)

iQEVAwUBQZF+rbnA+IViRSc+AQiSpQgAnaGd+6/4iOoQ+bsawPB632c EE9Ypa6wL

/9DeSFgn2mmFIIIOaHljBGheJpIhax4BBDut2ngpOxIUywMEpMuD3Zw 05IUGD7n

r/+YseC6Hteb/S3j9ib0JCd97IxE54MA5DvSX07xTqAjc1ddBqkP8tK 28kTmlJGN

0QEFJ/zti/k6IYSKP8QSQ+x+aTto2pioibk6QXz4NDWttZ30g4BFefx QnwNwYPf7

+kbq2fY+VHn0nkIPPrN+8vHskNklO4rxEZccLKPFGdoRPWc9hEkIqDE BOXt7CWJf

016AaKwF7wWtz1yWAZJXzfr/EHXRqOBWZb9F/cMimqgnvCnQI/i9VA= =

=GE1E

-----END PGP SIGNATURE-----

PGP® Command Line 10.1 Cryptographic Operations

--decrypt

Decrypts encrypted data. If data being decrypted is also signed, the signature is automatically verified during the decryption process.

To decrypt with a MAK (managed asymmetric key) or a MEK on a PGP KMS, you must specify a PGP KMS on the command line as well as follow

--decrypt-with with a MAK or MEK identifier: either the name, prefix of a name, or UUID of a MAK or MEK. For example: --decrypt-with MAKid

--usp-server universal.example.com. An error results if PGP Command Line can match the identifier to more than one MAK or MEK on the PGP KMS.

The usage format is:

pgp --decrypt <input> [<input2> ...] [<inputd>...] [options]

Where:

<input> is the name of the file to be decrypted. It is required.

[options] let you modify the command. Options are:

--annotate adds annotations (information that PGP Command Line

processed the data in a certain way) when processing email messages.

--archive. When you decrypt archives, note the following:

 if you specify --archive, the contents of the archive are extracted  if you do not specify --archive, only the .tar file is extracted

<inputd>. Additional detached signature target files are allowed. Note that PGP Command does not write output when decrypting detached signature files.

--decrypt-with is required to decrypt with a MAK (managed asymmetric key) from a PGP KMS.

--email processes input data as an RFC 822-encoded email message, which means that MIME headers and CRLF line endings will be respected by PGP Command Line.

--eyes-only. Text inputs that are processed using this option can only be decrypted to the screen: the recipient must view the output on screen when decrypting a message. The default is off.

When decrypting data that is marked for your eyes only, PGP Command Line generates an error if the option --eyes-only is not specified.

--input-cleanup cleans up the input file, depending on the arguments you specify: off (default), remove, or wipe.

--output lets you specify a different name for the decrypted file.

PGP® Command Line 10.1 Cryptographic Operations

--overwrite sets the overwrite behavior when PGP Command Line tries to create an output file and it already exists. It accepts the following arguments: off (default), remove, rename, or wipe.

--passphrase is used for [asymmetrically] encrypted files

--sda. When decrypting SDAs, the option --sda must be specified or PGP

Command Line will not be able to find PGP data.

To decrypt an SDA, you need either --symmetric-passphrase or

--passphrase. Note that the symmetric passphrase cannot have an empty string (" "), while the asymmetric passphrase can have an empty string because such passphrase references a private key.

When decrypting SDAs or archives, files will be automatically overwritten. The option -o (output) can be used to specify the output directory; this directory will be created if it does not exist.

--symmetric-passphrase is used for symmetrically encrypted files.

--temp-cleanup cleans up the temporary file(s), depending on the

arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

-v|--verbose gives a verbose (detailed) report about the operation.

Examples:

1 pgp --decrypt note.txt.pgp --symmetric-passphrase

'cam3r0n' --overwrite remove

Decrypts the file to "note.txt" and removes the existing file with the same name by overwriting it.

2 pgp --decrypt keyshares.exe --sda --symmetric-

passphrase 'B0bsm1t4'

keyshares.exe:decrypt (0:directory created successfully)

keyshares.exe:decrypt (0:output file keyshares\Alice Cameron-1-Bob Smith.shf)

keyshares.exe:decrypt (0:output file keyshares\Alice Cameron-2-John Jones.shf)

keyshares.exe:decrypt (0:output file keyshares\Alice Cameron-3-Bill Brown.shf)

keyshares.exe:decrypt (0:output file keyshares\pgp)

keyshares.exe:decrypt (0:SDA decoded successfully)

Decrypts a SDA.

3 pgp --decrypt keyshares.exe --symmetric-passphrase

'B0bsm1t4'

keyshares.exe:decrypt (3031:input does not contain PGP data)

PGP® Command Line 10.1 Cryptographic Operations

If you do not enter the option --sda. PGP Command Line will not recognize the SDA you want to decrypt and uncompress.

4 pgp --decrypt note.txt.sig --passphrase 'B0bsm1t4'

note.txt:decrypt (1082:detached signature target file)

note.txt.sig:decrypt (3038:signing key 0x6245273E Bob Smith <

bob@example.com>)

note.txt.sig:decrypt (3040:signature created 2005-1028T12:44:38-07:00)

note.txt.sig:decrypt (3035:good signature)

Decrypts the detached signature file "note.txt.sig". When decrypting detached signature files, you will get only a status message as output.

5 pgp --decrypt bobsarchive.pgp --passphrase 'B0bsm1t4'

bobsarchive.pgp:decrypt (0:output file bobsarchive.tar)

Decrypts the archive file into a tar file.

6 pgp --decrypt bobsarchive.pgp --passphrase 'B0bsm1t4' -

-archive

--detached (-b)

bobsarchive.pgp:decrypt (0:output file .\note.txt)

bobsarchive.pgp:decrypt (0:output file .\report.doc)

Decrypts the archive file into the actual archived files "note.txt" and report.doc, with their path information included.

Signs data and creates a detached signature. If you use this command to sign a document, both the document and detached signature are needed to verify the signature. To verify the signed message, use --verify.

The usage format is:

pgp --detached <input> [<input2> ...] --signer <user>

--passphrase <pass> [options]

Where:

<input> is the name of the file for which the detached signature is being created. It is required. You can create a detached signature for multiple files by listing them, separated by a space.

<user> is the user ID, portion of the user ID, or the key ID of the signer. It is required. The private key of the signer must be on the keyring.

<pass> is the passphrase of the private key of the signer. It is required.

[options] let you modify the command. Options are:

--armor armors the data and changes the file extension from .sig to .asc.

PGP® Command Line 10.1 Cryptographic Operations

--comment saves a comment at the beginning of the file with the header tag "Comment". It works only if --armor is specified as well.

--input-cleanup cleans up the input file, depending on the arguments you specify: off (default), remove, or wipe.

--output lets you specify a different name for the created file.

--overwrite sets the overwrite behavior when PGP Command Line tries

to create an output file that already exists. This option accepts the following arguments: off (default), remove, rename, or wipe.

--temp-cleanup cleans up the temporary file(s), depending on the arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

--text forces the input to canonical text mode. Do not use this option with binary files (automatic detection of file types is not supported).

-v|--verbose gives a verbose (detailed) report about the operation.

Examples:

1 pgp -b note.txt --passphrase 'B0bsm1t4' --signer "Bob

Smith"

note.txt:sign (0:output file note.txt.sig)

Output is the file note.txt.sig, which contains Bob’s detached signature.

2 pgp --verify note.txt.sig

note.txt:verify (1082:detached signature target file)

note.txt.sig:verify (3038:signing key 0x6245273E Bob Smith <

bob@example.com>)

note.txt.sig:verify (3040:signature created 2005-1028T12:44:38-07:00)

note.txt.sig:verify (3035:good signature)

note.txt.sig:verify (0:verify complete)

The detached signature is verified.

--dump-packets, --list-packets

Dumps the packet information in a PGP message. Input is a list of files or standard input; output is always a standard output.

This command uses the normal output format for data blocks and displays hexadecimal values in the format "NN".

The usage format is:

pgp --dump-packets <input> [<input2> …] [options]

PGP® Command Line 10.1 Cryptographic Operations

Where:

<input> is a list of files or standard input.

<input2> are additional files.

[options] let you modify the command. Options are:

--buffered-stdio enables buffered stdio for stdin and stdout.

Example:

pgp --dump-packets TrainingDetails.msg

Processing file TrainingDetails.msg

New: unknown(tag 16)(4049 bytes)

Old: Trust Packet(tag 12)(46 bytes)

Trust - 00 30 00 5f 00 30 00 30 00 36 00 34 00 30 00 30 00 31 00 45 00 00 00 00 00 00 00 00

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2a

Old: Reserved(tag 0)(2 bytes)

File TrainingDetails.msg complete

--encrypt (-e)

Encrypts a document to specified recipients. Input is either the standard input or a list of files. Output is either the standard output, a list of files, or an archive. If you use standard input, note that it cannot be combined with other inputs.

To encrypt to a MAK or MEK on a PGP KMS, a MAK or MEK ID and the PGP KMS must be specified on the command line. For example: MAKid | MEKid

--usp-server universal.example.com. The identifier can be either the name, prefix of a name, or UUID of the MAK or MEK. An error results if PGP Command Line can match the identifier to more than one MAK or MEK on the PGP KMS.

Note: The --encrypt command is not used for symmetric encryption;

instead, use the --symmetric command, described in --symmetric (-c) (page 74).

When encrypting, the preferred cipher and compression algorithms of the recipient is used. If there is more than one recipient, the most compatible algorithm is used. Note that you cannot specify a one-time cipher or compression algorithm with --encrypt.

The usage format is:

pgp --encrypt <input> [<input2> ...] --recipient <user> [-r <user2> ...] [options]

PGP® Command Line 10.1 Cryptographic Operations

Where:

<input> is the name of the file to be encrypted. It is required. You can encrypt multiple files by listing them, separated by a space. The default output filename for an encrypted file is <input filename>.pgp. Note that stdin can be used only by itself and cannot be combined with other inputs.

<user> is the user ID, portion of the user ID, or the key ID of the recipient. It is required. The public key of the recipient must be on the keyring. You must specify a recipient; you cannot encrypt to your own key by not specifying a recipient. You can encrypt the file to multiple recipients by listing them, separated by a space.

[options] let you modify the command. Options are:

--adk can be used only together with the option --sda. Note that if any of the keys used with the option --adk have ADKs, they will also be used.

--anonymize hides the key IDs of recipients. This allows you to encrypt

to multiple recipients without any of the recipients being able to see who else the data was encrypted to when they decrypt it.

--archive saves the output as an archive. It cannot be used with the options --text-mode or --sda. When using --archive, directories can be in the input file: without this option, the directories are skipped.

-a or --armor armors the encrypted file.

--cipher. If the option --cipher is used, the existing cipher will be

forcefully overridden and the key preferences and algorithm lists in the SDK will be ignored. This can create messages that don’t comply with the OpenPGP standard. This option must be used together with the option

--force.

--comment saves a comment at the beginning of the file with the header

tag "Comment". It works only if --armor is specified as well.

--compress toggles compression. If enabled, the preferred compression algorithm of the recipient is used.

--compression-algorithm. If the option --compressionalgorithm is used, the existing compression algorithm will be forcefully

overridden and the key preferences and algorithm lists in the SDK will be ignored. This can create messages that do not comply with the OpenPGP standard. This option must be used together with the option --force.

--email processes input data as an RFC 822-encoded email message, which means that MIME headers and CRLF line endings will be respected by PGP Command Line. The resulting file has a .pgp extension. Note that PGP Command Line does not send the resulting encrypted message, it only creates it.

--encrypt-to-self lets you encrypt to the default key in addition to any other specified keys. The default is off.

PGP® Command Line 10.1 Cryptographic Operations

--eyes-only. Text inputs that are processed using this option can only be decrypted to the screen.

--force required to use --compression-algorithm and --cipher.

--input-cleanup cleans up the input file, depending on the arguments

you specify: off (default), remove, or wipe.

--output lets you specify a different name for the encrypted file.

--overwrite sets the overwrite behavior when PGP Command Line tries

to create an output file that already exists. This option accepts the following arguments: off (default), remove, rename, or wipe.

--root-path can only be used with either --sda or --archive.

--sda cannot be used together with the command --sign (such as -es). For more information, refer to the option --sda.

--sign lets you sign the encrypted file.

--temp-cleanup cleans up the temporary file(s) depending on the

arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

--text forces the input to canonical text mode. Do not use with binary files (automatic detection of file types is not supported).

-v |--verbose gives a verbose (detailed) report about the operation.

Refer to the descriptions of these options or to the man page for information about how to use these options.

Examples:

1 pgp --encrypt report.txt README.rtf -r "Bill Brown" -r

"Mary Smith" -r "Bob Smith"

The files "report.txt" and "README.rtf" are encrypted to multiple recipients.

2 pgp -er "Bob Smith" report.txt --eyes-only

The output file "readme.txt.pgp" is encrypted for Bob’s "eyes only", which means that he can read the file only on the screen.

3 pgp -e report.doc -r "Bob Smith" --output newreport.pgp

-v

The output file is "newreport.pgp", and the on-screen message contains the following detailed information about the performed operation:

pgp:encrypt (3157:current local time 2005-1105T12:13:09-08:00)

/Users/bobsmith/.pgp/pubring.pkr:open keyrings (1006:public keyring)

/Users/bobsmith/.pgp/secring.skr:open keyrings (1007:private keyring)

0x4A8C54B8:encrypt (1030:key added to recipient list)

PGP® Command Line 10.1 Cryptographic Operations

report.doc:encrypt (3048:data encrypted with cipher AES-128)

report.doc:encrypt (0:output file newreport.pgp)

4 pgp -er "Bob Smith" report.doc --output /Users

report.doc:encrypt (0:output file /Users/report.doc.pgp)

You have encrypted the file report.doc to the specified directory.

5 pgp -er "Bob Smith" *.doc

myreport.doc:encrypt (0:output file myreport.doc.pgp)

report.doc:encrypt (0:output file report.doc.pgp)

Both files with the extension .doc were encrypted for the user Bob.

6 pgp -er "Bob Smith" *.doc -output /Users

myreport.doc:encrypt (0:output file /Users/myreport.doc.pgp)

report.doc:encrypt (0:output file /Users/report.doc.pgp)

You have encrypted all files with the extension .doc to another directory.

7 pgp -er "Bob Smith" *.doc --output archive.pgp

pgp:encrypt (3028:multiple inputs cannot be sent to a single output file)

Nothing happened because archive mode was not enabled.

8 pgp -er "Bob Smith" *.doc --output archive.pgp

--archive

pgp00000.tmp:encrypt (3110:archive imported myreport.doc)

pgp00000.tmp:encrypt (3110:archive imported report.doc)

pgp00000.tmp:encrypt (0:output file archive.pgp)

With the option --archive added, the two doc files are encrypted into archive.pgp.

9 pgp -er "Bob Smith" /Users/note.txt

/Users/note.txt:encrypt (0:output file /Users/note.txt.pgp)

In this case, you have encrypted the file note.txt, which was located in another directory.

10 pgp -er "Bob Smith" /Users/*.txt -o MyNewArchive.pgp

--archive

pgp00000.tmp:encrypt (3110:archive imported /Users/note.txt)

PGP® Command Line 10.1 Cryptographic Operations

pgp00000.tmp:encrypt (3110:archive imported /Users/note2.txt)

pgp00000.tmp:encrypt (0:output file MyNewArchive.pgp)

In this case, you have encrypted multiple text files located in another directory into a new archive in your local directory.

11 pgp -er "Bob Smith" /Data/emailmessage.txt --email

In this case, you have encrypted the file emailmessage.txt, an RFC 822encoded email message. The encrypted file emailmessage.txt.pgp will result.

--export-session-key

Exports the session key of an encrypted message. This key is used to encrypt each set of data on a transaction basis, and a different session key is used for each communication session. Output of this command is a key file with the extension .key, which contains the key fingerprint of the key used during the session that produced the encrypted file.

Using the session key, it is possible to decrypt a document without the recipient’s private key and its passphrase. Therefore, it reveals only the content of a specific message without compromising the private recipient’s key (which would reveal all messages encrypted to that key). Note that a user cannot directly specify a session key during encryption.

The usage format is:

pgp --export-session-key <input> [<input2> ...]

--passphrase <pass> [--output]

Where:

<input> is the encrypted file whose session key is to be exported to a separate file. It is required. Multiple files can have their session key exported as well; each encrypted file must be listed, separated by a space.

--passphrase is needed for encrypted files (--symmetricpassphrase is used for conventionally encrypted files, but

--passphrase will also work)

--output lets you specify a different filename for the resulting file.

Refer to the descriptions of these options for information about how to use them.

Example:

1 pgp -e report.doc -r "Bob Smith" --output

BobsReport.pgp

report.doc:encrypt (0:output file BobsReport.pgp)

First, the file report.doc was encrypted into BobsReport.pgp.

PGP® Command Line 10.1 Cryptographic Operations

2 pgp --export-session-key BobsReport.pgp --passphrase

'B0bsm1t4'

BobsReport.pgp:export session key (0:output file report.doc.key)

Second, the key used for the encrypting session was exported into the file report.doc.key, which contains the fingerprint of the key used for the session, such as:

7:8F042E99E383FCD4921FD74A63C514D3

--list-sda

Lists the contents of a Self-Decrypting Archive (SDA). The entire SDA needs to be decrypted in order to list its contents, which could take up to several minutes (depending on the number and size of the files in the archive).

The usage format is:

pgp --list-sda <input> --passphrase <pass>

Where:

--list-archive

<input> is an SDA file, such as reports.exe. Output is always the standard output.

<pass> This is a passphrase or symmetric passphrase with which the SDA was encrypted.

Example:

pgp --list-sda reports.exe --symmetric-passphrase 'B0bsm1t4'

reports\

reports\README.rtf

reports\README.txt

reports\report.txt

reports.exe:list SDA (0:SDA decoded successfully)

The archive "reports.exe" was decrypted and listed.

Lists the contents of a PGP Zip archive, which lets you add any combination of files and folders to an encrypted, compressed, portable archive.

A PGP Zip archive is an excellent way to distribute files and folders securely or back them up. Refer to --archive for more information about PGP Zip archives.

The usage format is:

pgp --list-archive <input> [<input2> ...] --passphrase <pass>

PGP® Command Line 10.1 Cryptographic Operations

Where:

<input> is the PGP archive(s) whose files you want to list.

<pass> is the passphrase of the archive whose files you want to list.

Example:

pgp --list-archive archive.pgp --passphrase 'B0bsm1t4'

In this case, the archive is located in the local directory and no directory path is displayed.

report.txt

--sign (-s)

README.txt

Signs a document, without encrypting it. You can sign and encrypt a file at the same time using the command -es. Input is a standard input or a list of files; output is a standard output or a list of files.

To sign with a MAK on a PGP KMS, --signer, a MAK ID, and the PGP KMS must be specified on the command line. The identifier can be either the name, prefix of a name, or UUID of the MAK. An error results if PGP Command Line can match the identifier to more than one MAK.

The usage format is:

pgp --sign <input> [<input2> ...] --passphrase <pass> [--signer <user>] [options]

Where:

<input> is the name of the file to be signed. It is required. You can sign multiple files by listing them, separated by a space.

<pass> is the passphrase of the private key of the signer. It is required.

<user> is the user ID, portion of the user ID, or the key ID of the signer.

The private key of the signer must be on the keyring. If <user> is not specified, the default key is used to sign.

[options] let you modify the command. Options are:

--archive allows you to create an unencrypted signed tar file. You

cannot use this archive until it is decrypted (the signature is removed). Using the option --sign with --archive, you can create a signed tar file that anyone can open.

-a, --armor. Armors the signed file.

--comment saves a comment at the beginning of the file with the header

tag "Comment". It works only if --armor is specified as well.

--compress toggles compression.

PGP® Command Line 10.1 Cryptographic Operations

--compression-algorithm. You can select the compression algorithm in case you are creating an attached opaque signature only (that is not encrypted), or when you are creating a conventionally encrypted and signed output.

--email processes input data as an RFC 822-encoded email message, which means that MIME headers and CRLF line endings will be respected by PGP Command Line.

--eyes-only. Text inputs that are processed using this option can be decrypted only to the screen.

--force. Required to use --hash.

--hash. If you use this option, the existing hash algorithm will be

forcefully overridden. Note that the key preferences and algorithm lists in the SDK will be ignored, which can lead to the creation of messages that violate OpenPGP standard. You must use the option --force with

--hash.

--input-cleanup cleans up the input file, depending on the arguments

you specify: off (default), remove, or wipe.

--output lets you specify a different name for the signed file.

--overwrite sets the overwrite behavior when PGP Command Line tries

to create an output file that already exists. This option accepts the following arguments: off (default), remove, rename, or wipe.

--signer is required to sign with a MAK (managed asymmetric key).

--temp-cleanup cleans up the temporary file(s) depending on the

arguments you specify: off, remove, or wipe (default). For large encryption jobs, this option should be set to remove to speed up the process.

--text forces the input to canonical text mode. Do not use with binary files (automatic detection of file types is not supported).

-v|--verbose gives a verbose (detailed) report about the operation.

Refer to the descriptions of these options or to the man page for information about how to use these options.

Examples:

1 pgp -s report.txt --signer "Bob Smith" --passphrase

'B0bsm1t4'

report.txt:sign (0:output file report.txt.pgp)

Output is "report.txt.pgp" signed by Bob.

2 pgp -es report.txt -r

bob@example.com --passphrase

'cam3r0n'

This command produces "report.txt.pgp," which is encrypted for Bob and signed by Alice using her passphrase (we assume that her key is the default signing key and the option --signer is not used).

PGP® Command Line 10.1 Cryptographic Operations

3 pgp -s report.txt --signer "Bob Smith" --passphrase

'B0bsm1t4' --compression-algorithm zip

report.txt:sign (0:output file report.txt.pgp)

The file "report.txt.pgp" was signed by Bob and compressed using the Zip compression algorithm.

4 pgp -s report.doc note.txt --signer "Bob Smith"

--passphrase 'B0bsm1t4' -o NewArchive.pgp --archive

pgp00001.tmp:sign (3110:archive imported report.doc)

pgp00001.tmp:sign (3110:archive imported note.txt)

pgp00001.tmp:sign (0:output file NewArchive.pgp)

First, both files are signed and saved as a tar file NewArchive.pgp. This file cannot be used until the signature is removed by decrypting the file. This file is just opaquely signed, and you do not need a passphrase to verify the signature:

pgp --decrypt NewArchive.pgp

NewArchive.pgp:decrypt (3038:signing key 0x6245273E Bob Smith <

bob@example.com>)

--symmetric (-c)

NewArchive.pgp:decrypt (3040:signature created 2005-1111T16:40:42-08:00)

NewArchive.pgp:decrypt (3035:good signature)

NewArchive.pgp:decrypt (0:output file NewArchive.tar)

The resulting tar file can be uncompressed with utilities that are appropriate for your platform.

Encrypts data using symmetric encryption, not public-key encryption.

The usage format is:

pgp --symmetric <input> [<input2> ...] --symmetricpassphrase <pass> [options]

Where:

<input> is the name of the file to be symmetrically encrypted and it is required. You can encrypt multiple files by listing them, separated by a space. The default filename for an encrypted file is <input

filename>.pgp. You can modify the filename of the encrypted file using

--output.

<pass> is the passphrase you want to use for the symmetrically encrypted

file.

[options] let you modify the command. Options are:

--output lets you specify a different filename for the encrypted file.

PGP® Command Line 10.1 Cryptographic Operations

--sign lets you sign the encrypted file. If you use --sign with

--symmetric, you will need both --symmetric-passphrase for the encryption and --passphrase for the signature.

--armor armors the output file. File extension is changed to .asc.

--comment lets you specify a comment for armored data.

--text forces the <input> to supported.

--compress toggles compression.

--compression-algorithm specifies the compression algorithm to use

for the operation. The default is Zip.

--cipher specifies the cipher to use for the operation. The default is AES256.

--eyes-only prevents the decrypted output from being saved to disk; the decrypted output can only be displayed on-screen.

--encrypt-to-self lets you encrypt to the default key.

--archive lets you combine multiple files into a single .pgp file.

--overwrite lets you specify what to do if a file of the same name as the

output filename already exists.

--input-cleanup lets you specify what to do with <input> files when the operation is done. The default is off (leave them alone).

--temp-cleanup lets you specify how to handle temporary files. The default is to wipe them.

--verbose (-v) shows verbose results information.

Examples:

1 pgp --symmetric file.txt --symmetric-passphrase

'Bilbo$Frodo'

Encrypts a file, which will be called file.txt.pgp, using the passphrase "Bilbo$Frodo" without the quotes.

2 pgp -ec file.txt --symmetric-passphrase 'Bilbo$Frodo'

Same as above, using the short forms.

The important information about --encrypt also applies to --symmetric.

PGP® Command Line 10.1 Cryptographic Operations

--verify

Verifies that data was not tampered with and tests whether PGP Command Line can process the entire file.

It verifies data, signatures, and key files and works on all PGP Command Line data types. The command output describes what was verified.

To verify with a MAK (managed asymmetric key) on a PGP KMS, you must specify a PGP KMS on the command line as well as follow --verify-with with a MAK identifier: either the name, prefix of a name, or UUID of a MAK. For example: --verify-with MAKid --usp-server universal.example.com. An error results if PGP Command Line can match the MAK identifier to more than one MAK.

The usage format is:

pgp --verify <input> [<input2> ...] [options]

Where:

<input> is the file to be verified. It is required.

[options] let you modify the command. Options are:

--annotate adds annotations (information that PGP Command Line

processed the data in a certain way) when processing email messages.

--email processes input data as an RFC 822-encoded email message, which means that MIME headers and CRLF line endings will be respected by PGP Command Line.

--input-cleanup cleans up the input file, depending on the arguments you specify: off (default), remove, or wipe.

--passphrase | --symmetric-passphrase. This is the passphrase that is required for encrypted files.

-v | --verbose gives a verbose (detailed) report about the operation.

--verify-with is required to verify with a MAK (managed asymmetric

key) on a PGP KMS.

Refer to the descriptions of these options for information about how to use them.

PGP® Command Line 10.1 Cryptographic Operations

Example:

pgp --verify report.doc.pgp --passphrase 'B0bsm1t4'

report.doc.pgp:verify (3111:data is a PGP archive)

report.doc.pgp:verify (3042:suggested output file name report.doc.tar)

report.doc.pgp:verify (3038:signing key 0x6245273E Bob Smith <

bob@example.com>)

report.doc.pgp:verify (3040:signature created 2005-1110T13:58:07-08:00)

report.doc.pgp:verify (3035:good signature)

report.doc.pgp:verify (0:verify complete)

The file report.doc.pgp is verified.

Key Listings

This chapter describes the commands that list information about the PGP keys on keyrings.

These commands are:

 --fingerprint (page

in hexadecimal numbers or biometric words.

 --fingerprint-details (page

keyring and their subkeys, in hexadecimal numbers or biometric words.

 --list-key-details (page

detailed information about those keys.

 --list-keys (page  --list-keys-xml (page  --list-sig-details (page

signatures on a key.

 --list-sigs (page

and signatures on those keys.

 --list-userids (page

on those keys.

80), which lists the fingerprints of keys on your keyring,

81), which lists the fingerprints of keys on your

82), which lists the keys on the keyring and displays

83), which lists the keys on the keyring.

84), which lists keys in XML format.

85), which provides detailed information about

86), which lists the keys on the keyring and the user IDs

In This Chapter

Overview ................................................................................................. 79

Commands .............................................................................................. 80

Overview

At some point, you are going to need to know about the keys on your keyrings. The key listing commands provide those details. Using the commands in basic display mode gives you summary information about the keys on a keyring. Detailed display mode tells you everything there is to know about those keys.

Refer to Lists (on page signature lists show about a key.

239) for more information about what the key and

PGP® Command Line 10.1 Key Listings

Commands

The key listing commands are described in the following sections.

--fingerprint

Lists the fingerprints of keys on your keyring that match the supplied criteria. If you run the command with no user or key ID information, all key fingerprints will be displayed. If you enter any user or key ID information, only key fingerprints that match will be displayed.

The usage format is:

pgp --fingerprint [<user1> ...] [--biometric] [--verbose]

Where:

<user1> is the user ID, portion of a user ID, or the key ID of a key on your keyring. If you don’t supply a user ID, all fingerprints will be listed.

--biometric displays biometric words instead of hexadecimal numbers.

--verbose shows the key IDs under the primary user ID for each

fingerprint.

Examples:

pgp --fingerprint Alice

Displays the fingerprint in hexadecimal of any keys on the keyring that match "Alice" using the format:

Alice Cameron <

896A 4A96 9C3A 3BEC C87C EA8B 2CDB B87B 2CEB 53CC

pgp --fingerprint 0x12345678 --biometric

Displays the fingerprint in biometric words of the key with the specified key ID using the format:

Alice Cameron <

aimless photograph goldfish yesteryear

beeswax corporate crackdown millionaire

indoors upcoming choking sardonic

reward underfoot eyeglass amulet

sawdust holiness glitter therapist

alice@example.com>

1 key found

PGP® Command Line 10.1 Key Listings

--fingerprint-details

Lists the fingerprints and subkeys of keys on your keyring that match the supplied criteria. If you run the command with no user or key ID information, all key fingerprints will be displayed. If you enter any user or key ID information, only key fingerprints that match will be displayed.

Subkey fingerprints are displayed if found on the specified key. Hash names are the same as listed in the detailed key list mode.

Fingerprints are shown with one of the following prefixes:

 Key Fingerprint indicates that the following fingerprint is for a master key.  Subkey Fingerprint indicates that the following fingerprint is for a subkey.  X.509 <alg> Thumbprint indicates that the following thumbprint is for an

X.509 certificate, where <alg> is replaced by the hash algorithm used to create the thumbprint.

The usage format is:

pgp --fingerprint-details [<user1> ...] [--biometric]

Where:

<user1> is the user ID, portion of a user ID, or the key ID of a key on your keyring. If you do not supply a user ID, all fingerprints and subkeys will be listed.

--biometric displays biometric words instead of hexadecimal numbers.

Examples:

1 pgp --fingerprint-details Alice

Displays the fingerprint in hexadecimal of any keys on the keyring that match "Alice" using the format:

Alice Cameron <

alice@example.com>

Key Fingerprint: 0x6D2A476D (0x7B72AAE06D2A476D)

D2E0 23B2 53D0 49C9 6812 31AC 7B72 AAE0 6D2A 476D

Subkey Fingerprint: 0xB86FF2CF (0x0787EE48B86FF2CF)

DAB6 570B 9411 197D 5DDF A9B2 0787 EE48 B86F F2CF

2 pgp --fingerprint-details 0xF88C6910 --biometric

Displays the key and subkey fingerprints in biometric words of the key with the specified key ID using the format:

Alice Cameron <

alice@example.com>

Key Fingerprint: 0x6D2A476D (0x7B72AAE06D2A476D)

crucial performance ragtime adviser

PGP® Command Line 10.1 Key Listings

robust molasses stairway sardonic

beehive quantity spindle gravity

reform monument artist supportive

Vulcan megaton gazelle autopsy

Subkey Fingerprint: 0xB86FF2CF (0x0787EE48B86FF2CF)

chatter decimal snowcap caravan

breadline caravan pupil decimal

beeswax Wilmington tunnel nebula

bombast outfielder endorse Jupiter

--list-key-details

preclude Eskimo drainage sandalwood

Lists the keys on a keyring in detailed output mode. If you run the command with no user or key ID information, all keys on the keyring will be displayed. If you enter any user or key ID information, only keys that match will be displayed.

The usage format is:

pgp --list-key-details [<user1> ...]

Where:

<user1> is the user ID, portion of a user ID, or the key ID of a key on your keyring.

Example:

pgp --list-key-details Alice

Lists all of the keys on your keyrings using the format:

Key Details: Alice Cameron <

acameron@example.com>

Key ID: 0xB2726BDF (0xAAEB5E06B2726BDF)

Type: RSA (v4) key

Size: 2048

Validity: Complete

Trust: Implicit (Axiomatic)

Created: 2003-04-22

Expires: Never

Status: Active

Cipher: AES-192

Cipher: AES-128

Cipher: CAST5

PGP® Command Line 10.1 Key Listings

Cipher: TripleDES

Cipher: Twofish-256

Hash: SHA

Compress: Zip (Default)

Photo: No

Revocable: No

Token: No

Keyserver: keyserver.pgp.com

Default: No

Prop Flags: Sign user IDs

Prop Flags: Sign messages

Ksrv Flags: None

Feat Flags: Modification detection

Notations: 01 0x80000000

preferred-email-

encoding@pgp.com:pgp-mime

Subkey ID: 0x6F742FE6 (0x939BB8896F742FE6)

Type: ElGamal

Size: 2048

Created: 2003-04-22

Expires: Never

Status: Active

Revocable: No

Prop Flags: Encrypt communications

Prop Flags: Encrypt storage

ADK: None

Revoker: None

1 key found

PGP® Command Line 10.1 Key Listings

--list-keys (-l)

Lists the keys on a keyring in basic output mode. If you run the command with no user or key ID information, all keys on the keyring will be displayed. If you enter any user or key ID information, only keys that match will be displayed.

The usage format is:

pgp --list-keys [<user1> ...]

Where:

<user1> is the user ID, portion of a user ID, or the key ID of a key on your keyring.

Examples:

1 pgp --list-keys

Lists all of the keys on your keyrings using the format:

Alg Type Size/Type Flags Key ID User ID

--- ---- --------- ------- ---------- -----------------

-------

--list-keys-xml

DSS pub 2048/1024 [-----] 0xABCD1234 Alice C <

ac@example.com>

1 key found

2 pgp -l Alice Bob Jill

Uses the short form of the command; displays any key on the keyring with "Alice", "Bob", or "Jill" in the user ID.

3 pgp -l 0x12345678

Lists only the key with the specified key ID, if it is on the keyring.

When you choose to list a key in XML format, PGP Command Line will display all information including all user IDs and signatures. If you run the command with no user or key ID information, all keys on the keyring will be displayed. If you enter any user or key ID information, only keys that match will be displayed.

To list keys in XML format, you may use either the command --list-keys-

xml, or a key list operation with the added option --xml, such as --listkeys user1 --xml, or --list-keys --xml.

The usage format is:

pgp --list-keys-xml [<user1> …]

PGP® Command Line 10.1 Key Listings

Where:

<user1> is the name of the specific local user whose keys you want to check.

Example:

pgp --list-keys-xml "Jose Medina"

Here is an abbreviated key list in XML format.

<?xml version="1.0"?>

<key>

....

...

...

<adk>

--list-sig-details

...

</key>

</keyList>

Lists keys with their user IDs and signatures in detailed output mode.

The usage format is:

pgp --list-sig-details <user> [<user2> ...]

Where:

<user> is the user ID, portion of a user ID, or the key ID of a key on your keyring. You can list one or more users, with their names/IDs separated by a space. If you don’t specify a user, you will get an error message ("too many keys found").

Example:

pgp --list-sig-details Alice

Lists Alice’s key and shows details about her user IDs and signatures:

Signature Details: Alice Cameron <

alice@example.com>

Signed Key ID: 0xB2726BDF (0xAAEB5E06B2726BDF)

Signed User ID: Alice Cameron <

alice@example.com>

PGP® Command Line 10.1 Key Listings

Signer Key ID: 0xB2726BDF (0xAAEB5E06B2726BDF)

--list-sigs

Signer User ID: Alice Cameron <

Type: DSA signature

Exportable: Yes

Status: Active

Created: 2005-04-22

Expires: Never

Trust Depth: 0

Domain: None

1 signature found

Lists keys with their user IDs and signatures in basic output mode. If you run the command with no user or key ID information, all signatures on the keyring will be displayed. If you enter any user or key ID information, only signatures that match will be displayed.

The usage format is:

pgp --list-sigs [<user1> ...]

Where:

alice@example.com>

--list-userids

<user1> is the user ID, portion of a user ID, or the key ID of a key on the keyring.

Example:

pgp --list-sigs 0x12345678

Lists the user IDs and signatures on the key with the specified key ID, if it is on the keyring.

Lists keys and their user IDs in basic output mode. The command --list- users is the same as --list-userids.

The usage format is:

pgp --list-userids [<user1> ...]

Where:

<user1> is the user ID, portion of a user ID, or the key ID of a key on your keyring.

PGP Command Line - 10.1 User’s Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

PGP Command Line Basics

Important Concepts

Getting Started

Installation

Overview

System Requirements

Windows 7 and Vista

Windows Server 2008 and 2003

Standard Edition

Datacenter Edition

Enterprise Edition

Web Edition

Windows XP

32-bit Windows XP

64-bit Windows XP

Windows 2000

IBM AIX

HP-UX 11i

Solaris 9 and 10

Red Hat Enterprise Linux, SLES, and Fedora Core

Mac OS X

Installing on AIX

Installing on AIX

Changing the Home Directory on AIX

Uninstalling on AIX

Installing on HP-UX

Installing on HP-UX

Changing the Home Directory on HP-UX

Installing to a Non-Default Directory on HP-UX

Uninstalling on HP-UX

Installing on Mac OS X

Installing on Mac OS X

Changing the Home Directory on Mac OS X

Uninstalling on Mac OS X

Installing on Red Hat Enterprise Linux, SLES, or Fedora Core

Installing on Red Hat Enterprise Linux or Fedora Core

Changing the Home Directory on Linux or Fedora Core

Uninstalling on Linux or Fedora Core

Installing on Solaris

Installing on Solaris

Changing the Home Directory on Solaris

Uninstalling on Solaris

Installing on Windows

PGP Command Line for Windows and PGP Desktop on the Same System

To Install on Windows

Changing the Home Directory on Windows

Uninstalling on Windows

Licensing

Overview

License Recovery

Using a License Number

Re-Licensing

Through a Proxy Server

Overview

Flags and Arguments

Flags

Arguments

Booleans

Integers

Enumerations

Strings

Lists

File descriptors

No parent

Configuration File

Keyserver Configuration File Settings

Environment Variables

Standard Input, Output, and Error

Redirecting an Existing File

Entering Data

End-of-File

Specifying a Key

'Secure' Options

Passphrases

First Steps

Overview