PGP Command Line - 6.5 Instruction Manual

PGP Command Line Guide
Version 6.5
COPYRIGHT
Copyright © 1999 Network Associates Technology, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Network Associates Technology, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
* ActiveHelp, Bomb Shelter, Building a World of Trust, CipherLink, Clean-Up, Cloaking, Compass 7, CNX, CyberCop, CyberMedia, Data Security Letter, Discover, Distributed Sniffer System, Dr Solomon’s, Enterprise Secure Cast, First Aid, ForceField, Gauntlet, GMT, Hunter, ISDN Tel/Scope, LM 1, LANGuru, Leading Help Desk Technology, Magic Solutions, MagicSpy, MagicTree, Magic University, MagicWin, MagicWord, McAfee Associates, McAfee, MoneyMagic, More Power To You, Multimedia Cloaking, NetCrypto, NetRoom, NetScan, Net Shield, NetShield, NetStalker, Net Tools, NetOctopus, NetStalker, Network Associates, Network General, Network Uptime!, NetXRay, Nuts & Bolts, PC Medic, PCNotary, PGP, PGP (Pretty Good Privacy), PocketScope, PowerTelnet, Pretty Good Privacy, PrimeSupport, RecoverKey, RecoverKey-International, ReportMagic, RingFence, Router PM, Safe & Sound, SalesMagic, SecureCast, Service Level Manager, ServiceMagic, Site Meter, Sniffer, SniffMaster, SniffNet, Stalker, Statistical Information Retrieval (SIR), SupportMagic, T-POD, TeleSniffer, TIS, TMach, TMeg, Trusted Mach, Trusted Mail, Total Network Visibility, Total Virus Defense, Uninstaller, Virex, Virex-PC, Virus Forum, ViruScan, VirusScan, VShield, WebScan, WebShield, WebSniffer, WebStalker, WebWall, and ZAC 2000 are registered trademarks of Network Associates and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Portions of this software may use public key algorithms described in U.S. Patent numbers 4,200,770, 4,218,582, 4,405,829, and 4,424,414, licensed exclusively by Public Key Partners; the IDEA(tm) cryptographic cipher described in U.S. patent number 5,214,703, licensed from Ascom Tech AG; and the Northern Telecom Ltd., CAST Encryption Algorithm, licensed from Northern Telecom, Ltd. IDEA is a trademark of Ascom Tech AG. Network Associates Inc. may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or documentation does not give you any license to these patents. The compression code in PGP is by Mark Adler and Jean-Loup Gailly, used with permission from the free Info-ZIP implementation. LDAP software provided courtesy University of Michigan at Ann Arbor, Copyright © 1992-1996 Regents of the University of Michigan. All rights reserved. This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/). Copyright © 1995-1999 The Apache Group. All rights reserved. See text files included with the software or the PGP web site for further information.
LIMITED WARRANTY
Limited Warranty. Network Associates warrants that for sixty (60) days from the date of original purchase the media (for example diskettes) on which the Software is contained will be free from defects in materials and workmanship.
Customer Remedies. Network Associates' and its suppliers' entire liability and your exclusive remedy shall be, at Network Associates' option, either (i) return of the purchase price paid for the license, if any, or (ii) replacement of the defective media in which the Software is contained with a copy on nondefective media. You must return the defective media to Network Associates at your expense with a copy of your receipt. This limited warranty is void if the defect has resulted from accident, abuse, or misapplication. Any replacement media will be warranted for the remainder of the original warranty period. Outside the United States, this remedy is not available to the extent Network Associates is subject to restrictions under United States export control laws and regulations.
Warranty Disclaimer. To the maximum extent permitted by applicable law, and except for the limited warranty set forth herein, THE SOFTWARE IS PROVIDED ON AN "AS IS" BASIS WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. WITHOUT LIMITING THE FOREGOING PROVISIONS, YOU ASSUME RESPONSIBILITY FOR SELECTING THE SOFTWARE TO ACHIEVE YOUR INTENDED RESULTS, AND FOR THE INSTALLATION OF, USE OF, AND RESULTS OBTAINED FROM THE SOFTWARE. WITHOUT LIMITING THE FOREGOING PROVISIONS, NETWORK ASSOCIATES MAKES NO WARRANTY THAT THE SOFTWARE WILL BE ERROR-FREE OR FREE FROM INTERRUPTIONS OR OTHER FAILURES OR THAT THE SOFTWARE WILL MEET YOUR REQUIREMENTS. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NETWORK ASSOCIATES DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT WITH RESPECT TO THE SOFTWARE AND THE ACCOMPANYING DOCUMENTATION. SOME STATES AND JURISDICTIONS DO NOT ALLOW LIMITATIONS ON IMPLIED WARRANTIES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. The foregoing provisions shall be enforceable to the maximum extent permitted by applicable law.
LICENSE AGREEMENT
NOTICE TO ALL USERS: FOR THE SPECIFIC TERMS OF YOUR LICENSE TO USE THE SOFTWARE THAT THIS DOCUMENTATION DESCRIBES, CONSULT THE README.1ST, LICENSE.TXT, OR OTHER LICENSE DOCUMENT THAT ACCOMPANIES YOUR SOFTWARE, EITHER AS A TEXT FILE OR AS PART OF THE SOFTWARE PACKAGING. IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH THEREIN, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO THE PLACE OF PURCHASE FOR A FULL REFUND.
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau of Export Administration, United States Department of Commerce, which restrict the export and re-export of certain products and technical data.
Network Associates, Inc.
3965 Freedom Circle
Santa Clara, CA 95054
(408) 988-3832 main
http://www.nai.com
info@nai.com
* is sometimes used instead of the ® for registered trademarks to protect marks registered outside of the U.S.

Table of Contents

Preface .......... ix
    Organization of this Guide .......... ix
    Conventions used in this Guide .......... ix
    How to contact Network Associates .......... x
        Customer service .......... x
        Technical support .......... x
        Year 2000 Compliance .......... xi
        Network Associates training .......... xi
        Comments and feedback .......... xi
    Recommended Readings .......... xii
Chapter 1. Introducing PGP .......... 1
    Using PGP .......... 1
    A quick overview .......... 1
        Basic steps for using PGP .......... 2
Chapter 2. Getting Started .......... 5
    Starting PGP .......... 5
    Location of PGP files .......... 5
        PGPPATH: Set the pathname for PGP .......... 6
    Making PGP compatible with PGP 2.6.2 .......... 6
    Making and Exchanging Keys .......... 7
    Key concepts .......... 7
    Making a key pair .......... 8
    Protecting your keys .......... 10
    Distributing your public key .......... 11
    Summary of key server commands .......... 11
    Creating a passphrase that you will remember .......... 12
    PGP’s command line options .......... 13
        Entering PGP configuration parameters on the command line .......... 15
    Common PGP functions .......... 15
        Creating, disabling, reenabling, and revoking a key .......... 15
        Encrypting and decrypting messages .......... 16
        Wiping your disk .......... 17
        Signing messages .......... 17
        Specifying file types .......... 17
        Key maintenance commands .......... 18
        Creating signature certificates .......... 19
    Summary of commands .......... 20
    Cancelling an operation .......... 20
Chapter 3. Advanced Topics .......... 21
    Identifying your home directory: HOME .......... 21
    Using PGP non-interactively from UNIX shell scripts or MSDOS batch files .......... 21
        Suppressing unnecessary questions: BATCHMODE .......... 21
        Eliminating confirmation questions: FORCE .......... 22
        Understanding PGP exit status codes .......... 22
    Using PGP as a UNIX-style filter .......... 22
    Encrypting and transmitting binary data .......... 23
        Sending binary data files in ASCII-armored format without encryption or signature .......... 23
        Decrypting ASCII-armored messages .......... 24
        Sending a public key in ASCII-armored format .......... 24
    Sending ASCII text files to different machine environments .......... 24
    Managing Signature Certificates .......... 25
        Creating separate signature certificate and text files .......... 25
        Receiving separate signature certificate and text files .......... 25
    File Management Commands .......... 26
        Decrypting a message and viewing plaintext output on your screen .......... 26
        Decrypting a message and renaming the plaintext filename output .......... 26
        Decrypting a message and recovering the original plaintext filename .......... 26
        Deleting a key from the key server .......... 26
        Encrypting for viewing by recipient only .......... 27
        Storing signed files: Signing a file without encrypting .......... 27
        Wiping your disk .......... 27
    Key Management Commands .......... 28
        Editing your user ID or passphrase, or making an existing key your default signing key .......... 28
        Editing the trust parameters for a public key .......... 28
        Verifying the contents of your public keyring .......... 29
        Verifying a public key over the phone .......... 29
        Selecting keys using the key ID .......... 30
        PGPPASS: Store your passphrase .......... 30
        PGPPASSFD .......... 31
Chapter 4. PGP’s Configuration File .......... 33
    Learning about PGP’s configuration file: pgp.cfg .......... 33
        ARMOR: ASCII-armor output .......... 34
        ARMORLINES: Size of ASCII armor multipart files .......... 34
        CERT_DEPTH: Depth of introducers be nested .......... 35
        CLEARSIG: Signed message readable with human eyes .......... 35
        COMMENT: ASCII armor comment .......... 36
        COMPATIBLE: Enable user-interface compatibility with PGP 2.6.2 .......... 36
        COMPLETES_NEEDED: Number of completely trusted introducers needed .......... 36
        COMPRESS: Compression before encryption .......... 37
        CIPHERNUM .......... 37
        ENCRYPTTOSELF: Encrypt to self .......... 37
        FASTKEYGEN: Fast key generation .......... 37
        HASHNUM .......... 37
        INTERACTIVE: Confirmation for key adds .......... 38
        KEYSERVER_URL .......... 38
        MARGINALS_NEEDED: Number of marginally trusted introducers needed .......... 38
        MYNAME: Default user ID for signatures .......... 38
        PAGER: Shell command to display plaintext output .......... 39
        PGP_MIME .......... 39
        PGP_MIMEPARSE .......... 39
        PUBRING: Filename for your public keyring .......... 39
        RANDOMDEVICE .......... 40
        RANDSEED: Filename for random number seed .......... 40
        SECRING: Filename for your secret keyring .......... 40
        SHOWPASS: Echo passphrase to user .......... 40
        TMP: Directory pathname for temporary files .......... 41
        TEXTMODE: Assume plaintext is a text file .......... 41
        TZFIX: Time zone adjustment .......... 41
        VERBOSE: Quiet, normal, or verbose messages .......... 42
Appendix A. Exit And Error Codes .......... 43
Index .......... 45

Preface

Organization of this Guide

This Guide is divided into the following chapters:
Chapter 1, “Introducing PGP”: This chapter provides an introduction to using PGP Command Line software.
Chapter 2, “Getting Started”: This chapter describes how to start and stop PGP, how to make and exchange keys, and how to perform common PGP functions from the command line.
Chapter 3, “Advanced Topics”: This chapter describes how to use PGP non-interactively from UNIX shell scripts and MSDOS batch files, how to use PGP as a UNIX-style filter, and how to encrypt and transmit binary data.
Chapter 4, “PGP’s Configuration File”: This chapter introduces you to PGP’s configuration file and the configuration parameters in that file.

Conventions used in this Guide

The following describes the conventions used in this guide:
Bold: Menus, fields, options, and buttons are in bold typeface. An example follows: Select the Clear option from the Edit menu.
Sans-serif font: Pathnames, filenames, icon names, screen text, and special keys on the keyboard are shown in a sans-serif font.
Keystrokes: Keystrokes that you enter are shown in bold sans-serif type.
Variables: Command-line text for which you must supply a value is shown in italic sans-serif type.

How to contact Network Associates

Customer service

To order products or obtain product information, contact the Network Associates Customer Care department at (408) 988-3832 or write to the following address:
Network Associates, Inc.
McCandless Towers
3965 Freedom Circle
Santa Clara, CA 95054-1203 U.S.A.

Technical support

Network Associates is famous for its dedication to customer satisfaction. We have continued this tradition by making our site on the World Wide Web a valuable resource for answers to technical support issues. We encourage you to make this your first stop for answers to frequently asked questions, for updates to Network Associates software, and for access to Network Associates news and encryption information.
World Wide Web: http://www.nai.com
Technical Support for your PGP product is also available through these channels:
Phone: (408) 988-3832
Email: PGPSupport@pgp.com
If the automated services do not have the answers you need, contact Network Associates at one of the following numbers Monday through Friday between 6:00 A.M. and 6:00 P.M. Pacific time.
Phone: (408) 988-3832
To provide the answers you need quickly and efficiently, the Network Associates technical support staff needs some information about your computer and your software. Please have this information ready before you call:
• Product name and version number
• Computer brand and model
• Any additional hardware or peripherals connected to your computer
• Operating system type and version numbers
• Network type and version, if applicable
• Content of any status or error message displayed on screen, or appearing in a log file (not all products produce log files)
• Email application and version (if the problem involves using PGP with an email product, for example, the Eudora plug-in)
• Specific steps to reproduce the problem

Year 2000 Compliance

Information regarding NAI products that are Year 2000 compliant and its Year 2000 standards and testing models may be obtained from NAI’s website at http://www.nai.com/y2k. For further information, email y2k@nai.com.

Network Associates training

For information about scheduling on-site training for any Network Associates product, call (800) 338-8754.

Comments and feedback

Network Associates appreciates your comments and feedback, but incurs no obligation to you for information you submit. Please address your comments about PGP product documentation to: Network Associates, Inc., 3965 Freedom Circle, Santa Clara, CA 95054-1203 U.S.A. You can also e-mail comments to tns_documentation@nai.com.

Recommended Readings

Non-Technical and beginning technical books
• Whitfield Diffie and Susan Eva Landau, “Privacy on the Line,” MIT Press; ISBN: 0262041677. This book is a discussion of the history and policy surrounding cryptography and communications security. It is an excellent read, even for beginners and non-technical people, but with information that even a lot of experts don't know.
• David Kahn, “The Codebreakers,” Scribner; ISBN: 0684831309. This book is a history of codes and code breakers from the time of the Egyptians to the end of WWII. Kahn first wrote it in the sixties, and there is a revised edition published in 1996. This book won't teach you anything about how cryptography is done, but it has been the inspiration of the whole modern generation of cryptographers.
• Charlie Kaufman, Radia Perlman, and Mike Speciner, “Network Security: Private Communication in a Public World,” Prentice Hall; ISBN: 0-13-061466-1. This is a good description of network security systems and protocols, including descriptions of what works, what doesn't work, and why. Published in 1995, so it doesn't have many of the latest advances, but is still a good book. It also contains one of the most clear descriptions of how DES works of any book written.
Intermediate books
• Bruce Schneier, “Applied Cryptography: Protocols, Algorithms, and Source Code in C,” John Wiley & Sons; ISBN: 0-471-12845-7. This is a good beginning technical book on how a lot of cryptography works. If you want to become an expert, this is the place to start.
• Alfred J. Menezes, Paul C. van Oorschot, and Scott Vanstone, “Handbook of Applied Cryptography,” CRC Press; ISBN: 0-8493-8523-7. This is the technical book you should get after Schneier. There is a lot of heavy-duty math in this book, but it is nonetheless usable for those who do not understand the math.
• Richard E. Smith, “Internet Cryptography,” Addison-Wesley Pub Co; ISBN: 020192480. This book describes how many Internet security protocols work. Most importantly, it describes how systems that are designed well nonetheless end up with flaws through careless operation. This book is light on math, and heavy on practical information.
• William R. Cheswick and Steven M. Bellovin, “Firewalls and Internet Security: Repelling the Wily Hacker,” Addison-Wesley Pub Co; ISBN: 0201633574. This book is written by two senior researchers at AT&T Bell Labs, about their experiences maintaining and redesigning AT&T's Internet connection. Very readable.
Advanced books
• Neal Koblitz, “A Course in Number Theory and Cryptography,” Springer-Verlag; ISBN: 0-387-94293-9. An excellent graduate-level mathematics textbook on number theory and cryptography.
• Eli Biham and Adi Shamir, “Differential Cryptanalysis of the Data Encryption Standard,” Springer-Verlag; ISBN: 0-387-97930-1. This book describes the technique of differential cryptanalysis as applied to DES. It is an excellent book for learning about this technique.
Chapter 1. Introducing PGP
Welcome to PGP. With PGP, you can easily and securely protect the privacy of your data by encrypting it so that only intended individuals can read it. You can also digitally sign information, which ensures its authenticity.

Using PGP

This command line version of PGP is designed for two broad types of applications: transferring information securely between batch servers and integration into automated processes.
• A financial institution can use PGP to securely transfer files from one office to another. Files are encrypted to the receiving server’s key and sent by ftp to a directory on a remote server. The remote server periodically examines its receiving directory. When the remote server identifies newly transferred files, it decrypts the files and sends them to their final destination.
• UNIX and Windows developers can use this product to secure financial transactions that users make on the internet. For example, if you sell products on your website, you can include PGP in your scripts to automatically encrypt a customer’s order and credit card information for storage or transfer to a secure machine.
1. The term MSDOS batch files refers to a Windows NT command prompt. The term MSDOS means the command prompt window that exists in Windows NT.

A quick overview

PGP is based on a widely accepted encryption technology known as public key cryptography in which two complementary keys, called a key pair, are used to maintain secure communications. One of the keys is designated as a private key to which only you have access and the other is a public key which you freely exchange with other PGP users. Both your private and your public keys are stored in keyring files.
For a comprehensive overview of PGP encryption technology, refer to “An Introduction to Cryptography,” which is included with the product.

Basic steps for using PGP

This section takes a quick look at the procedures you normally follow in the course of using PGP. For details concerning any of these procedures, refer to the appropriate chapters in this book.
1. Install PGP on your computer. Refer to the documentation included with PGP for complete installation instructions.
2. Create a private and public key pair.
Before you can begin using PGP, you need to generate a key pair. A PGP key pair is composed of a private key to which only you have access and a public key that you can copy and make freely available to everyone with whom you exchange information.
You can create a new key pair any time after you have finished the PGP installation procedure.
For more information about creating a private and public key pair, refer to “Making a key pair” on page 8.
3. Exchange public keys with others.
After you have created a key pair, you can begin corresponding with other PGP users. You will need a copy of their public key and they will need yours. Your public key is just a block of text, so it’s quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when they need it.
For more information about exchanging public keys, refer to “Making and Exchanging Keys” on page 7 and “Distributing your public key” on page 11.
4. Validate public keys.
Once you have a copy of someone’s public key, you can add it to your public keyring. You should then check to make sure that the key has not been tampered with and that it really belongs to the purported owner. You do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key.
You can also accept a key as valid based on the presence of a signature from a trusted introducer. PGP users often have other trusted users sign their public keys to further attest to their authenticity. For instance, you might send a trusted colleague a copy of your public key with a request that he or she certify and return it so you can include the signature when you post your key on a public key server. Using PGP, when someone gets a copy of your public key, they don’t have to check the key’s authenticity themselves, but can instead rely on how well they trust the person(s) who signed your key. PGP provides the means for establishing this level of validity for each of the public keys you add to your public keyring. This means that when you get a key from someone whose key is signed by a trusted introducer, you can be fairly sure that the key belongs to the purported user.
Your Security Officer can act as a trusted introducer, and you may then trust any keys signed by the corporate key to be valid keys. If you work for a large company with several locations, you may have regional introducers, and your Security Officer may be a meta-introducer, or a trusted introducer of trusted introducers.
When you are sure that you have a valid public key, you sign it to indicate that you feel the key is safe to use. In addition, you can grant the owner of the key a level of trust indicating how much confidence you have in that person to vouch for the authenticity of someone else’s public key.
5. Encrypt and sign your email and files.
After you have generated your key pair and have exchanged public keys, you can begin encrypting and signing email messages and files.
6. Decrypt and verify your email and files.
When someone sends you encrypted data, you can decrypt the contents and verify any appended signature to make sure that the data originated with the alleged sender and that it has not been altered.
7. Wipe files.
When you need to permanently delete a file, you can use the wipe command to ensure that the file is unrecoverable. The file is immediately overwritten so that it cannot be retrieved using disk recovery software.
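Step 4 says to validate a key by comparing the fingerprint on your copy with the one the owner gives you, typically read aloud over the phone. The POSIX shell functions below are an added example, not part of PGP Command Line or this guide: they compare two fingerprints after normalising the spacing and letter case that differ between a fingerprint read aloud and one printed by PGP, and they refuse to compare anything of the wrong length, because a mistyped digit is the most common reason a legitimate key appears not to match. The lengths assumed (40 hex digits for a DSS/DH key, 32 for an RSA key) are how PGP prints fingerprints; every fingerprint in the usage is a constructed value, not a real key.

```shell
#!/bin/sh
# Compare two key fingerprints for the validation step described above.
# Added example; not part of PGP Command Line or its documentation.
# Usage: fp_matches "EXPECTED" "ACTUAL"
#   EXPECTED is the fingerprint as read to you by the key's owner,
#   ACTUAL is what PGP prints for the copy on your public keyring.
# Exit status: 0 = match, 1 = mismatch, 2 = malformed input.
LC_ALL=C; export LC_ALL

# normalize_fp STRING: keep only hex digits and upper-case them, so that
# "AB CD ef 01" and "abcdef01" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -cd '0-9A-Fa-f' | tr 'a-f' 'A-F'
}

fp_matches() {
    expected=$(normalize_fp "$1")
    actual=$(normalize_fp "$2")

    # A fingerprint is 40 hex digits for a DSS/DH key and 32 for an RSA key;
    # anything else means a transcription error, so refuse to compare it.
    for fp in "$expected" "$actual"; do
        case ${#fp} in
            32|40) ;;
            *) echo "malformed fingerprint (${#fp} hex digits): $fp" >&2
               return 2 ;;
        esac
    done

    # Both fingerprints must also be for the same kind of key.
    if [ "${#expected}" -ne "${#actual}" ]; then
        echo "fingerprint lengths differ: different key types" >&2
        return 1
    fi

    if [ "$expected" = "$actual" ]; then
        echo "fingerprints match"
        return 0
    fi
    echo "FINGERPRINT MISMATCH: do not sign or trust this key" >&2
    return 1
}
```

Only a match (exit status 0) should lead you to sign the key or raise its trust; a mismatch or a malformed value means you should obtain the fingerprint again rather than guess which side mistyped it.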
Chapter 2. Getting Started
This chapter covers the following topics:
• Starting and quitting PGP
• Making and exchanging key pairs
• Performing common PGP functions from the command line
• Viewing PGP’s online User Guide

Starting PGP

To start PGP, enter the following at the command line:
pgp
You can perform all PGP functions from the command line.

Location of PGP files

In UNIX:
The first time you start PGP, the software checks to see if the environment variable PGPPATH is defined. If PGPPATH is defined, the software puts the PGP preferences file, keyring files, pgp.cfg, and the randseed file in the %PGPPATH% directory.
If PGPPATH is not defined, the software checks to see if the environment variable USERPROFILE is defined. If USERPROFILE is defined, the software puts the files in the %USERPROFILE%\Application Data\pgp directory.
If USERPROFILE is not defined, the software puts the files in %SYSTEMROOT%\pgp.
In Windows NT:
The first time you start PGP, the software checks to see if the environment variable PGPPATH is defined. If PGPPATH is defined, the software puts the pgp.cfg in the %PGPPATH% directory.
If PGPPATH is not defined, the software checks to see if the environment variable USERPROFILE is defined. If USERPROFILE is defined, the software puts the pgp.cfg file in the %USERPROFILE%\Application Data\pgp directory.
If USERPROFILE is not defined, the software puts the pgp.cfg file in %SYSTEMROOT%\pgp.
The preference file is placed in the %USERPROFILE%\Application Data\pgp directory, and the preference file identifies where the default keyrings are placed (normally in the same directory, %USERPROFILE%\Application Data\pgp).
The randseed file is always placed in the %SYSTEMROOT% directory.

PGPPATH: Set the pathname for PGP

This parameter identifies the location of specific PGP files:
SET PGPPATH=<PGPpathname>
For example:
SET PGPPATH=C:\PGP
PGP needs to know where the following files are located:
• Your keyring files pubring.pkr and secring.skr
• The random number seed file randseed.rnd
• The PGP configuration file pgp.cfg (or .pgprc)
These files can be kept in any directory. Use the PGPPATH parameter to identify their location.
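As an added example, not part of PGP Command Line or this guide, the POSIX shell function below audits the directory that PGPPATH points at on a UNIX host. It checks that the files named above are present (accepting either pgp.cfg or .pgprc, as the list allows) and that the secret keyring and the random number seed file are readable by their owner only, since any account that can read secring.skr can take a copy and guess at the passphrase offline. The file names come from this section; the permission rule and the exit-status convention are my own choices for the example.

```shell
#!/bin/sh
# Audit the PGP directory that PGPPATH points at.
# Added example; not part of PGP Command Line or its documentation.
# Usage: check_pgp_home "$PGPPATH"    exit 0 = all checks passed, 1 = problems found

# other_readable FILE: succeeds if the group or "other" read bit is set.
# The mode string from ls -l is parsed (positions 5 and 8) so this works
# with any POSIX ls, without GNU-specific stat options.
other_readable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

check_pgp_home() {
    dir=$1
    problems=0

    # Files this section says PGP must be able to find through PGPPATH.
    for f in pubring.pkr secring.skr randseed.rnd; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f"
            problems=$((problems + 1))
        fi
    done
    # The configuration file may be called pgp.cfg or .pgprc.
    if [ ! -f "$dir/pgp.cfg" ] && [ ! -f "$dir/.pgprc" ]; then
        echo "missing: $dir/pgp.cfg (or .pgprc)"
        problems=$((problems + 1))
    fi

    # The secret keyring holds your passphrase-protected private keys and the
    # seed file feeds the random number generator; neither should be readable
    # by other accounts on the host.
    for f in secring.skr randseed.rnd; do
        if [ -f "$dir/$f" ] && other_readable "$dir/$f"; then
            echo "too permissive: $dir/$f is readable by group or others"
            problems=$((problems + 1))
        fi
    done

    [ "$problems" -eq 0 ]
}
```

Source the file (or paste the functions into a login script) and run check_pgp_home "$PGPPATH" after creating your keys and again after any backup or restore, since copying keyrings to another location is where permissions are most often widened.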

Making PGP compatible with PGP 2.6.2

This version of PGP includes a compatible switch that enables user-interface compatibility with PGP 2.6.2. You may require this feature for interoperation with scripts that parse the output or otherwise interact with PGP dialogues.
To activate this feature, add the following line to the configuration file, pgp.cfg:
COMPATIBLE=on
You can also enter +COMPATIBLE on the command line.

Making and Exchanging Keys

This section describes how to generate the public and private key pair that you need to correspond with other PGP users. It also explains how to distribute your public key and obtain the public keys of others so that you can begin exchanging private and authenticated email.

Key concepts

PGP is based on a widely accepted and highly trusted public key encryption system, as shown in Figure 2-1, by which you and other PGP users generate a key pair consisting of a private key and a public key. As its name implies, only you have access to your private key, but in order to correspond with other PGP users you need a copy of their public key and they need a copy of yours. You use your private key to sign the email messages and file attachments you send to others and to decrypt the messages and files they send to you. Conversely, you use the public keys of others to send them encrypted email and to verify their digital signatures.
[Figure 2-1. Public Key Cryptography diagram: plaintext, encryption with the public key, ciphertext, decryption with the private key, plaintext]

Making a key pair

Unless you have already done so while using another version of PGP, the first thing you need to do before sending or receiving encrypted and signed email is create a new key pair. A key pair consists of two keys: a private key that only you possess and a public key that you freely distribute to those with whom you correspond. You generate a new key pair from the PGP command line.
NOTE: If you are upgrading from an earlier version of PGP, you have probably already generated a private key and have distributed its matching public key to those with whom you correspond. In this case you don’t have to make a new key pair (as described in the next section). Instead, use the PGPPATH environment variable to identify the location of your existing keyrings. For more information, see "PGPPATH: Set the pathname for PGP" on page 6.
To create a new key pair
1. Enter the following at the command line:
pgp -kg
2. For DSS/DH enabled versions, go to Step 4.
For RSA enabled versions, choose the key type:
a. DSS/DH
b. RSA
Go to Step 4.
3. For DSS/DH enabled versions, select either a new signing key or add a new encryption subkey to an existing DSS key.
4. Select the key size you want to generate. A larger key size may take a long time to generate, depending on the speed of the computer you are using.
The key size corresponds to the number of bits used to construct your digital key. A larger key is stronger. However, when you use a larger key, it takes more time to encrypt and decrypt. You need to strike a balance between the convenience of performing PGP functions quickly with a smaller key and the increased level of security provided by a larger key. Unless you are exchanging extremely sensitive information that is of enough interest that someone would be willing to mount an expensive and time-consuming cryptographic attack in order to read it, you are safe using a key composed of 1024 bits.
5. Enter your user ID. It’s not absolutely necessary to enter your real name or even your email address. However, using your real name makes it easier for others to identify you as the owner of your public key. For example:
Robert M. Smith <rms@xyzcorp.com>
If you do not have an email address, use your phone number or some other unique information that would help ensure that your user ID is unique.
6. For RSA enabled versions, go to Step 7. If you selected a new signing key, enter y to create an encryption key, then select the size. If you do not want to create an encryption key, enter n to generate a new signing key only.
7. Enter a passphrase, a string of characters or words you want to use to maintain exclusive access to your private key. For more information, see "Creating a passphrase that you will remember" on page 12.
NOTE: Your passphrase should contain multiple words and may include spaces, numbers, and punctuation characters. Choose something that you can remember easily but that others won’t be able to guess. The passphrase is case sensitive, meaning that it distinguishes between uppercase and lowercase letters. The longer your passphrase, and the greater the variety of characters it contains, the more secure it is. Strong passphrases include upper and lowercase letters, numbers, punctuation, and spaces but are more likely forgotten.
8. The software asks you to enter some random text to help it accumulate some random bits to create the keys. Enter keystrokes that are reasonably random in their timing.
9. The generated key pair is placed on your public and secret key rings. Use the -kx command option to copy your new public key from your public key ring and place it in a separate public key file suitable for distribution to your friends. The public key file can be sent to your friends for inclusion in their public key rings. For more information, see "Distributing your public key" on page 11.

Protecting your keys

Once you have generated a key pair, it is wise to put a copy of them in a safe place in case something happens to the originals.
Your private keys and your public keys are stored in separate keyring files, which you can copy just like any other files to another location on your hard drive or to a floppy disk. By default, the private and public keyrings (pubring.pkr and secring.skr) are stored along with the other program files in the directory identified by the PGPPATH environment variable, but you can save your backups in any location you like. For more information, see "PGPPATH: Set the pathname for PGP" on page 6.
Besides making backup copies of your keys, you should be especially careful about where you store your private key. Even though your private key is protected by a passphrase that only you should know, it is possible that someone could discover your passphrase and then use your private key to decipher your email or forge your digital signature. For instance, somebody could look over your shoulder and watch the keystrokes you enter or intercept them on the network or even over the airwaves.
To prevent anyone who might happen to intercept your passphrase from being able to use your private key, you should store your private key only on your own computer. If your computer is attached to a network, you should also make sure that your files are not automatically included in a system-wide backup where others might gain access to your private key. Given the ease with which computers are accessible over networks, if you are working with extremely sensitive information, you may want to keep your private key on a floppy disk, which you can insert like an old-fashioned key whenever you want to read or sign private information.
As another security precaution, consider assigning a different name to your private keyring file and then storing it somewhere other than in the default PGP folder where it will not be so easy to locate.

Distributing your public key

After you create your keys, you need to make them available to others so that they can send you encrypted information and verify your digital signature. You have three alternatives for distributing your public key:
• Make your public key available through a public key server.
• Include your public key in an email message.
• Export your public key or copy it to a text file.
Your public key is basically composed of a block of text, so it is quite easy to make it available through a public key server, include it in an email message, or export or copy it to a file. The recipient can then use whatever method is most convenient to add your public key to their public keyring.

Summary of key server commands

To extract a key from your keyring and send it to the key server:
pgp -kx <userid> <keyfile> <URL>
To get a key from the key server and put the key on your keyring (requires two commands):
pgp -kx <userid> <keyfile> <URL>
pgp -ka <keyfile>
To remove a key from your keyring or key server:
pgp -kr <userid> <URL>
To display keys that match a specific userid on the key server:
pgp -kv <userid> <URL>
Note that the environment variable KEYSERVER_URL identifies the URL of the default key server, for example, ldap://certserver.pgp.com.

Creating a passphrase that you will remember

Encrypting a file and then finding yourself unable to decrypt it is a painful lesson in learning how to choose a passphrase you will remember. Most applications require a password between three and eight letters. A single-word password is vulnerable to a dictionary attack, which consists of having a computer try all the words in the dictionary until it finds your password. To protect against this manner of attack, it is widely recommended that you create a word that includes a combination of upper and lowercase alphabetic letters, numbers, punctuation marks, and spaces. This results in a stronger password, but an obscure one that you are unlikely to remember easily. We do not recommend that you use a single-word passphrase.
A passphrase is less vulnerable to a dictionary attack. This is accomplished easily by using multiple words in your passphrase, rather than trying to thwart a dictionary attack by arbitrarily inserting a lot of funny non-alphabetic characters, which has the effect of making your passphrase too easy to forget and could lead to a disastrous loss of information because you can’t decrypt your own files. However, unless the passphrase you choose is something that is easily committed to long-term memory, you are unlikely to remember it verbatim. Picking a phrase on the spur of the moment is likely to result in forgetting it entirely. Choose something that is already residing in your long-term memory. Perhaps a silly saying you heard years ago that has somehow stuck in your mind all this time. It should not be something that you have repeated to others recently, nor a famous quotation, because you want it to be hard for a sophisticated attacker to guess. If it’s already deeply embedded in your long-term memory, you probably won’t forget it.
Of course, if you are reckless enough to write your passphrase down and tape it to your monitor or to the inside of your desk drawer, it won't matter what you choose.

PGP’s command line options

The following table identifies and describes PGP’s command line options used to encrypt, decrypt, and manage files and keys. The next section, "Common PGP functions" on page 15, tells you how to use these options from the command line.
Option Description
-a When used with other options such as encryption or signing, converts a file to ASCII-armored format (creates a .asc file).
-c Encrypt conventionally.
-e Encrypt using public key encryption.
-f Use UNIX-style filter mode to read from standard input and write to standard output
-g Display help on group options. See table below for -g combinations.
-h Display summary of commands
-k Display help on key options. See table below for -k combinations.
-m Display plaintext output on your screen.
-o When used with other options such as encryption, decryption, checking signatures,and filter mode, specifies the output filename.
-p Recover the original plaintext filename.
-s Sign
-t Identifies the input file as a text file.
-u Identifies the key to use for signing.
-w Instructs PGP to wipe the file.
-z Identifies the passphrase on the command line.
The -k option displays help on key options. It is also used in combination with other options. The following table lists and describes these combinations.
Options Description
-k Display help on key options
-kg Generate a key
-ka Add keys to the keyring
-kc Check signatures
-ke Edit userid or passphrase for your secret key, or make an existing key your default signing key
-kr Remove keys from the keyring or key server
-krs Remove signatures attached to keys on the keyring
-ks Sign keys on the keyring
-kd Revoke or disable keys on the keyring
-kds Revoke signatures attached to keys on the keyring
-kx Extract keys from the keyring and send to key server
-kv View keys on the keyring
-kvc View the fingerprints of a set of keys
-kvv View keys and signatures on the keyring
The -g option is always used in combination with another option. The following table lists these combinations and describes how they are used.
Options Description
-g Display help on group options.
-ga Add items to a group.
-gr Remove items from a group.
-gv View a group.
-gvv View a group and the keys it contains. Default is view all groups and their constituent keys.

Entering PGP configuration parameters on the command line

Note that any of the PGP configuration parameters described in Chapter 4, “PGP’s Configuration File” can be entered as long options on the command line (for example, +fastkeygen or +passthrough).

Common PGP functions

This section describes common PGP functions in the following categories:
• Creating, disabling, reenabling, and revoking a key
• Encrypting and decrypting messages
• Wiping out text
• Signing messages
• Specifying file types
• Key maintenance commands
Note that [brackets] denote an optional field; do not type the brackets.

Creating, disabling, reenabling, and revoking a key

Create a keypair
To create your own unique public and secret key pair, enter the following at the command line:
pgp -kg
Revoke your key
To permanently revoke your own key, issue a key revocation certificate:
pgp -kd <your_userid>
Disable or reenable a key
To disable or reenable a public key on your own public key ring:
pgp -kd <userid>

Encrypting and decrypting messages

Decrypt a message, or check the signature integrity of a signed file
pgp <ciphertext_filename> [-o plaintext_filename]
Decrypt a message and recover the original plaintext filename
pgp -p <ciphertext_filename>
For more information, see "Decrypting a message and recovering the original plaintext filename" on page 26.
Decrypt a message and view plaintext output on your screen
pgp -m <ciphertext_filename>
Output is similar to the UNIX-style “more” command. Output is not written to a file. For more information, see "Decrypting a message and viewing plaintext output on your screen" on page 26.
Decrypt an ASCII-armored message
pgp <ASCII-armored_message>
This command decrypts an ASCII-armored message. PGP converts the message to binary, producing a ".pgp" ciphertext file in binary form, then creates the output file in plaintext. For more information, see "Decrypting ASCII-armored messages" on page 24.
Decrypt a message, read from standard input and write to standard output
pgp -feast <recipients_userid> <<input_filename> ><output_filename>
For more information, see "Using PGP as a UNIX-style filter" on page 22.
Encrypt a plaintext file with conventional cryptography only
pgp -c <plaintext_filename>
Encrypt a plaintext file with the recipient’s public key
pgp -e <plaintext_filename> <recipients_userid>
Encrypt a message for any number of recipients
pgp -e <textfile-filename> <userid1> <userid2> <userid3>...
Encrypt a message for viewing by recipient only
Use this command to specify that the recipient’s decrypted plaintext be shown only on the recipient’s screen and cannot be saved to disk.
pgp -sem <message.txt> <recipients_userid>
For more information, see "Encrypting for viewing by recipient only" on page 27.

Wiping your disk

Wipe out original plaintext file
pgp -ew <message.txt> <recipients_userid>
PGP wipes out the plaintext file after producing the ciphertext file.
• Add the -w (wipe) option when encrypting.
• Add the -m (more) option when decrypting.
For more information, see "Wiping your disk" on page 27.

Signing messages

Sign a plaintext file with your secret key and encrypt it with the recipient’s public key
pgp -es <plaintext filename> <recipients_userid> [-u your_userid]
Sign a plaintext file with your secret key
pgp -s <plaintext_filename> [-u your_userid]
Sign a plaintext ASCII text file
pgp -sta <plaintext_filename> [-u your_userid]
PGP signs a plaintext ASCII text file with your secret key, producing a signed plaintext message suitable for email.

Specifying file types

Create a ciphertext file in ASCII-armored-64 format
pgp -sea <plaintext_filename> <recipients_userid>
or: pgp -kxa <userid> <keyfile> [keyring]
The generated file can be uploaded into a text editor through 7-bit channels for transmission as normal email.
Add the -a option when encrypting or signing a message or extracting a key. For more information, see "Encrypting and transmitting binary data" on page 23.
Create a plaintext ASCII file
pgp -seat <message.txt> <recipients_userid>
The file is converted to the recipient’s local text line conventions. Add the -t (text) option to other options.

Key maintenance commands

Add a public or secret key file’s contents to your public or secret key ring
pgp -ka <keyfile> [keyring]
Copy a key from your public or secret key ring
pgp -kx <userid> <keyfile> [keyring]
or: pgp -kxa <userid> <keyfile> [keyring]
Get a key from the key server and put the key on your keyring (requires two commands)
pgp -kx <userid> <keyfile> <URL>
pgp -ka <keyfile>
An example of a URL: ldap://certserver.pgp.com
Display the contents of your public key ring
pgp -kv[v] [userid] [keyring]
Display all certifying signatures attached to each key
pgp -kvv [userid] [keyring]
Display the fingerprint of a public key
pgp -kvc [userid] [keyring]
PGP displays the “fingerprint” of a public key, to help verify it over the telephone with the key’s owner. To learn more about fingerprints, see "Verifying a public key over the phone" on page 29.
Display the contents of your public key ring and check the certifying signatures
pgp -kc [your_userid] [keyring]
To learn more, see "Verifying the contents of your public key ring" on page 29.
Display all the keys in a specific keyring filename
pgp <keyring_filename>
PGP displays all the keys in a specific key ring filename. When you use this command, PGP lists all the keys in keyfile.pgp, and also attempts to add them to your key ring if they are not already on your key ring.
Edit the userid or passphrase for your secret key, or to make an existing key your default signing key
pgp -ke <userid> [keyring]
Edit the trust parameters for a public key
pgp -ke <userid> [keyring]
To learn more, see "Editing the trust parameters for a public key" on page 28.
Remove a key or a userid from your public key ring
pgp -kr <userid> [keyring]
If you specify a keyring file, PGP tries to open that file and the corresponding public or private keyring file. If the userid that you want to delete pertains to a key with both a public and private key, PGP asks you if you want to delete the private key as well. If you answer No, PGP does not delete anything.
Remove selected signatures from a userid on a keyring
pgp -krs <userid> [keyring]
Sign and certify someone else’s public key on your public key ring
pgp -ks <recipients_userid> [-u your_userid] [keyring]

Creating signature certificates

Create a signature certificate that is detached from the document
pgp -sb <plaintext_filename> [-u your_userid]
For more information, see "Creating separate signature certificate and text files" on page 25.

Summary of commands

To display a quick command usage summary of PGP, enter the following at the command line:
pgp -h

Cancelling an operation

To cancel the current operation, enter Ctrl-C at any prompt. To cancel a long running operation, enter Ctrl-C at any time.
3 Advanced Topics
This chapter describes advanced PGP topics and commands:
• Identifying your home directory
• Using PGP non-interactively from UNIX shell scripts or MSDOS batch files
• Using PGP as a UNIX-style filter
• Encrypting and transmitting binary data
• Sending ASCII files to different machine environments

Identifying your home directory: HOME

UNIX only. This environment variable identifies the user’s home directory.

Using PGP non-interactively from UNIX shell scripts or MSDOS batch files

MSDOS r efers to the Windows NT command prompt.

Suppressing unnecessary questions: BATCHMODE

When the BATCHMODE flag is enabled on the command line, PGP does not ask any unnecessary questions or prompt for alternate filenames:
pgp +batchmode <ciphertext_filename>
This variable is useful when you run PGP from shell scripts or batch files. When BATCHMODE is on, some key management commands still need user interaction, so shell scripts may need to avoid them.
You can also enable BATCHMODE to check the validity of a signature on a file:
• If there was no signature on the file, the exit code is 1.
• If there was a good signature on the file, the exit code is 0.

Eliminating confirmation questions: FORCE

When you instruct PGP to overwrite an existing file or remove a key from a keyring (the -kr command), PGP requires confirmation.
To run PGP non-interactively from a UNIX shell script or MSDOS batch file, use the FORCE option to instruct PGP to assume a “yes” response each time PGP requires confirmation:
pgp +force <ciphertext_filename>
or: pgp -kr +force <your_userid>

Understanding PGP exit status codes

When you run PGP in “batch” mode (for example, from an MSDOS “.bat” file or from a UNIX shell script), PGP returns an error exit status to the shell.
• A zero exit status code signifies a normal exit.
• A non-zero exit status code tells you that an error occurred. Different error exit conditions return different exit status codes to the shell.

Using PGP as a UNIX-style filter

UNIX uses pipes to make two applications work together. The output of one application can be directly fed through a pipe to be read as input to another application. For this to work, the applications must be capable of reading the raw material from “standard input” and writing the finished output to “standard output.”
To use PGP’s UNIX-style filter mode, reading from standard input and writing to standard output, add the -f option:
pgp -feast <recipients_userid> <<input_filename> ><output_filename>
This feature makes it easier to use PGP with email applications. When you use PGP’s filter mode to decrypt a ciphertext file, you may find the PGPPASS environmental variable useful. This variable holds the passphrase so that PGP does not prompt you for this information. For more information, see "PGPPASS: Store your passphrase" on page 30.

Encrypting and transmitting binary data

Many email systems only allow messages that contain ASCII text. As a result, PGP supports an ASCII-armored format for ciphertext messages (similar to MIME).
This format, which represents binary data using only printable ASCII characters, enables you to transmit binary encrypted data through 7-bit channels, or to send binary encrypted data as normal email text. PGP’s ASCII-armored format acts as a form of “transport armor,” protecting the message against corruption as it travels through intersystem gateways on the Internet. PGP also appends a CRC to detect transmission errors.
ASCII-armored format converts the plaintext by expanding groups of 3 binary 8-bit bytes into 4 printable ASCII characters. As a result, the file expands by about 33%. However, this expansion is offset by the compression that occurs before encryption.
To produce an ASCII-armored formatted file, enter the following command:
pgp -ea <plaintext_filename> <recipients_userid>
This command instructs PGP to produce a ciphertext file in ASCII-armored format called message.asc. This file contains data in a MIME-like ASCII-armored format. You can upload the file into a text editor through 7-bit channels and transmit as normal email.
Most email facilities prohibit messages that are more than 50000 or 65000 bytes. Larger messages are broken into smaller files. If you request ASCII-armored format for a large file, PGP breaks the file into smaller files named with extensions “.as1”, “.as2”, “.as3”, and so on.
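The transport armor described in this section, as an added example (not PGP’s own code): the 3-byte-to-4-character radix-64 expansion, a checksum line (the OpenPGP armor CRC-24 of RFC 2440 is assumed to be the CRC PGP appends), splitting a large armored file into .as1/.as2/... pieces and reassembling them, and recovering the binary data from text that also carries mail headers. The armor boundary lines and the chunking rule are assumptions for illustration.

```python
import base64

# CRC-24 parameters from OpenPGP ASCII armor (RFC 2440); assumed here to be
# the "CRC" the manual says PGP appends to each armored file.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """24-bit CRC over the binary data, computed before radix-64 encoding."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(binary: bytes, block_type: str = "PGP MESSAGE", line_len: int = 64) -> str:
    """Wrap binary ciphertext in a printable ASCII-armored block.

    Every 3 input bytes become 4 radix-64 characters (about 33% growth); the
    block ends with an '=' line carrying the radix-64 CRC-24 of the binary data.
    """
    body = base64.b64encode(binary).decode("ascii")
    lines = [body[i:i + line_len] for i in range(0, len(body), line_len)]
    crc_b64 = base64.b64encode(crc24(binary).to_bytes(3, "big")).decode("ascii")
    out = [f"-----BEGIN {block_type}-----", ""] + lines
    out += ["=" + crc_b64, f"-----END {block_type}-----"]
    return "\n".join(out) + "\n"


def dearmor(text: str) -> bytes:
    """Recover the binary data from text that may also carry mail headers or a
    trailer outside the armored block; such text is skipped, as PGP does when
    decrypting. Raises ValueError on a CRC mismatch (damaged in transit)."""
    lines = text.splitlines()
    starts = [i for i, line in enumerate(lines) if line.startswith("-----BEGIN PGP ")]
    ends = [i for i, line in enumerate(lines) if line.startswith("-----END PGP ")]
    if not starts or not ends or ends[0] < starts[0]:
        raise ValueError("no ASCII-armored block found")
    block = lines[starts[0] + 1:ends[0]]
    if "" in block:                 # armor headers end at the first blank line
        block = block[block.index("") + 1:]
    body, stored_crc = [], None
    for line in block:
        if line.startswith("="):    # CRC line; radix-64 body lines never start with '='
            stored_crc = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line:
            body.append(line)
    data = base64.b64decode("".join(body))
    if stored_crc is not None and stored_crc != crc24(data):
        raise ValueError("ASCII armor CRC mismatch: data corrupted in transit")
    return data


def split_for_email(armored: str, max_bytes: int, stem: str = "message") -> dict:
    """Break an armored file into stem.as1, stem.as2, ... pieces of at most
    max_bytes each. Splitting on line boundaries is an assumption; PGP's exact
    chunking is not documented in this section."""
    parts, current = [], ""
    for line in armored.splitlines(keepends=True):
        if current and len(current) + len(line) > max_bytes:
            parts.append(current)
            current = ""
        current += line
    if current:
        parts.append(current)
    return {f"{stem}.as{n}": part for n, part in enumerate(parts, start=1)}


def reassemble(parts: dict) -> str:
    """Concatenate the pieces in numeric order (.as10 after .as9) before decrypting."""
    order = sorted(parts, key=lambda name: int(name.rsplit(".as", 1)[1]))
    return "".join(parts[name] for name in order)


def expansion_ratio(binary: bytes) -> float:
    """Size of the radix-64 body relative to the binary input (about 4/3)."""
    return len(base64.b64encode(binary)) / len(binary)


if __name__ == "__main__":
    # Constructed stand-in for a binary .pgp ciphertext file (not real ciphertext).
    sample = bytes(range(256)) * 3
    armored = armor(sample)
    print(f"expansion: {expansion_ratio(sample):.2f}x")
    pieces = split_for_email(armored, max_bytes=300)
    print(f"{len(pieces)} pieces:", ", ".join(pieces))
    assert dearmor(reassemble(pieces)) == sample
    # A one-character change in the body ('d' -> 'e' in the last byte) trips the CRC.
    damaged = armor(b"hello world").replace("aGVsbG8gd29ybGQ=", "aGVsbG8gd29ybGU=")
    try:
        dearmor(damaged)
    except ValueError as err:
        print("detected:", err)
```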

Sending binary data files in ASCII-armored format without encryption or signature

Use PGP’s -a option to convert a file into ASCII-armored format. No encryption or signing is involved, so neither sender or recipient requires a key. When you use the -a option, PGP breaks big files up into smaller files that can be sent via email, attempts to compress the data before converting it to ASCII-armored format, and appends a CRC error detection code to each of the smaller files. Use the command as follows:
pgp -a <binary_filename>
This command instructs PGP to produce an ASCII-armored file called “filename.asc”. The recipient uses the -p option to unwrap the message and restore the sender’s original filename.

Decrypting ASCII-armored messages

To decrypt an ASCII-armored message, enter the following command:
pgp <ASCII-armored_filename>
PGP recognizes that the file is in ASCII-armored format, converts the file back to binary (creating a .pgp ciphertext file in binary form), and creates an output file in normal plaintext form.
If the original message was large and sent in a number of smaller files, you must concatenate the files in their proper order into one file before decrypting the message. When PGP is decrypting the message, it ignores any extraneous text in mail headers that is not enclosed in the ASCII-armored message blocks.

Sending a public key in ASCII-armored format

To send a public key to someone else in ASCII-armored format, add the -a option while extracting the key from your keyring.
If you forgot to use the -a option when you made a ciphertext file or extracted a key, you can convert the binary file into ASCII-armored format by using the -a option (do not specify encryption). PGP converts the file to a “.asc” file.

Sending ASCII text files to different machine environments

PGP encrypts any plaintext file, binary 8-bit data, or ASCII text. The most common use of PGP is for email, which is ASCII text.
ASCII text is represented differently on different machines. For example, on an MSDOS system, all lines of ASCII text are terminated with a carriage return followed by a linefeed. On a UNIX system, all lines end with just a linefeed. On a Macintosh, all lines end with just a carriage return.
Normal unencrypted ASCII text messages are often automatically translated to some common “canonical” form when they are transmitted from one machine to another. Canonical text has a carriage return and a linefeed at the end of each line of text.
Encrypted text cannot be automatically converted by a communication protocol, because the plaintext is hidden by encipherment. To remedy this problem, PGP’s “t” option lets you specify that the plaintext be treated as ASCII text and converted to canonical text before encryption. When the message is received, the decrypted plaintext is automatically converted to the appropriate text form for the local environment.
To use this feature, enter the “t” option when encrypting or signing a message:
pgp -et <plaintext_filename> <recipients_userid>
If PGP detects non-text binary data in the plaintext file, PGP ignores the “t” option.
PGP includes an environment variable that corresponds to the “t” option, TEXTMODE. If you consistently receive plaintext files rather than binary data, set TEXTMODE=ON.
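The canonical-text handling this section describes, as an added illustration (not PGP’s own code): MSDOS, UNIX and Macintosh line endings are converted to canonical CR LF before encryption, converted back to the local convention after decryption, and left alone when the data looks binary, as PGP does when it ignores the “t” option. The binary-detection heuristic is an assumption.

```python
# Local line-ending conventions named in the manual.
LOCAL_EOL = {"MSDOS": b"\r\n", "UNIX": b"\n", "Macintosh": b"\r"}


def looks_binary(data: bytes) -> bool:
    """Rough sniff for non-text data. PGP ignores the -t option when it detects
    binary data; the rule used here (a NUL byte, or more than 10% control
    characters in the first 4 KiB) is an assumption, not PGP's actual test."""
    if b"\x00" in data:
        return True
    sample = data[:4096]
    if not sample:
        return False
    control = sum(1 for b in sample if b < 0x20 and b not in b"\r\n\t\f")
    return control / len(sample) > 0.1


def to_canonical(plaintext: bytes) -> bytes:
    """Sender side (-t): convert any line-ending convention to canonical CR LF.

    Handles CR LF, bare LF (UNIX) and bare CR (Macintosh), even when mixed in
    one file, without doubling line endings that are already canonical.
    """
    if looks_binary(plaintext):
        return plaintext
    # Collapse everything to LF first, then emit CR LF for each line end.
    text = plaintext.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return text.replace(b"\n", b"\r\n")


def from_canonical(canonical: bytes, system: str) -> bytes:
    """Receiver side: convert canonical CR LF text to the local environment's
    line endings after decryption."""
    return canonical.replace(b"\r\n", LOCAL_EOL[system])


if __name__ == "__main__":
    # Constructed sample: a Macintosh text file (CR line endings) read on UNIX.
    mac_text = b"Meeting moved to 3pm.\rBring the signed contract.\r"
    canonical = to_canonical(mac_text)
    print(canonical)
    print(from_canonical(canonical, "UNIX"))
```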

Managing Signature Certificates

Creating separate signature certificate and text files

In most cases, signature certificates are physically attached to the text they sign. This makes it convenient to verify signatures. You can, however, create a separate, detached signature certificate file, and then send both files (the text file and the signature certificate file) to the recipient. This feature is useful when more than one party must sign a document such as a legal contract, without nesting signatures. Each person’s signature is independent.
To create a separate, detached signature certificate file, combine the ‘b’ (break) option with the ‘s’ (sign) option. Enter the following command:
pgp -sb <plaintext_filename> [-u <your_userid>]
This instructs PGP to produce a separate, detached signature certificate in a file named letter.sig. The contents of letter.sig are not appended to <letter.txt>.

Receiving separate signature certificate and text files

When you attempt to process a signature certificate file, PGP asks you to identify the corresponding text file. Once the text file is identified, PGP checks the signature integrity.
If you know that a signature is detached from a text file, you can specify both filenames on the command line:
pgp <letter.sig> <letter.txt>
or: pgp <letter> <letter.txt>

File Management Commands

Decrypting a message and viewing plaintext output on your screen

To view decrypted plaintext output on your screen (similar to the UNIX-style “more” command), without writing the output to a file, use the -m (more) option when you decrypt:
pgp -m <ciphertext_filename>
This command instructs PGP to display the decrypted plaintext on your screen, one screen at a time.

Decrypting a message and renaming the plaintext filename output

When PGP encrypts a plaintext file, it saves the original filename and attaches it to the plaintext before it is compressed and encrypted. When PGP decrypts the ciphertext file, it names the plaintext output file with a name similar to the input ciphertext filename, but drops the extension.
Use the -o option on the command line to specify a more meaningful plaintext filename for the output:
pgp -o <ciphertext_filename> <new_plaintext_filename>

Decrypting a message and recovering the original plaintext filename

As stated in the previous section, when PGP encrypts a plaintext file, it saves the original filename and attaches it to the plaintext before it is compressed and encrypted. Use the “-p” option to instruct PGP to preserve the original plaintext filename and use it as the name of the decrypted plaintext output file:
pgp -p <ciphertext_filename>

Deleting a key from the key server

pgp -kr <userid> <URL>
An example of a URL: ldap://certserver.pgp.com

Encrypting for viewing by recipient only

To specify that the recipient’s decrypted plaintext be shown only on the recipient’s screen and not saved to disk, add the -m option:
pgp -sem <message.txt> <recipients_userid>
When the recipient decrypts the ciphertext with their secret key and passphrase, the plaintext is displayed on the recipient’s screen but is not saved to disk. The text is displayed as it would be if the recipient used the UNIX “more” command, one screen at a time. If the recipient wants to read the message again, they must decrypt the ciphertext a second time.
This feature is the safest way for you to prevent your sensitive message from being inadvertently left on the recipient’s disk.
Note that this feature does not prevent a clever and determined person from finding a way to save the decrypted plaintext to disk; it is designed to help prevent a casual user from doing it inadvertently.

Storing signed files: Signing a file without encrypting

If you sign a plaintext file without specifying encryption, PGP compresses the file after you sign it. This makes the file unreadable to the casual human observer. This is a suitable way to store signed files in archival applications.

Wiping your disk

After PGP produces a ciphertext file for you, you can request PGP to automatically overwrite and delete the plaintext file, leaving no trace of plaintext on the disk. Use the “w” option when a plaintext file contains sensitive information; it prevents someone from recovering the file with a disk block scanning utility.
Use the “w” option when you encrypt and sign a message:
pgp -ew <message.txt> <recipients_userid>
This instructs PGP to create a ciphertext file “message.pgp”, and to destroy the plaintext file “message.txt”.
Note that this option will not wipe out any fragments of plaintext that your word processor might have created on the disk while you were editing the message before running PGP. Most word processors create backup files, scratch files, or both.
PGP overwrites the file 26 times.

Key Management Commands

Editing your user ID or passphrase, or making an existing key your default signing key

You may need to change your passphrase, perhaps because someone looked over your shoulder while you typed it on the keyboard. You may need to change your user ID, because you changed your name or your email address. You may need to add a second or third user ID to your key, because you are known by more than one name, email address, or job title. PGP lets you attach more than one user ID to your key, any one of which can be used to look up your key on the key ring. You may also need to make an existing key your default signing key.
To edit your userid or passphrase for your secret key, or to make an existing key your default signing key, use the following command:
pgp -ke <your_userid> [keyring]
PGP prompts you for a new user ID or a new passphrase. If you edit your user ID, PGP actually adds a new user ID, without deleting the old one. If you want to delete an old user ID, you must do that in a separate operation.
If you elect to use the key as an ultimately-trusted introducer, you can make the key your default signing key.
The optional [keyring] parameter, if specified, must be a public keyring, not a secret keyring. The userid field must be your own userid, which PGP knows is yours because it appears on both your public keyring and your secret keyring. Both keyrings are updated, even though you only specified the public keyring.
You can also use the -ke command to edit the trust parameters for a public key. For details, see "Editing the trust parameters for a public key" on page 28.

Editing the trust parameters for a public key

To edit thetrust parameters for a public key on yourpublic key ring, enterthe following command:
pgp -ke <userid> [keyring]
The optional [keyring] parameter, if specified, must be a public keyring, not a secret keyring.

Verifyin g the contents of your public key ring

PGP automatically checks any new keys or signatures on your public key ring and updates all the trust parameters and validity scores. In theory, it keeps all the key validity status information up-to-date as material is added to or deleted from your public key ring.
At some point, however, you may want to explicitly force PGP to perform a comprehensive analysis of your public key ring, checking all the certifying signatures, checking the trust parameters, updating all the validity scores, and checking your own ultimately-trusted key against a backup copy on a write-protected floppy disk. It may be a good idea to do this hygienic maintenance periodically to make sure nothing is wrong with your public key ring.
To force PGP to perform a full analysis of your public key ring, use the -kc (key ring check) command:
pgp -kc
You can also use the following command to make PGP check all the signatures for a single selected public key:
pgp -kc <your_userid> [keyring]
Advanced Topics
For information on how to check the backup copy of your own key, see
"CERT_DEPTH: Depth of introducers be nested" on page 35.

Verifying a public key over the phone

If you receive a public key from someone that is not certified by anyone you trust, how can you tell if it is really their key? If you know the key's owner and would recognize their voice on the phone, call them and verify the key's fingerprint over the telephone. To do so, both you and the key's owner use the -kvc command to view the key's fingerprint:
pgp -kvc <userid> [keyring]
This command instructs PGP to display the key with the 32-character digest of the public key components (Diffie-Hellman keys have 40-character fingerprints). Read the fingerprint to the key's owner to see if the fingerprints match.
Using this procedure, you can verify and sign each other's keys with confidence. This is a safe and convenient way to get the key trust network started for your circle of friends.
Note that sending a key fingerprint via email is not the best way to verify the key, because email can be intercepted and modified. It is best to use a different channel than the one that was used to send the key itself. A good combination is to send the key via email, and the key fingerprint via a voice telephone conversation. Some people distribute their key fingerprint on their business cards.

Selecting keys usin g the key ID

In most cases you enter a user ID or a fragment of a user ID to select a key. However, you can also use the hexadecimal key ID to select a key. To do so, enter the key ID, with a prefix of "0x", instead of the user ID:
pgp -kv 0x67F796C2
This command instructs PGP to display all keys that have 67F796C2 in their key IDs. This feature is particularly useful if you have two different keys from the same person with the same user ID. You can pick the correct key by specifying the specific key ID.
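The fingerprint read over the phone and the key ID given to -kv are both deterministic functions of the public key material, which is what makes the telephone check and the 0x selection work. The following Python is an added example, not code from PGP Command Line or this manual: it computes the two fingerprint forms the manual mentions (the 32-character MD5 digest of old-style RSA keys and the 40-character SHA-1 digest of DH/DSS keys, following the OpenPGP packet format), derives the key ID that 0x67F796C2-style selection matches on, and formats a fingerprint for reading aloud. The key material, creation time and helper names are constructed for the example and are not real keys.

```python
import hashlib

# Constructed sample key material for the example only (not real keys; real moduli are 1024+ bits).
SAMPLE_RSA_N = 0xC0FFEE1234567890ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789
SAMPLE_RSA_E = 0x010001
SAMPLE_DSA_PQGY = (0xD1E5F00D00000001, 0xC0DEC0DEC0DEC0DF, 0x7, 0x5EED5EED5EED5EE5)
SAMPLE_CREATED = 0x36B3F2B0          # a plausible 1999 creation timestamp (constructed)
ALGO_RSA, ALGO_DSA = 1, 17           # OpenPGP public-key algorithm ids

def to_bytes(value: int) -> bytes:
    """Big-endian magnitude with no leading zero bytes."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")

def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count followed by the magnitude."""
    return value.bit_length().to_bytes(2, "big") + to_bytes(value)

def v3_rsa_fingerprint(n: int, e: int) -> str:
    """Old-style RSA keys: MD5 over modulus and exponent bytes (no MPI headers); 32 hex digits."""
    return hashlib.md5(to_bytes(n) + to_bytes(e)).hexdigest().upper()

def v3_rsa_key_id(n: int) -> str:
    """Old-style RSA key ID: the low-order 64 bits of the modulus; PGP prints the low 32 as 0x...."""
    return "0x%08X" % (n & 0xFFFFFFFF)

def v4_public_key_body(created: int, algo: int, params) -> bytes:
    """Public-key packet body: version 4, creation time, algorithm id, algorithm-specific MPIs."""
    return b"\x04" + created.to_bytes(4, "big") + bytes([algo]) + b"".join(mpi(p) for p in params)

def v4_fingerprint(body: bytes) -> str:
    """DH/DSS (v4) keys: SHA-1 over 0x99, the 2-byte body length and the body; 40 hex digits."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def v4_key_id(fingerprint_hex: str) -> str:
    """v4 key ID is the low 64 bits of the fingerprint; the 0x form used with -kv is the low 32."""
    return "0x" + fingerprint_hex[-8:]

def spoken_form(fingerprint_hex: str) -> str:
    """Groups of four hex digits for reading aloud; both parties compare group by group."""
    return " ".join(fingerprint_hex[i:i + 4] for i in range(0, len(fingerprint_hex), 4))

def fingerprints_match(spoken_mine: str, spoken_theirs: str) -> bool:
    """Compare what was read over the phone, ignoring spacing and letter case."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return norm(spoken_mine) == norm(spoken_theirs)

if __name__ == "__main__":
    body = v4_public_key_body(SAMPLE_CREATED, ALGO_DSA, SAMPLE_DSA_PQGY)
    fp = v4_fingerprint(body)
    print("DSS fingerprint:", spoken_form(fp), "key ID", v4_key_id(fp))
    print("RSA fingerprint:", spoken_form(v3_rsa_fingerprint(SAMPLE_RSA_N, SAMPLE_RSA_E)),
          "key ID", v3_rsa_key_id(SAMPLE_RSA_N))
```

A single flipped byte anywhere in the key packet changes the whole fingerprint, which is why comparing the full string (not just the short key ID) over a voice channel is the check that matters.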

PGPPASS: Store your passphrase

When PGP needs a passphrase to unlock a secret key, PGP prompts you to enter your passphrase. Use the PGPPASS environment variable, entered on the command line, to store your passphrase. When PGP requires a passphrase, it attempts to use the stored passphrase. If the stored passphrase is incorrect, PGP recovers by prompting you for the correct passphrase.
SET PGPPASS=zaphod beeblebrox for president
The above example would eliminate the prompt for the passphrase if the passphrase was "zaphod beeblebrox for president". This feature is convenient if you regularly receive a large number of incoming messages addressed to your secret key, eliminating the need for you to repeatedly type in your passphrase.
The safest way to use this feature is to enter the command each time you boot your system, and erase it or turn off your machine when you are done. Do not use this feature in an environment where someone else may have access to your machine. Note also that an environment variable is inherited by every program you start from that shell, and on many systems other processes running under your account can read it.
Passing your passphrase from another application

PGP includes a command line option, -z, that you can use to pass your passphrase into PGP from another application. This option is designed primarily to invoke PGP from inside an email package.
The passphrase follows the -z option on the command line. Use this feature with caution: command line arguments are visible to other users of the system in the process list, so the passphrase is exposed for as long as PGP runs.

PGPPASSFD

The passphrase file descriptor. If this environment variable is set to zero (0), PGP reads the first text line from standard input and uses it as the passphrase.
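The three passphrase sources just described differ mainly in who else on the machine can see the passphrase: a -z argument is visible in the process list, a PGPPASS variable is inherited by every child process, and a line written to a pipe on standard input is visible to neither. The following Python is an added example, not part of PGP or this manual: it applies the PGPPASSFD=0 rule (first line is the passphrase, the rest is the data) and shows how a calling application feeds a child over a pipe with PGPPASS scrubbed from the child's environment. Because the pgp binary is not assumed to be installed, the child is a small Python stand-in that reads stdin the same way; the function and constant names are the example's own.

```python
import io
import os
import subprocess
import sys
from typing import Optional, TextIO, Tuple

def split_passphrase_from_stdin(stream: TextIO) -> Tuple[str, str]:
    """PGPPASSFD=0 rule: the first text line of stdin is the passphrase, everything after it is data."""
    passphrase = stream.readline().rstrip("\r\n")
    return passphrase, stream.read()

def split_passphrase_from_text(text: str) -> Tuple[str, str]:
    """Same rule applied to an in-memory string (convenient for tests and for mail-package glue)."""
    return split_passphrase_from_stdin(io.StringIO(text))

def passphrase_from_z_option(argv) -> Optional[str]:
    """-z <passphrase>: whatever follows -z. Anyone on the host can see it with ps while PGP runs."""
    for i, arg in enumerate(argv):
        if arg == "-z" and i + 1 < len(argv):
            return argv[i + 1]
    return None

# Stand-in for the pgp binary (assumed not installed here): a child that applies the PGPPASSFD=0
# rule and echoes what it read, so the parent-side plumbing can be exercised offline.
STAND_IN_PGP = [sys.executable, "-c",
                "import sys; pw = sys.stdin.readline().rstrip('\\n'); "
                "sys.stdout.write(pw + '|' + sys.stdin.read())"]

def run_with_passphrase_on_stdin(cmd, passphrase: str, data: bytes) -> Tuple[str, dict]:
    """Launch cmd with PGPPASSFD=0 and feed passphrase + data over the pipe: nothing in argv,
    nothing in the environment. Returns the child's output and the environment it was given."""
    if "\n" in passphrase or "\r" in passphrase:
        raise ValueError("a passphrase fed over PGPPASSFD=0 cannot contain a line break")
    env = dict(os.environ)
    env.pop("PGPPASS", None)          # never hand a stored passphrase down to the child
    env["PGPPASSFD"] = "0"
    proc = subprocess.run(cmd, input=passphrase.encode() + b"\n" + data,
                          env=env, capture_output=True, check=True)
    return proc.stdout.decode(), env
```

The pipe approach is the one to prefer from an email package: the passphrase never touches argv or the environment, and the parent controls exactly which process receives it.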
4 PGP's Configuration File

Learning about PGP’s configuration file: pgp.cfg

PGP stores a number of user-defined parameters in the configuration text file, pgp.cfg. A configuration file enables you to define flags and parameters (also called environment variables) for PGP, eliminating the need to define these parameters on the PGP command line.
Use these configuration parameters to perform the following tasks as well as many others:
• Control where PGP stores its temporary scratch files.
• Adjust PGP's level of skepticism when it evaluates a key's validity based on the number of the key's certifying signatures.
Configuration parameters may be assigned integer values, character string values, or on/off values; the type of value depends on the type of parameter. PGP includes a sample configuration file for your review.
The following rules apply to the configuration file:
• Blank lines are ignored.
• Characters that follow the comment character, #, are ignored.
• Keywords are not case-sensitive.
The following is a short sample fragment of a typical configuration file:
# TMP is the directory for PGP scratch files, such as a RAM disk.
TMP = "e:\"           # Can be overridden by environment variable TMP.
Armor = on            # Use -a flag for ASCII armor whenever applicable.
# CERT_DEPTH is how deeply introducers may introduce introducers.
cert_depth = 3
Under the following conditions, PGP uses default values for the configuration parameters:
• Configuration parameters are not defined.
• Configuration file does not exist.
• PGP cannot find the configuration file.
Note that it is also possible to set these same configuration parameters directly from the PGP command line, by preceding the parameter setting with a "+" (plus) character. For example, the following two PGP commands produce the same effect:
pgp -e +armor=on message.txt smith
pgp -ea message.txt smith
For the location of pgp.cfg, please refer to "Location of PGP files" on page 5. The remainder of this chapter summarizes PGP's configuration parameters. Parameters appear in alphabetical order.
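The file rules above (blank lines and # comments ignored, case-insensitive keywords, on/off, integer and quoted-string values, +param=value overrides on the command line, defaults when a parameter is absent) are enough to write a parser, which is also a convenient way to audit a pgp.cfg before deploying it. The following Python is an added example, not a component of PGP Command Line: it parses the manual's sample fragment, applies + overrides the way the pgp -e +armor=on example does, and checks the ranges this chapter states for CERT_DEPTH, COMPLETES_NEEDED, MARGINALS_NEEDED and ARMORLINES. The DEFAULTS table covers only the parameters used here, and the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple, Union

Value = Union[bool, int, str]

# Defaults this chapter lists for the parameters used here; PGP falls back to them when
# pgp.cfg is missing, cannot be found, or is silent on a parameter.
DEFAULTS: Dict[str, Value] = {
    "ARMOR": False, "ARMORLINES": 0, "CERT_DEPTH": 4, "CLEARSIG": True,
    "COMPLETES_NEEDED": 1, "MARGINALS_NEEDED": 2, "TEXTMODE": False, "TMP": "", "VERBOSE": 1,
}

# The manual's sample fragment, one setting per line as in the file itself.
SAMPLE_CFG = '''
# TMP is the directory for PGP scratch files, such as a RAM disk.
TMP = "e:\\"          # Can be overridden by environment variable TMP.
Armor = on            # Use -a flag for ASCII armor whenever applicable.
# CERT_DEPTH is how deeply introducers may introduce introducers.
cert_depth = 3
'''

def strip_comment(line: str) -> str:
    """Drop everything from an unquoted '#' onwards."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line

def parse_value(raw: str) -> Value:
    """"quoted" -> str without quotes, on/off -> bool, digits -> int, anything else -> bare str."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    low = raw.lower()
    if low in ("on", "off"):
        return low == "on"
    if re.fullmatch(r"[+-]?\d+", raw):
        return int(raw)
    return raw

def parse_pgp_cfg(text: str) -> Dict[str, Value]:
    """Blank lines ignored, comments ignored, keywords case-insensitive (stored upper-case)."""
    params: Dict[str, Value] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = strip_comment(line).strip()
        if not line:
            continue
        key, sep, raw = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"pgp.cfg line {lineno}: expected KEYWORD = value, got {line!r}")
        params[key.strip().upper()] = parse_value(raw)
    return params

def apply_plus_overrides(params: Dict[str, Value], argv: List[str]) -> Tuple[Dict[str, Value], List[str]]:
    """+param=value arguments win over pgp.cfg; returns merged settings and the remaining argv."""
    merged, remaining = dict(params), []
    for arg in argv:
        if arg.startswith("+") and "=" in arg:
            key, _, raw = arg[1:].partition("=")
            merged[key.strip().upper()] = parse_value(raw)
        else:
            remaining.append(arg)
    return merged, remaining

def is_count(value) -> bool:
    """True for a real integer (bool is a subclass of int in Python, so exclude on/off values)."""
    return isinstance(value, int) and not isinstance(value, bool)

def check_ranges(params: Dict[str, Value]) -> List[str]:
    """Flag values outside the ranges the manual states: CERT_DEPTH 0..8, *_NEEDED >= 1, ARMORLINES >= 0."""
    problems = []
    depth = params.get("CERT_DEPTH")
    if not is_count(depth) or not 0 <= depth <= 8:
        problems.append(f"CERT_DEPTH must be 0..8, got {depth!r}")
    for name in ("COMPLETES_NEEDED", "MARGINALS_NEEDED"):
        if not is_count(params.get(name)) or params[name] < 1:
            problems.append(f"{name} must be a positive integer, got {params.get(name)!r}")
    if not is_count(params.get("ARMORLINES")) or params["ARMORLINES"] < 0:
        problems.append(f"ARMORLINES must be 0 or a positive line count, got {params.get('ARMORLINES')!r}")
    return problems

def effective_settings(cfg_text: str, argv: List[str]) -> Tuple[Dict[str, Value], List[str]]:
    """Defaults, then pgp.cfg, then + overrides, in the precedence the manual describes."""
    return apply_plus_overrides({**DEFAULTS, **parse_pgp_cfg(cfg_text)}, argv)
```

Running check_ranges over the merged settings before invoking pgp catches a CERT_DEPTH of 9 or a MARGINALS_NEEDED of 0 at deployment time rather than at the first key check.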

ARMOR: ASCII-armor output

Default setting: ARMOR = off
The configuration parameter ARMOR is equivalent to the -a command line option. If enabled, this parameter causes PGP to emit ciphertext or keys in ASCII-armored format suitable for transport through email channels. Output files are named with the ".asc" extension.
If you intend to use PGP primarily for email purposes, you should turn this parameter on (ARMOR=ON).

ARMORLINES: Size of ASCII armor multipart files

Default setting: ARMORLINES = 0
Most email facilities prohibit messages that are more than 50000 or 65000 bytes. As a result, PGP restricts the number of lines in a file to 720. When PGP creates a large ".asc" ASCII-armored file, the file is broken into smaller multipart files so that it can be sent through email utilities. The smaller files are named with the suffixes ".as1", ".as2", ".as3", and so on.
The configuration parameter ARMORLINES specifies the maximum number of lines in each of the smaller files in a multipart ".asc" file sequence. If you set ARMORLINES to zero, PGP does not break the large file into smaller files.

CERT_DEPTH: Depth of nested introducers

Default setting: CERT_DEPTH = 4
The configuration parameter CERT_DEPTH identifies how many levels deep you can nest introducers to certify other introducers to certify public keys on your public key ring.
For example, if CERT_DEPTH is set to 1, there can only be one layer of introducers below your own ultimately-trusted key. If that is the case, you are required to directly certify the public keys of all trusted introducers on your key ring. If you set CERT_DEPTH to 0, you can have no introducers at all, and you would have to directly certify each and every key on your public key ring to use it. The minimum CERT_DEPTH is 0, the maximum is 8.

CLEARSIG: Signed message readable with human eyes

Default setting: CLEARSIG = on
Use the CLEARSIG parameter to generate a signed message that can be read with human eyes, without the aid of PGP. The recipient must still use PGP to verify the signature.
Unencrypted PGP signed messages have a signature certificate prepended in binary form. The signed message is compressed, rendering the message unreadable to human eyes, even though the message is not encrypted.
To send this binary data through a 7-bit email channel, PGP applies ASCII armor (see the ARMOR parameter). Even if PGP did not compress the message, the ASCII armor would render the message unreadable to human eyes. The recipient must first use PGP to strip the armor off the message, and then decompress the message before reading it.
If the original plaintext message is in text, not binary form, you can use the CLEARSIG parameter to send a signed message through an email channel; the signed message is not compressed, and the ASCII armor is applied to the binary signature certificate, but not to the plaintext message. The CLEARSIG parameter makes it possible to generate a signed message that can be read with human eyes, without the aid of PGP (again, the recipient still needs PGP to verify the signature).
The CLEARSIG flag is preset to "on". To enable the full CLEARSIG behavior, the ARMOR and TEXTMODE flags must also be turned on. Set ARMOR=ON (or use the -a option), and set TEXTMODE=ON (or use the -t option). If CLEARSIG is set to off in your configuration file, you can turn it back on again directly on the command line:
pgp -sta +clearsig=on message.txt
Note that since this method only applies ASCII armor to the binary signature certificate, and not to the message text itself, there is some risk that the unarmored message may suffer accidental modification while en route. This can happen if it passes through an email gateway that performs character set conversions, or in some cases extra spaces may be added to or stripped from the ends of lines. If this occurs, the signature will fail to verify, which may give a false indication of intentional tampering.
When PGP calculates the signature for text in CLEARSIG mode, trailing blanks are ignored on each line.

COMMENT: ASCII armor comment

The ASCII armor comment appears in all armored output as a Comment header just beneath the Version header.
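ARMOR, ARMORLINES and COMMENT together determine the shape of an .asc file: a BEGIN line, a Version header, an optional Comment header beneath it, a blank line, the radix-64 body, a checksum line and an END line, optionally cut into .as1, .as2, ... files of at most ARMORLINES lines each. The following Python is an added example, not PGP's implementation: it produces that layout with the OpenPGP radix-64 checksum (the CRC-24 specified in RFC 4880), splits the result by line count as the manual describes, and verifies the checksum on the way back in, so that a message damaged in transit is rejected rather than silently decoded. The multipart split here is plain line chunking of one armored block (real PGP also marks each part in its armor header); the file-name stem, sample payload and function names are constructed for the example.

```python
import base64
from typing import List, Optional, Tuple

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880 section 6.1 constants

def crc24(data: bytes) -> int:
    """Radix-64 checksum over the binary data; the empty input yields the initial value."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "MESSAGE", comment: Optional[str] = None,
          version: str = "PGP 6.5") -> str:
    """BEGIN line, Version header, optional Comment header (the COMMENT parameter), blank line,
    64-column radix-64 body, '=' plus a 4-character encoded checksum, END line."""
    lines = [f"-----BEGIN PGP {block_type}-----", f"Version: {version}"]
    if comment:
        lines.append(f"Comment: {comment}")
    lines.append("")
    body = base64.b64encode(data).decode("ascii")
    lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"

def split_multipart(armored: str, armorlines: int, stem: str = "message") -> List[Tuple[str, str]]:
    """ARMORLINES: 0 keeps a single .asc file; otherwise cut the text into files of at most
    `armorlines` lines named .as1, .as2, ... (concatenating the parts in order restores the .asc)."""
    if armorlines <= 0:
        return [(f"{stem}.asc", armored)]
    lines = armored.splitlines(keepends=True)
    chunks = ["".join(lines[i:i + armorlines]) for i in range(0, len(lines), armorlines)]
    return [(f"{stem}.as{n}", chunk) for n, chunk in enumerate(chunks, 1)]

def dearmor(armored: str) -> bytes:
    """Strip headers and trailer, decode the body and verify the checksum (ValueError on mismatch)."""
    lines = iter(armored.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP "):
            break
    else:
        raise ValueError("no armor header found")
    for line in lines:                      # skip Version:/Comment: headers up to the blank line
        if line.strip() == "":
            break
    body, checksum = [], None
    for line in lines:
        if line.startswith("="):
            checksum = int.from_bytes(base64.b64decode(line[1:]), "big")
        elif line.startswith("-----END PGP "):
            break
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body))
    if checksum is None or checksum != crc24(data):
        raise ValueError("radix-64 checksum mismatch: the armored text was altered in transit")
    return data

def rejects(armored: str) -> bool:
    """True when dearmor refuses the input because its checksum does not match."""
    try:
        dearmor(armored)
    except ValueError:
        return True
    return False
```

The checksum only detects accidental damage (a gateway that rewraps or re-encodes the body); it is not a signature, and deliberate tampering is caught only by verifying the enclosed signature after decoding.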

COMPATIBLE: Enable user-interface compatibility with PGP 2.6.2

Default setting: COMPATIBLE = off
The configuration parameter COMPATIBLE enables user-interface compatibility with PGP 2.6.2. You may require this feature for interoperation with scripts that parse the output or otherwise interact with PGP dialogues.
To activate this feature, add the following line to the configuration file, pgp.cfg:
COMPATIBLE=on

COMPLETES_NEEDED: Number of completely trusted introducers needed

Default setting: COMPLETES_NEEDED = 1
The configuration parameter COMPLETES_NEEDED identifies the minimum number of completely trusted introducers required to fully certify a public key on your public key ring.

COMPRESS: Compression before encryption

Default setting: COMPRESS = on
The configuration parameter COMPRESS enables or disables data compression before encryption. It is used mainly to debug PGP. Under normal circumstances, PGP attempts to compress the plaintext before it encrypts it. Do not change this setting.

CIPHERNUM

Use CIPHERNUM to specify the symmetric cipher to use. Values are as follows:
kPGPCipherAlgorithm_IDEA = 1
kPGPCipherAlgorithm_3DES = 2
kPGPCipherAlgorithm_CAST5 = 3
These values are listed so that the application does not need to know the values coded into the SDK. More algorithms may be added in future releases.

ENCRYPTTOSELF: Encrypt to self

Default setting: ENCRYPTTOSELF = off
Use this variable to instruct PGP to add MYNAME to the recipients.

FASTKEYGEN: Fa st key generation

Default setting: FASTKEYGEN = on
Use FASTKEYGEN to specify fast key generation.

HASHNUM

A number that describes the hash algorithm used. Values are of type PGPHashAlgorithm:
kPGPHashAlgorithm_MD5 = 1
kPGPHashAlgorithm_SHA = 2
kPGPHashAlgorithm_RIPEMD160 = 3
These values are listed so that the application does not need to know the values coded into the SDK. More algorithms may be added in future releases.

INTERACTIVE: Confirmation for key adds

Default setting: INTERACTIVE = off
Use this variable to instruct PGP to ask for confirmation when you add a key file with multiple keys to your key ring. When this variable is set to "on", PGP asks for confirmation for each key in the key file before adding it to your key ring.

KEYSERVER_URL

Default setting: KEYSERVER_URL = ""
Identifies the URL of the default key server, for example, ldap://certserver.pgp.com.

MARGINALS_NEEDED: Number of marginally trusted introducers needed

Default setting: MARGINALS_NEEDED = 2
The configuration parameter MARGINALS_NEEDED identifies the minimum number of marginally trusted introducers required to fully certify a public key on your public key ring.
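CERT_DEPTH, COMPLETES_NEEDED and MARGINALS_NEEDED are the three knobs of PGP's validity computation: a key becomes valid when enough trusted, already-valid introducers have signed it, and an introducer only counts if it is nested no deeper than CERT_DEPTH below your own key. The following Python is an added example, not PGP's own trust code: it runs that computation to a fixed point over a constructed sample ring and shows how each parameter changes the outcome (CERT_DEPTH=0 disables introducers entirely; MARGINALS_NEEDED=1 lets a single marginally trusted introducer certify a key). A completely trusted signature is weighted 1/COMPLETES_NEEDED and a marginal one 1/MARGINALS_NEEDED, with mixed sets scored by summing those fractions; that weighting, the depth convention (0 for your key, 1 for keys you certified yourself) and the key names are the example's assumptions.

```python
from fractions import Fraction
from typing import Dict, Set

ULTIMATE, COMPLETE, MARGINAL, UNTRUSTED = "ultimate", "complete", "marginal", "untrusted"

def compute_validity(trust: Dict[str, str], signatures: Dict[str, Set[str]],
                     cert_depth: int = 4, completes_needed: int = 1,
                     marginals_needed: int = 2) -> Dict[str, int]:
    """Return {key: depth} for every key the ring would treat as valid.

    trust:      the introducer trust you assigned to each key (what -ke edits).
    signatures: key -> set of keys whose certifying signatures it carries.
    Depth 0 is your own ultimately-trusted key, 1 a key you certified yourself, and so on.
    A signer counts only if it is itself valid and its depth is <= cert_depth, so with
    cert_depth=0 only your own signature counts, and with cert_depth=1 keys you certified
    may introduce others but those in turn may not introduce further.
    """
    if not 0 <= cert_depth <= 8:
        raise ValueError("CERT_DEPTH must be between 0 and 8")
    if completes_needed < 1 or marginals_needed < 1:
        raise ValueError("COMPLETES_NEEDED and MARGINALS_NEEDED must be at least 1")
    weight = {ULTIMATE: Fraction(1), COMPLETE: Fraction(1, completes_needed),
              MARGINAL: Fraction(1, marginals_needed), UNTRUSTED: Fraction(0)}
    depth = {key: 0 for key, level in trust.items() if level == ULTIMATE}
    changed = True
    while changed:                                   # fixed point: validity can only grow
        changed = False
        for key, signers in signatures.items():
            if key in depth:
                continue
            score, nearest = Fraction(0), None
            for signer in signers:
                if signer not in depth or depth[signer] > cert_depth:
                    continue                         # unknown/invalid signer, or nested too deep
                w = weight[trust.get(signer, UNTRUSTED)]
                if w:
                    score += w
                    nearest = depth[signer] if nearest is None else min(nearest, depth[signer])
            if score >= 1:
                depth[key] = nearest + 1
                changed = True
    return depth

# Constructed sample ring: you ("me") certified alice, carol and dave directly.
SAMPLE_TRUST = {"me": ULTIMATE, "alice": COMPLETE, "carol": MARGINAL, "dave": MARGINAL,
                "bob": UNTRUSTED}
SAMPLE_SIGNATURES = {
    "alice": {"me"}, "carol": {"me"}, "dave": {"me"},
    "bob":   {"alice"},            # one completely trusted introducer: enough by default
    "erin":  {"carol", "dave"},    # two marginally trusted introducers: enough by default
    "frank": {"carol"},            # only one marginal: not enough unless MARGINALS_NEEDED=1
    "grace": {"bob"},              # bob is valid but you gave him no introducer trust
}
```

Note that grace stays invalid however the thresholds are set: validity of the signer is necessary but not sufficient, the signer must also have been marked trusted as an introducer with -ke.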

MYNAME: Default user ID for signatures

Default setting: MYNAME = ""
The configuration parameter MYNAME specifies the default user ID to use to select the secret key for making signatures. If MYNAME is not defined, PGP uses the most recent secret key you installed on your secret key ring. You can override this setting by using the -u option to specify a user ID on the PGP command line.

PAGER: Shell command to display plaintext output

Default setting: PAGER = ""
PGP's -m option lets you view decrypted plaintext output on your screen, one screen at a time, without writing the output to a file. PGP includes a built-in page display utility. If you prefer to use a different page display utility, use the PAGER parameter to identify the utility. The PAGER parameter specifies the shell command PGP uses to display a file.
Note that if the sender specified that a file is for your eyes only, PGP always uses its own built-in display function.
For further details, see "Decrypting a message and viewing plaintext output on your screen" on page 26.

PGP_MIME

Default setting: PGP_MIME = off
Use PGP_MIME to specify compatibility with PGP/MIME.

PGP_MIMEPARSE

Default setting: PGP_MIMEPARSE = off
Use PGP_MIMEPARSE to instruct PGP to try to parse MIME body parts.

PUBRING: Filename for your public keyring

Default setting: PUBRING = "%PGPPATH%/pubring.pkr" on UNIX; %USERPROFILE%\Application Data\pgp\pubring.pkr on Windows NT
You may want to keep your public key ring in a directory separate from your PGP configuration file (that is, the directory specified by your PGPPATH environment variable). Use the PUBRING parameter to identify the full path and filename for your public keyring.
You can also set this parameter on the command line to specify an alternative keyring.

RANDOMDEVICE

Default setting: RANDOMDEVICE = /dev/random on UNIX
UNIX only. Identifies the system entropy pool, /dev/random. PGP tries to open this device to acquire entropy, and if that fails, will try to acquire entropy from user keystrokes. Not applicable to Windows NT.

RANDSEED: Filename for random number seed

Default setting: RANDSEED = "%PGPPATH%/randseed.rnd" on UNIX; "%SYSTEMROOT%/randseed.rnd" on Windows NT
The random number seed file, randseed.rnd, is used to generate session keys. You may want to keep your random number seed file in a more secure directory or device (this file generally resides in the directory specified by your PGPPATH environment variable). Use the RANDSEED parameter to identify the full path and filename for your random seed file.

SECRING: Filename for your secret keyring

Default setting: SECRING = "%PGPPATH%/secring.pgp"
You may want to keep your secret keyring in a directory separate from your PGP configuration file (that is, the directory specified by your PGPPATH environment variable). Use the SECRING parameter to identify the full path and filename for your secret keyring.

SHOWPASS: Echo passphrase to user

Default setting: SHOWPASS = off
PGP does not let you see your passphrase as you type it. This makes it harder for someone looking over your shoulder while you type to learn your passphrase. However, you may have problems typing your passphrase without seeing what you are typing, or you may be typing in the privacy of your own home.
The configuration parameter SHOWPASS enables PGP to echo your typing during passphrase entry.

TMP: Directory pathname for temporary files

Default setting: TMP = ""
The configuration parameter TMP specifies what directory PGP uses for temporary scratch files. If TMP is undefined, the temporary files are written in the current directory. If the shell environment variable TMP is defined, PGP stores temporary files in the named directory.

TEXTMODE: Assume plaintext is a text file

Default setting: TEXTMODE = off
The configuration parameter TEXTMODE is equivalent to the -t command line option. If enabled, this parameter causes PGP to assume the plaintext is a text file, not a binary file, and to convert the plaintext to "canonical text" before encrypting it. Canonical text has a carriage return and a linefeed at the end of each line of text.
This parameter is automatically turned off if PGP detects that the plaintext file contains non-text binary data. If you intend to use PGP primarily for email purposes, you should set TEXTMODE=ON.
For further details, see "Sending ASCII text files to different machine environments" on page 24.
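Putting CLEARSIG and TEXTMODE together: the signature is computed over canonical text (CR LF line ends) after trailing blanks are stripped from each line, which is exactly why padding added by a gateway is harmless while any other change makes verification fail. The following Python is an added example, not code from PGP Command Line: it builds the bytes both signer and verifier hash, uses the manual's HASHNUM numbering to pick the digest, shows which kinds of transit damage survive and which do not, and includes the dash-escaping of lines beginning with "-" that OpenPGP clear-signed text uses. The helper names are the example's own, and RIPEMD-160 works only where the local hashlib provides it.

```python
import hashlib
from typing import List

HASH_BY_HASHNUM = {1: "md5", 2: "sha1", 3: "ripemd160"}   # the manual's HASHNUM values

def _lines(text: str) -> List[str]:
    """Split on CRLF, LF or CR; a final line terminator does not produce an extra empty line."""
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return lines

def canonical_text(text: str) -> bytes:
    """TEXTMODE: the plaintext is processed with a CR LF at the end of every line."""
    return "".join(line + "\r\n" for line in _lines(text)).encode("utf-8")

def clearsig_hash_input(text: str) -> bytes:
    """CLEARSIG: trailing blanks on each line are ignored, then canonical line ends are applied."""
    return "".join(line.rstrip(" \t") + "\r\n" for line in _lines(text)).encode("utf-8")

def clearsig_digest(text: str, hashnum: int = 2) -> str:
    """Digest that signer and verifier both compute over a clear-signed body (SHA-1 for HASHNUM=2)."""
    return hashlib.new(HASH_BY_HASHNUM[hashnum], clearsig_hash_input(text)).hexdigest()

def dash_escape(text: str) -> str:
    """Inside the signed block, lines beginning with '-' get a '- ' prefix so they can never be
    mistaken for the armor boundary lines; the verifier removes the prefix before hashing."""
    return "\n".join(("- " + line) if line.startswith("-") else line for line in _lines(text)) + "\n"

def dash_unescape(text: str) -> str:
    """Inverse of dash_escape, applied by the verifier to the received block."""
    return "\n".join(line[2:] if line.startswith("- ") else line for line in _lines(text)) + "\n"

def survives_transit(sent: str, received: str, hashnum: int = 2) -> bool:
    """True when the received text still verifies against the digest computed at signing time."""
    return clearsig_digest(sent, hashnum) == clearsig_digest(received, hashnum)

if __name__ == "__main__":
    original = "Meet at noon.\nBring the key.\n"
    print("padded line ends verify:", survives_transit(original, "Meet at noon.   \nBring the key.\t\n"))
    print("changed word verifies:", survives_transit(original, "Meet at 1pm.\nBring the key.\n"))
```

The asymmetry is deliberate: trailing-blank tolerance removes the most common false alarm from mail gateways, while a leading space, a character-set conversion or any change to the visible text still fails, and a failure therefore cannot be distinguished from tampering without retrieving an intact copy.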

TZFIX: Timezone adjustment

Default setting: TZFIX = 0
UNIX only. PGP includes timestamps for keys and signature certificates in Greenwich Mean Time (GMT). When PGP asks the system for the time of day, the system should give the time in GMT. However, on some improperly configured systems, the system time is returned as US Pacific Standard Time plus 8 hours.
The configuration parameter TZFIX specifies the number of hours to add to the system time function to get GMT. If your operating system does not give time in GMT, use TZFIX to adjust the system time to GMT.
Examples of TZ environment variable settings for various locations:
For Los Angeles: SET TZ=PST8PDT
For Denver: SET TZ=MST7MDT
For Arizona: SET TZ=MST7 (Arizona does not use daylight saving time)
For Chicago: SET TZ=CST6CDT
For New York: SET TZ=EST5EDT
For London: SET TZ=GMT0BST
For Amsterdam: SET TZ=MET-1DST
For Moscow: SET TZ=MSK-3MSD
For Auckland: SET TZ=NZT-13

VERBOSE: Quiet, normal, or verbose messages

Default setting: VERBOSE = 1
The VERBOSE variable controls the amount of detail you receive from PGP diagnostic messages. The settings are as follows:
0 - Displays only queries and errors (that is, prompts the user for input and displays errors when they occur).
1 - Normal default setting. Displays a reasonable amount of detail in diagnostic or advisory messages.
2 - Displays maximum information, usually to help diagnose problems in PGP. Not recommended for normal use.
A Exit And Error Codes

The tables in this appendix identify PGP's exit and error codes.

General Errors
Code  Explanation
0     Exit OK, no error
1     invalid file
2     file not found
3     unknown file
4     batchmode error
5     bad argument
6     process interrupted
7     out of memory error

Keyring Errors
Code  Explanation
10    key generation error
11    non-existing key error
12    keyring add error
13    keyring extract error
14    keyring edit error
15    keyring view error
16    keyring removal error
17    keyring check error
18    key signature error
19    key signature removal error

Encode Errors
Code  Explanation
20    signature error
21    public key encryption error
22    encryption error
23    compression error

Decode Errors
Code  Explanation
30    signature check error
31    public key decryption error
32    decryption error
33    decompression error