PGP NetShare Command Line
User's Guide
Version Information
PGP NetShare Command Line User's Guide. 10.1. Released September 2010.
Copyright Information
Copyright © 1991-2010 by PGP Corporation. All Rights Reserved. No part of this document can be reproduced or transmitted in any form or by any
means, electronic or mechanical, for any purpose, without the express written permission of PGP Corporation.
Trademark Information
PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact
may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
PGP Support (https://support.pgp.com). PGP Corporation
Acknowledgments
This product includes or may include:
-- The Zip and ZLib compression code, created by Mark Adler and Jean-Loup Gailly, is used with permission from the free Info-ZIP implementation,
developed by zlib (
under the MIT License found at
freely available high-quality data compressor, is copyrighted by Julian Seward, © 1996-2005. -- Application server (
http://www.apache.org/), Jakarta Commons (http://jakarta.apache.org/commons/license.html) and log4j, a Java-based library used to parse
server (
HTML, developed by the Apache Software Foundation. The license is at
binding framework for moving data from XML to Java programming language objects and from Java to databases, is released by the ExoLab Group
under an Apache 2.0-style license, available at
Foundation that implements the XSLT XML transformation language and the XPath XML query language, is released under the Apache Software
License, version 1.1, available at
Protocol") used for communications between various PGP products is provided under the Apache license found at
http://www.apache.org/licenses/LICENSE-2.0.txt. -- mx4j, an open-source implementation of the Java Management Extensions (JMX), is released
under an Apache-style license, available at
Independent JPEG Group. (
distributed under the MIT License
distributed by University of Cambridge. ©1997-2006. The license agreement is at
and Domain Name System (DNS) protocols developed and copyrighted by Internet Systems Consortium, Inc. (
implementation of daemon developed by The FreeBSD Project, © 1994-2006. -- Simple Network Management Protocol Library developed and
copyrighted by Carnegie Mellon University © 1989, 1991, 1992, Networks Associates Technology, Inc, © 2001- 2003, Cambridge Broadband Ltd. ©
2001- 2003, Sun Microsystems, Inc., © 2003, Sparta, Inc, © 2003-2006, Cisco, Inc and Information Network Center of Beijing University of Posts and
Telecommunications, © 2004. The license agreement for these is at
by Network Time Protocol and copyrighted to various contributors. -- Lightweight Directory Access Protocol developed and copyrighted by OpenLDAP
Foundation. OpenLDAP is an open-source implementation of the Lightweight Directory Access Protocol (LDAP). Copyright © 1999-2003, The
OpenLDAP Foundation. The license agreement is at
OpenBSD project is released by the OpenBSD Project under a BSD-style license, available at
bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite is a free implementation of PC/SC, a specification for SmartCard integration is released
under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License 1.0, available at
http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is released under a
BSD-style license, available at
PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is released under a
BSD-style license, available at
database management system, is released under a BSD-style license, available at
version of cron, a standard UNIX daemon that runs specified programs at scheduled times. Copyright © 1993, 1994 by Paul Vixie; used by permission. -
- JacORB, a Java object used to facilitate communication between processes written in Java and the data layer, is open source licensed under the
GNU Library General Public License (LGPL) available at
is an open-source implementation of a CORBA Object Request Broker (ORB), and is used for communication between processes written in C/C++ and
the data layer. Copyright (c) 1993-2006 by Douglas C. Schmidt and his research group at Washington University, University of California, Irvine, and
Vanderbilt University. The open source software license is available at
downloading files via common network services, is open source software provided under a MIT/X derivate license available at
http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a library used to generate unique identifiers, is released
under a BSD-style license, available at
libpopt, a library that parses command line options, is released under the terms of the GNU Free Documentation License available at
http://directory.fsf.org/libs/COPYING.DOC. Copyright © 2000-2003 Free Software Foundation, Inc. -- gSOAP, a development tool for Windows clients
to communicate with the Intel Corporation AMT chipset on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at
http://www.zlib.net). -- Libxml2, the XML C parser and toolkit developed for the Gnome project and distributed and copyrighted
http://www.opensource.org/licenses/mit-license.html. Copyright © 2007 by the Open Source Initiative. -- bzip2 1.0, a
http://jakarta.apache.org/), web
www.apache.org/licenses/LICENSE-2.0.txt. -- Castor, an open-source, data-
http://www.castor.org/license.html. -- Xalan, an open-source software library from the Apache Software
http://xml.apache.org/xalan-j/#license1.1. -- Apache Axis is an implementation of the SOAP ("Simple Object Access
http://mx4j.sourceforge.net/docs/ch01s06.html. -- jpeglib version 6a is based in part on the work of the
http://www.ijg.org/) -- libxslt the XSLT C library developed for the GNOME project and used for XML transformations is
http://www.opensource.org/licenses/mit-license.html. -- PCRE Perl regular expression compiler, copyrighted and
http://www.pcre.org/license.txt. -- BIND Balanced Binary Tree Library
http://www.isc.org) -- Free BSD
http://net-snmp.sourceforge.net/about/license.html. -- NTP version 4.2 developed
http://www.openldap.org/software/release/license.html. Secure shell OpenSSH developed by
http://www.openbsd.org/cgi-
http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to connect to a
http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software object-relational
http://www.postgresql.org/about/licence. -- 21.vixie-cron is the Vixie
http://www.jacorb.org/lgpl.html. Copyright © 2006 The JacORB Project. -- TAO (The ACE ORB)
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. --
4
http://www.cs.fsu.edu/~engelen/license.html. -- Windows Template Library (WTL) is used for developing user interface components and is distributed
under the Common Public License v1.0 found at
automate a variety of maintenance functions and is provided under the Perl Artistic License, found at
http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical interface library for EFI, including image rendering, text
rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights
reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public
License (LGPL) found at
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at
available at
available at
available at
common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common
Standard Template Library functions and data structures and is distributed under the MIT License found at
license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers (protobuf), Google's data interchange
format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at
license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a
http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to
http://developer.yahoo.com/yui/license.html. --
http://www.opensource.org/licenses/mit-
http://www.opensource.org/licenses/bsd-
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by
utilizing any associated PGP command or code provided by to you by PGP at its sole discretion to interact with the Unsupported Third Party Product
("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party
Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with
Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY
WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET
ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE
UNSUPPORTED THIRD PARTY PRODUCT.
Contents
Introduction 3
About PGP NetShare 3
About PGP NetShare Command Line 4
Audience 4
System Requirements 4
Installing and Uninstalling 4
Upgrading to Version 10.1 5
The Command-Line Interface 7
Overview 7
Scripting 8
Editing the Path on a System 8
Configuration File 9
Environment Variables 10
Creating Environment Variables 11
Passphrases 12
XML Output 12
Searching for Keys on Remote Servers 13
Commands 15
--version 16
--help (-h) 17
--encrypt (-e) 17
--decrypt 20
--reencrypt (-r) 21
--reencrypt-full 23
--reencrypt-delta 25
--reencrypt-clone 27
--list (-l) 28
--list-xml 29
--verify (-v) 29
--lock-all 30
--unlock 30
--set-driver 31
--get-driver 32
Options 33
--recipient (-r) 35
--recipient-owner 35
--recipient-operator 35
i
PGP NetShare Command Line Contents
--recipient-remove 35
--recipient-xml 36
--group (-g) 36
--group-operator 37
--signer (s) 37
--signer-passphrase 37
--signer-passphrase-fd 37
--passphrase (-p) 38
--passphrase-fd 38
--adk 39
--public-keyring 39
--private-keyring 39
--universal-server 40
--auth-username 40
--auth-passphrase 40
--auth-passphrase-fd 41
--input (-i) 41
--output (-o) 41
--output-file 41
--home-dir 42
Flags 43
--verbose 43
--remote 44
--force 44
--halt-on-error 44
--local-mode 44
--preserve 45
--quiet 45
Quick Reference 47
Commands 47
Options 48
Flags 48
ii
1
Introduction
This User's Guide tells you how to use the PGP NetShare Command Line
application.
In This Chapter
About PGP NetShare ................................................................................. 3
About PGP NetShare Command Line ....................................................... 4
Audience.................................................................................................... 4
System Requirements ............................................................................... 4
Installing and Uninstalling .......................................................................... 4
Upgrading to Version 10.1......................................................................... 5
About PGP NetShare
PGP NetShare is a software product that lets a defined set of users access files
in a shared, protected space (such as on a corporate file server, in a shared
folder, or even removable media such as a thumb drive).
The files are protected by encryption, but continue to appear (to the users who
have access rights) as normal application files. Anyone without access rights to
the files, but who can access the shared space, can see the files but does not
have access to the content.
PGP NetShare can be purchased as a standalone product, as one product
among several products for example, PGP Desktop Email or PGP Whole Disk
Encryption), or as part of PGP Desktop.
For more information about PGP NetShare, see the:
PGP Desktop User's Guide
PGP NetShare Quick Start Guide
PGP NetShare Data Sheet
3
PGP NetShare Command Line Introduction
About PGP NetShare Command Line
PGP NetShare Command Line gives you access to PGP NetShare functionality
using a command-line interface.
Accessing PGP NetShare Command Line functions from the command line is
useful for scripting PGP NetShare functions, troubleshooting problems, or if the
graphical user interface is not available.
Note: Not all PGP NetShare functions are available via the command line.
PGP NetShare Command Line is always in one of two operation modes:
desktop. PGP Desktop is also installed on the system.
standalone. PGP Desktop is not installed on the same system.
Run the
--version command to see what operation mode PGP NetShare
Command Line is in.
When you run the
that are available in the current operation mode are displayed.
Audience
This User's Guide is for anyone who is going to be using PGP NetShare
Command Line to perform PGP NetShare functions from the command line.
It assumes you are familiar with using PGP NetShare via the graphical user
interface in the standalone product or as part of PGP Desktop.
System Requirements
The system requirements for PGP NetShare Command Line are the same as for
PGP NetShare itself; if PGP NetShare (standalone or as part of PGP Desktop)
installs on a system, PGP NetShare Command Line (pgpnetshare.exe) will also
install and be usable.
--help command, only those commands, options, and flags
Installing and Uninstalling
PGP NetShare Command Line (pgpnetshare.exe) is installed automatically when
PGP NetShare is installed on a system.
4
PGP NetShare Command Line Introduction
The default location for either installation is: C:\Program Files\PGP
Corporation\PGP Desktop\pgpnetshare.exe
.
To uninstall PGP NetShare Command Line, simply uninstall PGP NetShare or
PGP Desktop.
Upgrading to Version 10.1
Changes were made to PGP NetShare Command Line in Version 10.1, resulting
in some commands, options, and flags from previous versions being removed.
If you scripted previous versions of PGP NetShare Command Line, make sure
to check your scripts to ensure that they do not reference commands, options,
or flags that are no longer in the product.
5
The Command-Line
2
Interface
This section describes the command-line interface of PGP NetShare Command
Line.
In This Chapter
Overview ................................................................................................... 7
Scripting..................................................................................................... 8
Editing the Path on a System .................................................................... 8
Configuration File....................................................................................... 9
Environment Variables............................................................................. 10
Passphrases............................................................................................. 12
XML Output............................................................................................. 12
Searching for Keys on Remote Servers .................................................. 13
Overview
PGP NetShare Command Line uses a command-line interface. You enter a valid
command at the command prompt and press
Line responds appropriately based on what you entered (if you entered a valid
command) or with an error message (if you entered an invalid or incorrectly
structured command).
All PGP NetShare Command Line commands have a
"pgpnetshare", a space, two hyphens "
For example:
C:\>pgpnetshare --help [Enter]
is the command to display the built-in help information.
(The command prompt, C:\>, and [Enter] will no longer be shown in examples.)
A few commands also have a
that substitutes for the command name. For example:
pgpnetshare -h
is the short form of the command to access help.
short form: one hyphen and then a single letter
7
--", and then the command name.
Enter. PGP NetShare Command
long form: the text
PGP NetShare Command Line The Command-Line Interface
Scripting
Short forms of commands are noted where appropriate.
PGP NetShare Command Line commands can easily be inserted into scripts for
automating common tasks, such as creating a Protected Folder, re-encrypting a
Protected Folder, or verifying files and folders in a Protected Folder.
PGP NetShare Command Line commands can easily be added to scripts written
with scripting languages such as Perl or Python.
Editing the Path on a System
By default, the PGP NetShare Command Line application, pgpnetshare.exe, is
installed in C:\Program Files\PGP Corporation\PGP Desktop\.
To use PGP NetShare Command Line using the Windows Command Prompt
application, you need to navigate to the PGP NetShare Command Line directory
to execute commands (or the commands will fail).
If you wish to be able to execute PGP NetShare Command Line commands
from any location when using Windows Command Prompt, you need to change
the path on the system to include the location of the PGP NetShare Command
Line application.
To add the PGP NetShare Command Line application to your path on a
Windows 7 or Vista system:
1 On the Windows desktop, right click the
Computer icon, then select
Properties.
2 On the left side of the
System Settings
System Control Panel screen, click Advanced
.
3 If you are prompted for permission to continue, click Continue.
4 At the bottom of the System Properties screen, click Environment
Variables
5 In the
Variables
6 At the end of the existing
.
System Variables section at the bottom of the Environment
screen, select Path, then click Edit.
Variable value line, enter a semicolon (;), then
add the path to the PGP NetShare Command Line application
7 Click OK to save the change, then close the windows you opened.
8
PGP NetShare Command Line The Command-Line Interface
To add the PGP NetShare Command Line application to your path on a
Windows XP or 2000 system:
1 On the Windows desktop, right click the
2 On the
3 At the bottom of the
4 In the
5 At the end of the existing Variable value line, enter a semicolon (;), then
6 Click
Configuration File
The PGP NetShare Command Line configuration file holds settings that affect
how PGP NetShare Command Line works.
The PGP NetShare Command Line configuration file (PGPprefs.xml) cannot be
changed by PGP NetShare Command Line itself: any changes need to be edited
manually.
The PGP NetShare Command Line configuration file is located:
My Computer icon, then select
Properties.
System Properties dialog, click the Advanced tab.
Advanced tab, click Environment Variables.
System Variables section at the bottom of the Environment
Variables
screen, select Path, then click Edit.
add the path to the PGP NetShare Command Line application.
OK to save the change, then close the windows you opened.
Windows XP:
Data\PGP Corporation\PGP\
C:\Documents and Settings\[Local User]\Application
.
Windows 7 and Vista: C:\Users\[Local User]\AppData\Roaming\PGP
Corporation\PGP\
.
Note: Configuration file settings in PGPprefs.xml are shared among all PGP
Corporation applications on the system.
Configuration file settings you can use with PGP NetShare Command Line are:
Output File (CLoutputFile). Specifies the output file (default is not set in
the configuration file; defaults to stdout). The output file is used for output
messages. See
Private keyring file (privateKeyringFile). The filename or path and
filename to the private keyring file. The default is
the default PGP NetShare Command Line home directory. See
keyring
for more information.
--output-file for more information.
secring.skr, located in
--private-
Public keyring file (publicKeyringFile). The filename or path and
filename to the public keyring file. The default is
the default PGP NetShare Command Line home directory. See
keyring
for more information.
9
pubring.pkr, located in
--public-
PGP NetShare Command Line The Command-Line Interface
Keyservers (keyservers). Specifies the keyserver(s) to be searched for
keys.
Always encrypt to keys (alwaysEncryptToKeys). Specifies keys that
should always be added implicitly when encrypting and re-encrypting.
Configured Universal Server (adminGroupServer). Specifies the PGP
Universal Server used for activity logging, key and Active Directory group
queries. Only available in configured installs with PGP Desktop.
Enrollment Cookie (adminConfigCookie). Authenticates the user
against a PGP Universal Server for an operation. Only available in
configured installs with PGP Desktop.
Location Blacklist (blackListContent, enableBlackList). Entries
in the Blacklist specify those locations that should never be encrypted by
PGP NetShare Command Line.
Organization ADK (ADKKeyID, useADK). Specifies the centralized
organization ADK (Additional Decryption Key). Usually only available in
configured installs with PGP Desktop.
Policy ADK (policyADK, usePolicyADK). Specifies a policy-specific
ADK. Usually only available in configured installs with PGP Desktop.
Manage Individual Files (allowAdvancedUserMode). Controls whether
the user is allowed to manage (encrypt, decrypt, or re-encrypt) single files,
as opposed to folders that might contain files.
Environment Variables
PGP NetShare Command Line behavior can be changed using environment
variables.
Environment variables have the lowest priority compared to the command line
and the configuration file. Settings for either will override environment variables.
However, if a value for an item is not specified on the command line or in the
configuration file, the environment variable will be used. Environment variables
cannot be disabled; if they are present, they are implemented. To disable an
environment variable, remove it. Setting a Boolean environment variable will
activate it, regardless of the value to which it is set.
Environment variables that can be implemented for PGP NetShare Command
Line are:
PGP_LOCAL_MODE. This is a Boolean environment variable that forces
PGP NetShare Command Line to run in local mode. The default is unset.
--local-mode for more information.
See
Usage:
PGP_LOCAL_MODE=1
10
PGP NetShare Command Line The Command-Line Interface
PGP_HOME_DIR. This is a string environment variable that overrides the
default home directory, pointing it to the path supplied in the variable. The
default is unset. See
--home-dir for more information.
Usage:
PGP_HOME_DIR=C:\Documents and Settings\<current
user>\Application Data\PGP Corporation\PGP\
PGP_PASSPHRASE. This is a string environment variable that lets you set
your passphrase. The default is unset. See
information.
Usage:
PGP_PASSPHRASE="1Killer*Whale"
Creating Environment Variables
PGP NetShare Command Line lets you create environment variables to control
certain behaviors.
To create
1 Right click the
2 On the System window, click on Advanced system settings in the left
pane.
3 On the
click on
4 In the
New.
an environment variable on a Windows 7 system:
System Properties window, select the Advanced tab and then
Environment Variables near the bottom of the window.
User Variables section of the Environment Variables screen, click
--passphrase for more
Computer icon on your desktop and choose Properties.
5 In the Variable name field, enter a name for the variable you are creating.
For example, if you were setting the PGP_HOME_DIR environment
variable, you would enter:
PGP_HOME_DIR
6 In the Variable value field, enter a value appropriate for the variable you
are creating.
For example, if you were setting the PGP_HOME_DIR environment
variable, you could enter:
C:\PGP\PGPhomedir\
7 Click OK.
The Environment Variables screen reappears. The environment variable
you created displays in the
User variables list.
8 Click OK.
9 On the System Properties window, click Apply then click OK.
10 Close the
System window.
11
PGP NetShare Command Line The Command-Line Interface
Passphrases
For consistency, all example passphrases in this guide are shown in single
quotation marks ('). Putting passphrases between single quotation marks
ensures that reserved characters and spaces are interpreted correctly when
entered on the command line.
If you do not use any reserved characters or spaces in your passphrases, then
you do not have to enclose them in single quotation marks.
On Windows systems, if you have a space in a passphrase, you must enclose
the passphrase in single or double quotation marks when you enter it on the
command line. Also, double quotation marks (") as part of the passphrase must
be escaped with a preceding double quotation mark.
For example, if you want to use
Thomas "Stonewall" Jackson
as your passphrase, you would have to enter it as
'Thomas ""Stonewall"" Jackson'
on the command line. You need the quotation marks at the beginning and end
for the spaces and you need to escape each double quotation mark used in the
passphrase with another double quotation mark.
XML Output
Note: If you are having problems entering certain characters in your
passphrases, check the information about how to handle reserved characters
for the operating system or shell interpreter you are using.
PGP NetShare Command Line gives you the option to save some output in XML
format.
If you desire properly formatted XML output, do not copy the XML output from
the console window and then paste it; this could introduce extraneous newline
characters into the output.
Instead, use either of these two methods:
Use the
--output-file option.
pgpnetshare --list-xml <XMLcontent> output-file
'c:\acllist-xml'
Pipe the output directly to a file: pgpnetshare --list-xml
<XMLcontent> > 'c:\acllist-xml'
12
PGP NetShare Command Line The Command-Line Interface
Searching for Keys on Remote Servers
By default, PGP NetShare Command Line searches for keys on the local
system.
If you want PGP NetShare Command Line to search for keys on a remote
keyserver, a PGP Universal Server for example, you must explicitly tell it to
search there.
There are two commands to search for keys on a remote keyserver:
--universal-server searches for keys on the specified PGP Universal
Server.
--remote searches for keys on the specified keyserver.
13
3
Commands
This section describes PGP NetShare Command Line commands:
--version, which displays PGP NetShare Command Line version
information.
--help, which provides a brief description of the commands and options
available in PGP NetShare Command Line.
--encrypt, which creates a Protected Folder and specifies who can
access the files.
--decrypt, which decrypts an existing Protected Folder and the files in it.
--reencrypt, which modifies who can access files in a Protected Folder.
--reencrypt-full, which modifies who can access files in a Protected
Folder and reencrypts the files.
--reencrypt-delta, which reencrypts files and folders in delta mode.
--reencrypt-clone, which reencrypts files and folders in clone mode.
--list, which lists the file or folder access control list (ACL).
--list-xml, which lists the file or folder ACL in XML format.
--verify, which displays information about the specified protected file or
directory.
--lock-all, which clears symmetric keys cached by PGP NetShare
Command Line
--unlock, which unlocks a file or folder.
--set-driver, which sets the state of the PGP NetShare Command Line
driver, active or passive.
--get-driver, which displays the current state of the PGP NetShare
Command Line driver, active or passive.
15
PGP NetShare Command Line Commands
In This Chapter
--version ................................................................................................... 16
--help (-h) .................................................................................................. 17
--encrypt (-e)............................................................................................. 17
--decrypt................................................................................................... 20
--reencrypt (-r) .......................................................................................... 21
--reencrypt-full.......................................................................................... 23
--reencrypt-delta....................................................................................... 25
--reencrypt-clone...................................................................................... 27
--list (-l) ..................................................................................................... 28
--list-xml ................................................................................................... 29
--verify (-v) ................................................................................................ 29
--lock-all.................................................................................................... 30
--unlock .................................................................................................... 30
--set-driver................................................................................................ 31
--get-driver................................................................................................ 32
--version
The --version command displays information about the version of PGP
NetShare Command Line you are using, including the current operation mode:
desktop or standalone.
The usage format is:
pgpnetshare --version [options]
Where:
[options] let you modify the command. Options are:
--verbose, which displays additional information about the operation.
Examples:
pgpnetshare --version
PGP NetShare Command Line responds with version information in the
format:
PGP NetShare Command Line version 10.1.0 (Build 999),
mode(desktop)
16
PGP NetShare Command Line Commands
--help (-h)
The --help command provides a brief description of the commands, options,
and flags available in PGP NetShare Command Line.
Only the commands, options, and flags that are available for the current
operation mode (desktop or standalone) are displayed when you run
The long form is:
pgpnetshare --help
The short form is:
pgpnetshare -h
The response to either version of the --help command is:
Usage: PGP NetShare
[Commands]
--version Show application version information.
--help.
--encrypt (-e)
-h --help Print out help about this application.
and so on.
The --encrypt command encrypts a specified file or directory and specifies
who can access the files. Use
--encrypt for the initial creation of a shared
space protected by PGP encryption, called a Protected Folder.
If you specify a directory to be encrypted, all files and directories under that
directory are recursively encrypted; do not specify any files or directories under
the directory you specify. Directories are marked as Protected Folders and files
in those zones are protected.
You must designate the users who can access the files in the Protected Folder
using the key IDs of their PGP keys. The key ID of a PGP key in PGP NetShare
or PGP Desktop is shown on the Key Properties screen for the key. To find a
key ID, go to the PGP Keys control box, select All Keys, right click on the key
whose key ID you want to know, select Key Properties, then find the ID field on
the Key Properties screen. You do not need to enter the leading
0x of the key
ID.
To specify multiple users or groups who can access the files in the Protected
Folder, use the
--recipient command once for each user or the --group
command once for each group.
17
PGP NetShare Command Line Commands
If you specify a recipient who is required to use an ADK, that recipient and the
ADK user will both appear on the access control list (ACL); meaning both will
have cryptographic access to the protected files.
The usage format is:
pgpnetshare --encrypt <input> [input2 ...] --recipient
<user> --group <group_name> --signer <signer>
--passphrase <phrase> --public-keyring <pubring>
--private-keyring <priring> --output <target>
--universal-server <server> --adk <adkkey> --outputfile <logoutput> [ --halt-on-error --local-mode
--remote --preserve --verbose ]
Where:
--encrypt is the command specifying that a Protected Folder be
created.
<input> is the directory or file to be encrypted. You can list multiple
directories or files if desired.
--recipient is the option specifying that the listed users are to be
part of the ACL being created for the Protected Folder being created.
The ACL lists those users who have cryptographic access to the files
in the Protected Folder.
<user> is the key ID of a PGP key (EFDDCE3C, for example) on the
system on which you are running PGP NetShare Command Line. These
can be either the keypairs or the public keys of the users who will be
added to the ACL. If you specify a public key, those users must have
the corresponding private key on their system when they attempt to
access files in the Protected Folder.
--signer is the option specifying the user on the local system
whose private key will be used to sign the files in the Protected
Folder.
<signer> is the key ID of the PGP keypair whose private key will be
used to sign the files in the Protected Folder. This user must have a
private key on the local system. This user does not have to be listed as
a recipient, meaning this user does not have to be someone who can
access the files in the Protected Folder once it is created.
--passphrase is the option specifying the passphrase of the private
key being used to sign the files in the Protected Folder being created.
<phrase> is the actual passphrase of the private key being used to
sign the files in the Protected Folder.
--group is the option specifying that you want the members of an
Active Directory group to be able to access the files in the Protected
Folder being created. You are not required to use this option.
<group_name> is the name of an Active Directory group that includes
the users you want to be able to access the files in the Protected
Folder.
18
PGP NetShare Command Line Commands
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
--output is the option specifying a target location to be used for an
operation.
<target> is the path to the target location.
--universal-server is the option specifying that a PGP Universal
Server be used for an operation.
<server> is the specific PGP Universal Server to use.
--adk is the option specifying that an Additional Decryption Key
(ADK) be used for an operation.
<adkkey> is the key ID of the ADK to be used.
--output-file is the option specifying that messages be written to
a log file for an operation.
<logoutput> is the path to the log file.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--remote, which searches for keys on a remote keyserver.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
Example:
pgpnetshare --encrypt C:\Projects\HR\ProjectX
--recipient EFDDCE3C --recipient CCB81F3C --recipient
C092007E --signer EFDDCE3C --passphrase '1Killer*Whale'
In this example, the folder "ProjectX" is being turned into a Protected
Folder; all files and folders in that folder will be protected using encryption
by PGP NetShare. Three users are on the ACL; meaning only they will be
able to access the files, Alice Cameron (
CCB81F3C), and Ming Pa (C092007E). Alice Cameron's private key, which
(
EFDDCE3C), Jose Medina
is on the local system, is being used to sign the files in the Protected
Folder, and the passphrase to her key is provided.
19
PGP NetShare Command Line Commands
pgpnetshare --encrypt C:\Projects\HR\ProjectX --group
HR4 --signer EFDDCE3C --passphrase '1Killer*Whale'
In this example, the folder "ProjectX" is being turned into a Protected
Folder; all files and folders in that folder will be protected using encryption
by PGP NetShare. The users in the Active Directory group HR4 will be
added to the ACL, meaning only those users will have cryptographic
access to the files in the Protected Folder. The private key of Alice
Cameron (
EFDDCE3C), which is on the local system and who is in the
specified Active Directory group, is being used to sign the files in the
Protected Folder, and the passphrase to her key is provided.
--decrypt
The --decrypt command decrypts the specified files or directories. The short
form is -d.
Using this command takes a Protected Folder or files and removes PGP
NetShare encryption from it. Use this command when you no longer need the
Protected Folder. All files and folders in the subfolder will be decrypted.
If you specify a directory to be decrypted, all files and directories under the
target directory are recursively decrypted. If you specify a directory, do not
specify any files or directories under the directory you specify.
The usage format is:
pgpnetshare --decrypt <input> [input2 ...] --passphrase
<phrase> --public-keyring <pubring> --private-keyring
<priring> --output <target> [ --halt-on-error --localmode --preserve --verbose --force ]
Where:
--decrypt is the command specifying that the files/folders in the
Protected Folder be decrypted.
<input> is the files or directories to be decrypted.
--passphrase is the option specifying that the passphrase of the
private key used to sign the files in the Protected Folder needs to be
used.
<phrase> is the actual passphrase of the private key used to sign the
files in the Protected Folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
20
PGP NetShare Command Line Commands
--output is the option specifying a target location to be used for an
operation.
<target> is the path to the target location.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
--force, which searches for keys on a remote keyserver.
Examples:
pgpnetshare --decrypt C:\Projects\HR\ProjectX\
--passphrase '1Killer*Whale'
In this example, the folder "ProjectX" is being decrypted; all files and folders
in that folder will no longer be protected as part of a Protected Folder. The
passphrase to the private key on the local system being used to sign the
files is provided.
--reencrypt (-r)
The --reencrypt command creates a new ACL from scratch that replaces an
existing ACL. Files and folders that are no currently protected will be encrypted
using the new ACL. The short form is
-r.
--reencrypt changes the metadata of already encrypted files but does not re-
encrypt the encrypted data.
This allows you to easily modify who can access the files in the Protected
Folder without having to reencrypt the files themselves, which is a longer
process and not necessary if you are simply changing access rights.
The usage format is:
pgpnetshare --reencrypt <input> [input2 ...]
--recipient <user> [-recipient <user> ...] --group
<group> --signer <signer> --passphrase <phrase>
--public-keyring <pubring> --private-keyring <priring>
--output <target> --universal-server <server> --adk
<adkkey> [ --halt-on-error --local-mode --remote
-- preserve --verbose ]
Where:
--reencrypt is the command specifying that the ACL is going to
change and then be reencrypted.
21
PGP NetShare Command Line Commands
<input> is the files or directories affected by the --reencrypt
command.
--recipient is the option specifying that the listed users are to be
added to the ACL, giving them cryptographic access to the files in the
Protected Folder.
<user> is the key ID of a PGP key (EFDDCE3C, for example) on the
local system that you are adding to the ACL.
--group is the option specifying that you want the members of the
listed Active Directory group to be able to access the files in the
Protected Folder. You are not required to use this option.
<group> is the name of an Active Directory group that includes the
users you want to be able to access the files in the Protected Folder.
--signer is the option specifying the user on the local system
whose private key will be used to sign the files in the Protected
Folder.
<signer> is the key ID of the PGP key whose private key will be used
to sign the files in the Protected Folder. This user must have a private
key on the local system.
--passphrase is the option specifying the passphrase of the private
key being used to sign the files in the Protected Folder being created.
<phrase> is the actual passphrase of the private key being used to
sign the files in the Protected Folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
--output is the option specifying a target location to be used for an
operation.
<target> is the path to the target location.
--universal-server is the option specifying that a PGP Universal
Server be used for an operation.
<server> is the specific PGP Universal Server to use.
--adk is the option specifying that an Additional Decryption Key
(ADK) be used for an operation.
<adkkey> is the key ID of the ADK to be used.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
22
PGP NetShare Command Line Commands
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--remote, which searches for keys on a remote keyserver.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
Example:
pgpnetshare --reencrypt C:\Projects\HR\ProjectX -r
ABCD1234 -r EFGH5678 --signer EFDDCE3C --passphrase
'1Killer*Whale'
In this example, an existing Protected Folder (C:\Projects\HR\ProjectX) is
having two additional users added (the users whose PGP key IDs are
ABCD1234 EFGH5678). The key ID of a private key that was already on the
ACL (EFDDCE3C) is being used to sign the files in the Protected Folder,
and the passphrase to that key is provided.
--reencrypt-full
The --reencrypt-full command creates a new ACL from scratch that
replaces an existing ACL
and reencrypts both the ACL and the encrypted files
themselves. This allows you to modify who can access the files in the
Protected Folder and reencrypt the files themselves at the same time.
Note: PGP Corporation recommends using the --reencrypt-full
command whenever you remove a user or group from the ACL or whenever
you are refreshing the ACL when users have been removed from a group.
This strengthens the security of your PGP NetShare files.
The usage format is:
pgpnetshare --reencrypt-full <input> [input2 ...]
--recipient <user> [-recipient <user> ...] --group
<group> --signer <signer> --passphrase <phrase>
--public-keyring <pubring> --private-keyring <priring>
--output <target> --universal-server <server> --adk
<adkkey> [ --halt-on-error --local-mode --remote
-- preserve --verbose ]
Where:
--reencrypt-full is the command specifying that the ACL is
going to change and then be reencrypted and that the files in the
Protected folder are to be reencrypted.
<input> is the files or directories affected by the --reencrypt-full
command.
23
PGP NetShare Command Line Commands
--recipient is the option specifying that the listed users are to be
added to the ACL, giving them cryptographic access to the files in the
Protected Folder.
<user> is the key ID of a PGP key (EFDDCE3C, for example) on the
local system that you are adding to the ACL.
--signer is the option specifying the user on the local system
whose private key will be used to sign the files in the Protected
Folder.
<signer> is the key ID of the PGP key whose private key will be used
to sign the files in the Protected Folder. This user must have a private
key on the local system.
--passphrase is the option specifying the passphrase of the private
key being used to sign the files in the Protected Folder being created.
<phrase> is the actual passphrase of the private key being used to
sign the files in the Protected Folder.
--group is the option specifying that you want the members of the
listed Active Directory group to be able to access the files in the
Protected Folder. You are not required to use this option.
<group> is the name of an Active Directory group that includes the
users you want to be able to access the files in the Protected Folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
--output is the option specifying a target location to be used for an
operation.
<target> is the path to the target location.
--universal-server is the option specifying that a PGP Universal
Server be used for an operation.
<server> is the specific PGP Universal Server to use.
--adk is the option specifying that an Additional Decryption Key
(ADK) be used for an operation.
<adkkey> is the key ID of the ADK to be used.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
24
PGP NetShare Command Line Commands
--remote, which searches for keys on a remote keyserver.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
Example:
pgpnetshare --reencrypt-full C:\Projects\HR\ProjectX -r
CCB81F3C --signer EFDDCE3C --passphrase '1Killer*Whale'
In this example, an existing Protected Folder (C:\Projects\HR\ProjectX) is
having a user added to the ACL (the user whose PGP key ID is CCB81F3C).
Because a user not on the ACL added a file to the Protected Folder, the
--reencrypt-full command is being used so that all of the files in the
Protected Folder will be encrypted to a different underlying key. The key ID
of a private key that was already on the ACL (EFDDCE3C) is being used to
sign the files in the Protected Folder, and the passphrase to that key is
provided.
--reencrypt-delta
The --reencrypt-delta command allows specified recipients to be added or
removed from an existing ACL.
By default,
data; it re-encrypts the metadata. You can force it to re-encrypt the data using
--reencrypt-full as an option.
The usage format is:
Where:
--reencrypt-delta does not re-encrypt the already encrypted
pgpnetshare --reencrypt-delta <input> [input2 ...]
--recipient <user> [-recipient <user> ...] --group
<group> --signer <signer> --passphrase <phrase>
--public-keyring <pubring> --private-keyring <priring>
--universal-server <server> --adk <adkkey> [ --halt-onerror --local-mode --remote -- preserve --verbose ]
--reencrypt-delta is the command specifying that certain
recipients will be added to or removed from the ACL, which will then
be re-reencrypted.
<input> is the files or directories affected by the --reencrypt
command.
--recipient is the option specifying that the listed users are to be
added to the ACL, giving them cryptographic access to the files in the
Protected Folder.
<user> is the key ID of a PGP key (EFDDCE3C, for example) on the
local system that you are adding to the ACL.
25
PGP NetShare Command Line Commands
--group is the option specifying that you want the members of the
listed Active Directory group to be able to access the files in the
Protected Folder. You are not required to use this option.
<group> is the name of an Active Directory group that includes the
users you want to be able to access the files in the Protected Folder.
--signer is the option specifying the user on the local system
whose private key will be used to sign the files in the Protected
Folder.
<signer> is the key ID of the PGP key whose private key will be used
to sign the files in the Protected Folder. This user must have a private
key on the local system.
--passphrase is the option specifying the passphrase of the private
key being used to sign the files in the Protected Folder being created.
<phrase> is the actual passphrase of the private key being used to
sign the files in the Protected Folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
--universal-server is the option specifying that a PGP Universal
Server be used for an operation.
<server> is the specific PGP Universal Server to use.
--adk is the option specifying that an Additional Decryption Key
(ADK) be used for an operation.
<adkkey> is the key ID of the ADK to be used.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--remote, which searches for keys on a remote keyserver.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
26
PGP NetShare Command Line Commands
Example:
pgpnetshare --reencrypt-delta -r ABCD1234 --recipientremove EFGH5678
In this example, the user with PGP key ABCD1234 is being added to the
ACL, while the user with PGP key EFGH5678 is being removed.
--reencrypt-clone
The --reeencrypt-clone command consolidates a folder tree recursively
using an existing ACL as a template. Files and folders that are not encrypted will
be encrypted according to the template ACL.
--reencrypt-clone does not re-resolve keys, groups, or ADKs. The
signature is also retained, as the ACL does not change.
The usage format is:
pgpnetshare --reencrypt-clone <input> [input2 ...]
--passphrase <phrase> --public-keyring <pubring>
--private-keyring <priring> --output <target> [ --halton-error --local-mode -- preserve --verbose ]
Where:
--reencrypt-clone is the command specifying that the ACL is
going to change and then be reencrypted.
<input> is the files or directories affected by the --reencrypt
command.
--passphrase is the option specifying the passphrase of the private
key being used to sign the files in the Protected Folder being created.
<phrase> is the actual passphrase of the private key being used to
sign the files in the Protected Folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
--output is the option specifying a target location to be used for an
operation.
<target> is the path to the target location.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
27
PGP NetShare Command Line Commands
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--preserve, which preserves certain file attributes.
--verbose, which displays additional information about the operation
being performed.
Example:
pgpnetshare --reencrypt-clone -i source -p password -o
target --reencrypt-full
In this example, the target is consolidated using the ACL of source as a
template, and the data is fully re-encrypted by specifying the
--reencrypt-full command as an option.
--list (-l)
The --list command displays the current ACL of a file or folder. All keys (user
ID and key ID) and groups (including members) are displayed.
The short form is
-l.
The usage format is:
pgpnetshare --list <input> [input2 ...] --output-file
<logoutput>
Where:
--list is the command specifying that you want to display the
current ACL of the specified protected file or directory.
<input> is the file or directory to be listed.
Optional flags are:
--output-file is the option specifying that messages be written to
a log file for an operation.
<logoutput> is the path to the log file.
Example:
pgpnetshare --list C:\Projects\HR\ProjectX --outputfile C:\Projects\HR\Logs\ProjectX.txt
In this example, the protected directory "ProjectX" is being listed.
28
PGP NetShare Command Line Commands
--list-xml
The --list-xml command displays the current ACL of a file or folder, just like
--list command; the --list-xml command, however, outputs
the
information in XML format.
All keys (user ID and key ID) and groups (including members) are output.
The usage format is:
pgpnetshare --list-xml <input> [input2 ...] --outputfile <logoutput>
Where:
--list-xml is the command specifying that you want to display the
current ACL of the specified protected file or directory in XML format.
<input> is the file or directory to be listed.
Optional flags are:
--verify (-v)
--output-file is the option specifying that messages be written to
a log file for an operation.
<logoutput> is the path to the log file.
Example:
pgpnetshare --list-xml C:\Projects\HR\ProjectX
--output-file C:\Projects\HR\Logs\ProjectX.xml
In this example, the protected directory "ProjectX" is being listed, with the
output in XML format.
The --verify command recursively verifies the integrity of a folder tree.
It checks whether the existing ACL of files and folders is the same as the
folder's ACL where it started from. Files and folder with a different ACL are
displayed, as are unprotected files and folders.
The short version is
-v.
When a directory is specified, all files and directories under the specified
directory are recursively processed. Do not specify any files or directories under
the specified directory on the command line.
The usage format is:
pgpnetshare --verify <input> [input2 ...] --halt-onerror --output-file --verbose
29
PGP NetShare Command Line Commands
Where:
--verify is the command specifying that you want to display
information about the specified protected file or directory.
<input> is the file or directory to be verified.
Optional flags are:
--halt-on-error, which stops operation if an error occurs.
--output-file, which specifies a file to which you can output
log information.
--verbose, which displays additional information about the
operation.
Example:
pgpnetshare --verify C:\Projects\HR\ProjectX --halt-onerror
In this example, the protected directory "ProjectX" is being verified. The
process will stop if it encounters a file or folder with a different ACL.
--lock-all
--unlock
The --lock-all command clears symmetric keys cached by PGP NetShare
Command Line. It does not clear cached private keys, which can be used to
gain access to "locked" files.
--lock-all is only available in desktop mode.
The usage format is:
pgpnetshare --lock-all
Where:
--lock-all is the command to lock all PGP NetShare-protected files and
directories.
Example:
pgpnetshare --lock-all
Locks all PGP NetShare-protected files and directories.
The --unlock command prepares access to files/folders such that a later
access will not trigger an unlock dialog.
--unlock is only available in desktop mode.
30
PGP NetShare Command Line Commands
This command can be used to unlock folders if no one is physically present to
enter the necessary passphrase; this allows files dropped into a now unlocked
folder to be transparently encrypted/decrypted.
The usage format is:
pgpnetshare --unlock <input> --public-keyring <pubring>
--private-keyring <priring> [input2 ...] --passphrase
<phrase> [ --local-mode ]
Where:
--unlock is the command specifying that you want to unlock the
specified locked folder.
<input> is the file or folder to be unlocked.
--passphrase is the option specifying the passphrase of the private
key that signed the locked folder.
<phrase> is the actual passphrase of the private key used to sign the
folder.
--public-keyring is the option specifying that a public keyring file
should be used for an operation
--set-driver
<pubring> is the filename of the public keyring file.
--private-keyring is the option specifying that private keyring file
should be used for an operation.
<priring> is the filename of the private keyring file.
Optional flags are:
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
Example:
pgpnetshare --unlock C:\Projects\HR\ProjectX
--passphrase '1Killer*Whale'
In this example, the locked folder "ProjectX" is being unlocked. The files in
this folder are signed by the private key whose passphrase is provided.
The --set-driver command sets the state of the PGP NetShare driver on
the local system.
The default setting is active, which is appropriate for almost all cases.
Only
change this state on the command line if you fully understand how it will
affect PGP NetShare Command Line operation.
31
PGP NetShare Command Line Commands
There are two options:
active: PGP NetShare is operating normally, the default setting.
passive: Most PGP NetShare background functionality is disabled; this
setting is useful if you want to disable most PGP NetShare functionality
without affecting other PGP services on the local system. The files in the
Protected Folder remain protected by PGP NetShare encryption, but no one
can open, edit, or save them.
while the driver is set to passive, those files will not be protected.
If new files are added to a Protected Folder
The usage format is:
pgpnetshare --set-driver <state>
Where:
--set-driver is the command specifying that the driver state is to
be set.
<state> is the option specifying the desired state for the driver: active
passive.
or
Example:
--get-driver
pgpnetshare --set-driver active
Sets the PGP NetShare driver to an active state.
The --get-driver command shows the PGP NetShare Command Line driver
state: active or passive.
--get-driver is only available in desktop mode.
Example:
pgpnetshare --get-driver
The current driver state is [active].
This example shows the results of the --get-driver command on a
system where the driver is active.
32
4
Options
This section describes all PGP NetShare Command Line options:
--recipient, which specifies a recipient to use for an operation.
--recipient-owner, which specifies an administrator recipient for an
operation.
--recipient-operator, which specifies a group administrator recipient
for an operation.
--recipient-remove, which specifies a recipient to be removed.
--recipient-xml, which specifies a list of recipients in XML format.
--group, which specifies the name of an Active Directory group.
--group-operator, which specifies an Active Directory group by a group
administrator.
--signer, which specifies the PGP key ID to which protected files are
encrypted.
--signer-passphrase, which specifies the passphrase of a signer.
--signer-passphrase-fd, which specifies the passphrase of a signer
from a file descriptor.
--passphrase, which specifies the passphrase to use for an operation.
--passphrase-fd, which reads --passphrase from a file descriptor.
--public-keyring, which specifies the location of the public keyring
file.
--private-keyring, which specifies the location of the private keyring
file.
--universal-server, which specifies a PGP Universal Server.
--auth-username, which specifies a username on a PGP Universal
Server.
--auth-passphrase, which specifies the passphrase of a user on a PGP
Universal Server.
--auth-passphrase-fd, which specifies the passphrase of a user on a
PGP Universal Server from a file descriptor.
--input, which specifies an explicit input or source to use for an
operation.
33
PGP NetShare Command Line Options
--output, which specifies an explicit output or target to use for an
operation.
--output-file, which specifies a file to which you can output log
information.
--home-dir, which specifies the location of the home directory.
The descriptions of some PGP NetShare Command Line options mention that
they are "secure," as in "This option is not secure" or "--auth-passphrase is
secure". In this context, "secure" means that the option’s argument is saved in
non-pageable memory (when that option is available to applications). Options
that are not "secure" are saved in normal system memory.
-
In This Chapter
--recipient (-r)............................................................................................ 35
--recipient-owner...................................................................................... 35
--recipient-operator .................................................................................. 35
--recipient-remove.................................................................................... 35
--recipient-xml .......................................................................................... 36
--group (-g)................................................................................................ 36
--group-operator ....................................................................................... 37
--signer (s) ................................................................................................ 37
--signer-passphrase.................................................................................. 37
--signer-passphrase-fd ............................................................................. 37
--passphrase (-p) ...................................................................................... 38
--passphrase-fd ........................................................................................ 38
--adk ......................................................................................................... 39
--public-keyring......................................................................................... 39
--private-keyring ....................................................................................... 39
--universal-server...................................................................................... 40
--auth-username....................................................................................... 40
--auth-passphrase .................................................................................... 40
--auth-passphrase-fd ................................................................................ 41
--input (-i) .................................................................................................. 41
--output (-o) .............................................................................................. 41
--output-file............................................................................................... 41
--home-dir................................................................................................. 42
34
PGP NetShare Command Line Options
--recipient (-r)
Specifies a recipient for the current operation. The short form is -r.
To specify multiple users who can access the files in the Protected Folder, use
--recipient command once for each user.
the
--recipient accepts a single key or key collection as an argument.
The default is not set. This option is not secure.
Example:
pgpnetshare --encrypt C:\Projects\HR\ProjectX --recipient
EFDDCE3C --recipient CCB81F3C --recipient C092007E
EFDDCE3C --passphrase '1Killer*Whale'
In this example, three recipients are specified: EFDDCE3C, CCB81F3C, and
C092007E. These are the three users who will be on the Access Control
List, meaning they will have cryptographic access to the files in the
Protected Folder being created.
--signer
--recipient-owner
Specifies a PGP NetShare administrator as the recipient for the current
operation.
--recipient-owner accepts a single key or key collection as an argument.
The default is not set. This option is not secure.
--recipient-operator
Specifies a PGP NetShare group administrator as the recipient for the current
operation.
--recipient-operator accepts a single key or key collection as an
argument.
The default is not set. This option is not secure.
--recipient-remove
Used with the --reencrypt-delta command, removes a specific key or
group from an ACL.
35
PGP NetShare Command Line Options
--recipient-remove does not support a key collection as an argument.
--recipient-xml
Specifies an XML-formatted file that contains a list of recipients for the current
operation.
--recipient-xml cannot be mixed with other recipient options.
The syntax for a recipient in an XML-formatted file is:
<recipient>
<type>key</type>
<role>owner</role>
<keyid>0x12345678</keyid>
<name>test1 'test1@example.com'</name>
</recipient>
--group (-g)
Where:
Type can be one of
key, adk, or group. If none is specified, key is used.
Role can be one of owner, operator, or user. If none is specified, user
is used.
Specifies an Active Directory group whose users will be added to the ACL of
the Protected Folder. The short form is
-g.
To specify multiple groups who can access the files in the Protected Folder, use
--group command once for each group.
the
The default is not set. This option is not secure.
Example:
pgpnetshare --encrypt C:\Projects\HR\ProjectX --group HR4
--group HR7 --signer EFD DCE3C --passphrase
'1Killer*Whale'
In this example, the folder "ProjectX" is being turned into a Protected
Folder. The users in Active Directory groups HR4 and HR7 will be added to
the ACL, meaning only those users will have cryptographic access to the
files in the Protected Folder.
36
PGP NetShare Command Line Options
--group-operator
Specifies the PGP NetShare administrative role (group administrator) for a
group; used instead of
All the members of the group share the group's role; a group cannot be the
Owner (administrator).
--group.
--signer (s)
The default is not set. This option is not secure.
Specifies the key ID of the signing key being used to sign the meta data.
If the operation requires only a single passphrase (
then the regular passphrase option (
--passphrase) can be used instead of
--encrypt, for example),
--signer-passphrase or --signer-passphrase-fd.
The default is not set. This option is not secure.
Example:
pgpnetshare --encrypt C:\Projects\HR\ProjectX -r
CCB81F3C -r C092007E
--signer EFDDCE3C --passphrase
'1Killer*Whale'
In this example, the key with key ID EFDDCE3C is being used to sign the
meta data. The option
the key, as the operation only requires one passphrase.
passphrase
place of
or --signer-passphrase-fd could have been used in
--passphrase.
--passphrase is used to specify the passphrase of
--signer-
--signer-passphrase
Specifies the passphrase of the key being used to sign the meta data.
If the operation requires only a single passphrase (
then the regular passphrase option (
--signer-passphrase.
--signer-passphrase-fd
Specifies the passphrase of the key being used to sign the meta data from a file
descriptor.
--encrypt, for example),
--passphrase) can be used instead of
37
PGP NetShare Command Line Options
If the operation requires only a single passphrase (--encrypt, for example),
then the regular passphrase option (
--passphrase) can be used instead of
--signer-passphrase-fd.
--passphrase (-p)
Specifies a passphrase to use for the current operation. The short form is -p.
A passphrase can be specified by an environment variable. A passphrase
specified on the command line always takes precedence over the environment
variable.
By default, PGP NetShare Command Line integrates with an existing
passphrase cache. This integration can be disabled using the
flag.
The default is not set. This option is secure.
Example:
pgpnetshare --encrypt C:\Projects\HR\ProjectX -r
EFDDCE3C -r ECCB81F3C -r EC092007E --signer EFDDCE3C
passphrase '1Killer*Whale'
--local-mode
--
--passphrase-fd
Sets --passphrase to the data read from a file descriptor.
The default is not set. This option is secure. Requires a positive integer.
Reads double-byte characters on Windows and UTF-8 on UNIX. The version of
the option that ends with "8" reads UTF-8 on Windows; this has no effect on
UNIX, as UTF-8 is already being read there.
Example:
In this example, a new Protected Folder is being created. The files in the
Protected Folder will be encrypted to private key of user EFDDCE3C,
requiring the passphrase of that key.
Note: Consult the help and/or documentation for the command shell being
used for more information about how that command shell handles file
descriptors.
pgp ... --passphrase-fd 7
Read passphrase from file descriptor 7.
38
PGP NetShare Command Line Options
--adk
Specifies the key ID of a key to be used as an ADK (additional decryption key).
If an organization ADK and/or a policy ADK are specified in the configuration file,
they are always used; specifying an ADK on the command line does not
override the organization and/or policy ADK.
If a specified ADK cannot be retrieved, the operation aborts.
--public-keyring
Changes the location of the public keyring file. The default order for keyring
search is: specified in configuration file, then home directory/pubring.pkr. This
option is not secure.
This option always specifies a file. Relative or absolute path information can be
included, but the target must still be a file.
You can also set the location in the PGP NetShare Command Line configuration
file.
You can specify a single file, relative path, or full path:
Relative path, relative to the current directory.
Example:
File, relative to the personal directory.
Absolute path, recommended usage.
pgpnetshare --public-keyring C:\Documents and
Settings\<current user>\Application Data\PGP
Corporation\PGP\pubring.pkr
--private-keyring
Changes the location of the private keyring file. The default order for keyring
search is: specified in configuration file, then home directory/secring.skr. This
option is not secure.
This option always specifies a file. Relative or absolute path information can be
included, but the target must still be a file.
You can also set the location in the PGP Command Line configuration file; refer
to Configuration File for more information.
This example shows the absolute path to the public keyring file.
39
PGP NetShare Command Line Options
You can specify a single file, relative path, or full path:
File, relative to the personal directory
Relative path, relative to the current directory
Absolute path, recommended usage
Examples:
pgp --private-keyring /home/dave/.pgp/secring-
1
backup.skr
Absolute path to the private keyring file.
2
pgp --private ./secring.skr
Relative path to the private keyring file.
--universal-server
Specifies a PGP Universal Server to search for keys or to resolve groups.
--universal-server takes the fully qualified domain name (FQDN) or IP
address of the PGP Universal Server as an argument.
PGP NetShare Command Line supports connections to a PGP Universal Server
via the USP or OCOS protocols.
--auth-username
Specifies a username used to authenticate to a PGP Universal Server for those
operations that require authentication.
--auth-username takes a valid username on the PGP Universal Server as an
argument.
--auth-passphrase
Specifies the passphrase to a username used to authenticate to a PGP
Universal Server for those operations that require authentication.
--auth-passphrase takes a valid passphrase (for the specified username) on
the PGP Universal Server as an argument.
40
PGP NetShare Command Line Options
--auth-passphrase-fd
Specifies the passphrase from a file descriptor to a username used to
authenticate to a PGP Universal Server for those operations that require
authentication.
--auth-passphrase-fd takes a file descriptor number that references a valid
passphrase (for the specified username) on the PGP Universal Server as an
argument.
--input (-i)
Specifies an explicit input or source to be used in an operation. The short form
-i.
is
--input is only available in standalone mode.
--output (-o)
--output-file
--input supports the special argument '-' to specify stdin (standard input).
The default is not set. If an operation requires input but does not get it, an error
is returned. This option is not secure.
Specifies an explicit output or target to be used in an operation. The short form
-o.
is
--output is only available in standalone mode.
--output supports the special argument '-' to specify stdout (standard output).
The default is not set. If a location/object cannot be determined from the
output, an error is returned. This option is not secure.
Specifies a file to which PGP NetShare Command Line messages will be
output.
The default is not set. This option is not secure.
41
PGP NetShare Command Line Options
Example:
pgpnetshare --output-file
C:\Projects\HR\ProjectX\logs.txt
Specifies that the PGP NetShare Command Line output logs should be
sent to a file called
logs.txt in directory C:\Projects\HR\ProjectX.
--home-dir
Specifies the location of the home directory, the location where PGP NetShare
Command Line looks for keyring files and the configuration file (PGPprefs.xml).
--home-dir can only be used in standalone mode; that is, without PGP
Desktop also installed on the same system.
You can specify a default home directory using the environment variable
PGP_HOME_DIR. A home directory specified on the command line takes
precedence over the environment variable.
42
5
Flags
This section describes all PGP NetShare Command Line flags:
--verbose, which displays additional information about the operation.
--remote, which searches for keys on a remote keyserver.
--force, which forces the decryption of a file.
--halt-on-error, which stops operation if an error occurs.
--local-mode, which forces the use of local mode; passphrase and
keyring caches are not enabled or used.
--preserve, which preserves certain file attributes.
--quiet, which limits the number of error messages displayed.
--verbose
In This Chapter
--verbose .................................................................................................. 43
--remote ................................................................................................... 44
--force....................................................................................................... 44
--halt-on-error ........................................................................................... 44
--local-mode ............................................................................................. 44
--preserve................................................................................................. 45
--quiet....................................................................................................... 45
Enables verbose messages, which displays additional information about an
operation. Using
of the operation.
The default message level is normal, which displays errors and the result of the
operation.
Note: --verbose is not compatible with --quiet. You can use one or the
other, but not both, for an operation.
--verbose displays processed objects, errors, and the result
The default is off.
43
PGP NetShare Command Line Flags
--remote
Searches for keys on a remote keyserver. Use --remote if the needed keys
are on a keyserver and not on the local keyring.
Using
--remote specifies that the keyserver(s) specified in the configuration
file will also be searched for the specified keys. Make sure the desired
keyserver is specified in the configuration file.
Note: PGP NetShare Command Line does not search for keys on any
keyserver unless instructed to do so using either --remote to specify a
keyserver or --universal-server to specify a PGP Universal Server.
--force
--halt-on-error
The default is off.
Forces the decryption of a file. Only available for use with the --decrypt
command.
Using
--force skips the padding verification that is normally performed to
ensure that the entire key chain is valid.
If a file is truncated or corrupted, it will not normally be decrypted. Use
--force to decrypt these files to recover their data.
The default is off.
When specified, stops the operation if any error occurs.
When
--halt-on-error is off, the default setting, PGP NetShare Command
Line will stop an operation only if a severe or unrecoverable error occurs.
--local-mode
The default is off.
Forces the use of local mode; passphrase and keyring caches are disabled.
--local-mode controls whether or not PGP NetShare Command Line
integrates with the PGP SDK managing the passphrase cache. When set, the
passphrase cache and features that require the passphrase cache are disabled.
44
PGP NetShare Command Line Flags
Local mode can also be set by an environment variable, but the command line
flag takes precedence.
--preserve
--quiet
The default is off.
Preserves certain file attributes.
Using
--preserve controls whether certain properties are preserved by an
operation. The last modified date and read-only attributes (Windows 32 only) are
preserved.
The default is off.
Enables quiet messages, which limits the amount of information that PGP
NetShare Command Line displays about an operation (errors are suppressed).
The default message level is normal, which displays errors and the result of the
operation.
Note: --quiet is not compatible with --verbose. You can use one or the
other, but not both, for an operation.
Use --quiet with --output to prevent the corruption of the output stream.
The default is off.
45
A
Quick Reference
This section lists and briefly describes all PGP NetShare Command Line
commands, options, and flags.
In This Chapter
Commands .............................................................................................. 47
Options .................................................................................................... 48
Flags ........................................................................................................ 48
Commands
--version Shows PGP NetShare Command Line version information.
--help (-h) Shows basic help information for PGP NetShare Command Line.
--encrypt Creates a Protected Folder and specifies who can access the files.
--decrypt Decrypts an existing Protected Folder and the files in it.
--reencrypt Modifies who can access files in a Protected Folder.
--reencrypt-full Modifies who can access files in a Protected Folder and reencrypts them.
--reencrypt-delta Reencrypts files and folders in delta mode.
--reencrypt-clone Reencrypts files and folders in clone mode.
--list Lists the file or folder access control list (ACL).
--list-xml Lists the file or folder ACL in XML format.
--verify Displays information about the specified protected file or directory.
--lock-all Clears any cached symmetric keys.
--unlock Provides access to the specified locked file or directory.
--set-driver Sets the PGP NetShare Command Line driver state, active or passive.
--get-driver Displays the current state of the PGP NetShare Command Line driver, active or
passive.
47
PGP NetShare Command Line Quick Reference
Options
--recipient Specifies a recipient for an operation.
--recipient-owner Specifies an administrator recipient for an operation.
--recipient-operator Specifies a group administrator recipient for an operation.
--recipient-remove Specifies a recipient to be removed.
--recipient-xml Specifies a list of recipients in XML format.
--group (-g) Specifies an Active Directory group.
--group-operator Specifies an Active Directory by a group administrator.
--signer Specifies the PGP key ID to which protected files are encrypted.
--signer-passphrase Specifies the passphrase of a signer.
--signer-passphrase-fd Specifies the passphrase of a signer from a file descriptor.
--passphrase (-p) Specifies a passphrase for an operation.
--passphrase-fd Reads a passphrase from a file descriptor.
--adk Specifies an additional decryption key for an operation.
--public-keyring Specifies the location of the public keyring file.
--private-keyring Specifies the location of the private keyring file.
--universal-server Specifies a PGP Universal Server.
--auth-username Specifies a username on a PGP Universal Server.
--auth-passphrase Specifies the passphrase of a user on a PGP Universal Server.
--auth-passphrase-fd Specifies the passphrase of a user on a PGP Universal Server from a file
descriptor.
--input Specifies an explicit input or source to use for an operation.
--output Specifies an explicit output or target to use for an operation.
--output-file Specifies a file for log output.
--home-dir Specifies the location of the home directory; can only be used in standalone
mode.
-
Flags
--verbose Displays additional information about the operation.
--remote Searches for keys on a remote keyserver.
48
PGP NetShare Command Line Quick Reference
--force Forces the decryption of a file.
--halt-on-error Stops operation if an error occurs.
--local-mode Forces the use of local mode; passphrase and keyring caches are not enabled or
used.
--preserve Preserves certain file attributes
--quiet Limits the number of errors messages displayed.
49
Loading...