This article provides a quick guide for PGP Command Line.
Important TIP: For information on how to encrypt with PGP Command Line using Symantec Encryption Management Server (AKA KMS) as well as a spreadsheet with all the useful PGP Command Line commands, see the following article:
159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)
This is very useful if you do not want to host your keyrings locally, or have several installations of PGP Command Line and want to have access to keys in a more secure fashion.
See article: 180234 for more information.
Use the --gen-key command to create a new key pair.
The --gen-key command automatically creates your key pair, together with a public and a private keyring, in the home directory.
pgp --gen-key <user> --key-type <type> --encryption-bits <bits> --passphrase <pass> [--signing-bits <bits>] [options]
Example:
pgp --gen-key "Alice Example <[email protected]>" --key-type rsa --encryption-bits 2048 --signing-bits 2048 --passphrase cam3r0n --expiration-date 2007-06-01
<user> is a user ID that people can use to locate your public key. A common user ID is your name and email address in the format: "Alice Example <[email protected]>". If your user ID contains spaces, you must enclose it in quotation marks.
<type> means you are creating either an RSA or a DH key.
<bits> is the number of bits of the key (usually 1024 - 4096).
<passphrase> is a passphrase of your choice. If your passphrase includes spaces, enclose it in quotation marks.
NOTE: You can locate your keyrings using the --version -v command.
The command --export exports only public keys, while the command --export-key-pair exports private keys.
pgp --export/--export-key-pair <input> [options]
where:
<input> is the user ID, portion of the user ID, or the key ID of the key you want to export.
[options] change the behavior of the command. Options are:
--output lets you specify a different name for the exported file.
If you don’t enter any input, all keys on the keyring are exported.
By default, keys are exported as ASCII armor (.asc) files into the directory currently active on the command line.
Examples:
pgp --export test1
All keys with the string “test1” anywhere in them would be exported into separate .asc files.
pgp --export "Alice C <[email protected]>"
Only keys that exactly match this user ID would be exported. The filename would be Alice C.asc.
pgp --import <input> [<input2> ...] [options]
Examples:
pgp --import "Bob Example.asc"
This is a simple import command importing a key from a keyfile. If more granularity is needed for importing specific key types, see the PGP Command Line Guide.
A simple example is provided here to outline an encryption and sign request:
pgp --encrypt "report.txt" --recipient Bob --sig "report.txt" --signer "0x01234567" --passphrase "SignerPassphrase"
There are many more options that can be used when encrypting files and more details can be found in the PGP Command Line Guide in the --encrypt section.
There are three main options to perform signing in PGP Command Line: --sign, --clearsign, and --detached. These options are very different from one another and each has its own use cases.
--sign is used to sign all file types, including binary files. When using the --sign option, remember to include the .pgp file extension so the file can be decrypted, because the original data is encapsulated in the signed file.
Example:
pgp --sign report.txt --signer "the signing key" --passphrase "your passphrase here"
The --decrypt option is used to verify the signed file, and for verification it can be run without entering a passphrase.
--clearsign is only used for regular text documents, such as Notepad or other ASCII-format files. The --clearsign option cannot be used with non-text file formats; for example, clearsigning an Excel spreadsheet would result in a corrupted file that can no longer be used.
Example:
pgp --clearsign report.txt --signer "the signing key" --passphrase "your passphrase here"
--detached writes only a .sig file, so both the original file and the .sig file are needed to verify the signature. This signing option can be used with all file types.
Example:
pgp --detached report.txt --signer "the signing key" --passphrase "your passphrase here"
pgp --decrypt <input> [<input2> ...] [options]
Example:
pgp --decrypt --input "D:\Folder\h837.20120613.13996.pgp" --passphrase "PrivateKeyPassphrase"
In addition to decrypting, the --decrypt option also attempts to verify a signature. If the file has been signed, --decrypt checks whether the file was modified in transit.
Files with bad signatures should be inspected to pinpoint where the verification is failing. Ideally, you should try to correct the cause of the bad signature.
If data non-repudiation is not needed, you can ignore the bad signature; PGP Command Line will commonly decrypt the file anyway and report the bad signature error:
Example of Good Signature:
encryptedfile.txt.pgp:decrypt (3177:message signed by key ID 0x12345678)
encryptedfile.txt.pgp:decrypt (3038:signing key 0x12345678 ProductionPGPKey <[email protected]>)
encryptedfile.txt.pgp:decrypt (3040:signature created 2023-01-16T04:09:01+05:00)
encryptedfile.txt.pgp:decrypt (3170:signature hash SHA256)
encryptedfile.txt.pgp:decrypt (3035:good signature)
encryptedfile.txt.pgp:decrypt (3178:message signed by subkey ID 0x12345678)
Example of Bad Signature:
encryptedfile2.txt.pgp:decrypt (3038:signing key 0x123456789 ProductionPGPKey <[email protected]>)
encryptedfile2.txt.pgp:decrypt (3040:signature created 2023-01-16T04:09:01+05:00)
encryptedfile2.txt.pgp:decrypt (3170:signature hash SHA256)
encryptedfile2.txt.pgp:decrypt (3036:bad signature)
encryptedfile2.txt.pgp:decrypt (0:output file encryptedfile2.txt)
If you would like the ability to skip verification, please reach out to Symantec Encryption Support and mention ID ISFR-2681.
For more information, refer to the PGP Command Line Guide.
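The status lines above are what a batch job should act on. As an added example, not part of this article or of PGP Command Line, the script below classifies --decrypt output by its numeric codes (3035 good signature, 3036 bad signature, 3038 signing key) and accepts the decrypted file only when the signature is good and made by the expected key; the sample output is constructed from the transcripts above, and decrypt_verified, PGP_BIN and PGP_PASSPHRASE are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the article): classify PGP Command Line --decrypt output by the
# numeric status codes shown above (3035 good signature, 3036 bad signature, 3038 signing
# key), so a batch job fails closed on a bad or unexpected signature.

# Constructed sample output, modelled on the article's good/bad signature transcripts.
SAMPLE_GOOD='encryptedfile.txt.pgp:decrypt (3177:message signed by key ID 0x12345678)
encryptedfile.txt.pgp:decrypt (3038:signing key 0x12345678 ProductionPGPKey <ops@example.com>)
encryptedfile.txt.pgp:decrypt (3035:good signature)
encryptedfile.txt.pgp:decrypt (0:output file encryptedfile.txt)'
SAMPLE_BAD='encryptedfile2.txt.pgp:decrypt (3038:signing key 0x12345678 ProductionPGPKey <ops@example.com>)
encryptedfile2.txt.pgp:decrypt (3036:bad signature)
encryptedfile2.txt.pgp:decrypt (0:output file encryptedfile2.txt)'

# Reads decrypt output on stdin; prints good / bad / unsigned and returns 0 / 1 / 2.
# A bad-signature line wins even if a good-signature line is also present.
classify_decrypt_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '(3036:bad signature)'; then
    echo bad; return 1
  elif printf '%s\n' "$out" | grep -q '(3035:good signature)'; then
    echo good; return 0
  fi
  echo unsigned; return 2
}

# Prints the key ID from the first 3038 "signing key" line (nothing if the file is unsigned).
signing_key_id() {
  sed -n 's/.*(3038:signing key \(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Hypothetical wrapper: accept the decrypted file only when the signature is good AND was
# made by the expected key ID. PGP_BIN can be pointed at a test double; the passphrase is
# taken from PGP_PASSPHRASE (note that --passphrase is visible in process listings).
PGP_BIN=${PGP_BIN:-pgp}
decrypt_verified() {
  file=$1; expected=$2
  out=$("$PGP_BIN" --decrypt "$file" --passphrase "$PGP_PASSPHRASE" 2>&1)
  status=$(printf '%s\n' "$out" | classify_decrypt_output) || true
  signer=$(printf '%s\n' "$out" | signing_key_id)
  if [ "$status" != good ] || [ "$signer" != "$expected" ]; then
    echo "$file: rejected (status=$status, signer=${signer:-none})" >&2
    return 1
  fi
  echo "$file: verified, signed by $signer"
}
```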
Important Note: If you have a Default Key set for the current configuration, and then you generate a new PGP key, this will set the newly-generated key as the default. To set the previous key back, refer to the PGPprefs.xml file, and inside it, look for the following string and update to the proper Key ID:
<key>CLdefaultKey</key>
<string>Put your Key ID in here</string>
If you would like to check which key a file was encrypted to, as well as a few more technical details, you can use the --dump-packets option:
pgp --dump-packets file.pgp
Old: Marker Packet(tag 10)(3 bytes)
String - PGP
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0xB8DF93B91EB01429
Pub alg - RSA Encrypt or Sign(pub 1)
RSA m^e mod n(4096 bits) - [512-byte hex dump of the encrypted session key omitted]
-> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
New: Symmetrically Encrypted and MDC Packet(tag 18)(75 bytes)
Ver 1
Encrypted data [sym alg is encrypted in the pub session key above]
(plain text + MDC SHA1(20 bytes))
file.pgp:dump packets (0:packets decoded successfully)
As you can see in the output above, the full (16 hex digit) key ID is displayed. This is the ID of the encryption subkey, whereas --list-keys shows the top-level key ID.
Run --list-key-details on that key ID to see what the actual subkey is; this lets you validate which key was used for encryption.
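The "Key ID" line that follows each Public-Key Encrypted Session Key packet is the one to read, and a file encrypted to several recipients has one such packet per recipient. As an added example, not part of this article or of PGP Command Line, the script below pulls those recipient key IDs out of --dump-packets output and checks a file against an expected subkey ID; the sample dump is constructed (the first key ID is the one from the dump above, the second is a made-up placeholder), and encrypted_only_to and PGP_BIN are hypothetical names.

```shell
# Added example (not from the article): list the key IDs a .pgp file was encrypted to by
# reading pgp --dump-packets output. Every "Public-Key Encrypted Session Key Packet" is
# followed by a "Key ID - 0x..." line, one per recipient.

# Constructed sample with two recipients: the first key ID is the one from the dump above,
# the second is a made-up placeholder, not a real key.
SAMPLE_DUMP='Old: Marker Packet(tag 10)(3 bytes)
String - PGP
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0xB8DF93B91EB01429
Pub alg - RSA Encrypt or Sign(pub 1)
New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
New version(3)
Key ID - 0x0000000000000001
Pub alg - RSA Encrypt or Sign(pub 1)
New: Symmetrically Encrypted and MDC Packet(tag 18)(75 bytes)
file.pgp:dump packets (0:packets decoded successfully)'

# Reads dump output on stdin and prints one recipient key ID per line. Only "Key ID" lines
# that sit inside a PKESK packet count, so key IDs inside signature packets are ignored.
recipient_key_ids() {
  awk '
    /Public-Key Encrypted Session Key Packet/ { in_pkesk = 1; next }
    /^(Old|New): /                            { in_pkesk = 0 }
    in_pkesk && /^Key ID - 0x/                { print $4 }
  '
}

# Hypothetical check: succeed only if every recipient is the expected key ID. Compare
# against the encryption subkey shown by "pgp --list-key-details", as the article notes,
# not the top-level key ID from --list-keys. PGP_BIN can be pointed at a test double.
PGP_BIN=${PGP_BIN:-pgp}
encrypted_only_to() {
  file=$1; expected=$2
  ids=$("$PGP_BIN" --dump-packets "$file" | recipient_key_ids)
  [ -n "$ids" ] || { echo "$file: no public-key recipients found" >&2; return 2; }
  for id in $ids; do
    [ "$id" = "$expected" ] || { echo "$file: also encrypted to $id" >&2; return 1; }
  done
}
```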
PGP Command Line 10 processes files differently than PGP Command Line version 9. This is a long-standing behavior change, so it has worked this way for a while, but the current working directory affects where encryption and decryption output is written.
For PGP Command Line 9, the encrypted file would always be output to the same directory as the source file. With PGP Command Line 10, the behavior changed so that output files are created in the working directory. Consider the following scenarios for encryption and decryption:
Encrypting files for PGP Command Line 10:
If the source file TESTING1.txt is in the directory "d:\working-directory1" and your current working directory is c:\temp, then when you issue a command to encrypt "TESTING1.txt", the output "TESTING1.pgp" is written to "d:\working-directory1".
Decrypting files for PGP Command Line 10:
If the encrypted source file is called "TESTING1.pgp" and is in the directory "Z:\working-directory2", and your current working directory is c:\temp, then when you issue the decrypt command, the decrypted file is output to "c:\temp".
In previous versions, such as PGP Command Line 9.x, the encrypted/decrypted output would always stay with the source file. A feature request has been logged to make this output directory configurable. To be added to this request, please log a new case with Symantec Encryption Support and reference the following ticket numbers:
ISFR-2277/EPG-27230
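Until that request is implemented, the decryption case can be handled by running --decrypt from the source file's own directory. As an added example, not part of this article or of PGP Command Line, the wrapper below does that in a subshell so the caller's working directory is left alone; decrypt_beside_source, PGP_BIN and PGP_PASSPHRASE are hypothetical names.

```shell
# Added example (not from the article): keep decrypted output beside its source file, as
# PGP Command Line 9.x did, by changing into the source file's directory in a subshell
# before running --decrypt under version 10 (which otherwise writes to the current working
# directory). Hypothetical wrapper; PGP_BIN can be pointed at a test double, and the
# passphrase comes from PGP_PASSPHRASE.
PGP_BIN=${PGP_BIN:-pgp}

decrypt_beside_source() {
  src=$1
  [ -f "$src" ] || { echo "not a file: $src" >&2; return 2; }
  dir=$(dirname "$src"); base=$(basename "$src")
  # The subshell means the caller's own working directory is left unchanged.
  ( cd "$dir" && "$PGP_BIN" --decrypt "$base" --passphrase "$PGP_PASSPHRASE" )
}
```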
It is common for PGP Command Line to be used to process thousands of files. PGP Command Line is a powerful application that can handle encryption jobs when proper CPU and resources are provided.
PGP Command Line is also able to handle encryption/decryption routines and make use of multi-threaded operations.
As a result, if there are any PGP Encryption/Decryption jobs that are not completing, this typically points to other jobs that may be interfering with the encryption jobs. It is helpful to simplify these jobs by doing only encryption to see where potential issues may reside. If it is not clear how to do this, reach out to Symantec Encryption Support for further guidance for ideas on how this could be done.
180234 - HOW TO: License PGP Command Line
153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line
180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys
263777 - Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line
ISFR-2047 - IBM Power System with RHEL has been recently reviewed for consideration of platform certification for PGP Command Line as it is currently not supported. If you would like to be added to this request to support this platform, please reach out to Symantec Encryption Support and reference this ID.