search cancel

Using PGP Command Line


Article ID: 158454


Updated On:


PGP Command Line


This article provides a quick guide for PGP Command Line.

Important TIP: For information on how to encrypt with PGP Command Line using Symantec Encryption Management Server (AKA KMS) as well as a spreadsheet with all the useful PGP Command Line commands, see the following article: 

159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)

This is very useful if you do not want to host your keyrings locally, or have several installations of PGP Command Line and want to have access to keys in a more secure fashion.


1. How to License PGP Command Line:

See article: HOWTO42089 for more information.



2. How to Generate Keys on the PGP Command Line:

Use the --gen-key command to create a new key pair.

The --gen-key command automatically creates your key pair and a public and a private keyring in the home directory,

 pgp --gen-key <user> --key-type <type> --encryption-bits <bits> --passphrase <pass> [--signing-bits <bits>] [options]


pgp --gen-key "Alice Cameron <[email protected]>" --key-type rsa --encryption-bits 2048 --signing-bits 2048 --passphrase cam3r0n --expiration-date 2007-06-01

<user> is a user ID that people can use to locate your public key. A common user ID is your name and email address in the format: "Alice Cameron <[email protected]>". If your user ID contains spaces, you must enclose it in quotation marks.

<type> means you are creating either an RSA or a DH key.<bits> is the number of bits of the key (usually 1024 - 4096).

<passphrase> is a passphrase of your choice. If your passphrase includes spaces, enclose it in quotation marks.

NOTE: You can locate your keyrings using the --version -v command.



3. Exporting Your Public Key to a Text File

The command --export exports only public keys, while the command --export-key-pair exports private keys.

pgp --export/--export-key-pair <input> [options]
– <input> is the user ID, portion of the user ID, or the key ID of the key you want to export.

[options] change the behavior of the command. Options are:
--output lets you specify a different name for the exported file.

If you don’t enter any input, all keys on the keyring are exported.

By default, keys are exported as ASCII armor (.asc) files into the directory currently active on the command line.

pgp --export example

All keys with the string “example” anywhere in them would be exported into separate .asc files.

pgp --export “Alice C <[email protected]>”
Only keys that exactly match this user ID would be exported. The filename would be Alice C.asc.


4. Importing a Public Key:

pgp --import <input> [<input2> ...] [options]



5. Encrypt & Sign a file:

pgp --encrypt report.txtExample -recepient public key --sig report.txtExample --signer "ur keyid" --passphrase <abc>



6. Signing only:

There are three main options to perform signing in PGP commandline --sign, --clearsign, and --detached. These options are very different from one another and they each have their own use cases.

--sign is used to sign all file types including binary-based files. When using the --sign option remember to include the .pgp file extension so the file can be decrypted as all signed files are encasulated in the signed file.

pgp --sign report.txtExample --signer "the signing key" --passphrase "your passphrase here"

Using the decrypt option would be used to verify the signed file. the --decrypt option can be used without putting in a passphrase.

--clearsign is only used for regular text documents such as notepad or ASCII format. The --clearsign option cannot be used with non-text file format. For example signing an Excel spreadsheet would result in a courrupted file that can no longer be used. 

pgp --clearsign report.txtExample --signer "the signing key" --passphrase "your passphrase here"

--detached will output a single .sig so both the original file and the .sig file will be needed to verify the signature. This signing option can be used with all file types.

pgp --detached report.txtExample --signer "the signing key" --passphrase "your passphrase here"



7. Decrypt a file:

pgp --decrypt <input> [<input2> ...] [<inputd>...] [options]

pgp --decrypt --input "D:\Folder\h837.20120613.13996.pgp" --passphrase "Passphrase Removed"

For more info please refer: PGP Command Line Guide


Important Note: If you have a Default Key set for the current configuration, and then you generate a new PGP key, this will set the newly-generated key as the default.  To set the previous key back, refer to the PGPprefs.xml file, and inside it, look for the following string and update to the proper Key ID:


<string>Put your Key ID in here</string>


8. Current Working Directory Behavior

PGP Command Line 10 processes files differently than PGP Command Line version 9.  This is a legacy behavior change, so it has been this way for a while, but the current working directory source files changes how encryption and decryption works.

For PGP Command Line 9, the encrypted file would always output to the same directory where the source file is located.   With PGP Command Line 10, the behavior changed so output files will always be created for the working directory.  Consider the following scenarios for Encryption and Decryption:

Encrypting files for PGP Command Line 10:

If the source file, TESTING1.txt and the  location is in the directory "d:\working-directory1", and you are currently in c:\temp (Current working directory), then when you issue a command to encrypt the "TESTING1.txt", the output will be "TESTING1.pgp" and will output to "d:\working-directory1".  


Decrypting files for PGP Command Line 10:
If the source file is encrypted and is called "TESTING1.pgp" and is in the directory Z:\working-directory2", and you are currently working in c:\temp, then when you issue the command to decrypt, it should output the decrypted file to "c:\temp".


In previous versions, such as PGP Command Line 9.x, the output of the encrypted/decrypted file would always stay with the source file.  A feature request has been logged to be able to change this working directory.  To be added to this request, please log a new case with Symantec Encryption Support and reference the following ticket numbers:


Additional Information

180234 - HOW TO: License PGP Command Line 10.x

153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line

180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys


ISFR-2047 - IBM Power System with RHEL has been recently reviewed for consideration of platform certification for PGP Command Line as it is currently not supported.  If you would like to be added to this request to support this platform, please reach out to Symantec Encryption Support and reference this ID.