This article provides a quick guide for PGP Command Line.
Important TIP: For information on how to encrypt with PGP Command Line using Symantec Encryption Management Server (AKA KMS) as well as a spreadsheet with all the useful PGP Command Line commands, see the following article:
159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)
This is very useful if you do not want to host your keyrings locally, or have several installations of PGP Command Line and want to have access to keys in a more secure fashion.
1. How to License PGP Command Line:
See article: HOWTO42089 for more information.
2. How to Generate Keys on the PGP Command Line:
Use the --gen-key command to create a new key pair.
The --gen-key command automatically creates your key pair and a public and a private keyring in the home directory,
pgp --gen-key <user> --key-type <type> --encryption-bits <bits> --passphrase <pass> [--signing-bits <bits>] [options]
pgp --gen-key "Alice Cameron <[email protected]>" --key-type rsa --encryption-bits 2048 --signing-bits 2048 --passphrase cam3r0n --expiration-date 2007-06-01
<user> is a user ID that people can use to locate your public key. A common user ID is your name and email address in the format: "Alice Cameron <[email protected]>". If your user ID contains spaces, you must enclose it in quotation marks.
<type> means you are creating either an RSA or a DH key.<bits> is the number of bits of the key (usually 1024 - 4096).
<passphrase> is a passphrase of your choice. If your passphrase includes spaces, enclose it in quotation marks.
NOTE: You can locate your keyrings using the --version -v command.
3. Exporting Your Public Key to a Text File
The command --export exports only public keys, while the command --export-key-pair exports private keys.
pgp --export/--export-key-pair <input> [options]
– <input> is the user ID, portion of the user ID, or the key ID of the key you want to export.
[options] change the behavior of the command. Options are:
--output lets you specify a different name for the exported file.
If you don’t enter any input, all keys on the keyring are exported.
By default, keys are exported as ASCII armor (.asc) files into the directory currently active on the command line.
pgp --export example
All keys with the string “example” anywhere in them would be exported into separate .asc files.
pgp --export “Alice C <[email protected]>”
Only keys that exactly match this user ID would be exported. The filename would be Alice C.asc.
4. Importing a Public Key:
pgp --import <input> [<input2> ...] [options]
5. Encrypt & Sign a file:
pgp --encrypt report.txtExample -recepient public key --sig report.txtExample --signer "ur keyid" --passphrase <abc>
6. Signing only:
There are three main options to perform signing in PGP commandline --sign, --clearsign, and --detached. These options are very different from one another and they each have their own use cases.
--sign is used to sign all file types including binary-based files. When using the --sign option remember to include the .pgp file extension so the file can be decrypted as all signed files are encasulated in the signed file.
pgp --sign report.txtExample --signer "the signing key" --passphrase "your passphrase here"
Using the decrypt option would be used to verify the signed file. the --decrypt option can be used without putting in a passphrase.
--clearsign is only used for regular text documents such as notepad or ASCII format. The --clearsign option cannot be used with non-text file format. For example signing an Excel spreadsheet would result in a courrupted file that can no longer be used.
pgp --clearsign report.txtExample --signer "the signing key" --passphrase "your passphrase here"
--detached will output a single .sig so both the original file and the .sig file will be needed to verify the signature. This signing option can be used with all file types.
pgp --detached report.txtExample --signer "the signing key" --passphrase "your passphrase here"
7. Decrypt a file:
pgp --decrypt <input> [<input2> ...] [<inputd>...] [options]
pgp --decrypt --input "D:\Folder\h837.20120613.13996.pgp" --passphrase "Passphrase Removed"
For more info please refer: PGP Command Line Guide
Important Note: If you have a Default Key set for the current configuration, and then you generate a new PGP key, this will set the newly-generated key as the default. To set the previous key back, refer to the PGPprefs.xml file, and inside it, look for the following string and update to the proper Key ID:
<string>Put your Key ID in here</string>
ISFR-2047 - IBM Power System with RHEL has been recently reviewed for consideration of platform certification for PGP Command Line as it is currently not supported. If you would like to be added to this request to support this platform, please reach out to Symantec Encryption Support and reference this ID.