Using PGP Command Line to create and manage PGP keys

Article ID: 180118

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Learn how to create and manage PGP Keys using PGP Command Line, including generating key pairs, importing and exporting keys, and sending keys to key servers.

Resolution

Generating Keyring Files

PGP uses Keys and Keyrings. Each PGP user creates an individual Key, which is that user's unique identity and is used for encryption and decryption.
These keys are then stored in Keyrings, which are files that contain the individual keys.

PGP Command Line uses the Keyrings and Keys paradigm, so the first step to get started with PGP Command Line is to create a Keyring.

pgp --create-keyrings

This will create a pubring.pkr (public keyring) and secring.skr (private keyring) file in the default keyring location.

For Windows this is in the Documents>PGP folder. This article will use [ ] to identify information that you will need to enter that is specific to your individual keys.

Pubring.pkr indicates a keyring that contains only public keys.

Secring.skr indicates a keyring that contains private keys.  TIP: For best security, do not share this keyring file with anyone.

Generate A Key Pair

To create a key pair using PGP Command Line follow these steps:

  1. Open a command shell or DOS prompt.
  2. On the command line, enter:

    pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase]

    NOTE: Any information that contains spaces must be contained inside quotation marks. See the example below step 3.

  3. Press "Enter" when the command is complete.

    Example: The following example will show you how to create a 2048 Bit RSA key for Joe User, an employee of ACME Corp, with the passphrase "my passphrase".

    1. Open a command prompt and enter the following:

      pgp --gen-key "Joe User" --key-type RSA --bits 2048 --passphrase "my passphrase"

    2. Press "Enter"
  4. PGP Command Line will now generate your keypair. You should see your Key ID (e.g. 0x12345678), and a message that the key was successfully generated.
  5. To display your new keypair enter the following command:

    pgp --list-keys


This will display all the keys that are found on your keyring.

Tip: The short form of the command for listing keys is "pgp -l".

Export The Public Key

After the key pair is generated and identified, it is important to export the public portion (public key) of the key pair so others can import your public key and encrypt to you.

NOTE: Once you have exported your public key to a file, it is easy to distribute. You can attach it to an email, paste the public key block text into the body of an email message (open with Notepad), or copy to a CD, for example.

To export your public key, you need information that identifies the key, which is referred to in this document as (input). You can use the key ID (e.g. 0x12345678), the user ID (e.g. "Joe User"), or a portion of the user ID (e.g. Joe).

Display the keys

To display the keys on your keyrings, open a command prompt and type the following:

pgp --list-keys

Press Enter and the keys will be displayed. Make note of the key's username or number ID that you wish to export.

Export the key

To export the key, do the following:

  1. Open a command prompt.
  2. From the command prompt, enter:

    pgp --export (input)

    NOTE: Remember that any information that contains spaces must be contained inside quotes.

  3. Press "Enter" when the command is complete.

PGP Command Line responds by exporting keys as ASCII armor (.asc) files into the directory currently active on the command line.

Example 1: The following example will show you how to export your public key using your key ID.

  1. From the command prompt, enter:

    pgp --export 0x12345678

  2. Press "Enter".

Example 2: The following example will show you how to export your key using your user ID.

From the command prompt, enter:

pgp --export "Joe User"

 

Export The Private Key or Keypair

After the key pair is generated and identified, it is also highly recommended to export your keypair so you have a full backup of it and then store it in a safe location.

To export the keypair, use the following command if the Key ID for your key is "0x12345678":

pgp --export-key-pair 0x12345678 --output c:\my-own-keypair.asc

This exports the keypair to the c:\ drive as a file named "my-own-keypair.asc", but you can use any path or filename that works for you.

Import a PGP Key

You may import a public key from an ASCII Armor file (.asc) or from a text file; the process is the same for both. The file containing the key(s) to be imported must be in the current directory. As with exporting a key, this will be referred to as (input) in the examples. Both public and private keys will be imported if they exist in the file. If a key being imported already exists in the local keyring, the keys are merged.

Import Key From File:

  1. Open a command prompt.
  2. From the command prompt, enter:

    pgp --import (input)

  3. Press "Enter" when the command is complete.

PGP Command Line responds as follows:

    Joe User.asc:import key {0:key imported as 0x12345678 Joe User}

Example 1: The following example will show you how to import a key from an ASCII Armor file (.asc).

  1. From the command prompt, enter:

    pgp --import "Joe User.asc"

  2. Press "Enter".

Example 2: The following example will show you how to import a key from a text file containing the PGP key block.

From the command prompt, enter:

pgp --import "PGP Joe.txt"

 

Press "Enter".

Deleting Keys from your Keyring

The commands above create keys and import them to your keyring.  Other commands are more destructive, such as those that remove keys from your keyring.

For example, if you have a key in your keyring that is no longer a valid key, you can remove it so that you do not ever encrypt to that key again.

Be careful when deleting keys from your keyring, but the ability is useful when some keys are no longer valid.

If the Key ID for a key you wish to remove is "0x1234ABCD", then to remove the key from your keyring, you use the following command:

pgp --remove 0x1234ABCD

This will remove the public key from your keyring.

If you have a keypair that you no longer would like to use, you can issue the following command:

pgp --remove-key-pair 0x1234ABCD --force

CAUTION: It is a good idea to export your keypair first!  Once you delete your keypair, you will no longer have it.  Export the keypair first, and then you can delete it.
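
The export-before-delete order from the CAUTION above can be enforced in a script. This is an added example, not part of the original article or the product documentation. It is written in POSIX sh for a Unix/Linux installation of PGP Command Line, the function names are hypothetical, and it assumes the exported file carries the standard OpenPGP ASCII-armor header for private keys:

```shell
# Added example (POSIX sh): export a key pair, verify the backup file, and
# only then remove the key pair. Uses only the pgp options shown above.

# verify_keypair_backup FILE (hypothetical helper)
# Succeeds only if FILE is non-empty and contains an ASCII-armored private
# key block. Assumption: the export uses the standard OpenPGP armor header.
verify_keypair_backup() {
    [ -s "$1" ] || return 1
    grep -qF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"
}

# backup_then_remove_keypair KEY_ID BACKUP_FILE (hypothetical helper)
# Return codes: 0 key pair removed after a verified backup
#               2 bad arguments, or BACKUP_FILE already exists
#               3 export failed
#               4 backup did not verify (the key pair is NOT removed)
#               5 removal failed
backup_then_remove_keypair() {
    key_id=$1
    backup_file=$2
    [ -n "$key_id" ] && [ -n "$backup_file" ] || return 2
    # Refuse to overwrite an existing backup, which may hold a different key.
    if [ -e "$backup_file" ]; then return 2; fi

    # Tighten the umask so the file holding the private key is owner-only.
    old_umask=$(umask)
    umask 077
    export_status=0
    pgp --export-key-pair "$key_id" --output "$backup_file" || export_status=$?
    umask "$old_umask"
    [ "$export_status" -eq 0 ] || return 3

    # A public-key-only or empty export must never lead to deletion.
    verify_keypair_backup "$backup_file" || return 4

    pgp --remove-key-pair "$key_id" --force || return 5
    return 0
}

# Usage (key ID is the article's example value):
#   backup_then_remove_keypair 0x1234ABCD "$HOME/keypair-backup.asc"
```

Move the verified backup file to offline or otherwise protected storage afterwards, since it contains the private key.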

These are all the basic commands for using PGP Command Line to get started, but there are so many more commands available to use that offer a plethora of functionality to meet all your encryption/decryption needs.  For more information on these additional commands and operations, see the following article:

158454 - Using PGP Command Line  

PGP Command Line also has some very powerful functionality when combined with the Symantec Encryption Management Server, or PGP Server.  When used in this way, you can store all your keys on the centralized PGP server, and then none of your keys need to be held locally.  This is useful for scenarios where you may have multiple servers with PGP Command Line installed, and you want to have access to all the same keys.  The PGP server can be the central repository to securely store your keys, which means better security for where the PGP Command Line application is stored!

For more information on this functionality, see the following article:

159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)

Check Keyring Location or Backup Keyrings

The PGP Command Line uses keyring files to store each individual key.  There are two keyring files: pubring.pkr and secring.skr.

The pubring.pkr file contains only public keys.  The secring.skr keyring file will contain private keys, or keypairs.  

Both of these keyring files together will house all your keys.  In order to see the location of your keyring run the following command:

pgp --version -v

This will display the location of your keyring files.  This is handy to know as you can simply copy these files for backup.

Example:

Public Keyring: c:\Users\user1\Documents\PGP\pubring.pkr
Private Keyring: c:\Users\user1\Documents\PGP\secring.skr

To make a backup of these files, simply copy them to another location.

PGP Command Line and FIPS Mode

To use PGP Command Line in FIPS mode, see the following article:

267847 - Enable FIPS mode with PGP Command Line Permanently

 

Additional Information

180234 - HOW TO: License PGP Command Line 10.x

153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line

158454 - Using PGP Command Line

263777 - Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line

269535 - Creating new Keyrings for each specific Encryption Job with PGP Command Line