Learn how to create and manage PGP Keys using PGP Command Line, including generating key pairs, importing and exporting keys, and sending keys to key servers.
PGP uses Keys and Keyrings. Individual Keys, which are the unique identities to each PGP user are created and can be used for encryption and decryption.
These keys are then stored in Keyrings. Keyrings are basically files that contain the individual keys.
PGP Command Line uses the Keyrings and Keys paradigm, so the first step to get started with PGP Command Line is to create a Keyring.
pgp --create-keyrings
This will create a pubring.pkr (public keyring) and secring.skr (private keyring) file in the default keyring location.
For Windows this is in the Documents>PGP folder. This article will use [ ] to identify information that you will need to enter that is specific to your individual keys.
Pubring.pkr indicates a keyring that contains only public keys.
Secring.skr indicates a keyring that contains private keys. TIP: Make sure you do not share this keyring file with anyone for best security.
To create a key pair using PGP Command Line, use the following syntax (an example follows):
pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase]
pgp --gen-key "Joe User" --key-type RSA --bits 2048 --passphrase "my passphrase"
pgp --list-keys
This will display all the keys that are found on your keyring.
Tip: Short version of listing a key is "pgp -l"
After the key pair is generated and identified, it is important to export the public portion (public key) of the key pair so others can import your public key and encrypt to you.
NOTE: Once you have exported your public key to a file, it is easy to distribute. You can attach it to an email, paste the public key block text into the body of an email message (open with Notepad), or copy to a CD, for example.
To export your public key you will need information that identifies the key, which will be referred to in this document as (input). You can use the key ID (for example, 0x12345678), the user ID (for example, "Joe User"), or a portion of the user ID (for example, Joe).
To display the keys on your keyrings, open a command prompt and type the following:
pgp --list-keys
Press Enter and the keys will be displayed. Make note of the key's username or number ID that you wish to export.
To export the key, do the following:
pgp --export (input)
PGP Command Line responds by exporting keys as ASCII armor (.asc) files into the directory currently active on the command line.
Example 1 The following example will show you how to export your public key using your key ID.
pgp --export 0x12345678
Example 2 The following example will show you how to export your key using your user ID.
From the command prompt, enter:
pgp --export "Joe User"
After the key pair is generated and identified, it is also highly recommended to export your keypair so you have a full backup of it and then store it in a safe location.
To export the keypair, use the following command if the Key ID for your key is "0x12345678":
pgp --export-key-pair 0x12345678 --output c:\my-own-keypair.asc
This will export the keypair to the c:\ drive, and will be called "my-own-keypair.asc", but you can use any path or filename that will work for you.
You may import a public key from an ASCII Armor file (.asc) or from a text file; the process is the same for both. The file containing the key(s) to be imported must be in the current directory. As with exporting a key, this will be referred to as (input) in the examples. Both public and private keys will be imported if they exist in the file. If a key being imported already exists in the local keyring, the keys are merged.
Import Key From File:
pgp --import (input)
PGP Command Line responds as follows: Joe User.asc:import key {0:key imported as 0x12345678 Joe User}
Example 1 The following example will show you how to import a key from an ASCII Armor file (.asc).
pgp --import "Joe User.asc"
Example 2 The following example will show you how to import a key from a text file containing the PGP key block.
From the command prompt, enter:
pgp --import "PGP Joe.txt"
Press "Enter".
All of the above commands show how to create keys and import keys into your keyring. Other commands are more destructive, such as the ability to remove keys from your keyring.
For example, if you have a key in your keyring that is no longer a valid key, you can remove it so that you do not ever encrypt to that key again.
You want to be careful about deleting keys from your keyring, but it is useful to be able to do in case some keys are no longer valid.
If the Key ID for a key you wish to remove is "0x1234ABCD", then to remove the key from your keyring, you use the following command:
pgp --remove 0x1234ABCD
This will remove the public key from your keyring.
If you have a keypair that you no longer would like to use, you can issue the following command:
pgp --remove-key-pair 0x1234ABCD --force
CAUTION: It is a good idea to export your keypair first! Once you delete your keypair, you will no longer have it. Export the keypair first, and then you can delete it.
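The backup-then-delete rule in the CAUTION above, and the import response line shown earlier, as an added Python example that is not part of this article or of PGP Command Line itself. It wraps the pgp commands from this article: it exports the keypair, refuses to run --remove-key-pair unless the exported file actually contains a private key block, and parses the "key imported as ..." response of --import. The armor header string and the injectable `run` parameter are assumptions for illustration; the `pgp` calls use only the options shown in this article.

```python
import re
import subprocess
from pathlib import Path

# Response line format shown by `pgp --import` in this article, e.g.
#   Joe User.asc:import key {0:key imported as 0x12345678 Joe User}
IMPORT_RE = re.compile(
    r"import key \{\d+:key imported as (0x[0-9A-Fa-f]{8,16}) (.+?)\}"
)
# Standard OpenPGP ASCII-armor header for a secret key. Assumed here to be what
# --export-key-pair writes, since the article says it produces an armored file.
PRIVATE_BLOCK = "-----BEGIN PGP PRIVATE KEY BLOCK-----"


def parse_import_output(text):
    """Return (key_id, user_id) pairs for every key reported as imported."""
    return IMPORT_RE.findall(text)


def pgp(args, run=subprocess.run):
    """Run the pgp CLI with the given arguments and return its stdout.

    `run` is injectable (assumed design, not a pgp feature) so the workflow can
    be exercised without a PGP installation; by default it is subprocess.run.
    """
    result = run(["pgp", *args], capture_output=True, text=True, check=True)
    return result.stdout


def backup_then_remove_key_pair(key_id, backup_path, run=subprocess.run):
    """Retire a key pair safely: export it, verify the backup, only then remove.

    Returns the backup path. Raises RuntimeError and leaves the key pair in
    secring.skr untouched if the exported file is missing or contains no
    private key block, so a failed export can never be followed by deletion.
    """
    backup = Path(backup_path)
    pgp(["--export-key-pair", key_id, "--output", str(backup)], run=run)
    if not backup.is_file() or PRIVATE_BLOCK not in backup.read_text():
        raise RuntimeError(
            f"backup {backup} has no private key block; not removing {key_id}"
        )
    pgp(["--remove-key-pair", key_id, "--force"], run=run)
    return backup
```

With PGP Command Line installed, `backup_then_remove_key_pair("0x1234ABCD", r"c:\my-own-keypair.asc")` performs the two-step retirement from the article, and `parse_import_output(pgp(["--import", "Joe User.asc"]))` gives the imported key IDs.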
These are all the basic commands for using PGP Command Line to get started, but there are so many more commands available to use that offer a plethora of functionality to meet all your encryption/decryption needs. For more information on these additional commands and operations, see the following article:
158454 - Using PGP Command Line
PGP Command Line also has some very powerful functionality when combined with the Symantec Encryption Management Server, or PGP Server. When used in this way, you can store all your keys on the centralized PGP server, and then none of your keys need to be held locally. This is useful for scenarios where you have multiple servers with PGP Command Line installed and you want all of them to have access to the same keys. The PGP server can be the central repository to securely store your keys, which means better security for the systems where the PGP Command Line application is installed!
For more information on this functionality, see the following article:
159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)
PGP Command Line uses keyring files to store each individual key. There are two keyring files: pubring.pkr and secring.skr.
The pubring.pkr file contains only public keys. The secring.skr keyring file contains private keys, or keypairs.
Both of these keyring files together house all your keys. To see the location of your keyrings, run the following command:
pgp --version -v
This will display the location of your keyring files. This is handy to know as you can simply copy these files for backup.
Example:
Public Keyring: c:\Users\user1\Documents\PGP\pubring.pkr
Private Keyring: c:\Users\user1\Documents\PGP\secring.skr
To make a backup of these files, simply copy them to another location.
To use PGP Command Line in FIPS mode, see the following article:
267847 - Enable FIPS mode with PGP Command Line Permanently
180234 - HOW TO: License PGP Command Line 10.x
153244 - HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line
158454 - Using PGP Command Line
263777 - Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line
269535 - Creating new Keyrings for each specific Encryption Job with PGP Command Line