HOW TO: Set the PGP_HOME_DIR variable for PGP Command Line

book

Article ID: 153244

calendar_today

Updated On:

Products

PGP Command Line

Issue/Introduction

Symantec PGP Command Line is often run by many different profiles on a single machine. Because information such as licensing is set per profile, each profile either needs to be licensed, or a PGP Home Directory can be configured to use the same preferences for each profile.  In some cases, it may be necessary to have the same keyrings for each profile. This article describes how to specify a specific directory on a machine so that every time PGP is run, it uses a preference file from this specific location.

 

Environment

Symantec PGP Command Line 10.4 and above.

Resolution

Setting up a permanent PGP Home Directory in Windows for PGP Command Line

1.  Decide which location is going to be best for all users to access.  Since this directory must be accessible from all profiles, creating the folder off of the C: drive is probably the best thing to do.  In this example, C:\PGP will be used.

2.  Because PGP creates the home directory when the license is authorized, a PGPprefs.xml file may already exist on the system and may exist on multiple profiles already depending on what has been done. This preference file contains information on where the PGP Home Directory should be, where keyrings are stored, license information as well as other information and should be deleted before proceeding to the next steps. Search for PGPprefs.xml and delete any instances of it. There may also be variations of the file called PGPCommandLineprefs.xml, make sure you delete any of these PGP preference files. Make sure the name "PGP" appears in the filename.

3.  Set your environment variable to point to the new location that has been chosen. In this example, a PGP folder was created for this purpose so the path is C:\PGP.  If the directory that has been chosen for the PGP_HOME_DIR variable does not exist, these steps will not work.

To open the Environment Variables in Windows, open the Properties of My Computer, click on the Advanced tab, click on the Environment Variables button and choose New under System Variables rather than User Variables.  Set the Variable Name to PGP_HOME_DIR. Then, set the Variable Value to the path that has been chosen. Make sure to put a backslash at the end of the Variable Value or unexpected behavior will be seen (C:\PGP\):

4.  If keyrings already exist on the machine, copy them into the new directory that has been created (C:\PGP in this example). PGP Keyring files will end in .pkr and .skr extensions.  Otherwise, these will be created once keys are created.

5.  Once the PGP Home Directory has been set and all PGP Preferences have been removed, log off the system, then log back on. The PGP Command Line software must be re-licensed to complete this operation.  Once this is completed, the new home directory will be set. To confirm the home directory configuration was successful, type: pgp --version -v. The section under files will be listed. Now when PGP is run from any profile, all the license information and keyrings will be used from C:\PGP or the location that was selected:

 

Using a Home Directory for individual PGP Commands

It may be desired to use a PGP Home Directory for a specific PGP Command. Using this method, a PGP Home Directory variable is specified each time a PGP command is run such as when encrypting or decrypting a file.

To enable PGP Command line to reference a specific directory to use as the home directory in an individual command, the --home-dir option can be used.  This option is used less frequently and would not generally be recommended.  For more information on this option, see the PGP Command Line User's Guide.  For this article, we will focus on the actual and persistent PGP_HOME_DIR variable.


PGP Command Line commands require a license number to be entered and is done by running a command similar to the following: 
pgp --license-authorize --license-number "DTRE3-DFJK3-34D03-DJ23K-DK2LD-23D".

Note: If a license number is already being used, and you want to use a new license number, add the --force option to the end of the command to overwrite the current license number with the new license number.

For more information on how to license PGP Command Line, see article https://knowledge.broadcom.com/external/article/180234

Once this license command has been run a new PGPprefs.xml file will be created in this directory which contains the license information and settings. This PGPprefs.xml file typically exists in %appdata%\PGP Corporation\PGP.
  

NOTE: PGP Command Line 10.2.0 and older would put the PGPprefs.xml into the PGP_HOME_DIR directory set.  PGP Command Line 10.2.1 and above no longer do this, and will always put the PGPPrefs.xml file into %appdata%\PGP Corporation\PGP.  See KB https://knowledge.broadcom.com/external/article?articleId=158535 for more information.

If keyrings already exist in a different directory, simply copy them into the home directory location that was chosen. If keyrings do not exist, they will be created once a PGP Key has been generated.

 

Setting PGP_HOME_DIR variables and putting the "pgp" binary in your "path" for Linux

After installing PGP Command Line for Windows, the "pgp" binary will run from any location automatically.  Linux is different and requires you to manually setup the Linux PATH variable for the pgp binary to run from any directory.  By default, the pgp binary for Linux is installed into /opt/pgp/bin.  This means, when running a command w/out putting this location in your path, you would need to call the absolute path, such as this example:

/opt/pgp/bin/pgp --version

If you would like to be able to run PGP Command Line from any directory on Linux, first consult your Linux administrator and then look at the following example for ideas on how you want to set this up:


Setting the /opt/pgp/bin directory on Linux in your PATH so that the pgp binary can be run from any directory:

Step 1: Login as Root

Step 2: Run the following command to make the directory "/opt/pgp/bin" to be included with all profiles in the path.
This makes it possible to run the "pgp" binary from any directory:

echo "export PATH=$PATH:/opt/pgp/bin" >> /etc/profile.d/pgppath.sh

Step 3: Verify the contents of the /etc/profile.d/pgppath.sh file, it should look very similar to your "export PATH=..." PATH values, but should have "/opt/pgp/bin" at the end of it.

(cat /etc/profile.d/pgppath.sh)

Step 4: Reboot the machine for this to take effect for all users.

Step 5: Run the following command from any directory:
pgp --version

Step 6: Run the following to see "/opt/pgp/bin" in the path for all users:

echo $PATH

You should see something similar to the following:

[email protected] ~]$ cat /etc/profile.d/pgppath.sh 
export PATH=/home/UserA/.local/bin:/home/UserA/bin:/home/UserA/.local/bin:/home/UserA/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/opt/pgp/bin

As you can see at the end of this directory, "/opt/pgp/bin" is listed in the path.

Now you can run pgp command from any directory on the system.



Setting up the PGP_HOME_DIR on Linux

By default, PGP will use the user's profile to place files used by PGP Command Line, such as keyrings.  

Run the following command and check the location for "Home Directory", "Personal Directory", "Public Keyring", "Private Keyring" and "Random Seed" directories:
pgp --version -v

For the "root" account, the value will most likely be:
/root/.pgp/

If you have a user named "Bob", this will most likely be in:
/home/bob/.pgp

If you wish to have a specific location designated, you can set a "PGP_HOME_DIR" variable so all these files will be somewhere else.


In this example, we will use /opt/pgp/bin as the location for the PGP_HOME_DIR variable.  Several methods exist to make this possible.  Some methods apply to only the user, and are not persistent beyond reboots.  Other methods will be persistent and available for all users:


Example 1: Setting a PGP_HOME_DIR variable that is both persistent, and will apply to all users


Step 1: Create a file in /etc/profile.d called PGP_HOME_DIR.sh.  

Note: This will require root access to the system.

Step 2: In the file, enter the following details:
export PGP_HOME_DIR=/opt/pgp/bin

The /opt/pgp/bin location is where we will be designating the folder.

Step 3: Logout of profile, log back in.  

Tip: It's better to reboot the system so that this takes effect for all users.

For other users, you may need to reboot the machine.

Step 4: Run the following command to see where the PGP_HOME_DIR location is set to:
pgp --version -v 

Check for the "Home Directory", "Personal Directory", "Public Keyring", "Private Keyring" and "Random Seed" directories, these should now all be set to "/opt/pgp/bin".

Important note:  The above will set /opt/pgp/bin as the home directory, and will allow all users logging in to the system to use this same directory as the home directory, however, in order for those users to run the commands, they must be given read/write permissions to the "Home Directory", "Personal Directory", "Public Keyring", "Private Keyring" and "Random Seed" as well as the PGPprefs.xml file.

TIP: The PGPprefs.xml file is created in /etc/

Once all users have been provided the proper permissions, run the commands from any profile and all users will be able to use PGP Command Line.

For example, as "root", run the following command to create the keyring files if you have never generated keys before:
pgp --create-keyrings

Next, run the following to list the keys:
pgp --list-keys

You will be shown the keys (if any) inside your keyring.  By default, only user "root" will have permissions.

Now logout as root, and login as a different user on the system and run the same commands.

If you get a "permission denied" error, most likely the proper permissions have not yet been set.

Set proper permissions to both /opt/pg/bin/[pubring.pkr/secring.srk/randseed.rnd] and /etc/PGPprefs.xml so all users can read/write and run all commands needed.

In the rest of the examples, the PGP_HOME_DIR can be set per user and will apply to only the user using various methods:



Example 2: This sets the PGP_HOME_DIR for all users, and is persistent:

Step 1: Run the following command:
echo "export PGP_HOME_DIR=/opt/pgp/bin" >> ~/.bash_profile

Step 2: Then run:
source ~/.bash_profile

Step 3: Reboot

This should apply to the current users, but you may need to re-configure this if more users are added.



Example 3:
This works for all users and is persistent beyond a reboot:

Step 1: Run the following command:
echo "export PGP_HOME_DIR=/opt/pgp/bin" >> ~/.bashrc

Step 2: Then run:
source ~/.bashrc

Step 3:
Reboot the machine.

This should apply to the current users, but you may need to re-configure this if more users are added.


For additional information, including details on how to run PGP Command Line for Linux using a dedicated service account, please see article TECH148942.