PGP 2.6 UNIX Command Line
This page contains the manual page for the UNIX shell command "pgp" for your
reference. Note that this is taken straight from the man page on my system,
your system might be running a different version or not have this command
enabled at all.
--------------------------------------------------------------------------------
PGP(1) PGP(1)
NAME
pgp - Pretty Good Privacy encryption system
SYNOPSIS
pgp [options] pgpfile
pgp -e [options] file user ...
DESCRIPTION
PGP (Pretty Good Privacy) is a public key encryption pack-
age to protect E-mail and data files. It lets you commu-
nicate securely with people you've never met, with no
secure channels needed for prior exchange of keys. It's
well featured and fast, with sophisticated key management,
digital signatures, data compression, and good ergonomic
design. If you really want to learn how to use it prop-
erly, it's best to read the full documentation that comes
with the system, which is very complete. This is a "quick
start" guide and reference manual; it is necessarily
incomplete, and assumes you are already familiar with most
of the basic concepts, including the concepts behind pub-
lic key cryptography.
Terminology
user id: an ascii string used to identify a user. User
IDs tend to look like "John Q. Public <jqp@xyz.com>";
please try sticking to that format. When giving a user id
to PGP, you may specify any unique (case-insensitive) sub-
string. E.g. john, or jqp@xyz.
pass phrase: the secret string used to conventionally
encipher your private key. It's important that this be
kept secret.
keyring: a file containing a set of public or secret keys.
Default names for public and secret rings are "pub-
ring.pgp" and "secring.pgp" respectively.
ascii armor: the ascii radix 64 format PGP uses for trans-
mitting messages over channels like E-Mail; similar in
concept to uuencoding.
Command summary
To see a quick command usage summary for PGP, just type:
pgp -h
To encrypt a plaintext file with the recipient's public
key:
pgp -e textfile her_userid ...
To sign a plaintext file with your secret key:
pgp -s textfile [-u your_userid]
To sign a plaintext file with your secret key, and then
encrypt it with the recipient's public key:
pgp -es textfile her_userid ... [-u your_userid]
To create a signature certificate that is detached from
the document:
pgp -sb textfile [-u your_userid]
To encrypt a plaintext file with just conventional cryp-
tography, type:
pgp -c textfile
To decrypt an encrypted file, or to check the signature
integrity of a signed file:
pgp ciphertextfile [-o plaintextfile]
To see a quick summary of PGP's key-management commands,
just type:
pgp -k
To generate your own unique public/secret key pair:
pgp -kg
To add a public or secret key file's contents to your pub-
lic or secret key ring:
pgp -ka keyfile [keyring]
To remove a key from your public key ring:
pgp -kr userid [keyring]
To extract (copy) a key from your public or secret key
ring:
pgp -kx[a] userid keyfile [keyring]
To view the contents of your public key ring:
pgp -kv[v] [userid] [keyring]
To view the "fingerprint" of a public key, to help verify
it over the telephone with its owner:
pgp -kvc [userid] [keyring]
To view the contents and check the certifying signatures
of your public key ring:
pgp -kc [userid] [keyring]
To edit the pass phrase for or add a userid to your secret
key:
pgp -ke userid [keyring]
To edit the trust parameters for a public key:
pgp -ke userid [keyring]
To remove a key or just a userid from your public key
ring:
pgp -kr userid [keyring]
To sign and certify someone else's public key on your pub-
lic key ring:
pgp -ks her_userid [-u your_userid] [keyring]
To remove selected signatures from a userid on a keyring:
pgp -krs userid [keyring]
Command options that can be used in combination with other
command options (sometimes even spelling interesting
words):
To produce a ciphertext file in ASCII radix-64 format,
just add the -a option when encrypting or signing a mes-
sage or extracting a key:
pgp -sea textfile her_userid
pgp -kxa userid keyfile [keyring]
To wipe out the plaintext file after producing the cipher-
text file, just add the -w (wipe) option when encrypting
or signing a message:
pgp -sew message.txt her_userid
To specify that a plaintext file contains ASCII text, not
binary, and should be converted to recipient's local text
line conventions, add the -t (text) option to other
options:
pgp -seat message.txt her_userid
To view the decrypted plaintext output on your screen
(like the Unix-style "more" command), without writing it
to a file, use the -m (more) option while decrypting:
pgp -m ciphertextfile
To specify that the recipient's decrypted plaintext will
be shown only on her screen and cannot be saved to disk,
add the -m option:
pgp -steam message.txt her_userid
To recover the original plaintext filename while decrypt-
ing, add the -p option:
pgp -p ciphertextfile
To use a Unix-style filter mode, reading from standard
input and writing to standard output, add the -f option:
pgp -feast her_userid < inputfile > outputfile
The Config File
PGP uses a configuration database that is stored in the
file "config.txt"; please see the manual for complete
details. Blank lines and lines beginning with "#" are
comments. Options take string, numeric, or boolean val-
ues. The boolean values are "on" and "off". These
options can also be specified on the command line, using a
syntax such as +armor=on. Keywords can be abbreviated to
unique prefixes. Keywords are not case-sensitive. "=on"
is assumed for boolean options if nothing is specified.
Some highlights:
MYNAME - Default User ID for Making Signatures
Default setting: MYNAME = ""
The configuration parameter MYNAME specifies the default
user ID to use to select the secret key for making signa-
tures. If MYNAME is not defined, the most recent secret
key you installed on your secret key ring is used. The
user may also override this setting by specifying a user
ID on the PGP command line with the -u option.
TEXTMODE - Assuming Plaintext is a Text File
Default setting: TEXTMODE = off
The configuration parameter TEXTMODE is equivalent to the
-t command line option. If enabled, it causes PGP to
assume the plaintext is a text file, not a binary file,
and converts it to "canonical text" before encrypting it.
Canonical text has a carriage return and a linefeed at the
end of each line of text.
This mode is automatically turned off if PGP detects that
the plaintext file contains 8-bit binary data. Thus, it
is safe to leave enabled at all times.
ARMOR - Enable ASCII Armor Output
Default setting: ARMOR = off
The configuration parameter ARMOR is equivalent to the -a
command line option. If enabled, it causes PGP to emit
ciphertext or keys in ASCII Radix-64 format suitable for
transporting through E-mail channels. Output files are
named with the ".asc" extension.
If you tend to use PGP mostly for E-mail, it may be a good
idea to enable this parameter.
ARMORLINES - Size of ASCII Armor Multipart Files
Default setting: ARMORLINES = 720
For large ASCII armor files, PGP splits them into files
named ".asc1", ".asc2", ".asc3", etc. so as not to choke
mailers, which typically starts to happen around 50,000
bytes. This specifies the number of (64-byte) lines to
place in each file. If set to 0, PGP will not split ASCII
armor files.
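The radix-64 format described under "ascii armor", the -a option, ARMOR and ARMORLINES, as an added Python example (this is not code from the PGP distribution). It armors a binary message with the CRC-24 checksum PGP writes on the "=" line, adds the "Comment:" header the COMMENT option would produce, splits the output into "PART nn/NN" files after ARMORLINES lines, and reassembles and checksum-verifies the parts. Assumed details: the "Version: 2.6" header text, that the checksum covers the whole message and appears in the final part only, and the sample input, which is constructed.

```python
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
LINE_LEN = 64          # radix-64 characters per armor line


def crc24(data):
    """CRC-24 PGP appends to armored data (RFC 1991; unchanged in RFC 4880)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data, kind="MESSAGE", comment="", armorlines=720):
    """Armor `data`; split into PART files every `armorlines` lines (0 = never)."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + LINE_LEN] for i in range(0, len(body), LINE_LEN)]
    checksum = "=" + base64.b64encode(
        crc24(data).to_bytes(3, "big")).decode("ascii")
    headers = ["Version: 2.6"]                  # assumed header text
    if comment:
        headers.append("Comment: " + comment)   # what COMMENT= adds
    if armorlines <= 0 or len(lines) <= armorlines:
        chunks = [lines]
    else:
        chunks = [lines[i:i + armorlines]
                  for i in range(0, len(lines), armorlines)]
    parts, total = [], len(chunks)
    for idx, chunk in enumerate(chunks, 1):
        label = kind if total == 1 else "%s, PART %02d/%02d" % (kind, idx, total)
        out = ["-----BEGIN PGP %s-----" % label] + headers + [""] + chunk
        if idx == total:
            out.append(checksum)   # assumed: CRC of the whole message, last part only
        out.append("-----END PGP %s-----" % label)
        parts.append("\n".join(out) + "\n")
    return parts


def dearmor(parts):
    """Join armored part(s) in order, decode, and verify the CRC-24."""
    body, checksum = [], None
    for text in parts:
        lines = text.splitlines()
        if "" not in lines:
            raise ValueError("armor headers not terminated by a blank line")
        for line in lines[lines.index("") + 1:]:
            if line.startswith("-----END"):
                break
            if line.startswith("="):
                checksum = line[1:]
            else:
                body.append(line)
    if checksum is None:
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(body))
    if crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
        raise ValueError("armor checksum mismatch: message damaged in transit")
    return data


def is_intact(parts):
    """True if the armored part(s) decode and pass the checksum."""
    try:
        dearmor(parts)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = bytes(range(256)) * 3   # constructed 768-byte "ciphertext"
    for part in armor(sample, armorlines=5):
        print(part)
    assert dearmor(armor(sample, armorlines=5)) == sample
```

The checksum only catches transport damage (a mailer folding or trimming a line); it is not a signature and says nothing about who produced the message, which is what -s and key certification are for.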
CLEARSIG - Enable Clear-Signed Output
Default setting: CLEARSIG = on
Normally, a signed and ASCII-armored PGP message is gib-
berish, even though the text is not encrypted. This pre-
vents munging by mailers, but requires PGP to simply read
the message.
If CLEARSIG is enabled, then when signing and ASCII-armor-
ing a text file, PGP uses a different format that includes
the plaintext in human-readable form. Lines beginning
with "-" are quoted with "- ". To cope with some of the
stupider mailers in the world, lines beginning with "From"
are also quoted, and trailing whitespace on lines is
stripped. PGP will remove the quoting if you use it to
decrypt the message, but the trailing whitespace is not
recovered. This is still useful enough to be enabled by
default.
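The canonical-text conversion TEXTMODE describes and the quoting CLEARSIG applies, as an added Python example (not PGP's own code). It converts LF text to CRLF unless 8-bit data is present, quotes lines beginning with "-" or "From" with "- ", strips trailing whitespace, and parses a clear-signed message back, which shows the caveat above: the quoting is removed but the trailing whitespace is gone for good. The sample text and the signature block are constructed; the block is a placeholder and no signing is performed.

```python
def has_8bit_data(data):
    """PGP turns TEXTMODE off by itself when the plaintext holds 8-bit data."""
    return any(b & 0x80 for b in data)


def canonicalize(data):
    """Return (bytes to sign/encrypt, whether text mode was applied)."""
    if has_8bit_data(data):
        return data, False
    lines = data.decode("ascii").replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return "\r\n".join(lines).encode("ascii"), True   # canonical text: CRLF per line


def clearsign_body(text):
    """Quote lines PGP or a mailer would mangle; strip trailing whitespace."""
    out = []
    for line in text.split("\n"):
        line = line.rstrip(" \t")
        if line.startswith("-") or line.startswith("From"):
            line = "- " + line
        out.append(line)
    return "\n".join(out)


def unquote_clearsig(body):
    """Undo the "- " quoting.  Stripped trailing whitespace cannot come back."""
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body.split("\n"))


def build_clearsigned(text, signature_armor):
    return ("-----BEGIN PGP SIGNED MESSAGE-----\n\n"
            + clearsign_body(text) + "\n" + signature_armor)


def parse_clearsigned(message):
    """Split a clear-signed message into (recovered text, signature armor)."""
    _, marker, rest = message.partition("-----BEGIN PGP SIGNED MESSAGE-----\n")
    if not marker:
        raise ValueError("not a clear-signed message")
    lines = rest.split("\n")
    if "" not in lines:
        raise ValueError("no blank line after the signed-message headers")
    body = "\n".join(lines[lines.index("") + 1:])
    # A signed line that itself read "-----BEGIN PGP SIGNATURE-----" was quoted
    # to "- -----BEGIN ...", so only the real delimiter matches "\n-----".
    text, sep, sig = body.partition("\n-----BEGIN PGP SIGNATURE-----")
    if not sep:
        raise ValueError("signature block missing")
    return unquote_clearsig(text), "-----BEGIN PGP SIGNATURE-----" + sig


# Constructed sample text and a placeholder signature block (not a real signature).
SAMPLE_TEXT = "--- a/file\nFrom: alice  \nhello world"
SAMPLE_SIG = ("-----BEGIN PGP SIGNATURE-----\nVersion: 2.6\n\n"
              "iQCVAwUBAAAAAAAAAAAAAAAAAQEAAAAA\n=AAAA\n"
              "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print(build_clearsigned(SAMPLE_TEXT, SAMPLE_SIG))
    print(parse_clearsigned(build_clearsigned(SAMPLE_TEXT, SAMPLE_SIG))[0])
```

Because the signature is computed over the canonical, whitespace-stripped text, a verifier that re-derives it from the recovered text still succeeds; what is lost is only the original trailing whitespace, which is why the page calls this format "still useful enough" rather than lossless.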
ENCRYPTTOSELF - Add MYNAME to Recipients List
Default setting: ENCRYPTTOSELF = off
If this is enabled, MYNAME will be implicitly added to the
list of recipients for any message you encrypt with a pub-
lic key. Since in this case, MYNAME is looked up in the
public keyring, it is important that it unambiguously
specify the right key.
LANGUAGE - Language To Use
Default setting: LANGUAGE = en
If you want to use a different language, and translations
are in the language.txt file, setting this option will
cause PGP's messages to appear in a different language.
If a translation for a message is not available, it
appears in English.
If you look at the supplied language.txt file, the format
should be obvious.
CHARSET - Character Set
PGP tries to translate all text-mode messages into the ISO
Latin-1 alphabet, or the KOI-8 alphabet for cyrillic
alphabets. This setting indicates the native character
set, so PGP can do the translation. Options are noconv,
latin1 or koi8, indicating that no translation should be
done; cp850, indicating that IBM PC code page 850 mappings
should be used; ascii, indicating that a minimal ASCII
subset should be used; and alt_codes, indicating that the
IBM PC alt codes should be used for the cyrillic alphabet.
KEEPBINARY - Preserve Intermediate .pgp File
Default setting: KEEPBINARY = off
If KEEPBINARY is enabled, then PGP will produce a .pgp
file in addition to a .asc file when ASCII armor is
enabled.
TMP - Temporary file directory
Default setting: TMP = ""
PGP produces temporary files while decrypting a message.
This is the directory they are stored in. If not speci-
fied in the config file, the environment variable TMP is
used, or the current directory. It helps security some-
what if this is not a publicly-readable directory. A
local file system is also a good idea.
COMPRESS - Compress Plaintext Before Encrypting
Default setting: COMPRESS = on
PGP usually compresses the plaintext before encrypting it,
so it will have less to encrypt and the file you send will
be smaller. It also makes cryptanalysis harder. This is
usually only turned off for debugging purposes.
PAGER - Select Shell Command to Display Pager Output
Default setting: PAGER = ""
If set, PGP uses this program to view files when the -m
option is specified. By default, PGP uses a simple
builtin pager.
SHOWPASS - Echo Pass Phrase During Entry
Default setting: SHOWPASS = off
If someone is unable to type a long pass phrase reliably
without seeing it, this can be turned on, at the cost of
security.
INTERACTIVE - Prompt Before Adding Each Key
Default setting: INTERACTIVE = off
By default, when given a file containing new keys, PGP
asks if you would like to add them to your public key
ring. Since adding keys does not imply that you trust
them, adding more just wastes space. If this option is
set, PGP asks about each key in a key file.
VERBOSE - Level of Detail Printed
Default setting: VERBOSE = 1
When set to 0, PGP only prints messages that are necessary
or indicate an error. When set to 2, PGP prints a signif-
icant amount of debugging information describing what it's
doing. Values above 2 have no effect.
PUBRING - Public Key Ring Location
Default setting: PUBRING = $PGPPATH/pubring.pgp
This is the path name to the public key ring to use.
SECRING - Secret Key Ring Location
Default setting: SECRING = $PGPPATH/secring.pgp
This is the path name to the secret key ring to use.
BAKRING - Backup Secret Key Ring
Default setting: BAKRING = ""
If this is set, when checking your key ring (pgp -kc), PGP
will compare the normal secret key ring against the given
backup copy, usually kept on write-protected removable
media. This is to protect against wholesale modifications
to your key rings in a spoofing attack.
RANDSEED - Random Number Seed File
Default setting: RANDSEED = $PGPPATH/randseed.bin
This is the path to a random seed file which is part of
PGP's random number generation algorithm, used to generate
session keys. While PGP goes to great lengths to use
every available source of randomness in generating session
keys, this file is part of the process and protecting it
from disclosure is desirable.
COMMENT - ASCII Armor Comment
Default setting: COMMENT = ""
If set to a non-empty string, the value of this variable
is printed in the header of ASCII armor files, preceded by
"Comment: ".
PKCS_COMPAT - PKCS compatibility
Default setting: PKCS_COMPAT = 1
This flag is ignored by PGP 2.5; it is always taken as 1.
If set to 1, PGP pads message digests and session keys
inside RSA-encrypted integers according to RSA Data Secu-
rity, Inc.'s Public-Key Cryptography Standards. If set to
0, earlier versions of PGP generated an old, incompatible
format. Either was accepted.
The RSAREF public-key encryption routines used by PGP 2.5
are unable to decode the old formats.
There are still many areas of incompatibility with the
PKCS; in future, higher values of this flag may enable
more compatibility features.
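The padding PKCS_COMPAT refers to, as an added Python example (not PGP's or RSAREF's code): it builds the PKCS #1 v1.5 encryption block, EB = 00 || BT || PS || 00 || D, with block type 1 (a DigestInfo-wrapped message digest, for signatures) and block type 2 (a session key behind random non-zero padding, for encryption), and strips and validates it again. The MD5 DigestInfo prefix is the standard one from PKCS #1; the choice of MD5 follows PGP 2.6. Both MD5 and this padding scheme are obsolete today, and the example only shows the layout the page is talking about. Nothing here performs the RSA operation itself.

```python
import hashlib
import hmac
import os

# DER DigestInfo prefix for MD5 (PKCS #1 / RFC 2313); PGP 2.6 signed MD5 hashes.
MD5_DIGESTINFO = bytes.fromhex("3020300c06082a864886f70d020505000410")


def pkcs1_pad(block_type, payload, k, rng=os.urandom):
    """EB = 00 || BT || PS || 00 || D for a k-byte modulus (PKCS #1 v1.5)."""
    if block_type not in (1, 2):
        raise ValueError("block type 1 (signature) or 2 (encryption) only")
    ps_len = k - 3 - len(payload)
    if ps_len < 8:
        raise ValueError("payload too long: fewer than 8 padding bytes")
    if block_type == 1:
        ps = b"\xff" * ps_len                 # signatures: fixed 0xFF padding
    else:
        ps = b""
        while len(ps) < ps_len:               # encryption: random non-zero bytes
            ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + payload


def pkcs1_unpad(eb):
    """Return (block_type, payload) or raise ValueError on a malformed block."""
    if len(eb) < 11 or eb[0] != 0 or eb[1] not in (1, 2):
        raise ValueError("bad PKCS #1 block header")
    sep = eb.find(b"\x00", 2)                 # PS never contains 0x00
    if sep < 10:                              # PS must be at least 8 bytes
        raise ValueError("padding string too short or separator missing")
    if eb[1] == 1 and eb[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("block type 1 padding must be 0xFF bytes")
    return eb[1], eb[sep + 1:]


def is_well_formed(eb):
    try:
        pkcs1_unpad(eb)
        return True
    except ValueError:
        return False


def sign_digest_block(message, k):
    """The block PGP would RSA-encrypt with the secret key when signing."""
    return pkcs1_pad(1, MD5_DIGESTINFO + hashlib.md5(message).digest(), k)


def verify_digest_block(eb, message):
    """Check a recovered signature block against `message`; False on mismatch."""
    try:
        block_type, payload = pkcs1_unpad(eb)
    except ValueError:
        return False
    expected = MD5_DIGESTINFO + hashlib.md5(message).digest()
    return block_type == 1 and hmac.compare_digest(payload, expected)


if __name__ == "__main__":
    k = 128                                   # 1024-bit modulus
    print(sign_digest_block(b"hello", k).hex())
    print(pkcs1_pad(2, bytes(range(16)), k).hex())   # constructed 16-byte key
```

The verifier compares the whole expected payload, DigestInfo included, rather than searching for the hash inside the block; accepting a block whose padding is merely "long enough" is the kind of lenient parsing this layout punishes.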
Key certification
PGP employs a system where users specify trusted users who
may sign other people's public keys. It is important that
you understand how this mechanism works; a full descrip-
tion is in the manual.
Important: The manual also describes how to generate and
send a "key compromise" certificate that tells readers
that your private key has been compromised. If your key
has been compromised, please read the manual section on
key compromise certificates and how to create them; the
faster you send out a key compromise certificate, the
smaller the window of opportunity for "bad guys" to send
forged messages.
Important Hints
PGP automatically tries compressing your input file; there
is little point in precompressing input for transmission.
PGP "ascii armor" is only needed on the outer transmitted
message; as an example, if you are, say, sending a public
key to someone else and you are for some reason signing
it, simply armor the outer message; it's better to sign
the binary form of the key.
Foreign Languages
PGP is easily customized for foreign language help and
error messages; it has been translated into a number of
non-English languages. See the manual for details on the
file "language.txt".
ENVIRONMENT
PGP uses several special files for its purposes, such as
your standard key ring files "pubring.pgp" and
"secring.pgp", the random number seed file "randseed.bin",
the PGP configuration file "config.txt", and the foreign
language string translation file "language.txt". These
special files can be kept in any directory, by setting the
environment variable "PGPPATH" to the desired pathname.
If PGPPATH remains undefined, these special files are
assumed to be in the current directory.
Normally, PGP prompts the user to type a pass phrase when-
ever PGP needs a pass phrase to unlock a secret key. But
it is possible to store the pass phrase in an environment
variable from your operating system's command shell. The
environment variable PGPPASS can be used to hold the pass
phrase that PGP attempts to use first. If the pass phrase
stored in PGPPASS is incorrect, PGP recovers by prompting
the user for the correct pass phrase. This dangerous fea-
ture makes your life more convenient if you have to regu-
larly deal with a large number of incoming messages
addressed to your secret key, by eliminating the need for
you to repeatedly type in your pass phrase every time you
run PGP. This is a very dangerous feature; on UNIX it is
trivial to read someone else's environment using the ps(1)
command. If you are contemplating using this feature, be
sure to read the sections "How to Protect Secret Keys from
Disclosure" and "Exposure on Multi-user Systems" in the
full PGP manual.
If the environment variable PGPPASSFD is defined, it must
have a numeric value, which PGP uses as a file descriptor
number to read a pass phrase from. This is done before
anything else, so it can be combined with an input file on
standard input. This is mainly for use by shell scripts,
since under Unix it is difficult to read the contents of
other people's pipes.
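The PGPPASSFD mechanism from a calling script's side, as an added Python example (not part of PGP): the pass phrase goes into a pipe whose read end is handed to the child at a fixed descriptor number, and only that number travels in the environment, so neither ps(1) nor the child's argv carries the secret. The child here is a constructed stand-in that reads the descriptor the way the man page says pgp does; in real use argv would be the pgp command line, with the ciphertext on standard input as described above. POSIX only, since it relies on descriptor inheritance.

```python
import os
import subprocess
import sys

# Stand-in for a pgp binary (constructed; not PGP): it honours the contract the
# man page gives for PGPPASSFD, reading the pass phrase from that descriptor.
CHILD_SOURCE = r"""
import os, sys
fd = int(os.environ["PGPPASSFD"])
buf = b""
while True:
    chunk = os.read(fd, 4096)
    if not chunk:
        break
    buf += chunk
os.close(fd)
sys.stdout.write(buf.decode().rstrip("\n"))
"""


def run_with_passfd(passphrase, argv=None):
    """Hand the pass phrase to a child over a private pipe, not via PGPPASS.

    A child's environment and argv can be read by other users with ps(1);
    the bytes sitting in a pipe cannot.  argv defaults to the stand-in child.
    """
    if argv is None:
        argv = [sys.executable, "-c", CHILD_SOURCE]
    read_fd, write_fd = os.pipe()
    os.write(write_fd, passphrase + b"\n")
    os.close(write_fd)                 # child sees EOF right after the phrase
    env = {"PATH": os.environ.get("PATH", ""), "PGPPASSFD": str(read_fd)}
    try:
        # pass_fds keeps read_fd open in the child at the same number;
        # every other inherited descriptor is closed (close_fds defaults to True).
        proc = subprocess.run(argv, env=env, pass_fds=(read_fd,),
                              capture_output=True, text=True, check=True)
    finally:
        os.close(read_fd)
    return proc.stdout


if __name__ == "__main__":
    print(run_with_passfd(b"correct horse battery"))
```

Keeping the write end closed before the child starts matters: if the child inherited it, a read loop waiting for EOF would hang, and the phrase would outlive the parent in a descriptor nobody intended to leak.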
RETURN VALUE
PGP returns a 0 to the shell on success, and a nonzero
error code on failure. See the source code for details on
nonzero status return values.
FILES
*.pgp ciphertext, signature, or key file
*.asc ascii armor file
/usr/local/lib/config.txt system-wide configuration file
$PGPPATH/config.txt per-user configuration file
$PGPPATH/pubring.pgp public key ring
$PGPPATH/secring.pgp secret key ring
$PGPPATH/randseed.bin random number seed file
/usr/local/lib/pgp/language.txt
$PGPPATH/language.txt foreign language translation file
/usr/local/lib/pgp/pgp.hlp
$PGPPATH/pgp/pgp.hlp online help text file
/usr/local/lib/pgp/pgpkey.hlp
$PGPPATH/pgp/pgpkey.hlp online key-management help text file
NOTE
The manual is really good, and it's really important in
the long run that you read it. PGP may be an unpickable
lock, but you have to put it in the door properly to keep
out intruders. So read the manual and find out how!
CAVEATS
It is impossible to overemphasize the importance of pro-
tecting your secret key. Anyone gaining access to it can
forge messages from you or read mail addressed to you. Be
very cautious in using PGP on any multi-user unix system.
PGP is believed by its authors to be the most secure cryp-
tographic software available to the public when used as
directed, but then again everyone always claims their pet
encryption system is secure. Read the section in the man-
ual on "Trusting Snake Oil" and the section on "Vulnera-
bilities" for caveats.
DIAGNOSTICS
Mostly self explanatory.
BUGS
PGP was initially written for the PC, and behaves very
PCish. In particular, its automagic file selection, file
extensions, and the like all make it somewhat alien in the
UNIX environment.
This man page needs to be updated to reflect all the lat-
est features.
AUTHORS
Originally written by Philip R. Zimmermann. Later aug-
mented by a cast of thousands.
LEGAL RESTRICTIONS
For detailed information on PGP licensing, distribution,
copyrights, patents, trademarks, liability limitations,
and export controls, see the "Legal Issues" section in the
"PGP User's Guide, Volume II: Special Topics". In partic-
ular, PGP is export restricted by the Offices of Defense
Trade Controls and Munitions Control, U.S. Department of
State, and shall not be exported or reexported from the
United States, directly or indirectly, without obtaining a
U.S. Department of State License.
PGP uses a public key algorithm claimed by U.S. patent
#4,405,829. The exclusive rights to this patent are held
by a California company called Public Key Partners. This
is explained in the PGP User's Guide, Volume II.
PGP itself is freeware, but it inherits certain encum-
brances from its use of RSAREF to perform public-key
encryption.
Another fully licensed commercial PGP is available from
ViaCrypt, 2104 West Peoria Avenue, Phoenix, Arizona 85029,
(602) 944-0773.
PGP Version 2.6