PGP Command Line gives you several key types to choose from: RSA, RSA-sign-only, DH, and DH-sign-only:
RSA. RSA v4 keys support all PGP key features, such as ADKs, designated revoker, preferred ciphers, multiple encryption subkeys, or photo IDs. Their size is 1024 bits to 4096 bits.
Managing Keys Commands 97
RSA-sign-only. These are RSA v4 keys with no automatically generated subkey. You can generate a subkey for this key later by using --gen-subkey. Like any other v4 key, they support all PGP key features, such as ADKs, designated revoker, preferred ciphers, and so on.
DH. Diffie-Hellman (DH/DSS) keys. The DSS signing key can be 1024, 2048, or 3072 bits (per FIPS 186-3). Version 4 keys support all PGP key features, such as ADKs, designated revoker, preferred ciphers, and so on.
DH-sign-only. This is a DH/DSS key with no automatically generated encryption subkey.
Note: rsa-legacy keys can no longer be generated by PGP Command Line. They will be recognized if used, but you cannot generate new keys of this type.
--gen-revocation
Generates a revocation certificate for a key, but does not revoke the key on the keyring.
By default, the revocation certificate is exported as if you have used the command --export.
The usage format is:
pgp --gen-revocation <user> --passphrase <pass> --force [--revoker <revoker>] [--output <output>]
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key being revoked.
<pass> is the passphrase of the key being revoked.
--force is required; without it the revocation certificate is not generated.
<revoker> is the user ID, portion of the user ID, or the key ID of the designated revoker key. When this option is used, the passphrase supplied is that of the revoker key, not of the key being revoked. The option is not needed for self-revocation.
<output> is used to change the location of the exported certificate.
Example:
pgp --gen-revocation "Jose Medina" --passphrase "Jose*Med1na" --force
0xF6EFC4D9:generate revocation (0:key exported to Jose Medina.asc)
0xF6EFC4D9:generate revocation (2094:this key has NOT been permanently revoked)
Generates the revocation certificate "Jose Medina.asc". The second line confirms that the key on the keyring itself has not been revoked; only the certificate was produced.
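Scripting this command: the following shell script is an added example and is not part of the PGP Command Line manual. It wraps --gen-revocation so that the certificate is written to a chosen path with owner-only permissions, and it parses the "(code:message)" status lines shown in the example output above so a script can tell success from failure. The helper names pgp_status_code, pgp_output_ok and gen_revocation, and the PGP_USER, PGP_PASS and PGP_REVOKE_OUT variables, are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the PGP Command Line manual. Generates a revocation
# certificate ahead of time and stores it with owner-only permissions.
# Assumes the pgp binary is on PATH; user ID, passphrase and output path are
# hypothetical values supplied by the caller through the environment.

# Print the numeric status code of one PGP Command Line result line, e.g.
#   0xF6EFC4D9:generate revocation (0:key exported to Jose Medina.asc)  -> 0
# Prints nothing when the line carries no "(NNN:" code.
pgp_status_code() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\):.*/\1/p'
}

# Succeed only if every coded line in the captured output is status 0,
# allowing the 2094 "NOT been permanently revoked" notice that the manual's
# example shows for --gen-revocation (it is informational, not an error).
pgp_output_ok() {
    for c in $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9][0-9]*\):.*/\1/p'); do
        case "$c" in
            0|2094) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Generate the certificate for key $1 (user ID or key ID) with passphrase $2,
# writing it to $3. umask 077 means the file is never world- or group-readable,
# since anyone holding this certificate can publish it and revoke the key.
gen_revocation() {
    user=$1; pass=$2; out=$3
    umask 077
    output=$(pgp --gen-revocation "$user" --passphrase "$pass" --force --output "$out" 2>&1) || true
    printf '%s\n' "$output"
    pgp_output_ok "$output" || { echo "revocation certificate NOT generated" >&2; return 1; }
    [ -s "$out" ] || { echo "pgp reported success but $out is empty or missing" >&2; return 1; }
    chmod 600 "$out"
    echo "revocation certificate stored at $out; keep it offline until it is needed"
}

# Live run only when pgp is installed and the caller supplied a key and passphrase.
if command -v pgp >/dev/null 2>&1 && [ -n "${PGP_USER:-}" ] && [ -n "${PGP_PASS:-}" ]; then
    gen_revocation "$PGP_USER" "$PGP_PASS" "${PGP_REVOKE_OUT:-revocation-cert.asc}"
fi
```

Passing --passphrase on the command line, as the manual's own examples do, exposes it to anyone who can list processes on the host; run this on a trusted machine and clear the shell history afterwards.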
--gen-subkey
Generates a subkey on an existing key. The key must be allowed to have subkeys or the operation fails. The subkey is always of the same type as the key to which it is being added.
The usage format is:
pgp --gen-subkey <user> --bits <bits> --passphrase <pass> [options]
Where:
<user> is the user ID, portion of the user ID, or key ID of the key that is getting the subkey.
<bits> specifies the length of the encryption subkey in bits. Values are 1024 to 4096.
<pass> is the passphrase of the key that is getting a subkey.
[options] change the behavior of the command. Options are:
--creation-date specifies the date on which the key becomes valid. You cannot use --creation-date and --creation-days for the same operation.
--creation-days specifies the number of days until creation.
--expiration-date specifies the date the key expires. You cannot use --expiration-date and --expiration-days in one operation.
--expiration-days specifies the number of days until expiration.
Example:
pgp --gen-subkey "[email protected]" --bits 2048 --passphrase "B0bsm1t4"
0x3D58AE31:generate subkey (0:subkey successfully generated)
Generates a subkey of the specified number of bits on Bob's key:
Subkey ID: 0x3D58AE31 (0xAEE6484D3D58AE31)
Type: RSA (v4)
Size: 2048
Created: 2005-11-18
Expires: Never
Status: Active
Revocable: Yes
Prop Flags: Encrypt communications
Prop Flags: Encrypt storage
--get-email-encoding
Displays the email encoding of the specified key: either PGP/MIME or S/MIME.
PGP/MIME keys are normal PGP keys, including all keys created by PGP Desktop and imported bundle keys created by PGP Desktop 9.5 or greater. S/MIME keys are PGP keys created by PGP Desktop versions prior to 9.5 where an X.509 certificate was imported and a PGP key "wrapped" around it (also called a wrapper key).
The usage format is:
pgp --get-email-encoding <user>
Where:
<user> is the user ID, portion of the user ID, or key ID of the key.
Example:
pgp --get-email-encoding 0x1234ABCD
The email encoding for the specified key will be displayed.
--import
Imports a key or keys to the local keyring.
The file containing the key(s) to be imported should be in the current directory, or you must specify the fully qualified path to the file containing the keys. Note that both private and public keys will be imported, if they exist in the file. If a key being imported already exists in the local keyring, the keys are merged.
When importing PKCS-12 X.509 certificates (a digital certificate format used by most Web browsers), you have two options:
For keys created by a version of PGP Desktop prior to 9.5, create a wrapper key. You must use the --wrapper-key option.
For keys created by a version of PGP Desktop 9.5 or greater, create a bundle key.
A wrapper key is a PGP key based on the X.509 certificate being imported. A bundle key is a PGP key with the X.509 certificate information imported as subkeys on the PGP key.
A bundle key allows for greater flexibility in the use of the key; any operational restrictions are respected, and bundle keys are compatible with other OpenPGP applications.
Note: Only X.509 certificates that include a private key can be imported.
The usage format is:
pgp --import <input> [<input2> ...] [options]
Where:
<input> is the filename of the key being imported. Multiple keys can also be imported by listing them, separated by a space.
[options] modify the behavior of the command. Options are:
--import-format specifies the import format for the current operation. See --import-format for more information.
--manual-import-keys changes the behavior of PGP Command Line when keys are found during import operations. The default is all.
--manual-import-key-pairs changes the behavior of PGP Command Line when key pairs are found during an import operation.
--passphrase is the passphrase of the key being imported.
--new-passphrase is the new passphrase of the bundle key being imported.
--local-user is the key ID of an existing bundle key.
--local mode runs the operation in local mode.
Examples:
pgp --import "Bob Smith.asc"
Bob Smith.asc:import key (0:key imported as 0x6245273E Bob Smith)
Imports Bob Smith's key "Bob Smith.asc".
pgp --import key.p12 --wrapper-key --passphrase <p12pass>
Imports file "key.p12" as a wrapper key. The passphrase to the PKCS-12 private key is provided.
pgp --import key.p12 --passphrase <p12pass> --new-passphrase "B0b*Sm1t4"
pgp --import encrypt.p12 --passphrase <p12pass> --new-passphrase "B0b*Sm1t4"
In a two-step process, imports file key.p12 as a bundle key that includes a signing and encryption subkey.
pgp --import key.p12 --passphrase <p12pass> --new-passphrase "B0b*Sm1t4"
pgp --import encrypt.p12 --passphrase <p12pass> --new-passphrase "B0b*Sm1t4" --local-user <existingbundlekeyID>
In a two-step process, imports the file key.p12 and adds the certificate to an existing bundle key.
--join-key
This command joins the shares of a key that was previously split.
The minimum number of share files must be on the computer where the key is being joined. The passphrase cache must be enabled for this command to work with public keys that have passphrases; no passphrase caching is required for public keys with no passphrases.
Since PGP Command Line currently cannot cache symmetric passphrases, you need to enter all necessary symmetric passphrases on the command line during key joining.
The symmetrical passphrases are added together with corresponding share files onto the command line.
You can also turn on automatic passphrase caching by changing the value of CLpassphraseCache from false to true in the preference file PGPprefs.xml, which is located in your Data directory.
Following is an overview of how PGP Command Line handles key joining:
Local shares are always assembled before PGP Command Line begins listening on the network for remote shares.
If the local shares are based on keys with passphrases, the passphrases must be cached.
If the local shares are conventionally encrypted, the passphrase must be supplied on the command line.
If there are enough local shares for reconstruction of the key, PGP Command Line does not listen on the network for remote shares.
If you are experiencing problems with your local shares, run --join-key without --force; PGP Command Line returns all of the information about each local share file it has found, including whether or not the passphrases are correct. Fix any problems it reports. Once all problems with the local shares are fixed, add --force and --skep to have PGP Command Line listen on the network for remote shares after collecting the local shares.
The usage format is:
pgp --join-key <user> --passphrase <new pass> --share <share1> --share <share2> [--share <shareN> ...] [--force] [options]
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key you want to join. You must make an exact match, as you can only join one key at a time.
<new pass> is the passphrase assigned to the newly joined key. It is applied once the threshold has been met, that is, once enough shares have been put together for the key to be joined.
<share1> <share2> are share files given to a specific user when the key was split. When you join the key using these shares, you need to reach the threshold:
the minimum number of shares needed for joining operation to succeed.
You need to supply the symmetric passphrases incorporated with the shares for any share users who have such passphrases.
The share file format for users with symmetric passphrases (which cannot be cached for this operation) is as follows:
--share "<share user>-2-<split key ID>.shf:<share user's symmetric passphrase>"
for example:
--share "Alice Cameron-2-Jill Johnson.shf:ji11"
The share file format for users with asymmetric passphrases (which must be cached for this operation) is as follows:
--share "<share user>-1-<split key ID>.shf"
for example:
--share "Alice Cameron-1-Bob Smith.shf"
--force. If you run --join-key without the --force option, PGP Command Line does not join the key: it only lists the state of the shares in preview mode. The output is not displayed if there are parse errors, or if a key is missing or cannot be decrypted.
The key shares preview will report if there are enough shares to join the key and if there are invalid (or not cached) passphrases.
--skep. PGP Command Line uses this option when joining split keys over the network. It looks for share files on the network and, if it doesn't find enough of them, continues to listen for the timeout defined by the option --skep-timeout.
--skep-timeout changes the timeout for joining keys over the network. There is no value reserved to indicate no timeout. Default is 120 seconds.
-v|--verbose gives a detailed overview of the operation.
Examples:
1 In this example, the original key was split into 50 shares with a threshold of 40. Therefore, you need only 40 shares in order to join the key: you can take shares from two share users who together hold 40 shares.
In order to join a key, you first need to cache the passphrases of the users whose shares you are joining:
pgp --cache-passphrase "Bob Smith" --passphrase "B0bsm1t4" --passphrase-cache
0x2B65A65E:cache passphrase (0:key passphrase cached)
You enter the symmetric passphrase together with the share on the command line (Jill's passphrase in this example):
pgp --join-key "Alice Cameron" --passphrase "B0bsm1t4" --share "Alice Cameron-1-Bob Smith.shf" --share "Alice Cameron-2-Jill Johnson.shf:ji11"
Without --force this command only previews the state of the shares; it does not join the key.
2 pgp --join-key "Alice Cameron" --passphrase "B0bsm1t4" --share "Alice Cameron-1-Bob Smith.shf" --share "Alice Cameron-2-Jill Johnson.shf:ji11" --force --skep --skep-timeout 300
Tells the key joining operation to wait 5 minutes before it times out.
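The two-phase procedure described above (preview the local shares without --force, then join for real with --force and --skep), as an added shell script that is not part of the PGP Command Line manual. It assumes pgp is on PATH; the key name, new passphrase, share files and timeout are the example's own hypothetical inputs, and the helper names share_spec and join_key and the PGP_JOIN_LIVE variable are its own. share_spec builds one --share value and rejects two inputs up front: a missing share file, and a file name containing ':', because ':' is what separates the share file from its symmetric passphrase in the --share value.

```shell
#!/bin/sh
# Added example, not from the PGP Command Line manual. Joins a split key in two
# phases: preview the local shares (no --force), then join for real and listen
# for remote shares with --skep. Assumes pgp is on PATH; key name, passphrase,
# share files and timeout below are hypothetical inputs.

# Build one --share value. A conventionally encrypted share carries its
# symmetric passphrase after a colon ("file.shf:pass"); an asymmetric share is
# given bare and relies on the passphrase cache. Rejects a missing file and a
# file name containing ':' (it would be misread as the passphrase delimiter).
share_spec() {
    file=$1; pass=${2:-}
    [ -f "$file" ] || { echo "share file not found: $file" >&2; return 1; }
    case "$file" in
        *:*) echo "share file name must not contain ':': $file" >&2; return 1 ;;
    esac
    if [ -n "$pass" ]; then
        printf '%s:%s\n' "$file" "$pass"
    else
        printf '%s\n' "$file"
    fi
}

# Run --join-key for key $1 with new passphrase $2. $3 is "preview" or "join",
# $4 the --skep-timeout in seconds; the remaining arguments are --share values
# produced by share_spec. Spaces in share file names are preserved.
join_key() {
    user=$1; newpass=$2; mode=$3; timeout=$4; shift 4
    # Rewrite "$@" from "spec1 spec2 ..." to "--share spec1 --share spec2 ...".
    # The for list is expanded once, so editing "$@" inside the loop is safe.
    for s in "$@"; do
        set -- "$@" --share "$s"
        shift
    done
    if [ "$mode" = preview ]; then
        # Without --force nothing is joined; pgp only reports the share state.
        pgp --join-key "$user" --passphrase "$newpass" "$@"
    else
        pgp --join-key "$user" --passphrase "$newpass" "$@" \
            --force --skep --skep-timeout "$timeout"
    fi
}

# Live run only when pgp is installed and the caller opts in.
if command -v pgp >/dev/null 2>&1 && [ "${PGP_JOIN_LIVE:-0}" = 1 ]; then
    # Asymmetric share: its key passphrase must already be cached, e.g.
    #   pgp --cache-passphrase "Bob Smith" --passphrase "B0bsm1t4" --passphrase-cache
    s1=$(share_spec "Alice Cameron-1-Bob Smith.shf") || exit 1
    # Symmetric share: the passphrase travels with the share on the command line.
    s2=$(share_spec "Alice Cameron-2-Jill Johnson.shf" "ji11") || exit 1
    # Phase 1: preview; stop here if pgp reports a bad share or passphrase.
    join_key "Alice Cameron" "B0bsm1t4" preview 300 "$s1" "$s2" || exit 1
    # Phase 2: join, listening up to 300 seconds for remote shares.
    join_key "Alice Cameron" "B0bsm1t4" join 300 "$s1" "$s2"
fi
```

The preview phase is cheap and safe to repeat, so a wrapper like this should always run it first; the join phase is the one that opens a network listener and assigns the new passphrase.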