Verifying Keys
8 Working with Keyservers
78 Working with Keyservers Commands
If a keyserver is specified on the command line, any keyservers listed in the PGP Command Line configuration file will not be used.
The usage format is:
pgp --keyserver-disable <input> [--keyserver <ks1> ...] [--signer
<signer>] [--passphrase <pass>] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the key you want disabled on the keyserver. Key disable requires an exact match on the key to be disabled.
<ks> is the name of the keyserver where the key to be disabled is located.
You can enter more than one keyserver, separated by a space.
[options] modifies the command. Options are:
--signer the user ID of the signer.
--passphrase the passphrase of the signer.
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error stops the operation if an error occurs when more than one keyserver is specified; otherwise the operation stops on its own.
Example:
pgp --keyserver-disable 0x12345678 --keyserver ldap://keyserver.example.com --signer "Alice Cameron <[email protected]>" --passphrase "Bilbo*Baggins"
The specified key is disabled on the specified keyserver.
--keyserver-recv
Finds keys on a keyserver and imports them onto your keyring. Keyservers are searched in the order provided on the command line. As soon as a match is made on a keyserver, the operation will finish and all other keyservers on the list will be ignored.
If a keyserver is specified on the command line, any keyservers listed in the PGP Command Line configuration file will not be used. Preferred keyservers are not used.
Note that you cannot search for disabled or pending keys.
The usage format is:
pgp --keyserver-recv <input> [<input2> ...] --keyserver <ks>
[--keyserver <ks2> ...] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the key you want to get onto your keyring.
To get a specific key, use the key ID. To get one or more keys, use the user ID or portion of the user ID.
<ks> is the name of the keyserver you want to search.
You can enter more than one keyserver to search, separated by a space. Only results from the first keyserver where there is a match will be returned.
[options] modify the command. Options are:
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error stops the operation if an error occurs when more than one keyserver is specified; otherwise the operation stops on its own.
Examples:
1 pgp --keyserver-recv 0xABCD1234 --keyserver ldap://keyserver.pgp.com
The key with the key ID shown would be imported if it were on the specified keyserver.
2 pgp --keyserver-recv Jim --keyserver http://keyserver.pgp.com
All keys that have "Jim" in their user IDs would be found and imported.
--keyserver-remove
Removes a key from a keyserver. This command only works with the legacy PGP Keyserver product.
Requests for removal must be signed. If no signer is supplied, the default signing key is used. Key removal requires an exact match on the key to be removed.
If a keyserver is specified on the command line, any keyservers listed in the PGP Command Line configuration file will not be used.
The usage format is:
pgp --keyserver-remove <input> [--keyserver <ks1> ...] [--signer
<signer>] [--passphrase <pass>] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the key you want removed from the keyserver. Key removal requires an exact match on the key to be removed.
<ks> is the name of the keyserver from which you want the key removed.
You can enter more than one keyserver, separated by a space.
[options] modify the command. Options are:
--signer the user ID of the signer.
--passphrase the passphrase of the signer.
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error stops the operation if an error occurs when more than one keyserver is specified; otherwise the operation stops on its own.
Example:
pgp --keyserver-remove 0x12345678 --keyserver ldap://keyserver.pgp.com --signer "[email protected]" --passphrase "B0bsm1t4"
Removes the specified key from the specified keyserver.
--keyserver-search
Searches a keyserver for keys and lists those that it finds that match the criteria; it does not import them.
Keyservers are searched in the order provided on the command line. As soon as a match is made on a keyserver, the operation finishes; all other keyservers in the list after the one that made the match will be ignored.
If a keyserver is specified on the command line, any keyservers listed in the PGP Command Line configuration file will not be used. Preferred keyservers are not used.
You cannot search for disabled or pending keys.
The usage format is:
pgp --keyserver-search <input> [<input2> ...] --keyserver <ks>
[--keyserver <ks2> ...] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the key for which you are searching.
To find a specific key, use the key ID. To find one or more keys, use the user ID or portion of the user ID.
<ks> is the name of the keyserver you want to search.
You can enter more than one keyserver to search, separated by a space. Only results from the first keyserver where there is a match will be returned.
[options] modify the command. Options are:
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error stops the operation if an error occurs when more than one keyserver is specified; otherwise the operation stops on its own.
Example:
pgp --keyserver-search example.com --keyserver ldap://keyserver.pgp.com
This search would return keys that have example.com in the user ID and are on keyserver.pgp.com, a public keyserver.
When searching an LDAP X.509 directory, PGP Command Line now searches additional LDAP attributes. The attributes in which it looks for a substring match (*%s*) are now:
cn mail displayname proxyaddresses
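The substring lookup described above, as an added illustration that is not PGP Command Line's own code: it builds the `*term*` match over the four listed attributes and escapes the term per RFC 4515, so characters such as `*`, `(` and `)` in a user-supplied search string remain literal text instead of altering the filter. Combining the four attribute clauses with an OR is an assumption about how the product composes the query.

```python
"""Construct the LDAP substring filter that --keyserver-search runs
against an X.509 directory (illustration only, not the product's code).
Assumption: the four attributes are OR-combined into one filter."""

# Attributes the manual lists for substring matching.
SEARCH_ATTRIBUTES = ("cn", "mail", "displayname", "proxyaddresses")

# RFC 4515 section 3: these characters must be escaped inside a filter
# value so that user input cannot close the clause or add new ones.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied search term for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(term: str, attributes=SEARCH_ATTRIBUTES) -> str:
    """Return an OR filter matching *term* as a substring of each attribute."""
    if not term:
        # An empty term would produce (attr=**), which matches every entry.
        raise ValueError("empty search term would match every entry")
    safe = escape_filter_value(term)
    clauses = "".join(f"({attr}=*{safe}*)" for attr in attributes)
    return f"(|{clauses})"


if __name__ == "__main__":
    # Constructed inputs: the manual's own example term, then a term
    # containing filter metacharacters that must stay literal.
    print(build_search_filter("example.com"))
    print(build_search_filter("*)(mail=*"))
```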
--keyserver-send
Posts a public key to a keyserver. If multiple keyservers are specified, in most cases only the first keyserver specified will be used. If a keyserver is specified on the command line, any keyservers listed in the PGP Command Line configuration file will not be used.
Preferred keyservers are not used.
The usage format is:
pgp --keyserver-send <input> [<input2> ...] --keyserver <ks>
[--keyserver <ks2> ...] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the public key you are posting. You can list one or more users, with their names/IDs separated by a space.
<ks> is the name of the keyserver to which you are posting.
[options] modify the command. Options are:
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error moves to the next keyserver if an error occurs when more than one keyserver is specified; otherwise the operation stops.
Examples:
1 pgp --keyserver-send [email protected] --keyserver ldap://keyserver.example.com
If there are multiple keys on the keyring with user IDs that match the input, all of them will be posted. To make sure only a specific key is posted, use the key ID as the input.
2 pgp --keyserver-send 0x12345678 --keyserver ldap://keyserver.pgp.com
Only the specified key (if it is on the keyring) will be posted to ldap://keyserver.pgp.com, a public keyserver.
--keyserver-update
Updates keys that have already been uploaded to a keyserver. This ensures that the most up-to-date versions of the keys are on the keyserver.
An update consists of finding the key on the keyserver; merging that key onto the local keyring; and sending the merged key back to the keyserver on which it was found. A key must be on the local keyring to be updated.
If no keys are specified on the command line, all of the keys on the local keyring are updated, one at a time. When multiple keys are specified, they are updated one key at a time.
If a key has a preferred keyserver established, that keyserver is used for the update (only RSA and DH/DSS v4 keys can have a preferred keyserver); keyservers specified on the command line or in the configuration file are ignored. If the key being updated is not found, it is sent to the preferred keyserver; if it is found, it is updated.
If a key does not have a valid preferred keyserver established, PGP Command Line will search the keyserver specified on the command line, followed by keyservers specified in the configuration file. If the key cannot be found, an error is returned; if it is found, it is updated.
The usage format is:
pgp --keyserver-update <input> [<input2> ...] [--keyserver <ks1>
...] [options]
Where:
<input> is the user ID, portion of the user ID, or key ID of the key for which you are searching. To find a specific key, use the key ID. To find one or more keys, use the user ID or portion of the user ID.
<ks> is the name of the keyserver you want to search. You can enter more than one keyserver to search, separated by a space. Only results from the first keyserver where there is a match will be returned.
--keyserver-timeout sets the number of seconds until the keyserver operation times out. The default setting is 120 seconds.
--halt-on-error stops the operation if an error occurs when more than one keyserver is specified; otherwise the operation stops on its own.
Examples:
1 pgp --keyserver-update 0x12345678 --keyserver ldap://keyserver.pgp.com
Updates the key with key ID 0x12345678 on keyserver.pgp.com if that key is on the local keyring and has already been uploaded to the keyserver. If either is not true, the operation returns with an error.
2 pgp --keyserver-update 0x12345678
Key 0x12345678 has a preferred keyserver set, and that keyserver is used for the update.
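The keyserver selection that --keyserver-update performs, as an added model that is not PGP Command Line's own code: a valid preferred keyserver is used exclusively (update if found there, otherwise send), and only keys without one fall back to the command-line keyservers followed by the configured ones. Keyservers are simulated with an in-memory table so the example runs offline; treating "valid" as "the preferred keyserver is reachable" is an assumption.

```python
"""Decision procedure for one --keyserver-update run (illustration only).
Keyserver contents are constructed in-memory; no network access."""

from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass
class LocalKey:
    key_id: str
    # Only RSA and DH/DSS v4 keys can carry a preferred keyserver.
    preferred_keyserver: Optional[str] = None


@dataclass
class Keyserver:
    url: str
    keys: Set[str] = field(default_factory=set)  # constructed key IDs it holds

    def has(self, key_id: str) -> bool:
        return key_id in self.keys


def plan_update(key: LocalKey, command_line: Iterable[str], config: Iterable[str],
                servers: Dict[str, Keyserver]) -> Tuple[Optional[str], str]:
    """Return (keyserver_url, action) where action is one of:
    "update" - key found there; merge locally and send the merged key back
    "send"   - not on its preferred keyserver, so it is sent there
    "error"  - no keyserver in the search order holds the key
    """
    # Assumption: "valid" preferred keyserver means one we can reach.
    pref = key.preferred_keyserver
    if pref is not None and pref in servers:
        # Command-line and configuration keyservers are ignored entirely.
        ks = servers[pref]
        return ks.url, ("update" if ks.has(key.key_id) else "send")
    # No preferred keyserver: command-line keyservers first, then config,
    # stopping at the first keyserver that holds the key.
    for url in list(command_line) + list(config):
        ks = servers.get(url)
        if ks is not None and ks.has(key.key_id):
            return ks.url, "update"
    return None, "error"


# Constructed sample keyservers using URLs from the manual's examples.
SERVERS = {
    "ldap://keyserver.pgp.com": Keyserver("ldap://keyserver.pgp.com", {"0x12345678"}),
    "ldap://keyserver.example.com": Keyserver("ldap://keyserver.example.com"),
}

if __name__ == "__main__":
    key = LocalKey("0x12345678", preferred_keyserver="ldap://keyserver.example.com")
    print(plan_update(key, ["ldap://keyserver.pgp.com"], [], SERVERS))
```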
9 Managing Keys
This chapter describes those commands used to manage keys with PGP Command Line.
These commands are:
--add-adk, which adds an ADK to a key.
--add-photoid, which adds a photo ID to a key.
--add-preferred-cipher, which adds the preferred cipher to a key.
--add-preferred-compression-algorithm, which adds the preferred compression algorithms to a key.
--add-preferred-email-encoding, which adds a preferred email encoding to a key.
--add-preferred-hash, which adds the preferred hash encryption algorithm to a key.
--add-revoker, which adds a revoker to a key.
--add-userid, which adds a user ID to a key.
--cache-passphrase, which specifically caches a passphrase.
--change-passphrase, which changes the passphrase.
--clear-key-flag, which clears one of the preferences flags.
--disable, which disables a key.
--enable, which enables a key.
--export and --export-key-pair, which export keys or key pairs.
--export-photoid, which exports a photo ID to a file.
--gen-key, which generates a new key pair.
--gen-revocation, which generates a revoked version of a key without actually revoking the key. The revoked version of the key is stored securely in the event the passphrase is lost, so the key can still be revoked.
--gen-subkey, which generates a subkey.
--import, which imports keys.
--join-key, which reconstitutes a split key.
--join-key-cache-only, which temporarily joins a key on the local machine.
--key-recon-send, which sends PGP key reconstruction data to a PGP Universal Server.
--key-recon-recv-questions, which retrieves the PGP key reconstruction questions for a specified key.
--key-recon-recv, which reconstructs a key.
--remove, which removes a key.
--remove-adk, which removes an ADK from a key.
--remove-all-adks, which removes all ADKs from a key.
--remove-all-photoids, which removes all photo IDs from a key.
--remove-all-revokers, which removes all revokers from a key.
--remove-expiration-date, which removes the expiration date from a key.
--remove-key-pair, which removes a key pair.
--remove-photoid, which removes a photo ID from a key.
--remove-preferred-cipher, which removes a preferred cipher from a key.
--remove-preferred-compression-algorithm, which removes a preferred compression algorithm from a key.
--remove-preferred-email-encoding, which removes a preferred email encoding from a key.
--remove-preferred-hash, which removes the preferred hash from a key.
--remove-preferred-keyserver, which removes a preferred keyserver from a key.
--remove-revoker, which removes a revoker from a key.
--remove-sig, which removes a signature.
--remove-subkey, which removes a subkey.
--remove-userid, which removes a user ID from a key.
--revoke, which revokes a key pair.
--revoke-sig, which revokes a signature.
--revoke-subkey, which revokes a subkey.
--send-shares, which sends shares to the server joining a key.
--set-expiration-date, which sets the expiration date.
--set-key-flag, which sets one of the preference flags for a key.
--set-preferred-ciphers, which sets the list of preferred ciphers on a key.
--set-preferred-compression-algorithms, which sets the list of preferred compression algorithms on a key.
--set-preferred-email-encodings, which sets preferred email encodings for a key.
--set-preferred-hashes, which sets the entire list of hashes for a key.
--set-preferred-keyserver, which adds a preferred keyserver to a key.
--set-primary-userid, which sets a user ID as primary for a key.
--set-trust, which sets the trust on a key.
--sign-key, which signs all user IDs on a key.
--sign-userid, which signs a single user ID on a key.
--split-key, which splits a specified key into multiple shares.
Managing Keys Overview 85
In This Chapter
Overview ... 85
Commands ... 85
Overview
The PGP keys you create and those you obtain from others are stored in digital keyrings; private keys are stored on your private keyring in a file named secring.skr and public keys are stored on your public keyring in a file called pubring.pkr.
Commands you can use to manage your keys are described in this chapter.
Commands
--add-adk
Adds an ADK to a key. Keys can support multiple ADKs, if desired.
An Additional Decryption Key (ADK) is a key that allows an authorized person, generally in an organization, to decrypt data that is from or was sent to someone in the organization if that person is unable or unwilling to do it themselves.
Only RSA and DH/DSS v4 keys can have ADKs.
The usage format is:
pgp --add-adk <user> --adk <adk> --passphrase <pass>
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key to which the ADK is being added.
<adk> is the specific ADK to be added to the key.
<pass> is the passphrase of the key to which the ADK is being added.
Example:
pgp --add-adk "Bob Smith" --adk Alice --passphrase "B0bsm1t4"
0x6245273E:add ADK (0:ADKs successfully updated)
Adds the specified ADK to the specified key.
--add-photoid
Adds a photo ID to a key. You can add just one photo ID to a key using PGP Command Line. Other programs that are compatible with PGP Command Line allow more than one photo ID to be added; PGP Command Line can work with these extra photo IDs.
Only JPEG files can be added. For maximum picture quality, crop the picture to 120 by 144 pixels before adding it.
The usage format is:
pgp --add-photoid <user> --image <photo.jpg> --passphrase <pass>
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key to which the photo ID is being added.
<photo.jpg> is the filename of the image being added.
<pass> is the passphrase of the key to which the photo ID is being added.
Example:
pgp --add-photoid Alice --image alice.jpg --passphrase "cam3r0n"
0x3E439B98:add photo ID (0:photo ID added successfully)
Adds the image alice.jpg to the specified key.
--add-preferred-cipher
Adds a preferred cipher to a key.
If the preferred cipher is already on the key, it is moved to the top of the list. Only RSA v4 and DH/DSS v4 keys can have a preferred cipher.
The usage format is:
pgp --add-preferred-cipher <user> --cipher <cipher> --passphrase
<pass>
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key to which the preferred cipher is being added.
<cipher> is the preferred cipher being added.
<pass> is the passphrase of the key.
Example:
pgp --add-preferred-cipher "Bob Smith" --cipher aes256 --passphrase "B0bsm1t4"
0x6245273E:add preferred cipher (0:preferred ciphers updated)
Adds the cipher AES256 to the specified key.
--add-preferred-compression-algorithm
Adds a preferred compression algorithm to a key.
If the preferred compression algorithm is already on the key, it is moved to the top of the list. Only RSA v4 and DH/DSS v4 keys can have a preferred compression algorithm.
The usage format is:
pgp --add-preferred-compression-algorithm <user>
--compression-algorithm <algo> --passphrase <pass>
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key to which the preferred compression algorithm is being added.
<algo> is the preferred compression algorithm being added.
<pass> is the passphrase of the key.
Example:
pgp --add-preferred-compression-algorithm "[email protected]"
--compression-algorithm bzip2 --passphrase "B0bsm1t4"
0x6245273E:add preferred compression algorithm (0:preferred compression algorithms updated)
Adds the compression algorithm Bzip2 to the specified key.
--add-preferred-email-encoding
Adds a preferred email encoding to a key.
If the preferred email encoding is already on the key, it is moved to the top of the list.
Only RSA v4 and DH/DSS v4 keys can have a preferred email encoding.
The usage format is:
pgp --add-preferred-email-encoding <user> --email-encoding
<encoding> --passphrase <pass>
Where:
<user> is the user ID, portion of the user ID, or the key ID of the key to which the preferred email encoding is being added.
<encoding> is the preferred email encoding being added.
<pass> is the passphrase of the key.
Example:
pgp --add-preferred-email-encoding "Bob Smith" --email-encoding pgpmime --passphrase "B0bsm1t4"
Adds the email encoding pgpmime to the specified key.
--add-preferred-hash
Adds the preferred hash encryption algorithm to a key and lists it on the top of the hash list. Note that a key must be at least v4 to have preferred hashes.