RNP(1)                            RNP Manual                            RNP(1)

NAME
       RNP - OpenPGP-compatible signatures and encryption.

SYNOPSIS
       rnp [--homedir dir] [OPTIONS] COMMAND [INPUT_FILE, ...] ...

DESCRIPTION
       The rnp command-line utility is part of the RNP suite and provides
       OpenPGP signing and encryption functionality compliant with IETF RFC
       4880.

       rnp does not allow manipulation of keys or keyrings — please use
       rnpkeys(1) for that purpose.

   BASICS
       By default, rnp applies COMMAND, additionally configured with OPTIONS,
       to every INPUT_FILE, or to stdin if no INPUT_FILE is given. Two special
       forms of INPUT_FILE are recognised:

       •   - (dash) reads from stdin

       •   env:VARIABLE_NAME reads the contents of the environment variable
           VARIABLE_NAME

       Depending on the input, output is written:

       •   to the path given with --output (or to stdout if - is used);

       •   otherwise to INPUT_FILE with a file extension (.pgp, .gpg, .asc,
           .sig) added or removed, depending on the operation;

       •   otherwise to stdout, if the input was read from stdin.

       If the output file already exists it is not silently overwritten: rnp
       prompts for permission or for a new file name, unless --overwrite is
       given.

       Without the --armor option, output is binary.

       If COMMAND requires public or private keys, rnp looks for the keyrings
       in ~/.rnp. The options --homedir and --keyfile override this (see
       below).

       If COMMAND needs a password, rnp asks for it via stdin or tty, unless
       the --password or --pass-fd option was specified.

COMMANDS
   INFORMATIONAL
       -h, --help
           Display a short help message. No options are expected.

       -V, --version
           Display version information. No options are expected.

   ENCRYPTION AND SIGNING
       -e, --encrypt
           Encrypt data with public key(s), and optionally sign it if the
           --sign command is added.

           You will usually want to specify one or more --recipient(s); you
           may also pick a --cipher instead of the default.

           Additional options:

           --recipient
               Specify one or more recipients.

           --cipher
               Select a specific cipher.

           -z 0..9, --zlib, --zip, --bzip
               Select a compression algorithm and level.

           --armor
               Output ASCII-armored data instead of binary. If the input file
               is file.ext and --output is not specified, the data is written
               to file.ext.pgp, or to file.ext.asc when --armor is given.

           --no-wrap
               Do not wrap the input in a literal data packet. This can be
               used to encrypt data that is already an OpenPGP message, for
               example a file that is already signed or encrypted. By default
               this also disables compression; use -z to override.

           --overwrite
               If the destination file already exists and --overwrite is not
               given, the caller is asked for permission to overwrite it or
               for a new file name. See the OPTIONS section for details.

       -c, --symmetric
           Encrypt data with password(s).

           Can be combined with the --encrypt and --sign commands.

           Options that apply to the --encrypt command also apply here.

           Additional options:

           --passwords
               Encryption to multiple passwords is possible with the
               --passwords option. Each password is asked for via stdin/tty
               unless --password or --pass-fd is specified.

       -s, --sign
           Digitally sign data, using one or more secret keys you own.

           Public-key or password-based encryption may be added via the
           --encrypt and --symmetric commands.

           Additional options:

           -u, --userid
               By default, the first secret key you own is selected for
               signing. Use this option to select a different key, or repeat
               it to sign with multiple keys.

           --detach
               By default, the signature is stored together with the signed
               data. This option writes a detached signature to a separate
               file (file.ext.sig).

           --hash
               Override the default hash algorithm. As with encryption,
               output may be converted to ASCII via the --armor option.

           Compression options also apply here. Since the secret key is
           usually stored encrypted, you will be asked for the password to
           decrypt it via stdin/tty unless --password or --pass-fd is
           specified.

       --clearsign
           Digitally sign text data, producing human-readable output with the
           signature attached.

           In this mode, data cannot be additionally encrypted or compressed.

           Other signing options (--hash, -u, --password) can still be used
           here.

   DECRYPTION AND VERIFICATION
       -d, --decrypt
           Decrypt and verify data from INPUT_FILE or stdin.

           If the data is signed, signature verification results are printed
           to stdout/tty.

           Additional options:

           --output
               Override the default output selection with a file name or the
               stdout specifier (-). For the default output path selection,
               see the BASICS section.

           --password, --pass-fd
               Depending on how the data was encrypted, you may be asked for
               the password of one of your secret keys, or for the symmetric
               encryption password. These options replace the interactive
               prompt so that the password can be supplied by automated
               means.

       -v, --verify
           Verify signature(s). Embedded signed data, if any, is not written
           out unless --output is specified.

           To verify a detached signature, pass the signature file as
           INPUT_FILE; it must be named after the signed file with a .sig or
           .asc extension (file.ext.sig or file.ext.asc for the signed file
           file.ext).

           Alternatively, use --source to specify the exact location of the
           signed data.

           If the data is encrypted, you may be asked for a password as with
           the --decrypt command.

   OTHER COMMANDS
       --list-packets
           Show detailed information about the OpenPGP data in INPUT_FILE or
           stdin. Useful for curiosity, troubleshooting or debugging.

           Additional options:

           --json
               Output JSON instead of human-readable information.

           --grips
               Print key fingerprints and grips.

           --mpi
               Print all MPI values.

           --raw
               Also print the raw, hex-encoded packets.
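
           The following Python script is an added example; it is not code
           from this manual or from the RNP project. It builds the literal
           data packet that rnp wraps plain input in unless --no-wrap is
           given, and parses the packet tag and length framing that
           --list-packets has to read before it can print anything: both
           header formats, the three new-format length encodings, and the
           failure modes (truncation, partial body lengths, and input that is
           not OpenPGP at all, which is what --no-wrap would hand on
           unchanged). The sample bytes and the function names are the
           example's own.

```python
"""OpenPGP packet framing (RFC 4880 sections 4.2 and 5.9): an added example, not code
from the rnp manual or the RNP project. It builds the literal data packet rnp wraps
plain input in unless --no-wrap is given, and parses the tag/length framing that
--list-packets reads first. Sample bytes are constructed here."""
import struct

TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature",
             3: "Symmetric-Key Encrypted Session Key", 8: "Compressed Data",
             11: "Literal Data", 18: "Sym. Encrypted Integrity Protected Data"}

def encode_new_length(n):
    """New-format length: 1 octet below 192, 2 octets up to 8383, else 0xFF + 4 octets."""
    if n < 192:
        return bytes([n])
    if n <= 8383:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + struct.pack(">I", n)

def new_packet(tag, body):
    """New-format header octet: bit 7 set, bit 6 set, low six bits carry the tag."""
    return bytes([0xC0 | tag]) + encode_new_length(len(body)) + body

def literal_data_packet(data, filename=b"", fmt=b"b", date=0):
    """Tag 11 body: format octet, filename length, filename, 4-octet date, data."""
    body = fmt + bytes([len(filename)]) + filename + struct.pack(">I", date) + data
    return new_packet(11, body)

def parse_literal(body):
    """Inverse of literal_data_packet() for one packet body: (fmt, name, date, data)."""
    n = body[1]
    return chr(body[0]), body[2:2 + n], struct.unpack(">I", body[2 + n:6 + n])[0], body[6 + n:]

def parse_packets(blob):
    """Return [(tag, header_len, body_len, body), ...]; ValueError on anything that is
    not well-formed framing, including plain non-OpenPGP input (which is what
    --no-wrap would hand to the encryptor unchanged)."""
    try:
        return _parse_packets(blob)
    except (IndexError, struct.error) as exc:
        raise ValueError(f"truncated packet header: {exc}") from exc

def _parse_packets(blob):
    packets, pos = [], 0
    while pos < len(blob):
        first = blob[pos]
        if not first & 0x80:
            raise ValueError(f"offset {pos}: bit 7 clear, not an OpenPGP packet header")
        if first & 0x40:                                   # new format
            tag, b0 = first & 0x3F, blob[pos + 1]
            if b0 < 192:
                body_len, hlen = b0, 2
            elif b0 <= 223:
                body_len, hlen = ((b0 - 192) << 8) + blob[pos + 2] + 192, 3
            elif b0 == 255:
                body_len, hlen = struct.unpack(">I", blob[pos + 2:pos + 6])[0], 6
            else:                                          # 224..254: partial body length
                raise ValueError(f"offset {pos}: partial body length 2^{b0 & 0x1F} not handled here")
        else:                                              # old format: 10tttt ll
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError(f"offset {pos}: indeterminate length not handled here")
            hlen = 1 + (1 << ltype)                        # 1, 2 or 4 length octets
            body_len = int.from_bytes(blob[pos + 1:pos + hlen], "big")
        if pos + hlen > len(blob):
            raise ValueError(f"offset {pos}: header truncated")
        body = blob[pos + hlen:pos + hlen + body_len]
        if len(body) != body_len:
            raise ValueError(f"offset {pos}: body truncated (need {body_len}, have {len(body)})")
        packets.append((tag, hlen, body_len, body))
        pos += hlen + body_len
    return packets

def is_packet_stream(blob):
    """True when parse_packets() accepts blob, False on any ValueError."""
    try:
        parse_packets(blob)
        return True
    except ValueError:
        return False

def describe(blob):
    """One line per packet, in the spirit of rnp --list-packets."""
    lines = []
    for tag, hlen, blen, body in parse_packets(blob):
        line = f"{TAG_NAMES.get(tag, f'tag {tag}')}: header {hlen} bytes, body {blen} bytes"
        if tag == 11:
            fmt, name, date, data = parse_literal(body)
            line += f" (format {fmt!r}, filename {name.decode()!r}, date {date}, {len(data)} data bytes)"
        lines.append(line)
    return lines

# Constructed sample: what rnp would build from a 13-byte file named hello.txt.
SAMPLE = literal_data_packet(b"hello, world\n", b"hello.txt", date=1667520000)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE)))
```

           Running the script prints one line for SAMPLE; feeding describe()
           the bytes of a real rnp output file gives the same tag and length
           summary that --list-packets prints before it decodes each body.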
       --enarmor[=msg|pubkey|seckey|sign]
           Convert binary data to ASCII armor as defined by the OpenPGP
           standard: a -----BEGIN PGP MESSAGE----- header line (or another
           header selected by the argument), the Base64-encoded data, and the
           matching footer line.

           Output for input file.ext is written to file.ext.asc (if that file
           does not already exist; see --overwrite below), or to stdout if the
           input was read from stdin.

           The following OpenPGP headers may be specified:

           msg
               -----BEGIN PGP MESSAGE-----

           pubkey
               -----BEGIN PGP PUBLIC KEY BLOCK-----

           seckey
               -----BEGIN PGP SECRET KEY BLOCK-----

           sign
               -----BEGIN PGP SIGNATURE-----

           Additional options:

           --overwrite
               Overwrite the destination file if it already exists.

           --output
               Specify the destination file path.

       --dearmor
           Convert ASCII-armored data back to the binary format.

           Output for input file.ext.asc is written to file.ext. If the
           destination file already exists, the user is prompted for a new
           file name.

           Additional options:

           --overwrite
               Overwrite the destination file if it already exists.

           --output
               Specify the destination file path.
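
           The following Python script is an added example; it is not code
           from this manual or from the RNP project. It implements the armor
           format that --enarmor writes and --dearmor reads, including the
           CRC-24 checksum line defined in RFC 4880 section 6: enarmor()
           uses the four type keywords listed above, and dearmor() rejects a
           missing blank line after the armor headers, an END line that does
           not match the BEGIN line, and a checksum that does not match the
           decoded data. The CRC is a transport check only, not a message
           authentication code; tampering is detected by signatures and the
           MDC, never by the armor. Function names and sample data are the
           example's own.

```python
"""ASCII armor with the RFC 4880 CRC-24 (section 6): an added example, not code from
the rnp manual or the RNP project. enarmor() writes the framing that rnp --enarmor
emits, using the same four type keywords; dearmor() checks what --dearmor has to
check. The CRC is a transport check, not a MAC: tampering is caught by signatures
and the MDC, never by the armor. Names and sample data are the example's own."""
import base64

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ARMOR_TYPES = {"msg": "PGP MESSAGE", "pubkey": "PGP PUBLIC KEY BLOCK",
               "seckey": "PGP SECRET KEY BLOCK", "sign": "PGP SIGNATURE"}

def crc24(data):
    """Bitwise CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def enarmor(data, kind="msg", headers=()):
    """Armor binary OpenPGP data; `headers` is a sequence of (key, value) pairs."""
    label = ARMOR_TYPES[kind]
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    lines += [f"{key}: {value}" for key, value in headers]
    lines.append("")                                 # blank line ends the armor headers
    lines += [b64[i:i + 76] for i in range(0, len(b64), 76)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"

def dearmor(text):
    """Return (label, headers, data); raise ValueError on any framing defect."""
    lines = (ln.rstrip("\r") for ln in text.splitlines())
    for ln in lines:
        if ln.startswith("-----BEGIN ") and ln.endswith("-----"):
            label = ln[len("-----BEGIN "):-5]
            break
    else:
        raise ValueError("no armor header line")
    headers = []
    for ln in lines:
        if ln.strip() == "":
            break
        key, sep, value = ln.partition(": ")
        if not sep:
            raise ValueError(f"malformed armor header {ln!r}")
        headers.append((key, value))
    else:
        raise ValueError("armor headers not followed by a blank line")
    b64, crc_line, tail = [], None, None
    for ln in lines:
        if ln.startswith("-----END "):
            tail = ln
            break
        if ln.startswith("=") and len(ln) == 5:       # "=" plus 4 Base64 chars
            crc_line = ln
        else:
            b64.append(ln.strip())
    if tail != f"-----END {label}-----":
        raise ValueError(f"armor tail missing or does not match {label!r}")
    if crc_line is None:
        raise ValueError("armor checksum line missing")
    data = base64.b64decode("".join(b64), validate=True)   # binascii.Error is a ValueError
    if int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(data):
        raise ValueError("armor checksum mismatch: data damaged in transit")
    return label, headers, data

def is_intact(text):
    """True when dearmor() accepts `text`, False on any ValueError."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: a 12-byte literal data packet carrying "hello\n".
    sample = enarmor(b"\xcb\x0c\x62\x00\x00\x00\x00\x00hello\n", "msg", [("Comment", "constructed")])
    print(sample, end="")
    print(dearmor(sample))
```

           The checksum of empty input is the familiar =twTO line, which is
           a quick way to confirm an independent CRC-24 implementation
           against this one.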
OPTIONS
       --home, --homedir DIR
           Change the home directory (where RNP looks for keyrings) to the
           specified value.

           The default home directory is ~/.rnp.

       -f, --keyfile PATH
           Instead of loading keyrings, use the key(s) from the specified
           file.

       -u, --userid KEY
           Specify a signing key, looked up by the value KEY. May be repeated
           to sign with more than one key. See rnpkeys(1) on how to find
           valid values.

       -r, --recipient KEY
           Add a message recipient, i.e. a public key to which the message
           will be encrypted. May be repeated. See rnpkeys(1) on how to find
           valid values.

       --armor, --ascii
           Apply ASCII armoring to the output, so that the result can be
           transferred as plain text.

           See IETF RFC 4880 for more details.

       --detach, --detached
           Create a detached signature.

       --output PATH
           Write the output of the data processing command to the specified
           file.

           If not specified, the output file name is derived from the input
           file name/extension, or the command prompts the user via
           stdin/tty.

       --overwrite
           Overwrite already existing files without prompting.

       --source
           Specify the signed data for detached signature verification (the -
           and env: substitutions may be used here).

       --hash ALGORITHM
           Set the hash algorithm to be used for signing and for deriving the
           encryption key from a password.

           The default value is SHA256.

       --cipher ALGORITHM
           Set the symmetric algorithm used during encryption.

           The default value is AES256.

       --aead [EAX, OCB]
           Enable AEAD encryption and select the algorithm to be used.

       --aead-chunk-bits BITS
           Change the AEAD chunk size bits, from 0 to 16 (the actual chunk
           size is 1 << (6 + bits) bytes). See the OpenPGP documentation for
           details.

       --zip, --zlib, --bzip2
           Select the corresponding algorithm to compress data with. Please
           refer to IETF RFC 4880 for details.

       -z 0..9
           Set the compression level for the compression algorithms.

           9 is the highest compression level; 0 disables compression.

           The default value is 6.

       --pass-fd FD
           Specify a file descriptor to read passwords from instead of
           stdin/tty.

           Useful for automated or non-interactive sessions.

       --password PASSWORD
           Use the specified password whenever one is needed.

           Warning
               Not recommended for production use: the password is visible
               to other local users in process listings and may be recorded
               in shell history. Use --pass-fd for batch operations instead.
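
           The following Python script is an added example; it is not code
           from this manual or from the RNP project. It shows the mechanism
           --pass-fd relies on and why it is preferred over --password: a
           pipe is created, the password is written into it, and the read end
           is inherited by the child under a fixed descriptor number, so the
           secret never appears in argv (readable by every local user via ps
           or /proc/PID/cmdline) or in the environment. rnp_decrypt()
           assembles the rnp invocation described above and needs an rnp
           binary; demo_delivery() exercises the same plumbing with a Python
           child so the mechanism can be checked without rnp. The function
           names are the example's own.

```python
"""Password delivery over a dedicated file descriptor, as rnp --pass-fd expects.

Added example, not code from the rnp manual or the RNP project. Command-line
arguments are readable by every local user (ps, /proc/PID/cmdline) and are kept
in shell history, which is why --password is discouraged; a pipe inherited as a
numbered descriptor is visible only to the child. Assumes POSIX and Python 3."""
import os
import shutil
import subprocess
import sys


def run_with_pass_fd(argv_template, password, timeout=60):
    """Run a command after replacing the placeholder '{FD}' in its arguments with the
    number of a pipe read end that yields `password` followed by a newline.

    The password is written before the child starts, so it must fit in the pipe
    buffer (at least 4 KiB on POSIX); the write end is closed at once so the
    child sees EOF after the newline and cannot block waiting for more."""
    read_fd, write_fd = os.pipe()
    try:
        os.write(write_fd, password.encode() + b"\n")
    finally:
        os.close(write_fd)
    argv = [arg.replace("{FD}", str(read_fd)) for arg in argv_template]
    try:
        # pass_fds hands the descriptor to the child under the same number;
        # every other non-standard descriptor stays closed (the default).
        return subprocess.run(argv, pass_fds=(read_fd,), capture_output=True,
                              timeout=timeout, check=False)
    finally:
        os.close(read_fd)


def rnp_decrypt_argv(input_path, output_path):
    """rnp --pass-fd N --notty --decrypt --output OUT IN; '{FD}' becomes N at run time.
    --notty keeps rnp from using a terminal for prompts in batch use."""
    return ["rnp", "--pass-fd", "{FD}", "--notty", "--decrypt",
            "--output", output_path, input_path]


def rnp_decrypt(input_path, output_path, password):
    """Decrypt with rnp, the password travelling over the pipe. Needs rnp on PATH."""
    if shutil.which("rnp") is None:
        raise FileNotFoundError("rnp is not on PATH")
    return run_with_pass_fd(rnp_decrypt_argv(input_path, output_path), password)


def demo_delivery(password):
    """Stand-in for rnp so the plumbing can be exercised anywhere: a Python child
    reads the inherited descriptor and echoes it. Returns what the child received."""
    child = [sys.executable, "-c",
             "import os, sys; sys.stdout.write(os.read({FD}, 4096).decode())"]
    return run_with_pass_fd(child, password).stdout.decode()


if __name__ == "__main__":
    print(repr(demo_delivery("correct horse battery staple")))
```

           From bash the equivalent, with the password held in a shell
           variable rather than placed on rnp's command line, is
           rnp --pass-fd 3 --notty --decrypt file.pgp 3<<<"$PASSWORD".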
       --passwords COUNT
           Set the number of passwords for --symmetric encryption.

           While not commonly used, you may encrypt a message to any
           reasonable number of passwords.

       --creation TIME
           Override the signature creation time.

           By default, the creation time is set to the current local computer
           time.

           TIME may be specified in the ISO 8601-1:2019 date format
           (yyyy-mm-dd) or as a UNIX timestamp.

       --expiration TIME
           Set the signature expiration time, counted from the creation time.

           By default, signatures do not expire.

           A specific expiration time can be specified as:

           •   an expiration date in the ISO 8601-1:2019 date format
               (yyyy-mm-dd); or

           •   hours/days/months/years since the creation time, with the
               syntax 20h/30d/1m/1y; or

           •   a number of seconds.

       --keystore-format GPG|KBX|G10|G21
           Set the keystore format.

           RNP automatically detects the keystore format; this option
           overrides the auto-detection.

       --notty
           Disable use of the tty.

           By default RNP detects whether a TTY is attached and uses it for
           user prompts.

           This option overrides that behaviour so that user input can be
           passed in batch mode.

       --current-time TIME
           Override the system time with the specified value.

           By default RNP uses the system time in all signature/key checks;
           in some scenarios it may be necessary to override this. Note that
           the value also governs expiration checks, so a time set in the
           past makes an expired signature or key appear valid; do not use
           it in automated verification unless that is intended.

           TIME may be specified in the same way as for --creation.

EXIT STATUS
       0
           Success.

       Non-zero
           Failure.

EXAMPLES
       The following examples demonstrate typical uses of the rnp command.

   EXAMPLE 1
       rnp --homedir .rnp --encrypt -r 0x6E69636B6F6C6179 --output
       document.txt.encrypted document.txt

       Load keyrings from the .rnp folder and encrypt the document.txt file to
       the key with key ID 0x6E69636B6F6C6179, writing the result to
       document.txt.encrypted.

   EXAMPLE 2
       rnp --keyfile john-sec.asc -s --detach --hash SHA512 document.txt

       Generate a detached signature over the file document.txt, using the
       secret key stored in the file john-sec.asc, and override the hash
       algorithm to SHA512.

   EXAMPLE 3
       rnp --keyfile john-pub.asc --verify document.txt.sig

       Verify a detached signature, using the key stored in the john-pub.asc
       file. The signed data is assumed to be available in the file
       document.txt.

   EXAMPLE 4
       rnp -e -c -s --passwords 3 -r 0x526F6E616C642054 -r "john@doe.com" -u
       0x44616E69656C2057 document.txt

       Encrypt document.txt to 2 keys (specified via key ID 0x526F6E616C642054
       and user ID john@doe.com) and to 3 passwords, so that any of these may
       be used to decrypt the resulting file.

       Additionally, the message is signed with key 0x44616E69656C2057.

   EXAMPLE 5
       printf "Message" | rnp --keyfile env:PGP_ENCRYPTION_KEY -e - --armor

       Encrypt the message passed via stdin using the key stored in the
       environment variable PGP_ENCRYPTION_KEY, add ASCII armoring, and print
       the result to stdout.

BUGS
       Please report issues via the RNP public issue tracker at:
       https://github.com/rnpgp/rnp/issues.

       Security reports or security-sensitive feedback should be reported
       according to the instructions at: https://www.rnpgp.org/feedback.

AUTHORS
       RNP is an open source project led by Ribose and has received
       contributions from numerous individuals and organizations.

RESOURCES
       Web site: https://www.rnpgp.org

       Source repository: https://github.com/rnpgp/rnp

COPYING
       Copyright (C) 2017-2021 Ribose. The RNP software suite is freely
       licensed: please refer to the LICENSE file for details.

SEE ALSO
       rnpkeys(1), librnp(3)

AUTHOR
       RNP

RNP 0.16.2                        2022-11-04                            RNP(1)