1PEM2OPENPGP(1) BSD General Commands Manual PEM2OPENPGP(1)
2
4 pem2openpgp — translate PEM-encoded RSA keys to OpenPGP certificates
5
7 pem2openpgp $USERID < mykey.pem | gpg --import
8 PEM2OPENPGP_EXPIRATION=$((86400 * $DAYS))
10 PEM2OPENPGP_USAGE_FLAGS=authenticate,certify pem2openpgp
11 $USERID <mykey.pem
12
14 pem2openpgp is a low-level utility for transforming raw, PEM-encoded RSA
15 secret keys into OpenPGP-formatted certificates. The generated certifi‐
16 cates include the secret key material, so they should be handled care‐
17 fully.
18 It works as an element within a pipeline: feed it the raw key on stdin,
20 supply the desired User ID as a command line argument. Note that you may
21 need to quote the string to ensure that it is entirely in a single argu‐
22 ment.
23 Other choices about how to generate the new OpenPGP certificate are gov‐
25 erned by environment variables.
26
28 The following environment variables influence the behavior of
29 pem2openpgp:
30 PEM2OPENPGP_TIMESTAMP controls the timestamp (measured in seconds since the
32 UNIX epoch) indicated as the creation time (a.k.a "not valid before") of
33 the generated certificate (self-signature) and the key itself. By
34 default, pem2openpgp uses the current time.
35 PEM2OPENPGP_KEY_TIMESTAMP controls the timestamp (measured in seconds since
37 the UNIX epoch) indicated as the creation time of just the key itself
38 (not the self-signature). By default, pem2openpgp uses the value from
39 PEM2OPENPGP_TIMESTAMP.
40 PEM2OPENPGP_USAGE_FLAGS should contain a comma-separated list of valid
42 OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what these
43 mean). The available choices are: certify, sign, encrypt_comms,
44 encrypt_storage, encrypt (this means both encrypt_comms and encrypt_stor‐
45 age), authenticate, split, shared. By default, pem2openpgp only sets the
46 certify flag.
47 PEM2OPENPGP_EXPIRATION sets an expiration (measured in seconds after the
49 creation time of the key) in each self-signature packet. By default, no
50 expiration subpacket is included.
51 PEM2OPENPGP_NEWKEY indicates that pem2openpgp should ignore stdin, and
53 instead generate a new key internally and build the certificate based on
54 this new key. Set this variable to the number of bits for the new RSA
55 key (e.g. 3072). By default (when this is unset), pem2openpgp will read
56 the key from stdin.
57
59 pem2openpgp and this man page were written by Daniel Kahn Gillmor
60 <dkg@fifthhorseman.net>.
61
63 Only handles RSA keys at the moment. It might be nice to handle DSA keys
64 as well.
65 Currently only creates certificates with a single User ID. Should be
67 able to create certificates with multiple User IDs.
68 Currently only accepts unencrypted RSA keys. It should be able to deal
70 with passphrase-locked key material.
71 Currently outputs OpenPGP certificates with cleartext secret key mate‐
73 rial. It would be good to be able to lock the output with a passphrase.
74 If you find other bugs, please report them at
76 https://labs.riseup.net/code/projects/show/monkeysphere
77
79 openpgp2ssh(1), monkeysphere(1), monkeysphere(7), ssh(1),
80 monkeysphere-host(8), monkeysphere-authentication(8)
81BSD June 22, 2019 BSD