RNPKEYS(1)                       RNP Manual                       RNPKEYS(1)



NAME
RNPKEYS - OpenPGP key management utility.

SYNOPSIS
rnpkeys [--homedir dir] [OPTIONS] COMMAND

DESCRIPTION
The rnpkeys command-line utility is part of the RNP suite and provides
OpenPGP key management functionality, including:

• key listing;

• key generation;

• key import/export; and

• key editing.

BASICS
By default, rnp will apply a COMMAND, additionally configured with
OPTIONS, to all INPUT_FILE(s), or to stdin if no INPUT_FILE is given.
There are some special cases for INPUT_FILE:

• - (dash) substitutes for stdin

• env:VARIABLE_NAME substitutes for the contents of the environment
variable VARIABLE_NAME

Depending on the input, output may be written:

• to the specified file with a removed or added file extension (.pgp,
.asc, .sig); or

• to stdout.

Without the --armor option, output will be in binary.

If COMMAND requires public or private keys, rnp will look for the
keyrings in ~/.rnp. The options --homedir and --keyfile override this
(see below).

If COMMAND needs a password, rnp will ask for it via stdin or tty,
unless the --password or --pass-fd option was specified.

By default, rnpkeys will use keyrings stored in the ~/.rnp directory.

This behavior may be overridden with the --homedir option.

If COMMAND needs a password, the command will prompt the caller via
stdin or tty, unless the --password or --pass-fd options were also
used.

SPECIFYING KEYS
Most rnpkeys commands require a key locator or a filter, representing
one or more keys.

It may be specified in one of the following ways:

userid
Or just part of the userid. For "Alice <alice@rnpgp.com>" the
following locators are considered identical:

• alice

• alice@rnpgp

• rnpgp.com

keyid
Or its right-most 8 characters, with or without 0x at the beginning
and spaces/tabs inside, such as:

• 0x725F6F2D6D5F6120

• "725F6F2D 6D5F6120"

• 0x6D5F6120

key fingerprint
The 40-character key fingerprint, such as:

• "0x416E746F 6E537669 72696465 6E6B6F20"

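As an added example (not part of the rnpkeys source), the locator rules above applied to a constructed keyring, so the equivalent forms listed for the userid and keyid can be checked mechanically. The record layout, the function names, the case-sensitive userid comparison, and the choice to try the hex forms before falling back to a userid substring are assumptions of this example.

```python
import re

# Constructed sample keyring for illustration; these are not real keys.
# Each record holds the 16-hex-char keyid, the 40-hex-char fingerprint
# and the list of userids (layout assumed by this example).
SAMPLE_KEYS = [
    {"keyid": "725F6F2D6D5F6120",
     "fpr": "3B0F4E7C9A1D5E6F2B8C4D9E0A1F3B5C7D9E2F4A",
     "uids": ["Alice <alice@rnpgp.com>"]},
    {"keyid": "0123456789ABCDEF",
     "fpr": "C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0",
     "uids": ["Bob <bob@example.net>"]},
]

_HEX_RE = re.compile(r"^[0-9A-F]+$")


def normalize_hex(locator):
    """Drop an optional 0x prefix and internal spaces/tabs; return upper-case
    hex, or None when the locator is not a hex string at all."""
    s = locator.strip()
    if s[:2].lower() == "0x":
        s = s[2:]
    s = re.sub(r"[ \t]", "", s).upper()
    return s if s and _HEX_RE.match(s) else None


def key_matches(locator, key):
    """Apply the SPECIFYING KEYS rules to one key record."""
    h = normalize_hex(locator)
    if h is not None:
        if len(h) == 40:                       # full fingerprint
            return h == key["fpr"].upper()
        if len(h) == 16:                       # full keyid
            return h == key["keyid"].upper()
        if len(h) == 8:                        # right-most 8 chars of keyid
            return h == key["keyid"].upper()[-8:]
        # Any other hex-looking string (e.g. "cafe") is treated as a userid part.
    needle = locator.strip()
    return any(needle in uid for uid in key["uids"])


def find_keys(locator, keys=SAMPLE_KEYS):
    """All records matching the locator; more than one hit means the
    locator is ambiguous and the caller should ask for a keyid/fingerprint."""
    return [k for k in keys if key_matches(locator, k)]
```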
COMMANDS
INFORMATIONAL
-h, --help
Displays a short help message. No options are expected.

-V, --version
Displays version information. No options are expected.

-l, --list-keys
List keys and some brief information about each.

Additional options:

--with-sigs
Additionally display signatures of the listed keys.

KEY GENERATION
-g, --generate-key
Generate a new keypair.

Without additional options, an RSA primary key pair with an RSA
sub-key pair will be generated, and you will be prompted for the
encryption password afterwards.

Additional options:

--numbits
Overrides the default RSA key size of 2048 bits.

--expiration TIME
Set key and subkey expiration time, counting from the creation
time.

By default, generated keys do not expire.

Expiration time can be specified as:

• an expiration date in the ISO 8601:2019 date format
(yyyy-mm-dd); or

• hours/days/months/years since creation time, with the syntax
20h/30d/1m/1y; or

• a number of seconds.

--expert
Select key algorithms interactively and override default
settings.

--userid
Specifies the userid to be used in generation.

--hash
Specify the hash algorithm used in generation.

--cipher
Specify the encryption algorithm used in generation.

--s2k-iterations
Specify the number of iterations for the S2K (string-to-key)
process.

This is used during the derivation of the symmetric key that
encrypts the secret key from the password.

--s2k-msec
Specify that rnpkeys should automatically pick a
--s2k-iterations value such that a single key derivation
operation takes NUMBER milliseconds on the current system.

For example, setting it to 2000 means that each secret key
decryption operation would take around 2 seconds (on the
current machine).

KEY/SIGNATURE IMPORT
--import, --import-keys, --import-sigs
Import keys or signatures.

While rnpkeys automatically detects the input data format, one may
still wish to specify whether the input provides keys or
signatures.

By default, the import process will stop at the first discovered
erroneous key or signature.

Additional options:

--permissive
Skip errored or unsupported packets during the import process.

KEY/SIGNATURE EXPORT
--export-key [--userid=FILTER] [FILTER]
Export key(s). Only keys that match FILTER are exported if FILTER is
given.

If the filter matches a primary key, the subkeys of that primary key
are also exported.

By default, key data is written to stdout in ASCII-armored format.

Additional options:

--output PATH
Specifies that output is to be written to the named file instead of
stdout.

--secret
Without this option, the command will only export public key(s).
This option must be provided to export secret key(s).

--export-rev KEY
Export the revocation signature for the specified secret key.

The revocation signature can be used later in case of key loss or
compromise.

Additional options:

--rev-type
Specifies the type of key revocation.

--rev-reason
Specifies the reason for key revocation.

KEY MANIPULATION
--revoke-key KEY
Issue a revocation signature for the secret key, and save it in the
keyring.

Revoked keys cannot be used further.

Additional options:

--rev-type
Specifies the type of key revocation; see the OPTIONS section for
the available values.

--rev-reason
Specifies the reason for key revocation.

--remove-key KEY
Remove the specified key.

If a primary key is specified, then all of its subkeys are also
removed.

If the specified key is a secret key, then it will not be deleted
without confirmation.

Additional options:

--force
Forces removal of a secret key without prompting the user.

--edit-key KEY
Edit or update information associated with a key. Must be
accompanied by an editing option.

Currently the following options are available:

--check-cv25519-bits
Check whether the least significant/most significant bits of a
Curve25519 ECDH subkey are correctly set. RNP internally sets
those bits to the required values (the 3 least significant bits and
the most significant bit must be zero) during decryption; however,
other implementations (GnuPG) may require those bits to be set
in the key material. KEY must specify the exact subkey via keyid or
fingerprint.

--fix-cv25519-bits
Set the least significant/most significant bits of a Curve25519 ECDH
subkey to the correct values, and save the key, so that a later
export of the key ensures compatibility with other implementations
(like GnuPG). This operation requires the password for your secret
key. Since version 0.16.0 of RNP, generated secret keys are stored
with these bits set to the needed values; however, this may still be
needed to fix older keys or keys generated by other implementations.
KEY must specify the exact subkey via keyid or fingerprint.

OPTIONS
--homedir DIR
Change the homedir (where RNP looks for keyrings) to the specified
value.

The default homedir is ~/.rnp.

--output PATH
Write data-processing-related output to the specified file.

Combine it with --overwrite to overwrite the file if it already
exists.

--overwrite
Overwrite the output file if it already exists.

--userid USERID
Use the specified userid during key generation and in some
key-searching operations.

--numbits BITS
Specify the size in bits for the generated key and subkey.

BITS may be in the range 1024-16384, as long as the public key
algorithm does not place additional limits.

--cipher ALGORITHM
Set the key encryption algorithm. This is only used in key
generation.

The default value is AES256.

--hash ALGORITHM
Use the specified hash algorithm for signatures and for derivation
of the encrypting key from the password for secret key encryption.

The default value is SHA256.

--expert
Use the expert key generation mode, allowing the selection of
key/subkey algorithms.

The following types of keys can be generated in this mode:

• DSA key with ElGamal encryption subkey

• DSA key with RSA subkey

• ECDSA key with ECDH subkey

• EdDSA key with x25519 subkey

• SM2 key with subkey

Specifically, for ECDSA and ECDH the underlying curve can also be
specified:

• NIST P-256, NIST P-384, NIST P-521

• brainpoolP256r1, brainpoolP384r1, brainpoolP512r1

• secp256k1

--pass-fd FD
Specify a file descriptor to read passwords from instead of from
stdin/tty.

Useful for automated or non-interactive sessions.

--password PASSWORD
Use the specified password when it is needed.

Warning
Not recommended for production use due to potential
security issues. Use --pass-fd for batch operations instead.

--with-sigs
Print signature information when listing keys via the -l command.

--force
Force actions to happen without prompting the user.

This applies to cases such as secret key removal, revoking an
already revoked key, and so on.

--permissive
Skip malformed or unknown keys/signatures during key import.

By default, rnpkeys will stop at the first erroring packet and exit
with an error.

--rev-type TYPE
Use the specified type during revocation signature generation
instead of the default 0.

The following values are supported:

• 0, or "no": no revocation type specified.

• 1, or "superseded": key was superseded by another key.

• 2, or "compromised": key was compromised and is no longer valid.

• 3, or "retired": key is retired.

Please refer to IETF RFC 4880 for details.

--rev-reason REASON
Add the specified human-readable revocation REASON to the signature
instead of an empty string.

--s2k-iterations NUMBER
Specify the number of iterations for the S2K (string-to-key)
process.

This is used during the derivation of the symmetric key that
encrypts the secret key from the password.

Please refer to IETF RFC 4880 for further details.

--s2k-msec NUMBER
Specify that rnpkeys should automatically pick a --s2k-iterations
value such that a single key derivation operation takes NUMBER
milliseconds on the current system.

For example, setting it to 2000 means that each secret key
decryption operation would take around 2 seconds (on the current
machine).
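
As an added illustration (not RNP's own code) of what --s2k-iterations and --s2k-msec control, here and in KEY GENERATION: the RFC 4880 iterated+salted S2K count encoding, the derivation itself, and how a count is chosen from a measured hash rate. Only the single-hash-context variant is shown (enough for a 256-bit key from SHA-256); the function names, the zero salt and the sample password are constructed, and how rnp rounds a raw --s2k-iterations value onto the coded octet is not claimed here.

```python
import hashlib
import time


def s2k_decode_count(coded):
    """RFC 4880 3.7.1.3: expand the one-octet coded count into octets to hash."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_encode_count(count):
    """Smallest coded octet whose expanded count reaches 'count' (saturates at 255)."""
    for coded in range(256):
        if s2k_decode_count(coded) >= count:
            return coded
    return 255


def s2k_iterated_salted(password, salt, coded, hash_name="sha256"):
    """Hash the stream (salt || password) repeated until 'count' octets are consumed.
    Per RFC 4880, one full salt+password is hashed even when count is smaller."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    block = salt + password
    count = max(s2k_decode_count(coded), len(block))
    full, rest = divmod(count, len(block))
    h = hashlib.new(hash_name)
    h.update(block * full)
    h.update(block[:rest])
    return h.digest()


def pick_coded_count(target_msec, octets_per_sec):
    """Choose the coded count so one derivation costs about target_msec at this rate."""
    return s2k_encode_count(int(octets_per_sec * target_msec / 1000))


def measure_hash_rate(hash_name="sha256", probe=1 << 22):
    """Rough octets/second for the hash on this machine (what --s2k-msec has to estimate)."""
    buf = bytes(probe)
    start = time.perf_counter()
    hashlib.new(hash_name, buf).digest()
    return probe / (time.perf_counter() - start)


if __name__ == "__main__":
    coded = pick_coded_count(2000, measure_hash_rate())   # mimic --s2k-msec 2000
    print("coded count", coded, "=", s2k_decode_count(coded), "octets hashed")
    # Constructed inputs; a real implementation draws the 8-octet salt at random.
    print(s2k_iterated_salted(b"correct horse", bytes(8), coded).hex())
```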

--notty
Disable use of the tty.

By default RNP detects whether a TTY is attached and uses it for
user prompts.

This option overrides the default behaviour so that user input may be
passed in batch mode.

--current-time TIME
Override the system's time with the specified value.

By default RNP uses the system's time in all signature/key checks;
however, in some scenarios it may be necessary to override this.

TIME can be specified in the ISO 8601-1:2019 date format
(yyyy-mm-dd), or in the UNIX timestamp format.

EXIT STATUS
0
Success.

Non-zero
Failure.

EXAMPLES
The following examples demonstrate usage of the rnpkeys command.

EXAMPLE 1: IMPORT EXISTING KEYS FROM GNUPG
The following one-liner may be used to import all public keys from
GnuPG:

gpg -a --export | rnpkeys --import -

To import all secret keys, the following command should be used (please
note that you'll be asked for the secret key password(s)):

gpg -a --export-secret-keys | rnpkeys --import -

EXAMPLE 2: GENERATE A NEW KEY
This example generates a new key with the specified userid and
expiration. It also enables "expert" mode, allowing the selection of
key/subkey algorithms.

rnpkeys --generate --userid "john@doe.com" --expert --expiration 1y

BUGS
Please report issues via the RNP public issue tracker at:
https://github.com/rnpgp/rnp/issues.

Security reports or security-sensitive feedback should be reported
according to the instructions at: https://www.rnpgp.org/feedback.

AUTHORS
RNP is an open source project led by Ribose and has received
contributions from numerous individuals and organizations.

RESOURCES
Web site: https://www.rnpgp.org

Source repository: https://github.com/rnpgp/rnp

COPYING
Copyright (C) 2017-2021 Ribose. The RNP software suite is freely
licensed: please refer to the LICENSE file for details.

SEE ALSO
rnp(1), librnp(3)

AUTHOR
RNP



RNP 0.16.2                       2022-11-04                       RNPKEYS(1)