RNP(1)                         RNP Manual                         RNP(1)

NAME
   RNP - OpenPGP-compatible signatures and encryption.

SYNOPSIS
   rnp [--homedir dir] [OPTIONS] COMMAND [INPUT_FILE, ...] ...

DESCRIPTION
   The rnp command-line utility is part of the RNP suite and provides
   OpenPGP signing and encryption functionality compliant with IETF RFC
   4880.

   rnp does not allow manipulation of keys or keyrings — please use
   rnpkeys(1) for that purpose.

   BASICS
   By default, rnp will apply a COMMAND, additionally configured with
   OPTIONS, to all INPUT_FILE(s) or to stdin if no INPUT_FILE is given.
   There are some special cases for INPUT_FILE:

   • - (dash) substitutes for stdin

   • env:VARIABLE_NAME substitutes for the contents of the environment
     variable VARIABLE_NAME

   Depending on the input, output may be written:

   • if the --output option is given, output is written to the path
     specified (or to stdout if - is used)

   • to the INPUT_FILE with a removed or added file extension (.pgp,
     .gpg, .asc, .sig), depending on the operation

   • to stdout if input was read from stdin

   If the output file already exists, it will not be overwritten unless
   the --overwrite option is given.

   Without the --armor option, output will be in binary.

   If COMMAND requires public or private keys, rnp will look for the
   keyrings in ~/.rnp. The options --homedir and --keyfile override this
   (see below).

   If COMMAND needs a password, rnp will ask for it via stdin or tty,
   unless the --password or --pass-fd option was specified.

COMMANDS
   INFORMATIONAL
   -h, --help
       Displays a short help message. No options are expected.

   -V, --version
       Displays version information. No options are expected.

   ENCRYPTION AND SIGNING
   -e, --encrypt
       Encrypt data with public key(s), and optionally sign, if the --sign
       command is added.

       You would likely want to specify one or more --recipient(s) or pick
       a --cipher (instead of the default).

       Additional options:

       --recipient
           Specify one or more recipients.

       --cipher
           Select a specific cipher.

       -z 0..9, --zlib, --zip, --bzip2
           Select a compression algorithm and level.

       --armor
           Output ASCII data instead of binary. If the input file is
           file.ext, and --output is not specified, then the data will be
           written to file.ext.pgp or, with --armor, to file.ext.asc.

       --no-wrap
           Do not wrap the output in a literal data packet. This can be
           used to encrypt a file which is already signed or encrypted. By
           default this also disables compression; use option -z to
           override.

       --overwrite
           If the destination file already exists, and the --overwrite
           option is not given, the caller will be asked for permission
           to overwrite or to provide a new file name. Please see the
           OPTIONS section for more information.

   -c, --symmetric
       Encrypt data with password(s).

       Can be combined with the commands --encrypt and --sign.

       Options that apply to the --encrypt command also apply here.

       Additional options:

       --passwords
           Encryption to multiple passwords is possible with the
           --passwords option. Each password will be asked for via
           stdin/tty unless --password or --pass-fd is specified.

   -s, --sign
       Digitally sign data, using one or more secret keys you own.

       Public-key or password-based encryption may be added via the
       --encrypt and --symmetric commands.

       Additional options:

       -u, --userid
           By default, the first secret key you own will be selected for
           signing. Apply this option to select a different key or to use
           multiple keys.

       --detach
           By default, the signature is stored together with the signed
           data. This option detaches the signature to a separate file
           (file.ext.sig).

       --hash
           Use the --hash option to override the default hash algorithm.
           As with encryption, output may be converted to ASCII via the
           --armor option.

       Compression options also apply here. Since the secret key is
       usually stored encrypted, you will be asked for the password to
       decrypt it via stdin/tty unless --password or --pass-fd is
       specified.

   --clearsign
       Digitally sign text data, producing human-readable output with the
       signature attached.

       In this mode, data cannot be additionally encrypted or compressed.

       Other signing options (--hash, -u, --password) can still be used
       here.

   DECRYPTION AND VERIFICATION
   -d, --decrypt
       Decrypt and verify data from the INPUT_FILE or stdin.

       If the data is signed, signature verification information will be
       printed to stdout/tty.

       Additional options:

       --output
           Override the default output selection with a file name or the
           stdout specifier (-). For the default output path selection see
           the BASICS section.

       --password, --pass-fd
           Depending on encryption options, you may be asked for the
           password of one of your secret keys, or for the encryption
           password. These options override that behavior so that you
           can supply the password through automated means.

   -v, --verify
       Verify signature(s) without writing the embedded data out, if any
       (unless option --output is specified).

       To verify the detached signature of a file file.ext, a detached
       signature file named file.ext.sig or file.ext.asc must exist.

       You may also use option --source to specify the exact source for
       the signed data.

       If the data is encrypted, you may be asked for a password as in the
       --decrypt command.

   OTHER COMMANDS
   --list-packets
       Show detailed information about the OpenPGP data in INPUT_FILE or
       stdin. Useful for curiosity, troubleshooting or debugging.

       Additional options can be used:

       --json
           Output JSON data instead of human-readable information.

       --grips
           Print out key fingerprints and grips.

       --mpi
           Print out all MPI values.

       --raw
           Print raw, hex-encoded packets too.
   --enarmor[=msg|pubkey|seckey|sign]
       Convert binary data to ASCII armor as per the OpenPGP standard.
       This includes the -----BEGIN PGP MESSAGE----- header and footer,
       and Base64-encoded data.

       Output for file.ext will be written to file.ext.asc (if it does not
       exist) or to stdout.

       The following OpenPGP headers may be specified:

       msg (default)
           -----BEGIN PGP MESSAGE-----

       pubkey
           -----BEGIN PGP PUBLIC KEY BLOCK-----

       seckey
           -----BEGIN PGP SECRET KEY BLOCK-----

       sign
           -----BEGIN PGP SIGNATURE-----

       Additional options:

       --overwrite
           Forcefully overwrite the destination file if it exists.

       --output
           Specify the destination file path.

   --dearmor
       Attempts to convert data from an armored format to the binary
       format.

       The output for file.ext.asc will be written to file.ext. If the
       destination file already exists, the user will be prompted for a
       new filename.

       Additional options:

       --overwrite
           Forcefully overwrite the destination file if it exists.

       --output
           Specify the destination file path.
OPTIONS
   --home, --homedir DIR
       Change the homedir (where RNP looks for keyrings) to the specified
       value.

       The default homedir is ~/.rnp.

   -f, --keyfile PATH
       Instead of loading keyrings, use the key(s) from the file specified.

   -u, --userid KEY
       Specify one or more signing keys, searched for via the given value
       KEY. See rnpkeys(1) on how to find valid values.

   -r, --recipient KEY
       Add a message recipient, i.e. the public key to which the message
       will be encrypted. See rnpkeys(1) on how to find valid values.

   --armor, --ascii
       Apply ASCII armoring to the output, so that the resulting output
       can be transferred as plain text.

       See IETF RFC 4880 for more details.

   --detach, --detached
       Create a detached signature.

   --output PATH
       Write data processing related output to the file specified.

       If not specified, the output filename will be guessed from the
       input filename/extension or the command will prompt the user via
       stdin/tty.

   --overwrite
       Overwrite already existing files without prompting.

   --source
       Specify the signed data for detached signature verification (the -
       and env: substitutions may be used here).

   --hash ALGORITHM
       Set the hash algorithm to be used for signing and for derivation of
       the encryption key from a password.

       The default value is SHA256.

   --cipher ALGORITHM
       Set the symmetric algorithm used during encryption.

       The default value is AES256.

   --aead [EAX, OCB]
       Enable AEAD encryption and select the algorithm to be used.

   --aead-chunk-bits BITS
       Change the AEAD chunk size bits, from 0 to 16 (the actual chunk
       size is 1 << (6 + bits)). See the OpenPGP documentation for details.

   --zip, --zlib, --bzip2
       Select the corresponding algorithm to compress data with. Please
       refer to IETF RFC 4880 for details.

   -z 0..9
       Set the compression level for the compression algorithms.

       9 is the highest compression level; 0 disables compression.

       The default value is 6.

   --pass-fd FD
       Specify a file descriptor to read passwords from instead of
       stdin/tty.

       Useful for automated or non-interactive sessions.

   --password PASSWORD
       Use the specified password when it is needed.

       Warning
           Not recommended for production use due to potential security
           issues. Use --pass-fd for batch operations instead.
328
329 --passwords COUNT
330 Set the number of passwords for --symmetric encryption.
331
332 While not commonly used, you may encrypt a message to any
333 reasonable number of passwords.
334
335 --creation TIME
336 Override signature creation time.
337
338 By default, creation time is set to the current local computer
339 time.
340
341 TIME could be specified in the ISO 8601-1:2019 date format
342 (yyyy-mm-dd), or in the UNIX timestamp format.
343
344 --expiration TIME
345 Set signature expiration time, counting from the creation time.
346
347 By default, signatures do not expire.
348
349 A specific expiration time can be specified as:
350
351 • expiration date in the ISO 8601:2019 date format (yyyy-mm-dd);
352 or
353
354 • hours/days/months/years since creation time with the syntax of
355 20h/30d/1m/1y;
356
357 • number of seconds.
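       The two TIME syntaxes above, turned into the values a signature
       carries (creation timestamp, expiration offset in seconds, 0 for
       never), as an added Python example that is not rnp's own parser.
       Assumptions: a yyyy-mm-dd value is taken at 00:00 UTC, the h/d/m/y
       units are 3600 s, 86400 s, 30-day months and 365-day years, and an
       --expiration date must lie after the creation time.

```python
# Added example, not rnp's own code: parse --creation and --expiration
# TIME values. Assumptions: dates are taken at 00:00 UTC; h/d/m/y are
# 3600 s, 86400 s, 30-day months and 365-day years.
import re
from datetime import datetime, timezone

UNIT_SECONDS = {"h": 3600, "d": 86400, "m": 30 * 86400, "y": 365 * 86400}

def parse_creation(value):
    """--creation TIME: yyyy-mm-dd or a UNIX timestamp, as a UNIX time."""
    if re.fullmatch(r"\d+", value):
        return int(value)
    dt = datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def parse_expiration(value, creation):
    """--expiration TIME: seconds after creation. Accepts yyyy-mm-dd,
    Nh/Nd/Nm/Ny, or a plain number of seconds."""
    m = re.fullmatch(r"(\d+)([hdmy])", value)
    if m:
        return int(m.group(1)) * UNIT_SECONDS[m.group(2)]
    if re.fullmatch(r"\d+", value):
        return int(value)
    expiry = parse_creation(value)          # an absolute date
    if expiry <= creation:
        raise ValueError("expiration %s is not after the creation time" % value)
    return expiry - creation

def signature_times(creation=None, expiration=None, now=None):
    """Apply the defaults described above: creation is the current time
    (now, a UNIX time, can be injected) and no --expiration means never."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    created = parse_creation(creation) if creation else now
    expires_in = parse_expiration(expiration, created) if expiration else 0
    return created, expires_in
```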
358
359 --keystore-format GPG|KBX|G10|G21
360 Set keystore format.
361
362 RNP automatically detects the keystore format.
363
364 This option allows the auto-detection behavior to be overridden.
365
366 --notty
367 Disable use of tty.
368
369 By default RNP would detect whether TTY is attached and use it for
370 user prompts.
371
372 This option overrides default behaviour so user input may be passed
373 in batch mode.
374
375 --current-time TIME
376 Override system’s time with a specified value.
377
378 By default RNP uses system’s time in all signature/key checks,
379 however in some scenarios it could be needed to override this.
380
381 TIME may be specified in the same way as --creation.
382
383 --set-filename FNAME
384 Override or set a file name, stored inside of OpenPGP message.
385
386 By default RNP will store input filename (or empty string for
387 stdin/env input) in the resulting OpenPGP message during encryption
388 or embedded signing. This option allows to override this. Special
389 value _CONSOLE may be used for "for your eyes only"-message. Refer
390 OpenPGP documentation for the details.
391
392 --allow-hidden
393 Allow hidden recipient support.
394
395 Sender of an encrypted message may wish to hide recipient’s key by
396 setting a Key ID field to all zeroes. In this case receiver has to
397 try every available secret key, checking for a valid decrypted
398 session key. This option is disabled by default.
399
401 0
402 Success.
403
404 Non-zero
405 Failure.
406
408 The following examples demonstrate method of usage of the rnp command.
409
410 EXAMPLE 1
411 rnp --homedir .rnp --encrypt -r 0x6E69636B6F6C6179 --output
412 document.txt.encrypted document.txt
413
414 Load keyrings from the .rnp folder, encrypt the document.txt file using
415 the key with keyid 0x6E69636B6F6C6179.
416
417 EXAMPLE 2
418 rnp --keyfile john-sec.asc -s --detach --hash SHA512 document.txt
419
420 Generate a detached signature over the file document.txt, using the
421 secret key stored in the file. Additionally override the hash algorithm
422 to SHA512.
423
424 EXAMPLE 3
425 rnp --keyfile john-pub.asc --verify document.txt.sig
426
427 Verify detached signature, using the key stored in the john-pub.asc
428 file. The signed data is assumed to be available from the file
429 document.txt.
430
431 EXAMPLE 4
432 rnp -e -c -s --passwords 3 -r 0x526F6E616C642054 -r "john@doe.com" -u
433 0x44616E69656C2057 document.txt
434
435 Encrypt document.txt with 2 keys (specified via keyid
436 0x526F6E616C642054 and userid john@doe.com), and 3 passwords, so any of
437 these may be used to decrypt the resulting file.
438
439 Additionally, the message will be signed with key 0x44616E69656C2057.
440
441 EXAMPLE 5
442 printf "Message" | rnp --keyfile env:PGP_ENCRYPTION_KEY -e - --armor
443
444 Encrypt message, passed via stdin, using the key, stored in environment
445 variable PGP_ENCRYPTION_KEY, add ascii armoring, and print result to
446 the stdout.
447
449 Please report issues via the RNP public issue tracker at:
450 https://github.com/rnpgp/rnp/issues.
451
452 Security reports or security-sensitive feedback should be reported
453 according to the instructions at: https://www.rnpgp.org/feedback.
454
456 RNP is an open source project led by Ribose and has received
457 contributions from numerous individuals and organizations.
458
460 Web site: https://www.rnpgp.org
461
462 Source repository: https://github.com/rnpgp/rnp
463
465 Copyright (C) 2017-2021 Ribose. The RNP software suite is freely
466 licensed: please refer to the LICENSE file for details.
467
469 rnpkeys(1), librnp(3)
470
472 RNP
473
474
475
476RNP 0.17.0 2023-05-02 RNP(1)