RNPKEYS(1) | RNP Manual | RNPKEYS(1) |
NAME¶
RNPKEYS - OpenPGP key management utility.
SYNOPSIS¶
rnpkeys [--homedir dir] [OPTIONS] COMMAND
DESCRIPTION¶
The rnpkeys command-line utility is part of the RNP suite and provides OpenPGP key management functionality, including:
BASICS¶
By default, rnp will apply a COMMAND, additionally configured with OPTIONS, to all INPUT_FILE(s) or stdin if no INPUT_FILE is given. There are some special cases for INPUT_FILE :
Depending on the input, output may be written:
Without the --armor option, output will be in binary.
If COMMAND requires public or private keys, rnp will look for the keyrings in ~/.rnp. The options --homedir and --keyfile override this (see below).
If COMMAND needs a password, rnp will ask for it via stdin or tty, unless the --password or --pass-fd option was specified.
By default, rnpkeys will use keyrings stored in the ~/.rnp directory.
This behavior may be overridden with the --homedir option.
If COMMAND needs a password, the command will prompt the caller via stdin or tty, unless the --password or --pass-fd options were also used.
SPECIFYING KEYS¶
Most rnpkeys commands require a key locator or a filter, representing one or more keys.
It may be specified in one of the following ways:
userid
keyid
key fingerprint: The 40-character key fingerprint, such as:
COMMANDS¶
INFORMATIONAL¶
-h, --help
-V, --version
-l, --list-keys
Additional options:
--with-sigs
KEY GENERATION¶
-g, --generate-key
Without additional options, an RSA primary key pair with an RSA sub-key pair will be generated, and prompting for the encryption password afterwards.
Additional options:
--numbits
--expiration TIME
By default generated keys do not expire.
Expiration time can be specified as:
--expert
--userid
--hash
--cipher
--s2k-iterations
This is used during the derivation of the symmetric key, which
encrypts a secret key from the password.
--s2k-msec
For example, setting it to 2000 would mean that each secret key decryption operation would take around 2 seconds (on the current machine).
KEY/SIGNATURE IMPORT¶
--import, --import-keys, --import-sigs
While rnpkeys automatically detects the input data format, one may still wish to specify whether the input provides keys or signatures.
By default, the import process will stop on the first discovered erroneous key or signature.
Additional options:
--permissive
KEY/SIGNATURE EXPORT¶
--export-key [--userid=FILTER] [FILTER]
If filter matches a primary key, the subkeys of the primary key are also exported.
By default, key data is written to stdout in ASCII-armored format.
Additional options:
--output PATH
--secret
--export-rev KEY
The revocation signature can be used later in a case of key loss or compromise.
Additional options:
--rev-type
--rev-reason
KEY MANIPULATION¶
--revoke-key KEY
Revoked keys cannot be used further.
Additional options:
--rev-type
--rev-reason
--remove-key KEY
If a primary key is specified, then all of its subkeys are also removed.
If the specified key is a secret key, then it will not be deleted without confirmation.
Additional options:
--force
--edit-key KEY
Currently the following options are available:
--add-subkey
--check-cv25519-bits
--fix-cv25519-bits
--set-expire TIME
OPTIONS¶
--homedir DIR
The default homedir is ~/.rnp .
--output PATH
Combine it with --overwrite to overwrite file if it already exists.
--overwrite
--userid USERID
--numbits BITS
bits may be in range 1024-16384, as long as the public key algorithm does not place additional limits.
--cipher ALGORITHM
The default value is AES256.
--hash ALGORITHM
The default value is SHA256.
--expert
The following types of keys can be generated in this mode:
Specifically, for ECDSA and ECDH the underlying curve can also be specified:
--pass-fd FD
Useful for automated or non-interactive sessions.
--password PASSWORD
Warning
Not recommended for production use due to potential
security issues.
Use --pass-fd for batch operations instead.
--with-sigs
--force
This applies to cases such as secret key removal, revoking an already revoked key and so on.
--permissive
By default, rnpkeys will stop on the first erroring packet and exit with an error.
--rev-type TYPE
The following values are supported:
Please refer to IETF RFC 4880 for details.
--rev-reason REASON
--s2k-iterations NUMBER
This is used during the derivation of the symmetric key, which encrypts a secret key from the password.
Please refer to IETF RFC 4880 for further details.
--s2k-msec NUMBER
For example, setting it to 2000 would mean that each secret key decryption operation would take around 2 seconds (on the current machine).
--notty
By default RNP would detect whether TTY is attached and use it for user prompts.
This option overrides default behaviour so user input may be passed in batch mode.
--current-time TIME
By default RNP uses system’s time in all signature/key checks, however in some scenarios it could be needed to override this.
TIME could be specified in the ISO 8601-1:2019 date format (yyyy-mm-dd), or in the UNIX timestamp format.
EXIT STATUS¶
0
Non-zero
EXAMPLES¶
The following examples demonstrate method of usage of the rnpkeys command.
EXAMPLE 1: IMPORT EXISTING KEYS FROM THE GNUPG¶
Following oneliner may be used to import all public keys from the GnuPG:
gpg -a --export | rnpkeys --import -
To import all secret keys the following command should be used (please note, that you’ll be asked for secret key password(s)):
gpg -a --export-secret-keys | rnpkeys --import -
EXAMPLE 2: GENERATE A NEW KEY¶
This example generates a new key with specified userid and expiration. Also it enables "expert" mode, allowing the selection of key/subkey algorithms.
rnpkeys --generate --userid " <john@doe.com> --expert --expiration 1y
BUGS¶
Please report issues via the RNP public issue tracker at: <https://github.com/rnpgp/rnp/issues>.
Security reports or security-sensitive feedback should be reported according to the instructions at: <https://www.rnpgp.org/feedback>.
AUTHORS¶
RNP is an open source project led by Ribose and has received contributions from numerous individuals and organizations.
RESOURCES¶
Web site: <https://www.rnpgp.org>
Source repository: <https://github.com/rnpgp/rnp>
COPYING¶
Copyright (C) 2017-2021 Ribose. The RNP software suite is freely licensed: please refer to the LICENSE file for details.
SEE ALSO¶
AUTHOR¶
RNP
2024-10-29 | RNP 0.17.1 |