RNP(1) | RNP Manual | RNP(1) |
RNP - OpenPGP-compatible signatures and encryption.
rnp [--homedir dir] [OPTIONS] COMMAND [INPUT_FILE, ...] ...
The rnp command-line utility is part of the RNP suite and provides OpenPGP signing and encryption functionality compliant with IETF RFC 4880.
rnp does not allow manipulation of keys or keyrings — please use rnpkeys(1) for that purpose.
By default, rnp will apply a COMMAND, additionally configured with OPTIONS, to all INPUT_FILE(s) or stdin if no INPUT_FILE is given. There are some special cases for INPUT_FILE :
Depending on the input, output may be written:
If output file already exists, it will not be overwritten, unless --overwrite option is given.
Without the --armor option, output will be in binary.
If COMMAND requires public or private keys, rnp will look for the keyrings in ~/.rnp. The options --homedir and --keyfile override this (see below).
If COMMAND needs a password, rnp will ask for it via stdin or tty, unless the --password or --pass-fd option was specified.
-h, --help
-V, --version
-e, --encrypt
You would likely want to specify one or more --recipient(s) or pick a --cipher (instead of the default).
Additional options:
--recipient
--cipher
-z 0..9, --zlib, --zip, --bzip
--armor
--no-wrap
--overwrite
-c, --symmetric
Can be combined with the commands --encrypt and --sign.
Options that apply to the --encrypt command also apply here.
Additional options:
--passwords
-s, --sign
Public-key or password-based encryption may be added via the --encrypt and --symmetric commands.
Additional options:
-u, --userid
--detach
--hash
Compression options also apply here. Since the secret key is usually stored encrypted, you will be asked for the password to decrypt it via stdin/tty unless --password or --pass-fd is specified.
--clearsign
In this mode, data cannot be additionally encrypted or compressed.
Other signing options, --hash, -u, --password, can still be used here.
-d, --decrypt
If the data is signed, signature verification information will be printed to stdout/tty.
Additional options:
--output
--password, --pass-fd
-v, --verify
To verify the detached signature of a file file.ext, the detached signature file in the file name pattern of file.ext.sig or file.ext.asc must exist.
Also you may use option --source to specify the exact source for the signed data.
If data is encrypted, you may be asked for password as in the --decrypt command.
--list-packets
Additional options can be used:
--json
--grips
--mpi
--raw
--enarmor[=msg|pubkey|seckey|sign]
Output for file.ext will be written to file.ext.asc (if it does not exist) or to stdout.
The following OpenPGP headers may be specified:
msg
pubkey
seckey
sign
Additional options:
--overwrite
--output
--dearmor
The file.ext.asc output file would be written to file.ext. If the destination file already exists, it will prompt the user for a new filename.
Additional options:
--overwrite
--output
--home, --homedir DIR
The default homedir is ~/.rnp .
-f, --keyfile PATH
-u, --userid KEY
-r, --recipient KEY
--armor, --ascii
See IETF RFC 4880 for more details.
--detach, --detached
--output PATH
If not specified, the output filename will be guessed from the input filename/extension or the command will prompt the user via stdin/tty.
--overwrite
--source
--hash ALGORITHM
The default value is SHA256.
--cipher ALGORITHM
The default value is AES256.
--aead [EAX, OCB]
--aead-chunk-bits BITS
--zip, --zlib, --bzip2
-z 0..9
9 is the highest compression level, where 0 disables compression.
The default value is 6.
--pass-fd FD
Useful for automated or non-interactive sessions.
--password PASSWORD
Not recommended for production use due to potential security
issues.
Use --pass-fd for batch operations instead.
--passwords COUNT
While not commonly used, you may encrypt a message to any reasonable number of passwords.
--creation TIME
By default, creation time is set to the current local computer time.
TIME could be specified in the ISO 8601-1:2019 date format (yyyy-mm-dd), or in the UNIX timestamp format.
--expiration TIME
By default, signatures do not expire.
A specific expiration time can be specified as:
--keystore-format GPG|KBX|G10|G21
RNP automatically detects the keystore format.
This option allows the auto-detection behavior to be overridden.
--notty
By default RNP would detect whether TTY is attached and use it for user prompts.
This option overrides default behaviour so user input may be passed in batch mode.
--current-time TIME
By default RNP uses system’s time in all signature/key checks, however in some scenarios it could be needed to override this.
TIME may be specified in the same way as --creation.
0
Non-zero
The following examples demonstrate method of usage of the rnp command.
rnp --homedir .rnp --encrypt -r 0x6E69636B6F6C6179 --output document.txt.encrypted document.txt
Load keyrings from the .rnp folder, encrypt the document.txt file using the key with keyid 0x6E69636B6F6C6179.
rnp --keyfile john-sec.asc -s --detach --hash SHA512 document.txt
Generate a detached signature over the file document.txt, using the secret key stored in the file. Additionally override the hash algorithm to SHA512.
rnp --keyfile john-pub.asc --verify document.txt.sig
Verify detached signature, using the key stored in the john-pub.asc file. The signed data is assumed to be available from the file document.txt.
rnp -e -c -s --passwords 3 -r 0x526F6E616C642054 -r "john@doe.com" -u 0x44616E69656C2057 document.txt
Encrypt document.txt with 2 keys (specified via keyid 0x526F6E616C642054 and userid john@doe.com), and 3 passwords, so any of these may be used to decrypt the resulting file.
Additionally, the message will be signed with key 0x44616E69656C2057.
printf "Message" | rnp --keyfile env:PGP_ENCRYPTION_KEY -e - --armor
Encrypt message, passed via stdin, using the key, stored in environment variable PGP_ENCRYPTION_KEY, add ascii armoring, and print result to the stdout.
Please report issues via the RNP public issue tracker at: <https://github.com/rnpgp/rnp/issues>.
Security reports or security-sensitive feedback should be reported according to the instructions at: <https://www.rnpgp.org/feedback>.
RNP is an open source project led by Ribose and has received contributions from numerous individuals and organizations.
Web site: <https://www.rnpgp.org>
Source repository: <https://github.com/rnpgp/rnp>
Copyright (C) 2017-2021 Ribose. The RNP software suite is freely licensed: please refer to the LICENSE file for details.
RNP
2023-05-24 | RNP 0.16.3 |