RNPKEYS(1) | RNP Manual | RNPKEYS(1) |
RNPKEYS - OpenPGP key management utility.
rnpkeys [--homedir dir] [OPTIONS] COMMAND
The rnpkeys command-line utility is part of the RNP suite and provides OpenPGP key management functionality, including:
By default, rnp will apply a COMMAND, additionally configured with OPTIONS, to all INPUT_FILE(s) or stdin if no INPUT_FILE is given. There are some special cases for INPUT_FILE:
Depending on the input, output may be written:
Without the --armor option, output will be in binary.
If COMMAND requires public or private keys, rnp will look for the keyrings in ~/.rnp. The options --homedir and --keyfile override this (see below).
If COMMAND needs a password, rnp will ask for it via stdin or tty, unless the --password or --pass-fd option was specified.
By default, rnpkeys will use keyrings stored in the ~/.rnp directory.
This behavior may be overridden with the --homedir option.
If COMMAND needs a password, the command will prompt the caller via stdin or tty, unless the --password or --pass-fd options were also used.
Most rnpkeys commands require a key locator or a filter, representing one or more keys.
It may be specified in one of the following ways:
userid
keyid
key fingerprint: The 40-character key fingerprint, such as:
-h, --help
-V, --version
-l, --list-keys
Additional options:
--with-sigs
-g, --generate-key
Without additional options, an RSA primary key pair with an RSA sub-key pair will be generated, and you will be prompted for the encryption password afterwards.
Additional options:
--numbits
--expiration TIME
By default generated keys do not expire.
Expiration time can be specified as:
--expert
--userid
--hash
--cipher
--s2k-iterations
This is used during the derivation of the symmetric key, which encrypts a secret key from the password.
--s2k-msec
For example, setting it to 2000 would mean that each secret key decryption operation would take around 2 seconds (on the current machine).
--import, --import-keys, --import-sigs
While rnpkeys automatically detects the input data format, one may still wish to specify whether the input provides keys or signatures.
By default, the import process will stop on the first discovered erroneous key or signature.
Additional options:
--permissive
--export-key [--userid=FILTER] [FILTER]
If filter matches a primary key, the subkeys of the primary key are also exported.
By default, key data is written to stdout in ASCII-armored format.
Additional options:
--output PATH
--secret
--export-rev KEY
The revocation signature can be used later in a case of key loss or compromise.
Additional options:
--rev-type
--rev-reason
--revoke-key KEY
Revoked keys cannot be used further.
Additional options:
--rev-type
--rev-reason
--remove-key KEY
If a primary key is specified, then all of its subkeys are also removed.
If the specified key is a secret key, then it will not be deleted without confirmation.
Additional options:
--force
--edit-key KEY
Currently the following options are available:
--check-cv25519-bits
--fix-cv25519-bits
--homedir DIR
The default homedir is ~/.rnp.
--output PATH
Combine it with --overwrite to overwrite the file if it already exists.
--overwrite
--userid USERID
--numbits BITS
BITS may be in the range 1024-16384, as long as the public key algorithm does not impose additional limits.
--cipher ALGORITHM
The default value is AES256.
--hash ALGORITHM
The default value is SHA256.
--expert
The following types of keys can be generated in this mode:
Specifically, for ECDSA and ECDH the underlying curve can also be specified:
--pass-fd FD
Useful for automated or non-interactive sessions.
--password PASSWORD
Not recommended for production use due to potential security issues.
Use --pass-fd for batch operations instead.
--with-sigs
--force
This applies to cases such as secret key removal, revoking an already revoked key and so on.
--permissive
By default, rnpkeys will stop on the first erroneous packet and exit with an error.
--rev-type TYPE
The following values are supported:
Please refer to IETF RFC 4880 for details.
--rev-reason REASON
--s2k-iterations NUMBER
This is used during the derivation of the symmetric key, which encrypts a secret key from the password.
Please refer to IETF RFC 4880 for further details.
--s2k-msec NUMBER
For example, setting it to 2000 would mean that each secret key decryption operation would take around 2 seconds (on the current machine).
--notty
By default, RNP detects whether a TTY is attached and uses it for user prompts.
This option overrides the default behaviour so that user input may be passed in batch mode.
--current-time TIME
By default, RNP uses the system time in all signature and key checks; in some scenarios it may be necessary to override this.
TIME may be specified in the ISO 8601-1:2019 date format (yyyy-mm-dd) or as a UNIX timestamp.
0
Non-zero
The following examples demonstrate usage of the rnpkeys command.
The following one-liner may be used to import all public keys from GnuPG:
gpg -a --export | rnpkeys --import -
To import all secret keys the following command should be used (note that you will be asked for the secret key password(s)):
gpg -a --export-secret-keys | rnpkeys --import -
This example generates a new key with the specified userid and expiration. It also enables "expert" mode, allowing the selection of key and subkey algorithms.
rnpkeys --generate --userid "<john@doe.com>" --expert --expiration 1y
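An added example, not from the RNP project, of the batch-mode pattern the --pass-fd and --notty options describe: the key protection password is delivered over file descriptor 3 instead of --password, so it never appears in the process list or shell history, and a private homedir is used instead of ~/.rnp. The homedir path, user id and password are constructed values; that rnpkeys reads the password line twice (set and confirm) during generation is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not the RNP project's own code): non-interactive key
# generation with the password supplied via --pass-fd rather than --password.
# Assumes rnpkeys is on PATH; if it is not, the functions return 127 so a
# caller can treat the run as skipped.
set -u

# gen_key_passfd HOMEDIR USERID PASSWORD
# Generates the default RSA primary key + RSA subkey into HOMEDIR.
gen_key_passfd() {
    homedir=$1; userid=$2; password=$3
    command -v rnpkeys >/dev/null 2>&1 || return 127

    # Keyring directory readable by the owner only.
    mkdir -p "$homedir" && chmod 700 "$homedir"

    # Stage the password in a 0600 file (umask 077) inside the homedir.
    # rnpkeys reads one line from the fd per password request; generation
    # asks for the password and its confirmation, so the line is written
    # twice (assumption; a second unread line is harmless otherwise).
    pwfile=$homedir/.pw.$$
    (umask 077; printf '%s\n%s\n' "$password" "$password" > "$pwfile")

    # --notty: never fall back to the terminal for prompts.
    # 3< opens the staged file on fd 3 for this one command only, so the
    # password is absent from argv and from the shell history.
    rnpkeys --homedir "$homedir" --notty --pass-fd 3 \
            --generate-key --userid "$userid" 3< "$pwfile"
    rc=$?
    rm -f "$pwfile"
    return $rc
}

# list_keys HOMEDIR: confirm the keyring now holds the generated key.
list_keys() {
    command -v rnpkeys >/dev/null 2>&1 || return 127
    rnpkeys --homedir "$1" --notty --list-keys
}
```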
Please report issues via the RNP public issue tracker at: <https://github.com/rnpgp/rnp/issues>.
Security reports or security-sensitive feedback should be reported according to the instructions at: <https://www.rnpgp.org/feedback>.
RNP is an open source project led by Ribose and has received contributions from numerous individuals and organizations.
Web site: <https://www.rnpgp.org>
Source repository: <https://github.com/rnpgp/rnp>
Copyright (C) 2017-2021 Ribose. The RNP software suite is freely licensed: please refer to the LICENSE file for details.
RNP | 2023-05-24 | RNP 0.16.3 |