PGP -e [options] file user ...
PGP (Pretty Good Privacy) is a public key encryption package to protect E-mail and data files. It lets you communicate securely with people you've never met, with no secure channels needed for prior exchange of keys. It's well featured and fast, with sophisticated key management, digital signatures, data compression, and good ergonomic design. If you really want to learn how to use it properly, it's best to read the full documentation that comes with the system, which is very complete. This is a "quick start" guide and reference manual; it is necessarily incomplete, and assumes you are already familiar with most of the basic concepts, including the concepts behind public key cryptography.
user id: an ascii string used to identify a user. User IDs tend to look like "John Q. Public <jqp@xyzcorp.com>"; please try sticking to that format. When giving a user id to PGP, you may specify any unique (case-insensitive) substring. E.g. john, or jqp@xyz.
pass phrase: the secret string used to conventionally encypher your private key; it's important that this be kept secret.
keyring: a file containing a set of public or secret keys. Default names for public and secret rings are "pubring.pgp" and "secring.pgp" respectively.
ascii armor: the ascii radix 64 format PGP uses for transmitting messages over channels like E-Mail; similar in concept to uuencoding.
To see a quick command usage summary for PGP, just type:
pgp -h
To encrypt a plaintext file with the recipient's public key:
pgp -e textfile her_userid [his_userid ...]
To sign a plaintext file with your secret key:
pgp -s textfile [-u your_userid]
To sign a plaintext file with your secret key, and then encrypt it
with the recipient's public key:
pgp -es textfile her_userid [his_userid ...] [-u your_userid]
To create a signature certificate that is detached from the document:
pgp -sb textfile [-u your_userid]
To encrypt a plaintext file with just conventional cryptography, type:
pgp -c textfile
To decrypt an encrypted file, or to check the signature integrity of a
signed file:
pgp ciphertextfile [-o plaintextfile]
To see a quick summary of PGP's key-management commands, just type:
pgp -k
To generate your own unique public/secret key pair:
pgp -kg
To add a public or secret key file's contents to your public or
secret key ring:
pgp -ka keyfile [keyring]
To remove a key from your public key ring:
pgp -kr userid [keyring]
To extract (copy) a key from your public or secret key ring:
pgp -kx userid keyfile [keyring]
or: pgp -kxa userid keyfile [keyring]
To view the contents of your public key ring:
pgp -kv[v] [userid] [keyring]
To view the "fingerprint" of a public key, to help verify it over
the telephone with its owner:
pgp -kvc [userid] [keyring]
To view the contents and check the certifying signatures of your
public key ring:
pgp -kc [userid] [keyring]
To edit the userid or pass phrase for your secret key:
pgp -ke userid [keyring]
To edit the trust parameters for a public key:
pgp -ke userid [keyring]
To remove a key or just a userid from your public key ring:
pgp -kr userid [keyring]
To sign and certify someone else's public key on your public key ring:
pgp -ks her_userid [-u your_userid] [keyring]
To remove selected signatures from a userid on a keyring:
pgp -krs userid [keyring]
Command options that can be used in combination with other command
options (sometimes even spelling interesting words!):
To produce a ciphertext file in ASCII radix-64 format, just add the
-a option when encrypting or signing a message or extracting a key:
pgp -sea textfile her_userid
or: pgp -kxa userid keyfile [keyring]
To wipe out the plaintext file after producing the ciphertext file,
just add the -w (wipe) option when encrypting or signing a message:
pgp -sew message.txt her_userid
To specify that a plaintext file contains ASCII text, not binary, and
should be converted to recipient's local text line conventions, add
the -t (text) option to other options:
pgp -seat message.txt her_userid
To view the decrypted plaintext output on your screen (like the
Unix-style "more" command), without writing it to a file, use
the -m (more) option while decrypting:
pgp -m ciphertextfile
To specify that the recipient's decrypted plaintext will be shown
ONLY on her screen and cannot be saved to disk, add the -m option:
pgp -steam message.txt her_userid
To recover the original plaintext filename while decrypting, add
the -p option:
pgp -p ciphertextfile
To use a Unix-style filter mode, reading from standard input and
writing to standard output, add the -f option:
pgp -feast her_userid <inputfile >outputfile
PGP uses a fairly complete configuration database that is stored in the file "config.txt"; please see the manual for complete details. Some highlights:
MYNAME - Default User ID for Making Signatures
Default setting: MYNAME = ""
The configuration parameter MYNAME specifies the default user ID to
use to select the secret key for making signatures. If MYNAME is not
defined, the most recent secret key you installed on your secret key
ring is used. The user may also override this setting by
specifying a user ID on the PGP command line with the -u option.
TEXTMODE - Assuming Plaintext is a Text File
Default setting: TEXTMODE = off
The configuration parameter TEXTMODE is equivalent to the -t command
line option. If enabled, it causes PGP to assume the plaintext is a
text file, not a binary file, and converts it to "canonical text"
before encrypting it. Canonical text has a carriage return and a
linefeed at the end of each line of text.
This mode is automatically turned off if PGP detects that the
plaintext file contains 8-bit binary data.
ARMOR - Enable ASCII Armor Output
Default setting: ARMOR = off
The configuration parameter ARMOR is equivalent to the -a command
line option. If enabled, it causes PGP to emit ciphertext or keys in
ASCII Radix-64 format suitable for transporting through E-mail
channels. Output files are named with the ".asc" extension.
If you tend to use PGP mostly for E-mail, it may be a good idea to
enable this parameter.
KEEPBINARY - Preserve Internediate .pgp File
Default setting: KEEPBINARY = off
If KEEPBINARY is enabled, then PGP will produce a .pgp file in addition to a .asc file when ASCII armor is enabled.
COMPRESS - Compress Plaintext Before Encrypting
Default setting: COMPRESS = on
PGP usually compresses the plaintext before encrypting it, so it will have less to encrypt and the file you send will be smaller. This is usually only turned off for debugging purposes.
SHOWPASS - Echo Pass Phrase During Entry
Default setting: SHOWPASS = off
If someone is unable to type a long pass phrase reliably without seeing it, this can be turned on, at the cost of security.
INTERACTIVE - Prompt Before Adding Each Key
Default setting: INTERACTIVE = off
By default, when given a file containing new keys, PGP asks if you would like to add them to your public key ring. Since adding keys does not imply that you trust them, adding more just wakes up space. If this option is set, PGP asks about each key in a key file.
VERBOSE - Level of Detail Printed
Default setting: VERBOSE = 1
When set to 0, pgp only prints messages that are necessary or indicate an error. When set to 2, PGP prints a significant amount of debugging information describing what it's doing. Values above 2 have no effect.
PGP employs a system where users specify trusted users who may sign other people's public keys. It is important that you understand how this mechanism works; a full description is in the manual.
IMPORTANT: The manual also describes how to generate and send a "key compromise" certificate that tells readers that your private key has been compromised. If your key has been compromised, please read the manual section on key compromise certificates and how to create them; the faster you send out a key compromise certificate, the smaller the window of opportunity for "bad guys" to send forged messages.
PGP automatically tries compressing your input file; there is no point in precompressing input for transmission.
PGP "ascii armor" is only needed on the outer transmitted message; as an example, if you are, say, sending a public key to someone else and you are for some reason signing it, simply armor the outer message; it's better to sign the binary form of the key.
PGP is easily customized for foreign language help and error messages; it has been translated into a number of non-english languages. See the manual for details on the file "language.txt".
PGP uses several special files for its purposes, such as your standard key ring files "pubring.pgp" and "secring.pgp", the random number seed file "randseed.bin", the PGP configuration file "config.txt", and the foreign language string translation file "language.txt". These special files can be kept in any directory, by setting the environment variable "PGPPATH" to the desired pathname. If PGPPATH remains undefined, these special files are assumed to be in the current directory.
Normally, PGP prompts the user to type a pass phrase whenever PGP needs a pass phrase to unlock a secret key. But it is possible to store the pass phrase in an environment variable from your operating system's command shell. The environment variable PGPPASS can be used to hold the pass phrase that PGP attempts to use first. If the pass phrase stored in PGPPASS is incorrect, PGP recovers by prompting the user for the correct pass phrase. This dangerous feature makes your life more convenient if you have to regularly deal with a large number of incoming messages addressed to your secret key, by eliminating the need for you to repeatedly type in your pass phrase every time you run PGP. THIS IS A VERY DANGEROUS FEATURE; on UNIX it is trivial to read someone else's environment using the ps(1) command. If you are contemplating using this feature, be sure to read the sections "How to Protect Secret Keys from Disclosure" and "Exposure on Multi-user Systems" in the full PGP manual.
If the environment variable PGPPASSFD is defined, it must have a numeric value, which PGP uses as a file descriptor number to read a pass phrase from. This is done before anything else, so it can be combined with an input file on standard input. This is mainly for use by shell scripts, since under Unix it is difficult to read the contents of other people's pipes.
PGP returns a 0 to the shell on success, and a nonzero error code on failure. See the source code for details on nonzero status return values.
*.pgp ciphertext, signature, or key file *.asc ascii armor file pubring.pgp public key ring secring.pgp secret key ring language.txt foreign language string translation file config.txt configuration file pgp.hlp online help text file
The manual is really good, and it's really important in the long run that you read it. It may not be important to read the fine print on a box of breakfast cereal, but it may be crucial to read the label of a prescription drug. Cryptography software is like pharmaceuticals-- so read the manual!
It is impossible to overemphasize the importance of protecting your secret key. Anyone gaining access to it can forge messages from you or read mail addressed to you. Be EXTREMELY cautious in using PGP on any multi-user unix system.
PGP is believed by its authors to be secure when used as directed, but then again everyone always claims their pet encryption system is secure. Read the section in the manual on "Trusting Snake Oil" and the section on "Vulnerabilities" for caveats.
Mostly self explanatory.
PGP was initially written for the PC, and behaves very PCish. In particular, its automagic file selection, file extensions, and the like all make it somewhat alien in the UNIX environment.
This man page needs to be updated to reflect all the latest features.
Originally written by Philip R. Zimmermann. Later augmented by a cast of thousands, especially including Hal Finney, Branko Lankester, and Peter Gutmann.
For detailed information on PGP licensing, distribution, copyrights, patents, trademarks, liability limitations, and export controls, see the "Legal Issues" section in the "PGP User's Guide, Volume II: Special Topics".
PGP uses a public key algorithm claimed by U.S. patent #4,405,829. The exclusive rights to this patent are held by a California company called Public Key Partners, and you may be infringing this patent if you use PGP in the USA. This is explained in the PGP User's Guide, Volume II.
PGP is "guerrilla" freeware, and the authors don't mind if you distribute it widely. Just don't ask Philip Zimmermann to send you a copy. Instead, you can get it yourself from many BBS systems and a number of Internet FTP sites.