Using PGP Command Line to create and manage PGP keys (2024)

Table of Contents

  • Generating Keyring Files
  • Generate A Key Pair
  • Export The Public Key
    • Display the keys
    • Export the key
    • Export The Private Key or Keypair
  • Import a PGP Key
  • Deleting Keys from your Keyring
  • Check Keyring Location or Backup Keyrings
  • PGP Command Line and FIPS Mode

PGP uses Keys and Keyrings. Individual Keys, which are the unique identities of each PGP user, are created and used for encryption and decryption.
These keys are then stored in Keyrings, which are files that contain the individual keys.

PGP Command Line uses the Keyrings and Keys paradigm, so the first step to get started with PGP Command Line is to create a Keyring.

pgp --create-keyrings

This will create a pubring.pkr (public keyring) and secring.skr (private keyring) file in the default keyring location.

For Windows this is in the Documents>PGP folder. This article will use [ ] to identify information that you will need to enter that is specific to your individual keys.

Pubring.pkr indicates a keyring that contains only public keys.

Secring.skr indicates a keyring that contains private keys. TIP: Make sure you do not share this keyring file with anyone for best security.

To create a key pair using PGP Command Line follow these steps:

  1. Open a command shell or DOS prompt.
  2. On the command line, enter:

    pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase]

    NOTE: Any information that contains spaces must be contained inside quotation marks. See the example below step 3.
  3. Press "Enter" when the command is complete.

    Example: The following example will show you how to create a 2048 Bit RSA key for Joe User, an employee of ACME Corp, with the passphrase "my passphrase".

    1. Open a command prompt and enter the following:

      pgp --gen-key "Joe User" --key-type RSA --bits 2048 --passphrase "my passphrase"

    2. Press "Enter"
  4. PGP Command Line will now generate your keypair. You should see your Key ID (e.g. 0x12345678), and a message that the key was successfully generated.
  5. To display your new keypair enter the following command:

    pgp --list-keys


This will display all the keys that are found on your keyring.

Tip: Short version of listing a key is "pgp -l"

After the key pair is generated and identified, it is important to export the public portion (public key) of the key pair so others can import your public key and encrypt to you.

NOTE: Once you have exported your public key to a file, it is easy to distribute. You can attach it to an email, paste the public key block text into the body of an email message (open with Notepad), or copy to a CD, for example.
To export your public key you will need information that identifies the key, which will be referred to in this document as (input). You can use the key ID (e.g. 0x12345678), the user ID (e.g. "Joe User"), or a portion of the user ID (e.g. Joe).

Display the keys

To display the keys on your keyrings, open a command prompt and type the following:

pgp --list-keys

Press Enter and the keys will be displayed. Make note of the key's username or number ID that you wish to export.

Export the key

To export the key, do the following:

  1. Open a command prompt.
  2. From the command prompt, enter:

    pgp --export (input)

    NOTE: Remember that any information that contains spaces must be contained inside quotes.
  3. Press "Enter" when the command is complete.

PGP Command Line responds by exporting keys as ASCII armor (.asc) files into the directory currently active on the command line.

Example 1: The following example will show you how to export your public key using your key ID.

  1. From the command prompt, enter:

    pgp --export 0x12345678

  2. Press "Enter".

Example 2: The following example will show you how to export your key using your user ID.

From the command prompt, enter:

pgp --export "Joe User"

Export The Private Key or Keypair

After the key pair is generated and identified, it is also highly recommended to export your keypair so you have a full backup of it and then store it in a safe location.

To export the keypair, use the following command if the Key ID for your key is "0x12345678":

pgp --export-key-pair 0x12345678 --output c:\my-own-keypair.asc

This will export the keypair to a file called "my-own-keypair.asc" on the c:\ drive, but you can use any path or filename that will work for you.

You may import a public key from an ASCII Armor file (.asc) or from a text file; the process is the same for both. The file containing the key(s) to be imported must be in the current directory. As with exporting a key, this will be referred to as (input) in the examples. Both public and private keys will be imported if they exist in the file. If a key being imported already exists in the local keyring, the keys are merged.

Import Key From File:

  1. Open a command prompt.
  2. From the command prompt, enter:

    pgp --import (input)

  3. Press "Enter" when the command is complete.

PGP Command Line responds as follows: Joe User.asc:import key {0:key imported as 0x12345678 Joe User}

Example 1: The following example will show you how to import a key from an ASCII Armor file (.asc).

  1. From the command prompt, enter:

    pgp --import "Joe User.asc"

  2. Press "Enter".

Example 2: The following example will show you how to import a key from a text file containing the PGP key block.

From the command prompt, enter:

pgp --import "PGP Joe.txt"

Press "Enter".

All of the above commands create, export, and import keys on your keyring. Other commands are more destructive, such as those that remove keys from your keyring.

For example, if you have a key in your keyring that is no longer a valid key, you can remove it so that you do not ever encrypt to that key again.

Be careful when deleting keys from your keyring, but the ability is useful when some keys are no longer valid.

If the Key ID for a key you wish to remove is "0x1234ABCD", then to remove the key from your keyring, you use the following command:

pgp --remove 0x1234ABCD

This will remove the public key from your keyring.

If you have a keypair that you no longer would like to use, you can issue the following command:

pgp --remove-key-pair 0x1234ABCD --force

CAUTION: It is a good idea to export your keypair first! Once you delete your keypair, you will no longer have it. Export the keypair first, and then you can delete it.
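
The export-then-delete order from the caution above can be enforced in a script. This is an added example, not part of the original article or of PGP Command Line itself; it is written for a POSIX shell, and the function name, the PGP_BIN variable, the backup path and the check for the standard OpenPGP private key armor header are assumptions made for the example.

```shell
#!/bin/sh
# Added example: back up a keypair and confirm the backup before removing it.
# Uses only the pgp options shown in this article. PGP_BIN, the function name
# and the backup path are assumptions made for this example.
PGP_BIN="${PGP_BIN:-pgp}"

# safe_remove_keypair KEY_ID BACKUP_FILE
# Returns 0 only if the keypair was exported, verified and then removed.
safe_remove_keypair() {
    key_id="$1"
    backup="$2"

    if [ -z "$key_id" ] || [ -z "$backup" ]; then
        echo "usage: safe_remove_keypair KEY_ID BACKUP_FILE" >&2
        return 2
    fi
    # Never overwrite an earlier backup.
    if [ -e "$backup" ]; then
        echo "refusing to overwrite existing file: $backup" >&2
        return 3
    fi

    # Export with a restrictive umask so the private key file is created
    # readable by its owner only (the subshell keeps the umask change local).
    if ! ( umask 077 && "$PGP_BIN" --export-key-pair "$key_id" --output "$backup" ); then
        echo "export failed, keypair NOT removed" >&2
        return 4
    fi

    # Check that the backup really holds private key material.
    # Assumption: the export is ASCII armor with the standard OpenPGP header.
    if ! grep -q -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$backup" 2>/dev/null; then
        echo "backup has no private key block, keypair NOT removed" >&2
        return 5
    fi

    # Only now remove the keypair from the keyring.
    "$PGP_BIN" --remove-key-pair "$key_id" --force || return 6
    echo "keypair $key_id removed; backup at $backup"
}
```

Call it as safe_remove_keypair 0x1234ABCD /path/to/backup.asc, then move the backup file to offline or otherwise protected storage, since it contains the private key.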

These are all the basic commands for using PGP Command Line to get started, but there are so many more commands available to use that offer a plethora of functionality to meet all your encryption/decryption needs. For more information on these additional commands and operations, see the following article:

158454 - Using PGP Command Line

PGP Command Line also has some very powerful functionality when combined with the Symantec Encryption Management Server, or PGP Server. When used in this way, you can store all your keys on the centralized PGP server, and then none of your keys need to be held locally. This is useful for scenarios where you may have multiple servers with PGP Command Line installed, and you want to have access to all the same keys. The PGP server can be the central repository to securely store your keys, which means better security for where the PGP Command Line application is stored!

For more information on this functionality, see the following article:

159237 - Using PGP Command Line with Symantec Encryption Management Server (PGP Server)

The PGP Command Line uses keyring files to store each individual key. There are two keyring files:
pubring.pkr and secring.skr.

The pubring.pkr file contains only public keys. The secring.skr keyring file will contain private keys, or keypairs.

Both of these keyring files together will house all your keys. In order to see the location of your keyring run the following command:

pgp --version -v

This will display the location of your keyring files. This is handy to know as you can simply copy these files for backup.

Example:

Public Keyring: c:\Users\user1\Documents\PGP\pubring.pkr
Private Keyring: c:\Users\user1\Documents\PGP\secring.skr

To make a backup of these files, simply copy them to another location.

To use PGP Command Line in FIPS mode, see the following article:

267847 - Enable FIPS mode with PGP Command Line Permanently

Article information

Author: Melvina Ondricka
