= rnp(1)
RNP
:doctype: manpage
:release-version: {component-version}
:man manual: RNP Manual
:man source: RNP {release-version}

== NAME

RNP - OpenPGP-compatible signatures and encryption.

== SYNOPSIS

*rnp* [_--homedir_ _dir_] [_OPTIONS_] _COMMAND_ [_INPUT_FILE_, ...] ...


== DESCRIPTION

The _rnp_ command-line utility is part of the _RNP_ suite and
provides OpenPGP signing and encryption functionality
compliant with IETF RFC 4880.

_rnp_ does not allow manipulation of keys or keyrings --
please use _rnpkeys(1)_ for that purpose.

=== BASICS

By default, *rnp* will apply a _COMMAND_, additionally configured with _OPTIONS_,
to all _INPUT_FILE_(s), or to _stdin_ if no _INPUT_FILE_ is given.
There are some special cases for _INPUT_FILE_:

* _-_ (dash) is read as _stdin_
* env:VARIABLE_NAME is replaced by the contents of the environment variable VARIABLE_NAME

Depending on the input, output may be written:

* if the *--output* option is given, to the path specified (or to *stdout* if *-* is used);
* to the _INPUT_FILE_ with a removed or added file extension (_.pgp_, _.asc_, _.sig_); or
* to _stdout_ if input was read from _stdin_.

Without the *--armor* option, output will be in binary.

If _COMMAND_ requires public or private keys, *rnp* will look for the keyrings in *~/.rnp*. The options *--homedir* and *--keyfile* override this (see below).

If _COMMAND_ needs a password, *rnp* will ask for it via *stdin* or *tty*,
unless the *--password* or *--pass-fd* option was specified.


== COMMANDS

=== INFORMATIONAL

*-h*, *--help*::
Displays a short help message. No options are expected.

*-V*, *--version*::
Displays version information. No options are expected.


=== ENCRYPTION AND SIGNING

*-e*, *--encrypt*::
Encrypt data with public key(s), and optionally sign, if the *--sign* command is added. +
+
You would likely want to specify one or more *--recipient*(s) or pick a *--cipher* (instead of the default).
+
Additional options:

*--recipient*:::
Specify one or more recipients.

*--cipher*:::
Select a specific cipher.

*-z 0..9*, *--zlib*, *--zip*, *--bzip2*:::
Select a compression algorithm and level.

*--armor*:::
Output ASCII data instead of binary. If the input file is _file.ext_, and *--output* is not specified, then the data will be written (depending on the *--armor* option) to _file.ext.pgp_ or _file.ext.asc_.

*--overwrite*:::
If the destination file already exists, and the *--overwrite* option is not given, the caller will be asked for permission to overwrite or to provide a new file name. Please see the *OPTIONS* section for more information.

*-c*, *--symmetric*::
Encrypt data with password(s). +
+
Can be combined with the commands *--encrypt* and *--sign*.
+
Options that apply to the *--encrypt* command also apply here.
+
Additional options:

*--passwords*:::
Encryption to multiple passwords is possible with the *--passwords* option. Each password will be asked for via stdin/tty unless *--password* or *--pass-fd* is specified.

*-s*, *--sign*::
Digitally sign data, using one or more secret keys you own. +
+
Public-key or password-based encryption may be added via the *--encrypt* and *--symmetric* commands. +
+
Additional options:

*-u*, *--userid*:::
By default, the first secret key you own will be selected for signing. Apply this option to select a different key or to use multiple keys.

*--detach*:::
By default, the signature is stored together with the signed data. This option writes the signature to a separate file (_file.ext.sig_).

*--hash*:::
You may want to use the *--hash* option to override the default hash algorithm. As with encryption, output may be converted to ASCII via the *--armor* option. +
+
Compression options also apply here. Since the secret key is usually stored encrypted, you will be asked for the password to decrypt it via _stdin_/_tty_ unless *--password* or *--pass-fd* is specified.

*--clearsign*::
Digitally sign text data, producing human-readable output with the signature attached. +
+
In this mode, data cannot be additionally encrypted or compressed.
+
Other signing options, *--hash*, *-u*, *--password*, can still be used here.

=== DECRYPTION AND VERIFICATION

*-d*, *--decrypt*::
Decrypt and verify data from the _INPUT_FILE_ or stdin. +
+
If the data is signed, signature verification information will be printed to _stdout_/_tty_.
+
Additional options:

*--output*:::
Unless overridden with this option, output is written to a file named after _INPUT_FILE_ with the _.pgp_ extension stripped, or to stdout. If _INPUT_FILE_ does not end with the _.pgp_ extension, then the output file name will be asked for via _stdin_/_tty_.

*--password*, *--pass-fd*:::
Depending on encryption options, you may be asked for the password of one of your secret keys, or for the encryption password. These options override that behavior so that you can supply the password through automated means.

*-v*, *--verify*::
Verify signature(s) without writing embedded data out, if any (unless option _--output_ is specified). +
+
To verify the detached signature of a file _file.ext_, a detached signature file matching the file name pattern _file.ext.sig_ or _file.ext.asc_ must exist. +
+
If data is encrypted, you may be asked for a password as in the *--decrypt* command.

=== OTHER COMMANDS

*--list-packets*::
Show detailed information about the OpenPGP data in _INPUT_FILE_ or stdin.
Useful for curiosity, troubleshooting or debugging. +
+
Additional options can be used:

*--json*::: output JSON data instead of human-readable information
*--grips*::: print out key fingerprints and grips
*--mpi*::: print out all MPI values
*--raw*::: print raw, hex-encoded packets too

*--enarmor*[=_msg_|_pubkey_|_seckey_|_sign_]::
Convert binary data to ASCII-armored form as per the OpenPGP standard.
This includes the `-----BEGIN PGP MESSAGE-----` header and footer,
and Base64-encoded data. +
+
Output for _file.ext_ will be written to _file.ext.asc_ (if it does not exist)
or to _stdout_. +
+
The following OpenPGP headers may be specified:
+
--
*msg*::: _-----BEGIN PGP MESSAGE-----_
*pubkey*::: _-----BEGIN PGP PUBLIC KEY BLOCK-----_
*seckey*::: _-----BEGIN PGP SECRET KEY BLOCK-----_
*sign*::: _-----BEGIN PGP SIGNATURE-----_
--
+
Additional options:

*--overwrite*:::
Forcefully overwrite the destination file if it exists.

*--output*:::
Specify the destination file path.


*--dearmor*::
Attempts to convert data from an armored format to the binary format. +
+
The _file.ext.asc_ input file will be written to _file.ext_.
If the destination file already exists, the user will be prompted
for a new filename.
+
Additional options:

*--overwrite*:::
Forcefully overwrite the destination file if it exists.

*--output*:::
Specify the destination file path.


== OPTIONS

*--home*, *--homedir* _DIR_::
Change the homedir (where RNP looks for keyrings) to the specified value. +
+
The default homedir is _~/.rnp_.

*-f*, *--keyfile* _PATH_::
Instead of loading keyrings, use key(s) from the file specified.

*-u*, *--userid* _KEY_::
Specify one or more signing keys, searching for them by the given value _KEY_.
See *rnpkeys(1)* on how to find valid values.

*-r*, *--recipient* _KEY_::
Add a message recipient, i.e. the public key to which the message will be encrypted.
See *rnpkeys(1)* on how to find valid values.

*--armor*, *--ascii*::
Apply ASCII armoring to the output, so that the resulting output
can be transferred as plain text. +
+
See IETF RFC 4880 for more details.

*--detach*, *--detached*::
Create a detached signature.

*--output* _PATH_::
Write data processing related output to the file specified. +
+
If not specified, the output filename will be guessed from
the input filename/extension, or the command will prompt the user
via _stdin_/_tty_.

*--overwrite*::
Overwrite already existing files without prompting.

*--hash* _ALGORITHM_::
Set the hash algorithm to be used for signing and for derivation
of the encryption key from a password. +
+
The default value is _SHA256_.

*--cipher* _ALGORITHM_::
Set the symmetric algorithm used during encryption. +
+
The default value is _AES256_.

*--aead* [_EAX_, _OCB_]::
Enable AEAD encryption and select the algorithm to be used.

*--aead-chunk-bits* _BITS_::
Change the AEAD chunk size. This is used for testing or debugging.

*--zip*, *--zlib*, *--bzip2*::
Select the corresponding algorithm to compress data with.
Please refer to IETF RFC 4880 for details.

*-z* _0..9_::
Set the compression level for the compression algorithms. +
+
*9* is the highest compression level, while *0* disables compression.
+
The default value is *6*.

*--pass-fd* _FD_::
Specify a file descriptor to read passwords from instead of _stdin_/_tty_. +
+
Useful for automated or non-interactive sessions.

*--password* _PASSWORD_::
Use the specified password when it is needed. +
+
WARNING: Not recommended for production use due to potential security issues.
Use *--pass-fd* for batch operations instead.

*--passwords* _COUNT_::
Set the number of passwords for *--symmetric* encryption. +
+
While not commonly used, you may encrypt a message to any reasonable number of passwords.

*--creation* _TIME_::
Override the signature creation time. +
+
By default, the creation time is set to the current local computer time. +
+
A specific time can be specified in the
ISO 8601-1:2019 date format (_yyyy-mm-dd_),
or in the UNIX timestamp format.

*--expiration* _TIME_::
Set the signature expiration time, counting from the creation time. +
+
By default, signatures do not expire. +
+
A specific expiration time can be specified as:

*** an expiration date in the ISO 8601:2019 date format (_yyyy-mm-dd_); or
*** hours/days/months/years since the creation time, with the syntax _20h_/_30d_/_1m_/_1y_; or
*** a number of seconds.

*--keystore-format* _GPG_|_KBX_|_G10_|_G21_::
Set the keystore format. +
+
RNP automatically detects the keystore format. +
+
This option allows the auto-detection behavior to be overridden.

*--notty*::
Disable use of the tty. +
+
By default RNP detects whether a TTY is attached and uses it for user prompts. +
+
This option overrides the default behaviour so that user input may be passed in batch mode.

== EXIT STATUS

_0_::
Success.

_Non-zero_::
Failure.


== EXAMPLES

The following examples demonstrate typical usage of the _rnp_ command.

=== EXAMPLE 1

*rnp* *--homedir* _.rnp_ *--encrypt* *-r* _0x6E69636B6F6C6179_
*--output* _document.txt.encrypted_ _document.txt_

Load keyrings from the _.rnp_ folder, and
encrypt the _document.txt_ file using the
key with keyid _0x6E69636B6F6C6179_.

=== EXAMPLE 2

*rnp* *--keyfile* _john-sec.asc_ *-s* *--detach* *--hash* _SHA512_ _document.txt_

Generate a detached signature over the file _document.txt_, using the
secret key stored in the file.
Additionally override the hash algorithm to _SHA512_.
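The following script is an added example and is not part of this man page or of the RNP project. It turns the detached signing of EXAMPLE 2 (and the matching verification) into a batch job: the secret key's passphrase is delivered on a file descriptor with *--pass-fd* and prompts are disabled with *--notty*, instead of passing *--password* on the command line where it would be visible to other users via the process list and kept in shell history. The key file names _john-sec.asc_ and _john-pub.asc_ come from the examples; the environment variable `RNP_SIGN_PASS`, the helper function names and the decryption helper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the rnp man page or the rnp project.
# Batch-mode signing, verification and decryption with rnp, passing the
# passphrase on a file descriptor (--pass-fd) rather than in argv
# (--password), where it would show up in `ps` output and shell history.
# Assumptions: john-sec.asc / john-pub.asc as in EXAMPLE 2 and 3, and the
# passphrase supplied in the hypothetical environment variable RNP_SIGN_PASS.
set -eu

# run_with_pass_fd PASSPHRASE CMD [ARG...]
# Runs CMD with PASSPHRASE (plus a trailing newline) readable on file
# descriptor 3, so CMD can be given "--pass-fd 3".  The passphrase travels
# through a pipe, never through argv, and is not subject to shell expansion.
# CMD's own stdin is redirected from /dev/null, so this helper is for
# file inputs, not for the "-" (stdin) input form.
run_with_pass_fd() {
    pass=$1
    shift
    printf '%s\n' "$pass" | "$@" 3<&0 0</dev/null
}

# sign_detached KEYFILE FILE: write FILE.sig, never falling back to a tty
# prompt (--notty) and replacing a stale signature file (--overwrite).
sign_detached() {
    run_with_pass_fd "$RNP_SIGN_PASS" \
        rnp --notty --keyfile "$1" --sign --detach --hash SHA512 \
            --overwrite --pass-fd 3 "$2"
}

# verify_detached KEYFILE FILE: check FILE.sig against FILE.  The function's
# result is rnp's exit status (0 only on success); callers should decide on
# that status, not on the text rnp prints to stdout.
verify_detached() {
    rnp --notty --keyfile "$1" --verify "$2.sig"
}

# decrypt_file KEYFILE IN OUT: decrypt IN to OUT with the secret key's
# passphrase read from fd 3.  --output avoids the interactive file-name
# prompt rnp shows when IN does not end in .pgp.
decrypt_file() {
    run_with_pass_fd "$RNP_SIGN_PASS" \
        rnp --notty --keyfile "$1" --decrypt --pass-fd 3 \
            --overwrite --output "$3" "$2"
}

# Only exercise rnp itself when it is installed and the input exists; the
# helpers above are usable as-is from any POSIX sh.
if command -v rnp >/dev/null 2>&1 && [ -f document.txt ]; then
    sign_detached john-sec.asc document.txt
    rc=0
    verify_detached john-pub.asc document.txt || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "document.txt: signature verified"
    else
        echo "document.txt: verification failed (rnp exit status $rc)" >&2
        exit "$rc"
    fi
fi
```

Because the passphrase is written to a pipe with `printf '%s\n'`, characters such as `$` or backslashes reach rnp unchanged; a here-document would have expanded them. A non-zero exit status from *--verify* is the only reliable signal of failure in a pipeline, so the script propagates it rather than grepping rnp's output.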

=== EXAMPLE 3

*rnp* *--keyfile* _john-pub.asc_ *--verify* _document.txt.sig_

Verify a detached signature, using the key stored in the _john-pub.asc_ file.
The signed data is assumed to be available from the file _document.txt_.

=== EXAMPLE 4

*rnp* *-e* *-c* *-s* *--passwords* _3_
*-r* _0x526F6E616C642054_
*-r* "_john@doe.com_"
*-u* _0x44616E69656C2057_
_document.txt_

Encrypt _document.txt_ with 2 keys (specified via _keyid_
_0x526F6E616C642054_ and _userid_ _john@doe.com_), and 3 passwords,
so *any* of these may be used to decrypt the resulting file.

Additionally, the message will be signed with key _0x44616E69656C2057_.

=== EXAMPLE 5

*printf* _"Message"_ | *rnp* *--keyfile* _env:PGP_ENCRYPTION_KEY_ *-e* *-* *--armor*

Encrypt a message passed via stdin, using the key stored in the environment variable *PGP_ENCRYPTION_KEY*, apply ASCII armoring, and print the result to stdout.

== BUGS

Please report _issues_ via the RNP public issue tracker at:
https://github.com/rnpgp/rnp/issues.

_Security reports_ or _security-sensitive feedback_ should be reported
according to the instructions at:
https://www.rnpgp.org/feedback.


== AUTHORS

*RNP* is an open source project led by Ribose and has
received contributions from numerous individuals and
organizations.


== RESOURCES

*Web site*: https://www.rnpgp.org

*Source repository*: https://github.com/rnpgp/rnp


== COPYING

Copyright \(C) 2017-2021 Ribose.
The RNP software suite is _freely licensed_:
please refer to the *LICENSE* file for details.


== SEE ALSO

*rnpkeys(1)*, *librnp(3)*