= rnpkeys(1)
RNP
:doctype: manpage
:release-version: {component-version}
:man manual: RNP Manual
:man source: RNP {release-version}

== NAME

RNPKEYS - OpenPGP key management utility.

== SYNOPSIS

*rnpkeys* [_--homedir_ _dir_] [_OPTIONS_] _COMMAND_

== DESCRIPTION

The _rnpkeys_ command-line utility is part of the _RNP_ suite and
provides OpenPGP key management functionality, including:

* key listing;
* key generation;
* key import/export; and
* key editing.


=== BASICS

*rnpkeys* applies a single _COMMAND_, additionally configured with _OPTIONS_,
to the keyrings stored in the _~/.rnp_ directory.

This location may be overridden with the *--homedir* option.

If _COMMAND_ needs a password (for example to sign a revocation, or to
protect a newly generated secret key), *rnpkeys* prompts the caller
via _stdin_ or _tty_, unless the *--password* or *--pass-fd* option was
also given.

=== SPECIFYING KEYS

Most *rnpkeys* commands require a key locator or a filter,
representing one or more keys.

It may be specified in one of the following ways:

*userid*::
The full *userid*, or any part of it. Matching is done by substring, so
for *"Alice <alice@rnpgp.com>"* the following locators all select the same key:

** _alice_
** _alice@rnpgp_
** _rnpgp.com_

*keyid*::
The full 16-character hexadecimal key ID, or its right-most 8 characters (the short key ID), with or without a leading _0x_ and with or without spaces/tabs inside. Short key IDs are easy to collide deliberately, so prefer the full key ID or the fingerprint whenever the locator must be unambiguous.
Examples:

** _0x725F6F2D6D5F6120_
** _"725F6F2D 6D5F6120"_
** _0x6D5F6120_

*key fingerprint*::
The full 40-character hexadecimal key fingerprint, with or without a leading _0x_ and with or without whitespace inside, such as:

** _"0x416E746F 6E537669 72696465 6E6B6F20"_



== COMMANDS

=== INFORMATIONAL

*-h*, *--help*::
Displays a short help message. No options are expected.

*-V*, *--version*::
Displays version information. No options are expected.

*-l*, *--list-keys*::
List keys and some brief information about each. +
+
Additional options:

*--with-sigs*:::
Additionally display signatures of listed keys.


=== KEY GENERATION

*-g*, *--generate-key*::
Generate a new keypair. +
+
Without additional options, an RSA primary key pair with an RSA sub-key pair will be generated, and *rnpkeys* will then prompt for the password used to encrypt the secret key.
+
Additional options:

*--numbits*:::
Overrides the default RSA key size of *2048* bits.

*--expiration* _TIME_:::
Set key and subkey expiration time, counting from the creation time. +
+
By default generated keys do not expire. +
+
Expiration time can be specified as:

* an expiration date in the ISO 8601:2019 date format (_yyyy-mm-dd_);
* hours/days/months/years since creation time, with the syntax _20h_/_30d_/_1m_/_1y_; or
* a number of seconds since creation time.

*--expert*:::
Select key algorithms interactively and override default settings.

*--userid*:::
Specifies the _userid_ to be used in generation.

*--hash*:::
Specify the hash algorithm used in generation.

*--cipher*:::
Specify the encryption algorithm used in generation.

*--s2k-iterations*:::
Specify the number of iterations for the S2K (string-to-key) process. +
+
This controls the derivation, from the password, of the symmetric key that
encrypts the generated secret key: more iterations make every password guess more expensive for an attacker, at the cost of a slower unlock for the legitimate user.

*--s2k-msec* _NUMBER_:::
Specify that *rnpkeys* should automatically pick a
*--s2k-iterations* value such that a single key derivation operation
takes _NUMBER_ milliseconds on the current system. +
+
For example, setting it to _2000_ would mean that each secret key
unlock takes around 2 seconds on the machine where the key was generated. The chosen iteration count is stored with the key, so unlocking the same key on slower hardware takes proportionally longer.


=== KEY/SIGNATURE IMPORT

*--import*, *--import-keys*, *--import-sigs*::
Import keys or signatures. +
+
While *rnpkeys* automatically detects the input data format,
one may still wish to specify whether the input provides keys or signatures. +
+
By default, the import process will stop on the first discovered
erroneous key or signature. +
+
Additional options:

*--permissive*:::
Skip errored or unsupported packets during the import process. Review the import output to see what was skipped; a dropped packet could be a revocation or another signature you rely on.

=== KEY/SIGNATURE EXPORT

*--export-key* [*--userid*=_FILTER_] [_FILTER_]::
Export key(s). If _FILTER_ is given, only keys matching it are exported. +
+
If the filter matches a primary key, the subkeys of the primary key are also exported.
+
By default, key data is written to _stdout_ in ASCII-armored format.
+
Additional options:

*--output* _PATH_:::
Write the output to the named file instead of _stdout_.

*--secret*:::
Without this option, the command will only export public key(s).
This option must be provided to export secret key(s).

*--export-rev* _KEY_::
Export a revocation signature (revocation certificate) for the specified secret key. +
+
The revocation signature can be published later in case of key loss or compromise. Anyone holding it can revoke the key, so store it offline with the same care as the secret key itself.
+
Additional options:

*--rev-type*:::
Specifies the type of key revocation.

*--rev-reason*:::
Specifies the reason for key revocation.


=== KEY MANIPULATION

*--revoke-key* _KEY_::
Issue a revocation signature for the secret key, and save it in the keyring.
+
Revoked keys cannot be used further. Publish the revoked key wherever the original was published, since other parties only learn of the revocation once they import it. +
+
Additional options:

*--rev-type*:::
Specifies the type of key revocation.

*--rev-reason*:::
Specifies the reason for key revocation.


*--remove-key* _KEY_::
Remove the specified key. +
+
If a primary key is specified, then all of its subkeys are also removed. +
+
If the specified key is a secret key, then it will not be deleted without
confirmation.
+
Additional options:

*--force*:::
Forces removal of a secret key without prompting the user.


=== OPTIONS

*--homedir* _DIR_::
Change the homedir (where RNP looks for keyrings) to the specified value. +
+
The default homedir is _~/.rnp_.

*--output* _PATH_::
Write data processing related output to the specified file. +
+
Combine it with *--force* to overwrite the file if it already exists.

*--userid* _USERID_::
Use the specified _userid_ during key generation and in some
key-searching operations.

*--numbits* _BITS_::
Specify the size in bits for the generated key and subkey. +
+
_BITS_ may be in the range *1024*-*16384*, as long as the public key algorithm
does not place additional limits. 1024-bit RSA is no longer considered adequate; do not go below the default of 2048 bits for new keys.

*--cipher* _ALGORITHM_::
Set the symmetric cipher used to encrypt the secret key under the password. This is only used in key generation. +
+
The default value is _AES256_.

*--hash* _ALGORITHM_::
Use the specified hash algorithm for the signatures made during key generation and for deriving the secret-key encryption key from the password (S2K). +
+
The default value is _SHA256_.

*--expert*::
Use the *expert key generation* mode, allowing the selection of
key/subkey algorithms.
+
The following types of keys can be generated in this mode: +
+
--
** *DSA* key with *ElGamal* encryption subkey
** *DSA* key with *RSA* subkey
** *ECDSA* key with *ECDH* subkey
** *EdDSA* key with *x25519* subkey
** *SM2* key with subkey
--
+
Specifically, for *ECDSA* and *ECDH* the underlying curve can also be specified: +
+
--
** _NIST P-256_, _NIST P-384_, _NIST P-521_
** _brainpoolP256r1_, _brainpoolP384r1_, _brainpoolP512r1_
** _secp256k1_
--

*--pass-fd* _FD_::
Specify a file descriptor to read passwords from instead of from _stdin_/_tty_. +
+
Useful for automated or non-interactive sessions: the caller opens a pipe or file on that descriptor, and the password never appears on the command line.

*--password* _PASSWORD_::
Use the specified password when it is needed. +
+
WARNING: Not recommended for production use. A password given on the command line is visible to every local user in the process list (_ps_) and is typically recorded in shell history.
Use *--pass-fd* for batch operations instead.

*--with-sigs*::
Print signature information when listing keys via the *-l* command.

*--force*::
Force actions to happen without prompting the user. +
+
This applies to cases such as output file overwrite, secret key removal, and revoking an already revoked key.

*--permissive*::
Skip malformed or unknown keys/signatures during key import. +
+
By default, *rnpkeys* will stop on the first erroring packet
and exit with an error.

*--rev-type* _TYPE_::
Use the specified type during revocation signature generation instead of the default _0_. +
+
The following values are supported: +
+
--
** 0, or "no": no revocation type specified.
** 1, or "superseded": key was superseded with another key.
** 2, or "compromised": key was compromised and no longer valid.
** 3, or "retired": key is retired.
--
+
The type matters to verifiers: per *IETF RFC 4880*, a key revoked as _compromised_ makes all signatures ever made with it suspect, whereas after a _superseded_ or _retired_ revocation, signatures made before the revocation remain valid. Please refer to *IETF RFC 4880* for details.

*--rev-reason* _REASON_::
Add the specified human-readable revocation _REASON_ to the
signature instead of an empty string.

*--s2k-iterations* _NUMBER_::
Specify the number of iterations for the S2K (string-to-key) process. +
+
This is used during the derivation, from the password, of the symmetric key that
encrypts the secret key: more iterations make every password guess costlier for an attacker and every unlock slower for the legitimate user. +
+
Please refer to IETF RFC 4880 for further details.

*--s2k-msec* _NUMBER_::
Specify that *rnpkeys* should automatically pick a
*--s2k-iterations* value such that a single key derivation operation
takes _NUMBER_ milliseconds on the current system. +
+
For example, setting it to _2000_ would mean that each secret key
unlock takes around 2 seconds on the machine where the key was generated; on slower hardware it takes proportionally longer.


== EXIT STATUS

_0_::
 Success.

_Non-zero_::
 Failure.


== BUGS

Please report _issues_ via the RNP public issue tracker at:
https://github.com/rnpgp/rnp/issues.

_Security reports_ or _security-sensitive feedback_ should be reported
according to the instructions at:
https://www.rnpgp.org/feedback.


== AUTHORS

*RNP* is an open source project led by Ribose and has
received contributions from numerous individuals and
organizations.


== RESOURCES

*Web site*: https://www.rnpgp.org

*Source repository*: https://github.com/rnpgp/rnp


== COPYING

Copyright \(C) 2017-2021 Ribose.
The RNP software suite is _freely licensed_:
please refer to the *LICENSE* file for details.



== SEE ALSO

*rnp(1)*, *librnp(3)*
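== EXAMPLES

The key-locator rules from SPECIFYING KEYS, implemented as an added example in Python. This is not rnp's own code: `Key`, `KEYRING`, `normalize_hex` and `find_keys` are hypothetical names, the two fingerprints are constructed (not real keys, although the first is built so that its key ID is the _0x725F6F2D6D5F6120_ used above), and the precedence rule (a locator that parses as hex is tried as fingerprint or key ID first and falls back to a userid substring only if nothing matched) is an assumption, not something this manual states.

```python
"""Key-locator matching as described under SPECIFYING KEYS.

Added illustration, not rnp's code. Key, KEYRING, normalize_hex and
find_keys are hypothetical names; the keyring is constructed in memory
from made-up fingerprints so the script runs offline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    fingerprint: str  # 40 hex digits (version 4 key), upper case, no spaces
    userids: tuple

    @property
    def keyid(self) -> str:
        # A version 4 key ID is the low-order 64 bits of the fingerprint,
        # i.e. its last 16 hex digits.
        return self.fingerprint[-16:]


# Constructed sample keyring: these fingerprints are not real keys. The
# first is built so that its key ID is the 0x725F6F2D6D5F6120 of the manual.
KEYRING = [
    Key("A1B2C3D4E5F60718293A4B5C725F6F2D6D5F6120", ("Alice <alice@rnpgp.com>",)),
    Key("0011223344556677889900AABBCCDDEEFF001122", ("Bob <bob@example.org>",)),
]


def normalize_hex(locator: str):
    """Strip whitespace and an optional 0x prefix; return upper-case hex,
    or None when the locator is not purely hexadecimal."""
    s = re.sub(r"\s+", "", locator)
    if s[:2].lower() == "0x":
        s = s[2:]
    s = s.upper()
    return s if s and re.fullmatch(r"[0-9A-F]+", s) else None


def find_keys(locator: str, keyring=KEYRING):
    """Return the keys selected by `locator`, applying the manual's rules:
    40 hex digits match a fingerprint, 16 match a full key ID, 8 match the
    right-most 8 digits of a key ID. Anything else, or a hex locator that
    matches nothing (assumed precedence), is a userid substring."""
    hexval = normalize_hex(locator)
    if hexval is not None:
        if len(hexval) == 40:
            hits = [k for k in keyring if k.fingerprint == hexval]
        elif len(hexval) == 16:
            hits = [k for k in keyring if k.keyid == hexval]
        elif len(hexval) == 8:
            hits = [k for k in keyring if k.keyid.endswith(hexval)]
        else:
            hits = []
        if hits:
            return hits
    needle = locator.strip().lower()
    return [k for k in keyring if any(needle in u.lower() for u in k.userids)]


if __name__ == "__main__":
    for loc in ("alice", "rnpgp.com", "0x725F6F2D6D5F6120",
                "725F6F2D 6D5F6120", "0x6D5F6120", "bob", "0xDEADBEEF"):
        print(f"{loc!r:>22} -> {[k.keyid for k in find_keys(loc)]}")
```

Running the script prints which key each locator selects. The short ID _0x6D5F6120_ finds Alice only because no other key in the ring ends in those eight digits, which is exactly why short key IDs are not a safe unique locator.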
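What *--s2k-iterations* and *--s2k-msec* control, as an added example in Python that is not rnp's code: the Iterated and Salted S2K of RFC 4880 section 3.7.1.3, the one-octet count coding that OpenPGP key packets store (so a requested count is rounded up to the next representable value), and a hypothetical calibration loop, `calibrate_coded_count`, mirroring the behaviour *--s2k-msec* describes. The salt and password are constructed test inputs; how rnp itself maps the *--s2k-iterations* number onto the RFC's octet count is not stated in this manual.

```python
"""Iterated and Salted S2K (RFC 4880 section 3.7.1.3), the mechanism behind
--s2k-iterations and --s2k-msec.

Added illustration, not rnp's code. s2k_iterated_salted follows the RFC,
decode_count/encode_count implement the RFC's one-octet count coding, and
calibrate_coded_count is a hypothetical stand-in for the timing loop that
--s2k-msec implies. Salt and password values below are constructed.
"""
import hashlib
import os
import time


def decode_count(coded: int) -> int:
    """RFC 4880: the one-octet coded count c expands to
    (16 + (c & 15)) << ((c >> 4) + 6), i.e. 1024 .. 65011712 octets hashed."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(count: int) -> int:
    """Smallest coded octet whose decoded value is at least `count`.
    The key packet can only store the coded form, so requests round up."""
    for coded in range(256):
        if decode_count(coded) >= count:
            return coded
    return 255


def s2k_iterated_salted(password: bytes, salt: bytes, count: int,
                        hash_name: str = "sha256") -> bytes:
    """Hash the stream (salt || password) repeated until `count` octets have
    been consumed, but never fewer than one full copy. The digest is the
    symmetric key protecting the secret key material; OpenPGP truncates it
    to the cipher's key size (for AES256 with SHA256 the sizes coincide)."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + password
    total = max(count, len(block))
    # Feed repeats in ~64 KiB chunks; each chunk is a whole number of blocks,
    # so chunk boundaries stay aligned with the repeating stream.
    chunk = block * max(1, 65536 // len(block))
    h = hashlib.new(hash_name)
    remaining = total
    while remaining > 0:
        n = min(remaining, len(chunk))
        h.update(chunk[:n])
        remaining -= n
    return h.digest()


def calibrate_coded_count(target_msec: float, hash_name: str = "sha256") -> int:
    """Smallest coded count whose derivation takes at least `target_msec`
    here, which is what --s2k-msec asks for. The count is stored in the key,
    so a slower machine later pays proportionally more per unlock."""
    salt = os.urandom(8)             # throwaway salt for benchmarking only
    password = b"calibration-only"   # constructed input, not a real secret
    for coded in range(256):
        t0 = time.perf_counter()
        s2k_iterated_salted(password, salt, decode_count(coded), hash_name)
        if (time.perf_counter() - t0) * 1000.0 >= target_msec:
            return coded
    return 255


if __name__ == "__main__":
    salt = bytes.fromhex("0102030405060708")  # constructed, fixed for demo
    key = s2k_iterated_salted(b"correct horse battery staple", salt, 65536)
    print("coded octet for 65536:", encode_count(65536))
    print("derived key:", key.hex())
    c = calibrate_coded_count(100)
    print(f"about 100 ms on this host -> coded {c} = {decode_count(c)} octets")
```

The calibration number is only meaningful on the machine that ran it: the largest representable count (coded 255, about 65 MB hashed) takes well under a second on a current CPU but far longer on a small embedded device, which is the caveat behind *--s2k-msec*.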
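Using *--pass-fd* from a batch job instead of *--password*, as an added example in Python (not rnp's code). `run_with_pass_fd`, `stand_in_argv` and `password_reached_child` are hypothetical helpers; the child spawned by `stand_in_argv` is a small Python program standing in for *rnpkeys* so the script runs without RNP installed, and the *rnpkeys* argv quoted in the docstring only illustrates the shape such a command takes. POSIX only, since it relies on `os.pipe` and `pass_fds`.

```python
"""Supplying a password over a dedicated file descriptor, the way --pass-fd
expects, instead of on the command line via --password.

Added illustration, not rnp's code. run_with_pass_fd is a hypothetical
wrapper: it takes a callback that builds argv once the descriptor number is
known; for rnpkeys that would be something like
["rnpkeys", "--pass-fd", str(fd), "--export-key", "--secret", "alice"].
stand_in_argv launches a small Python child in place of rnpkeys so the demo
runs without RNP installed. POSIX only (os.pipe and pass_fds).
"""
import hashlib
import os
import subprocess
import sys
import threading


def run_with_pass_fd(build_argv, password: str, *,
                     timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run the command whose argv is built by build_argv(fd), with `password`
    readable on descriptor `fd` inside the child.

    The password travels through a pipe whose read end is the only extra
    descriptor the child inherits, so it never appears in argv (readable by
    every local user via ps) or in shell history.
    """
    read_fd, write_fd = os.pipe()

    def feed():
        # Written from a thread so a password longer than the pipe buffer
        # cannot deadlock the parent before the child starts reading.
        try:
            data = password.encode() + b"\n"   # newline ends the password
            while data:
                data = data[os.write(write_fd, data):]
        finally:
            os.close(write_fd)

    writer = threading.Thread(target=feed, daemon=True)
    writer.start()
    try:
        return subprocess.run(build_argv(read_fd), pass_fds=(read_fd,),
                              capture_output=True, timeout=timeout, check=False)
    finally:
        os.close(read_fd)        # the parent keeps no copy of the read end
        writer.join(timeout)


def stand_in_argv(fd: int):
    """argv for a stand-in child: reads the password from `fd` and prints
    its SHA-256, so the parent can confirm delivery without echoing it."""
    code = ("import os, sys, hashlib\n"
            "pw = os.read(%d, 4096).rstrip(b'\\n')\n"
            "sys.stdout.write(hashlib.sha256(pw).hexdigest())\n") % fd
    return [sys.executable, "-c", code]


def password_reached_child(password: str) -> bool:
    """True if the stand-in child received exactly `password` on its fd."""
    result = run_with_pass_fd(stand_in_argv, password)
    expected = hashlib.sha256(password.encode()).hexdigest()
    return result.returncode == 0 and result.stdout.decode().strip() == expected


if __name__ == "__main__":
    print("password delivered over pass-fd:",
          password_reached_child("correct horse battery staple"))
```

To drive the real tool, replace `stand_in_argv` with a callback returning the *rnpkeys* command line with `--pass-fd` set to the descriptor it receives; nothing else changes, and `ps` on the host will show the descriptor number rather than the password.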