PGP Quick Reference
For many users, especially novice users and those unfamiliar
with DOS or UNIX, the cryptic UNIX-style commands make PGP difficult to use.
Windows front ends (or a Windows version) are not the answer, as
they cripple the very security
that is the rationale for using PGP.
To help such users (maybe even experienced users) I have created
this quick reference, which is loosely based
on the crib card at the back of
PGP: Pretty Good Privacy,
Simson Garfinkel's
excellent guide to PGP.
Square brackets [ ] indicate optional parameters; do not
type the square brackets.
PGP Help
- pgp -h
- Help: Display a summary of PGP's encryption,
decryption, and digital signature options.
- pgp -?
- Help: Display a summary of PGP's encryption,
decryption, and digital signature options.
- pgp -k
- Key: Display a summary of PGP's key
management options.
Encryption
- pgp -c myfile
- Cypher: Encrypt myfile with conventional
(secret-key, i.e. symmetric) cryptography: the same key,
derived from a pass phrase, both encrypts and decrypts.
- pgp -cw myfile
- Cypher and Wipe: Encrypt myfile and erase the
original plaintext file.
Warning: -w leaves evidence that myfile existed.
- pgp -ca myfile
- Cypher ASCII: Encrypt myfile with conventional
cryptography, then encode it in ASCII Radix 64
so you can e-mail it. Though I can't see why
you'd want to do this; it makes more sense to use
-ea.
- pgp -caw myfile
- Cypher, ASCII and Wipe: Encrypt myfile, encode
it in ASCII, and erase the original plaintext.
- pgp -e message userID
- Encrypt: Encrypt the message file with
userID's public key. You can specify multiple
userIDs to encrypt for several
people. Only the holder of userID's secret key can
read the encrypted file.
- pgp -ew message userID
- Encrypt and Wipe: Encrypt the message file
with userID's public key and erase the original
message. Warning: -w leaves
evidence that the original message file existed.
- pgp -eat message userID
- Encrypt, ASCII and Text: Encrypt the message
file with userID's public key, encode the
result in ASCII and retain the text structure.
You can specify multiple userIDs.
- pgp -eatf userID
- Encrypt, ASCII, Text, Filter: Encrypt the message
(read from standard input) with userID's public
key, encode the result in ASCII
and retain the text format.
You can specify multiple userIDs.
Digital Signatures
- pgp -s message [-u myID]
- Sign: Sign the message file with your secret
key. Use -u myID to specify
which secret key to use to create the signature.
- pgp -sb message [-u myID]
- Sign By itself: Create a
signature certificate for message
in a separate file of its own (a detached
signature). Use -u myID to specify
which secret key to use to create
the signature. This is used to
sign a binary file such as an
executable file or a file in a
proprietary format.
- pgp -sat message [-u myID]
- Sign, ASCII, Text: Clear-sign a text file. With
clearsig=on (the default) the signature is appended to the
end of the file and the text itself stays readable, so others
can read the file without PGP.
- pgp -se message userID [-u myID]
- Sign and Encrypt: Sign the message file with
your secret key, then encrypt it with userID's
public key. Use -u myID to
specify which secret key to use to
create the signature.
- pgp -sea message userID
- Sign and Encrypt with ASCII: Sign the message
file with your secret key, encrypt it for userID,
and ASCII armour the result so that
it can be e-mailed.
- pgp -seat message userID [-u myID]
- Sign and Encrypt with ASCII and Text: Sign the
message file with your secret key, encrypt it for
userID, and make the result ASCII and
preserve the text structure. Use
-u myID to specify which
secret key to use to create the signature.
- pgp -seaw message userID
- Sign and Encrypt with ASCII, then Wipe: Sign
the message file with your secret key, encrypt it
for userID, wrap in ASCII armour, and erase
the original message.
Options
Specify in conjunction with other options.
- -a
- ASCII Armour: Code all PGP output files in
printable ASCII characters using Radix 64.
-a can be used on its own to convert
any file to ASCII-armoured form.
Note that in -ka the a means key add, not ASCII armour.
- -f
- Filter: Read files from standard input and
write files to standard output.
Useful if you wish to output key
check, signatures or fingerprints
to a file.
- -m
- More: When decrypting, display the decrypted
file on the screen but do not save it to disk.
When encrypting, tell the recipient not to save
the unencrypted file contents. When viewing
key contents, display a screen at a time.
- -o outputfile
- Output: Specify the name to use for the
decrypted file.
- -p encryptedfile
- Preserve: Restore original file name.
- -t
- Text: Treat all PGP plaintext files as text
files. Preserves the internal text
structure and converts to local text conventions.
- -u myID
- User: Specify which secret key to use to create
a signature.
- -w
- Wipe: Erase the original plaintext file after
encryption. May also be used on its
own for secure file deletion. Warning: this leaves
tell-tale signs of where the file resided and
is not all that secure.
- -@ userIDfile
- Specify additional userIDs when
encrypting; these are read from
the userID file. New with version 2.6.3i.
- -z "pass phrase"
- Specify your pass phrase, for
those users who have difficulty typing
it in when prompted. Highly dangerous: the
pass phrase becomes visible to anyone who can
see the command line or the shell history. Do
not use.
- +batchmode
- Batch mode, used in scripts: suppress interactive prompts
so that the outcome can be read from the errorlevel (exit code) return.
- +force
- Force YES to all responses.
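What -a actually produces is worth seeing in working code: the binary output is Radix-64 encoded, broken into short lines, and finished with a "=XXXX" trailer that carries a CRC-24 over the original binary data, so a recipient can tell a message mangled by a mailer from an intact one. The following is an added example in Python; it is not code from this quick reference or from PGP itself. The CRC-24 generator and initial value are the ones documented for PGP armour in RFC 2440/4880, the "Version: 2.6.3i" header and the "PART nn/mm" label used when splitting into parts (the behaviour the armorlines configuration variable controls) are assumed to follow PGP's own layout, and the sample data is constructed here.

```python
import base64

# CRC-24 as used for the "=XXXX" trailer of PGP ASCII armour (generator and
# initial value as documented in RFC 2440/4880, inherited from PGP 2.x).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Bit-serial CRC-24 over the raw (binary) PGP data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, kind: str = "MESSAGE", comment: str = "", armorlines: int = 0) -> list:
    """Radix-64 armour `data`; return one part, or several when armorlines > 0.

    The multi-part header form "PART nn/mm" is an assumption of this example.
    """
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    # Trailer: "=" followed by the Radix-64 encoding of the 3-byte CRC.
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    headers = ["Version: 2.6.3i"]                 # assumed version string
    if comment:
        headers.append("Comment: " + comment)     # what the 'comment' variable adds
    if armorlines > 0:
        chunks = [lines[i:i + armorlines] for i in range(0, len(lines), armorlines)]
    else:
        chunks = [lines]
    total = len(chunks)
    parts = []
    for n, chunk in enumerate(chunks, start=1):
        label = kind if total == 1 else f"{kind}, PART {n:02d}/{total:02d}"
        parts.append("\n".join([f"-----BEGIN PGP {label}-----", *headers, "", *chunk,
                                f"-----END PGP {label}-----"]) + "\n")
    return parts


def dearmor(parts: list) -> bytes:
    """Reassemble armoured parts (in order), verify the CRC-24 trailer, return the data."""
    body = []
    for text in parts:
        lines = text.splitlines()
        if not lines or not lines[0].startswith("-----BEGIN PGP "):
            raise ValueError("part does not start with a BEGIN line")
        try:
            start = lines.index("") + 1           # blank line ends the armour headers
        except ValueError:
            raise ValueError("armour headers not terminated by a blank line") from None
        for line in lines[start:]:
            if line.startswith("-----END PGP "):
                break
            body.append(line)
    if not body or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    trailer = body.pop()
    data = base64.b64decode("".join(body), validate=True)
    expected = int.from_bytes(base64.b64decode(trailer[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: the armoured text was altered in transit")
    return data


if __name__ == "__main__":
    sample = bytes(range(256)) * 3                # constructed stand-in for a binary .pgp file
    for part in armor(sample, comment="constructed example", armorlines=5):
        print(part)
    print(dearmor(armor(sample)) == sample)       # True: round trip intact
```

The CRC is a transit check only, not an integrity guarantee against a deliberate change; that is what the signature is for. Note that a mailer which rewraps or trims lines breaks the trailer check, which is the case armorlines exists to avoid.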
Decryption, signature checking, adding key files
- pgp encryptedfile [-o outputfile]
- Decrypt the encryptedfile.
-o outputfile specifies
the name to use for the decrypted file.
- pgp -d encryptedfile
- Decrypt only. Decrypt the encryptedfile,
leave the signature intact.
- pgp -m encryptedfile
- Decrypt the encryptedfile and display it on
the screen, but do not save it on the
computer's disk. Not secure (the recipient can
still copy what is on the screen), but useful
as a hint to the recipient
not to retain the
decrypted file.
- pgp signedfile [-o outputfile]
- Check the signature on the signed file.
-o outputfile specifies
the name to use for the
output file.
- pgp signaturefile originalfile
- Check detached signature. PGP
checks that the signature in the detached
signature file matches the signed
original file.
- pgp -b signedfile
- Check signed file, break away signature.
After checking the signature it is stripped
off and stored in a separate signature file.
- pgp keyfile
- Check keyfile. PGP lists the keys
in the file, then prompts whether to add them.
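The clear-signed file that -sat writes, and that "pgp signedfile" later checks, has a structure worth handling explicitly: a header line, a blank line, the readable text with any line beginning with "-" dash-escaped as "- ...", and the armoured signature appended at the end. Before the signature can be checked the text must be brought back to its canonical text-mode form (trailing blanks stripped, CRLF line ends), which is why a file that has merely picked up different line endings in the mail still verifies. The following is an added example in Python, not code from this quick reference or from PGP: the file layout follows the PGP 2.x convention as assumed here, and the RSA signature is replaced by an HMAC with a constructed key so that the block runs offline; everything else (escaping, canonicalisation, extracting the signature) is the real mechanism.

```python
import base64
import hashlib
import hmac

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Stand-in for the key pair, constructed for this example only.
# PGP itself puts an RSA signature over an MD5 digest here.
DEMO_KEY = b"constructed-demo-key"


def canonical(text: str) -> bytes:
    """Text-mode canonical form that is signed: trailing blanks stripped, CRLF line ends."""
    lines = [line.rstrip(" \t") for line in text.splitlines()]
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def dash_escape(line: str) -> str:
    """Lines starting with '-' get a '- ' prefix so they cannot be mistaken for armour lines."""
    return "- " + line if line.startswith("-") else line


def dash_unescape(line: str) -> str:
    return line[2:] if line.startswith("- ") else line


def make_signature(text: str) -> bytes:
    return hmac.new(DEMO_KEY, canonical(text), hashlib.sha256).digest()


def clearsign(text: str) -> str:
    """Produce a clear-signed file: readable text with the signature appended at the end."""
    body = [dash_escape(line) for line in text.splitlines()]
    sig = base64.b64encode(make_signature(text)).decode("ascii")
    sig_lines = [sig[i:i + 64] for i in range(0, len(sig), 64)]
    return "\n".join([BEGIN_SIGNED, "", *body, BEGIN_SIG, "Version: 2.6.3i", "",
                      *sig_lines, END_SIG]) + "\n"


def split_clearsigned(doc: str):
    """Return (message_text, signature_bytes); raise ValueError on a malformed file."""
    lines = doc.splitlines()
    if not lines or lines[0] != BEGIN_SIGNED:
        raise ValueError("not a clear-signed message")
    try:
        sig_start = lines.index(BEGIN_SIG)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("signature block missing or unterminated") from None
    head = lines[1:sig_start]
    try:
        blank = head.index("")                     # blank line separates header from text
    except ValueError:
        raise ValueError("no blank line after the signed-message header") from None
    text = "\n".join(dash_unescape(line) for line in head[blank + 1:])
    sig_block = lines[sig_start + 1:sig_end]
    try:
        blank = sig_block.index("")                # blank line ends the armour headers
    except ValueError:
        raise ValueError("armour headers in the signature block not terminated") from None
    # A line starting with '=' is the CRC-24 trailer; it is skipped in this example.
    b64 = "".join(line for line in sig_block[blank + 1:] if not line.startswith("="))
    return text, base64.b64decode(b64)


def verify_clearsigned(doc: str):
    """Return (ok, text): ok is True only if the signature matches the canonical text."""
    text, sig = split_clearsigned(doc)
    return hmac.compare_digest(sig, make_signature(text)), text


if __name__ == "__main__":
    message = "Dear all,\n-- this line starts with a dash\nTotal: 42   \n"   # constructed
    signed = clearsign(message)
    print(signed)
    print(verify_clearsigned(signed)[0])                          # True
    print(verify_clearsigned(signed.replace("42", "43"))[0])      # False: text altered
```

The two failure modes a checker must get right are shown by the last two lines: a change to the text fails, while a change only to trailing whitespace or line endings still passes because the canonical form is what was signed.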
Key Management
If you do not specify a key ring in a key management command, the
command operates on the default public key ring.
- pgp -k
- Display the key management commands.
- pgp -kg
- Key Generate: Create a new public key/secret
key pair.
- pgp -km [keyring]
- Key Maintenance: Perform a
maintenance pass, then display the
Web of Trust.
- pgp -ke [userID] [keyring]
- Key Edit: Edit your pass phrase, add a new
userID to your key, or change the trust of
someone else's public key.
- pgp -ka keyfile [keyring]
- Key Add: Add the keys in keyfile to keyring.
- pgp -kr [userID] [keyring]
- Key Remove: Remove a key from keyring; PGP will
prompt for the necessary input. Also
used to remove a userID from a
public key.
- pgp -kv [userID] [keyring]
- Key View: View the contents of keyring. If
userID is specified, lists only that user's keys.
- pgp -kvv [userID] [keyring]
- Key View Verbose: View the contents of keyring
and show who signed each key. If userID is
specified, list only that user's keys.
- pgp -kc [userID] [keyring]
- Key Check: View the contents of the key ring,
check the signatures, and show the trust in
each signature. If a backup ring
is specified (in the
BAKRING configuration variable),
compare the keys on the backup ring with the
keys on the primary ring. If userID is specified,
check only that user's keys.
- pgp -kvc [userID] [keyring]
- Key View and Check: View the contents of
keyring and display each key's
fingerprint. If userID is
specified, check only that user's
keys. Used to verify a key via a
tamper-proof route.
- pgp -ks userID [-u anotherID] [keyring]
- Key Sign: Sign and certify userID's key with
your secret key (or with anotherID); PGP will
prompt for userID if omitted.
- pgp -krs userID [keyring]
- Key Remove Signature: Remove a signature
from userID's public key.
- pgp -kx userID keyfile [keyring]
- Key Extract: Copy userID's key out of keyring
into a separate keyfile; PGP will prompt for the
necessary input.
- pgp -kxa userID keyfile [keyring]
- Key Extract ASCII: Copy userID's key out of
keyring into a separate ASCII armoured keyfile.
- pgp -kd userID [keyring]
- Key Disable: Revoke or disable a key.
Environment Variables
- PGPPASS
- Holds your pass phrase.
PGPPASS stops PGP
requesting the pass phrase when
encryption or document signing
requires it. Extremely dangerous: it is very
easy for someone else to learn your pass
phrase by looking at your environment
variables. Do not use.
- PGPPASSFD
- Specifies a file descriptor from which your pass
phrase should be read (an advanced PGP
feature normally used with UNIX shell scripts).
As above: do not use.
- PGPPATH
- Specifies the directory used to store PGP files
(pubring.pgp,
secring.pgp, randseed.bin,
config.txt, language.txt).
- TMP
- Specifies the directories used to store PGP's
temporary files (if the TMP option is not set in
the configuration file).
- TZ
- Specifies your current time zone (DOS only).
Configuration variables
You can specify configuration variables in the configuration file
(config.txt) or on the command line. The command line overrides
the configuration file. For example
pgp -sat message +clearsig=on
Default values are shown in brackets (...).
- AutoSign (ON)
- Sign new userIDs: automatically
sign a new key when it is generated.
Leave on, as a key should always be
self-signed. I have seen too many keys
that have no signatures, often from
people who should know better.
- armor (OFF)
- Use ASCII armor for messages. Use
-a option to turn on.
- armorlines (0)
- Maximum number of lines per armoured
output file. Some mailers place a
limit on the number of
lines in any one message; when
armorlines is set, a message that
exceeds it is sent as a series
of numbered parts. The default,
armorlines=0, turns splitting off.
- bakring (none)
- Location of backup copy of secret key
ring. This can be specified when
performing a complete keyring check -kc to
ensure that the keyrings have not become
corrupted, though it is just as easy to
perform a file comparison check on the files.
- cert-depth (4)
- Levels of introducers permitted to certify a key.
- charset ("noconv")
- Character set to use
(ascii, alt-codes, latin-1, koi8, cp850).
- clearsig (ON)
- Append signatures to the end of
signed text files, leaving the text
readable. Applies when using -sat.
- comment ("")
- An optional comment to place in every
ASCII-armored file.
- completes_needed (1)
- Number of completely trusted signatures needed
to make a key valid.
- compress (ON)
- Compresses files before
encrypting. Removes redundancy
and reduces file size. Always
leave on.
- encrypttoself (OFF)
- Also encrypt every outgoing message to
your own key, so that you can read your
sent copies. Do not use: it is extremely
dangerous, as pressure can be exerted on the
sender to reveal the message.
- interactive (OFF)
- Asks for confirmation before adding new
keys. It can be useful to have this left on.
- keepbinary (OFF)
- Keep the intermediate binary .pgp file when
producing ASCII-armoured output. By default
intermediate binary files are not kept.
- language ("en")
- Language of PGP prompts and messages. Default English.
Additional language modules
are available.
- Legal_Kludge (ON)
- Enable the backwards-compatible format, allowing
earlier PGP formats to be used. A standard
feature of International versions of PGP.
- marginals_needed (2)
- Number of marginally trusted signatures
needed to make a key valid.
- myname ("")
- Default User ID to use for secret key. Equivalent
to -u option. Necessary if you
wish to use an ID other than the default
(the last on the keyring).
- nomanual (OFF)
- Generate key pairs without requiring that the
PGP user documentation be on
disk. This variable does not appear in
the configuration file; the manual check can only be
disabled on the command line.
That is, the default is for the
manuals to always be present.
- pager ("")
- Paging program for the -m option: an
external utility for displaying output,
for example the list utility.
- pkcs_compat (1)
- Non-standard format for
message digests and
session keys (for compatibility with old PGP versions).
- pubring ($PGPPATH/pubring.pgp)
- Location of default public key ring.
- randseed ($PGPPATH/randseed.bin)
- Location of random number seed file.
- secring ($PGPPATH/secring.pgp)
- Location of secret key ring.
- showpass (OFF)
- Echoes user's pass phrase. Always leave off,
unless you wish the world and his dog to see your
pass phrase.
- textmode (OFF for DOS and UNIX, ON for VAX/VMS)
- Plaintext files are text files.
Turn on with -t option on the
command line.
- tmp ("")
- Location of temporary file
directory. Overridden by the
environment variable TMP.
- tzfix (none)
- Increment added when setting the time; an alternative to
the TZ environment variable. Use TZ for time zone settings.
The only time this is likely to be required is
if PGP is being run from floppy on a shared system
and access to the system files is not permitted.
- verbose (1)
- Amount of information PGP displays (0 only
prompts and errors, 1 normal, 2 debugging
information).
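The three variables completes_needed, marginals_needed and cert-depth together decide which public keys PGP treats as valid, and the interaction is easier to see in code than in prose. A key becomes valid when it carries certifying signatures from enough valid introducers: completes_needed signatures from completely trusted keys, or marginals_needed from marginally trusted ones; your own ultimately trusted key sits at depth 0, keys you certify yourself at depth 1, and a valid key may introduce others only while its depth does not exceed cert-depth, so cert-depth 0 means you must certify every key yourself. The following is an added example in Python, not code from this quick reference or from PGP; the defaults match the values given above, the exact way PGP 2.6 combines its checks is simplified to the rule just stated, and the key ring is constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Key:
    uid: str
    trust: str = "unknown"               # owner-trust you assigned: ultimate, complete, marginal, none, unknown
    signed_by: frozenset = frozenset()   # uids of the keys whose certifying signatures it carries


def compute_validity(keys: dict, completes_needed: int = 1, marginals_needed: int = 2,
                     cert_depth: int = 4) -> dict:
    """Return {uid: depth} for every key judged valid (depth 0 is your own key).

    Simplified model (an assumption of this example): a key is valid if signed
    by >= completes_needed complete/ultimate introducers or >= marginals_needed
    marginal ones, and only valid keys no deeper than cert_depth may introduce.
    """
    valid = {uid: 0 for uid, key in keys.items() if key.trust == "ultimate"}
    for depth in range(cert_depth + 1):
        # Introducers usable at this level: valid keys no deeper than `depth`.
        introducers = {uid for uid, d in valid.items() if d <= depth}
        for uid, key in keys.items():
            if uid in valid:
                continue
            completes = marginals = 0
            for signer in key.signed_by & introducers:
                if signer == uid:
                    continue              # a self-signature says nothing about validity
                trust = keys[signer].trust
                if trust in ("ultimate", "complete"):
                    completes += 1
                elif trust == "marginal":
                    marginals += 1        # "none"/"unknown" signers contribute nothing
            if completes >= completes_needed or marginals >= marginals_needed:
                valid[uid] = depth + 1    # minimal depth, since levels are processed in order
    return valid


# Constructed key ring: trust values are what the owner assigned with -ke.
SAMPLE_KEYRING = {k.uid: k for k in [
    Key("me", "ultimate"),
    Key("alice", "complete", frozenset({"me"})),
    Key("bob", "marginal", frozenset({"me"})),
    Key("carol", "marginal", frozenset({"me"})),
    Key("dave", "none", frozenset({"bob", "carol"})),       # two marginals: valid, but not an introducer
    Key("erin", "unknown", frozenset({"bob"})),              # one marginal only: not valid
    Key("frank", "unknown", frozenset({"alice"})),           # one complete: valid
    Key("grace", "unknown", frozenset({"dave", "frank"})),   # signers are valid but untrusted: not valid
]}


if __name__ == "__main__":
    for uid, depth in sorted(compute_validity(SAMPLE_KEYRING).items()):
        print(f"{uid:6s} valid at depth {depth}")
    print("with cert_depth=0:", sorted(compute_validity(SAMPLE_KEYRING, cert_depth=0)))
```

Two things the run makes visible: validity (can I use this key?) and trust (may this key vouch for others?) are separate properties, which is why dave's key is valid while grace's is not; and lowering cert-depth to 0 drops dave and frank, since the only introducer left is you.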
File Extensions
- txt
- Text file (before encryption).
- pgp
- Binary PGP file (after encryption), used for key
rings and encrypted messages.
- asc
- ASCII-armored file (created with -a option).
- bin
- Used for PGP's
randseed.bin file (created with the
-kg option). This is washed
and laundered after use; nevertheless it is best
protected from exposure.
Notes
Simson Garfinkel
has a pretty good crib card at the back of his book
PGP: Pretty Good Privacy. This proved the
inspiration for this Quick Reference.
Kurt Huwig has produced
the
ultimate one line crib sheet.
I'm grateful to Kurt for
highlighting the undocumented -km which I have found very useful.
My primary source
was the documentation distributed with the International version
of PGP, plus my own experience of using PGP.
Web page designers may wish to read my
HTML 3.2 Quick Reference.
(c) Keith Parkins 1996-1997 --
April rev 11