PGP Quick Reference


For many users, especially novice users and those unfamiliar with DOS or UNIX, the cryptic UNIX commands make PGP difficult to use. Windows front ends (or a Windows version) are not the answer as they cripple the security which is the rationale for using PGP.

To help such users (maybe even experienced users) I have created this quick reference, which is loosely based on the crib card at the back of PGP: Pretty Good Privacy, Simson Garfinkel's excellent guide to PGP.

Square brackets [ ] indicate optional parameters; do not type the square brackets.

PGP Help

pgp -h
Help: Display a summary of PGP's encryption, decryption, and digital signature options.
pgp -?
Help: Display a summary of PGP's encryption, decryption, and digital signature options.
pgp -k
Key: Display a summary of PGP's key management options.

Encryption

pgp -c myfile
Cypher: Encrypt myfile with conventional (private key) cryptography.
pgp -cw myfile
Cypher and Wipe: Encrypt myfile and erase the original plaintext file. Warning: -w leaves evidence that myfile existed.
pgp -ca myfile
Cypher ASCII: Encrypt myfile with conventional cryptography, then encode it in ASCII Radix 64 so you can e-mail it. Though I can't see why you'd want to do this - makes more sense to use -ea.
pgp -caw myfile
Cypher, ASCII and Wipe: Encrypt myfile, encode it in ASCII, and erase the original plaintext.
pgp -e message userID
Encrypt: Encrypt the message file with userID's public key. You can specify multiple userIDs to encrypt for several people. Only the userID can read the encrypted file.
pgp -ew message userID
Encrypt and Wipe: Encrypt the message file with userID's public key and erase the original message. Warning: -w leaves evidence that message existed.
pgp -eat message userID
Encrypt, ASCII and Text: Encrypt the message file with userID's public key, make the result ASCII and retain the text structure. You can specify multiple userIDs.
pgp -eatf userID
Encrypt, ASCII, Text, Filter: Encrypt the message (read from standard input) with userID's public key, make the result ASCII and retain the text structure. You can specify multiple userIDs.

Digital Signatures

pgp -s message [-u myID]
Sign: Sign the message file with your secret key. Use -u myID to specify which secret key to use to create the signature.
pgp -sb message [-u myID]
Sign By itself: Create a signature certificate for message that is in a file by itself. Use -u myID to specify which secret key to use to create the signature. This is used to sign a binary file such as an executable file or a file in a proprietary format.
pgp -sat message [-u myID]
Sign, ASCII, Text: Used to clear-sign a text file. With clearsig=on the signature is appended to the end of the file and the text itself stays readable, so others can read the file.
pgp -se message userID [-u myID]
Sign and Encrypt: Sign the message file with your secret key, then encrypt it with userID's public key. Use -u myID to specify which secret key to use to create the signature.
pgp -sea message userID
Sign and Encrypt with ASCII: Sign the message file with your secret key, encrypt it for userID, and ASCII armour the result so that it can be e-mailed.
pgp -seat message userID [-u myID]
Sign and Encrypt with ASCII and Text: Sign the message file with your secret key, encrypt it for userID, and make the result ASCII and preserve the text structure. Use -u myID to specify which secret key to use to create the signature.
pgp -seaw message userID
Sign and Encrypt with ASCII, then Wipe: Sign the message file with your secret key, encrypt it for userID, wrap in ASCII armour, and erase the original message.

Options

Specify in conjunction with other options.

-a
ASCII Armour: Code all PGP output files in printable ASCII characters using Radix 64. -a can be used on its own to convert any file to ASCII-armoured. Note that -ka is Key Add, not -k combined with -a.
-f
Filter: Read files from standard input and write files to standard output. Useful if you wish to output key check, signatures or fingerprints to a file.
-m
More: When decrypting, display the decrypted file on the screen but do not save it to disk. When encrypting, tell the recipient not to save the unencrypted file contents. When viewing key contents, display a screen at a time.
-o outputfile
Output: Specify the name to use for the decrypted file.
-p encryptedfile
Preserve: Restore original file name.
-t
Text: Considers all PGP plaintext files to be text files. Preserves the internal text structure and converts to local text conventions.
-u myID
User: Specify which secret key to use to create a signature.
-w
Wipe: Erase the original plaintext file after encryption. May also be used on its own for secure file deletion. Warning: it leaves tell-tale signs of where the file resided and is not all that secure.
-@ userIDfile
Specify additional userIDs when encrypting; these are read from the userID file. New with version 2.6.3i.
-z "pass phrase"
Specify your pass phrase. For those users who have difficulty typing in their pass phrase when prompted. Highly dangerous, do not use.
+batchmode
Batch mode: suppress interactive prompts so that batch files and scripts can rely on the errorlevel (exit status) PGP returns.
+force
Force YES to all responses.

Decryption, signature checking, adding key files

pgp encryptedfile [-o outputfile]
Decrypt the encryptedfile. -o outputfile specifies the name to use for the decrypted file.
pgp -d encryptedfile
Decrypt only: Decrypt the encryptedfile but leave the signature intact.
pgp -m encryptedfile
Decrypt the encryptedfile and display it on the screen, but do not save it on the computer's disk. Not secure, but useful as a hint to the recipient not to retain the decrypted file.
pgp signedfile [-o outputfile]
Check the signature on the signed file. -o outputfile specifies the name to use for the output file.
pgp signaturefile originalfile
Check detached signature. PGP checks that the signature in the detached signature file matches the signed original file.
pgp -b signedfile
Check signed file, break away signature. After checking the signature it is stripped off and stored in a separate signature file.
pgp keyfile
Check keyfile. PGP notifies the user of the keys in the file, then prompts to add.

Key Management

If you do not specify a key ring in a key management command, the command operates on the default public key ring.

pgp -k
Display the key management commands.
pgp -kg
Key Generate: Create a new public key/secret key pair.
pgp -km [keyring]
Key Maintenance: Perform a maintenance pass, then display the Web of Trust.
pgp -ke [userID] [keyring]
Key Edit: Edit your pass phrase, add a new userID to your key, or change the trust of someone else's public key.
pgp -ka keyfile [keyring]
Key Add: Add the keys in keyfile to keyring.
pgp -kr [userID] [keyring]
Key Remove: Remove a key from keyring; will prompt for necessary input. Also used to remove a userID from a public key.
pgp -kv [userID] [keyring]
Key View: View the contents of keyring. If userID is specified, lists only that user's keys.
pgp -kvv [userID] [keyring]
Key View Verbose: View the contents of keyring and show who signed each key. If userID is specified, lists only that user's keys.
pgp -kc [userID] [keyring]
Key Check: View the contents of the key ring, check the signatures, and show the trust in each signature. If a backup ring is specified (in the BAKRING configuration variable), compare the keys on the backup ring with the keys on the primary ring. If userID is specified, checks only that user's keys.
pgp -kvc [userID] [keyring]
Key View and Check: View the contents of keyring and display each key's electronic fingerprint. If userID is specified, check only that user's keys. Used to verify a key via a tamper-proof route.
pgp -ks userID [-u anotherID] [keyring]
Key Sign: Sign and certify userID's key with your secret key (or with anotherID), will prompt for userID if omitted.
pgp -krs userID [keyring]
Key Remove Signature: Remove a signature from userID's public key.
pgp -kx userID keyfile [keyring]
Key Extract: Copy userID's key out of keyring into a separate keyfile, will prompt for necessary input.
pgp -kxa userID keyfile [keyring]
Key Extract ASCII: Copy userID's key out of keyring into a separate ASCII armoured keyfile.
pgp -kd userID [keyring]
Key Disable: Revoke or disable a key.
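The -kvc entry above describes verifying a key's fingerprint via a tamper-proof route. As an added example (not from this reference or from PGP itself), a small sh script that compares the fingerprint printed by pgp -kvc with one read out to you over the phone or from a business card; the -kvc output, keyID and fingerprint below are constructed sample values in the layout assumed for PGP 2.6.

```shell
#!/bin/sh
# Added example (not part of the original reference): check the fingerprint
# shown by "pgp -kvc" against one obtained over a tamper-proof route.
# The sample output is constructed in the layout PGP 2.6 is assumed to print:
# a "pub" line followed by a "Key fingerprint =" line.

sample_kvc_output() {  # stand-in for: pgp -kvc "Example User"
    cat <<'EOF'
Type bits/keyID    Date       User ID
pub  1024/0A1B2C3D 1997/04/11 Example User <user@example.invalid>
          Key fingerprint = 3F 7A 19 C2 5D 88 E1 04  B6 2C 9A 70 D5 1E 66 AB
EOF
}

kvc_fingerprint() {  # $1 = keyID; reads -kvc output on stdin and prints the
                     # fingerprint as 32 uppercase hex digits (nothing if absent)
    awk -v id="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" && index(toupper($2), "/" id) { want = 1; next }
        want && /Key fingerprint =/ { sub(/.*= */, ""); gsub(/[ \t]/, ""); print toupper($0); exit }
        { want = 0 }'
}

normalize_fpr() {  # accept "3f 7a ...", "3F:7A:..." etc. from the other party
    printf '%s' "$1" | tr -d ' :\t\r\n' | tr 'a-f' 'A-F'
}

fingerprint_matches() {  # $1 = keyID, $2 = fingerprint read out of band; stdin = -kvc output
    have=$(kvc_fingerprint "$1"); want=$(normalize_fpr "$2")
    # A PGP 2.6 (RSA/MD5) fingerprint is 16 bytes = 32 hex digits; reject anything else
    case "$want" in
        *[!0-9A-F]*|"") return 1 ;;
    esac
    [ ${#want} -eq 32 ] && [ "$have" = "$want" ]
}

# usage: pgp -kvc "Example User" | fingerprint_matches 0A1B2C3D "3F 7A 19 ..." && echo "fingerprint verified"
```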

Environment Variables

PGPPASS
Holds your pass phrase. PGPPASS stops PGP requesting the pass phrase when encryption or document signing is required. Extremely dangerous: it is very easy for someone else to learn your pass phrase by looking at your environment variables. Do not use.
PGPPASSFD
Specifies a file descriptor from which your pass phrase should be read (an advanced PGP feature normally used with UNIX shell scripts). As above - do not use.
PGPPATH
Specifies the directory used to store PGP files (pubring.pgp, secring.pgp, randseed.bin, config.txt, language.txt).
TMP
Specifies the directory used to store PGP's temporary files (if the TMP option is not set in the configuration file).
TZ
Specifies your current time zone (DOS only).

Configuration variables

You can specify configuration variables in the configuration file (config.txt) or on the command line. The command line overrides the configuration file. For example:
	pgp -sat message +clearsig=on

Default values are shown in brackets (...).

AutoSign (ON)
Sign new userIDs. Will automatically sign a new key when it is generated. Leave on as a key should always be self-signed. I have seen too many keys that have no signatures, often from people who should know better.
armor (OFF)
Use ASCII armor for messages. Use -a option to turn on.
armorlines (0)
Maximum number of lines in an e-mail message. Some mailers place a limit on the number of lines in any one message; if armorlines is set, a longer message is sent as a series of packets. The default, armorlines=0, turns this off.
bakring (none)
Location of backup copy of secret key ring. This can be specified when performing a complete keyring check -kc to ensure that the keyrings have not become corrupted, though it is just as easy to perform a file comparison check on the files.
cert-depth (4)
Levels of introducers permitted to certify a key.
charset ("noconv")
Character set to use (ascii, alt-codes, latin-1, koi8, cp850).
clearsig (ON)
Append signatures on text files to the end of the files. Applies when -sat.
comment ("")
An optional comment to place in every ASCII-armored file.
completes_needed (1)
Number of completely trusted signatures needed to make a key valid.
compress (ON)
Compresses files before encrypting. Removes redundancy and reduces file size. Always leave on.
encrypttoself (OFF)
Automatically sends copies of all encrypted messages to self. Do not use. Extremely dangerous: pressure can be exerted on the sender to reveal the message.
interactive (OFF)
Asks for confirmation before adding new keys. It can be useful to turn this on.
keepbinary (OFF)
Keep the intermediate binary .pgp files that PGP creates. The default is not to keep them.
language ("en")
Language of PGP prompts and messages. Default English. Additional language modules are available.
Legal_Kludge (ON)
Enable backwards-compatible format. Allows earlier formats to be used. A standard feature of International versions of PGP.
marginals_needed (2)
Number of marginally trusted signatures needed to make a key valid.
myname ("")
Default User ID to use for secret key. Equivalent to -u option. Necessary if you wish to use an ID other than the default (the last on the keyring).
nomanual (OFF)
Generates key pairs without requiring that the PGP user documentation be on disk. This does not appear in the configuration file, and the manual check can only be disabled on the command line; that is, the default is for the manuals to always be present.
pager ("")
Paging program for -m option. An external utility for display of output, for example list.
pkcs_compat (1)
Non-standard format for message digests and session keys (for old PGP versions).
pubring ($PGPPATH/pubring.pgp)
Location of default public key ring.
randseed ($PGPPATH/randseed.bin)
Location of random number seed file.
secring ($PGPPATH/secring.pgp)
Location of secret key ring.
showpass (OFF)
Echoes user's pass phrase. Always leave off, unless you wish the world and his dog to see your pass phrase.
textmode (OFF for DOS and UNIX, ON for VAX/VMS)
Plaintext files are text files. Turn on with -t option on the command line.
tmp ("")
Location of temporary file directory. Overridden by the environment variable TMP.
tzfix (none)
Increment for setting time. Alternative to the TZ environment variable; use TZ for time zone settings. The only time this is likely to be required is if PGP is being run from floppy on a common system and access to the system files is not permitted.
verbose (1)
Amount of information PGP displays (0 only prompts and errors, 1 normal, 2 debugging information).
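As an added example (not part of this reference), a small sh pre-flight script that checks for the dangers flagged in the Environment Variables and Configuration variables sections before pgp is run: PGPPASS or PGPPASSFD set in the environment, showpass or encrypttoself turned on, compress turned off, and a secring.pgp readable by other users. It assumes config.txt consists of keyword = value lines with # comments, and that yes and true are accepted as synonyms for on.

```shell
#!/bin/sh
# Added example (not part of the original reference): a pre-flight audit for a
# PGP 2.6.x installation, checking the environment variables and config.txt
# settings this reference warns about before pgp is run.
# Assumes $PGPPATH/config.txt uses "keyword = value" lines with '#' comments.

is_on() {  # on/yes/true are assumed to be accepted synonyms for boolean variables
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in on|yes|true) return 0 ;; *) return 1 ;; esac
}

config_get() {  # $1 = config.txt, $2 = variable name, $3 = default when unset
    [ -f "$1" ] || { printf '%s\n' "$3"; return 0; }
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                                  # strip comments
        index($0, "=") {
            n = index($0, "="); k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t"]/, "", k); gsub(/[ \t"]/, "", v)
            if (tolower(k) == want) last = v                # later lines win
        }
        END { if (last == "") last = def; print last }' "$1"
}

pgp_preflight() {  # $1 = PGP directory; defaults to $PGPPATH, then the current directory
    dir="${1:-${PGPPATH:-.}}"; cfg="$dir/config.txt"; rc=0
    # PGPPASS and PGPPASSFD expose the pass phrase (see Environment Variables): refuse
    [ -z "${PGPPASS+set}" ]   || { echo "unsafe: PGPPASS is set in the environment";   rc=1; }
    [ -z "${PGPPASSFD+set}" ] || { echo "unsafe: PGPPASSFD is set in the environment"; rc=1; }
    # Variables the reference says to leave off (both default OFF) ...
    for bad in showpass encrypttoself; do
        if is_on "$(config_get "$cfg" "$bad" off)"; then echo "unsafe: $bad is on in $cfg"; rc=1; fi
    done
    # ... and one it says to always leave on (default ON)
    is_on "$(config_get "$cfg" compress on)" || echo "warning: compress is off in $cfg"
    # secring.pgp holds the secret key: group and other permission bits must be clear (UNIX)
    if [ -f "$dir/secring.pgp" ]; then
        perms=$(ls -l "$dir/secring.pgp" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "unsafe: $dir/secring.pgp is accessible to other users"; rc=1; }
    fi
    return $rc
}

# usage: . ./pgp_preflight.sh && pgp_preflight && pgp -seat message userID
```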

File Extensions

txt
Text file (before encryption).
pgp
Binary PGP file (after encryption), used for key rings and encrypted messages.
asc
ASCII-armored file (created with -a option).
bin
Used for PGP's randseed.bin file (created with -kg option). This is washed and laundered after use; nevertheless it is best protected from exposure.

Notes

Simson Garfinkel has a pretty good crib card at the back of his book PGP: Pretty Good Privacy. This proved the inspiration for this Quick Reference. Kurt Huwig has produced the ultimate one line crib sheet. I'm grateful to Kurt for highlighting the undocumented -km which I have found very useful. My primary source was the documentation distributed with the International version of PGP, plus my own experience of using PGP.

Web page designers may wish to read my HTML 3.2 Quick Reference.

(c) Keith Parkins 1996-1997 -- April rev 11