PGP Command Line 10.3.2 build 12316
Copyright (C) 2014 Symantec Corporation. All rights reserved.
All rights reserved.
Use of this product is subject to license terms.
This Symantec product may contain open source and other third party materials
that are subject to a separate license. Please see the applicable Third Party
Notice at http://www.symantec.com/about/profile/policies/eulas/.
Commands:
Generic:
--agent start the PGP agent (used for passphrase caching)
--create-keyrings create empty keyring files
-h --help this help message
--purge-all-caches purge all the caches
--purge-keyring-cache purge the keyring cache
--purge-passphrase-cache purge the passphrase cache
--speed-test run the speed tests
--version show version information
Cryptographic:
-a --armor armor data
--clearsign clearsign data
--decrypt decrypt data
-b --detached sign data and create a detached signature
--dump-packets list the packets in a PGP message
-e --encrypt encrypt data
--export-session-key get the session key out of an encrypted message
--list-archive list the contents of a PGP archive
--list-sda list the contents of a self decrypting archive
-s --sign sign data
-c --symmetric encrypt data with a symmetric cipher
--verify verify PGP data
-w --wipe securely delete data
Key List:
--fingerprint list key fingerprints
--fingerprint-details list key fingerprints in detailed format
--list-key-details list keys in detailed format
-l --list-keys list keys in the basic format
--list-keys-xml list keys in XML format
--list-sig-details list signatures in detailed format
--list-sigs list keys, user IDs, and sigs in the basic format
--list-userids list keys and user IDs in the basic format
Key Maintenance:
--check-sigs check the signatures on the local keyring
--check-userids check the user IDs on the local keyring
Key Edit:
--add-adk add an ADK to a key
--add-photoid add a photo ID to a key
--add-revoker add a revoker to a key
--add-userid add a user ID to a key
--cache-passphrase cache the passphrase of a key
--change-passphrase change the passphrase of a key
--disable disable a key
--enable enable a key
--export export key(s)
--export-key-pair export key pair(s)
--export-photoid export a photo ID from a key
--gen-key generate a key or key pair
--gen-subkey generate a subkey
--get-email-encoding get the email encoding to be used with a key
--import import key(s)
--remove remove a key
--remove-adk remove an ADK from a key
--remove-all-adks remove all ADKs from a key
--remove-all-photoids remove all photo IDs from a key
--remove-all-revokers remove all revokers from a key
--remove-expiration-date remove the expiration date from a key
--remove-key-pair remove a key pair
--remove-photoid remove a photo ID from a key
--remove-preferred-keyserver remove a preferred keyserver from a key
--remove-revoker remove a revoker from a key
--remove-sig remove a signature from a user ID
--remove-subkey remove a subkey
--remove-userid remove a user ID from a key
--revoke revoke a key pair
--revoke-sig revoke a signature on a user ID
--revoke-subkey revoke a subkey
--set-expiration-date set the expiration date of a key
--set-preferred-keyserver set the preferred keyserver on a key
--set-primary-userid set a user ID on a key to be primary for that key
--set-trust set the trust level of a key
--sign-key certify every user ID on a key
--sign-userid certify a specific user ID on a key
Key Edit (advanced):
--add-preferred-cipher add a preferred cipher to a key
--add-preferred-compression-algorithm add a compression algorithm to a key
--add-preferred-email-encoding add a preferred email encoding to a key
--add-preferred-hash add a preferred hash to a key
--clear-key-flag clear one of the key preferences flags
--gen-revocation generate a revocation certificate for a key
--join-key join a previously split key
--join-key-cache-only temporarily join a previously split key
--key-recon-recv reconstruct a secret key
--key-recon-recv-questions query key reconstruction questions
--key-recon-send send key reconstruction data to a server
--remove-preferred-cipher remove a preferred cipher from a key
--remove-preferred-compression-algorithm remove a compression algorithm
--remove-preferred-email-encoding remove a preferred email encoding
--remove-preferred-hash remove a preferred hash from a key
--send-shares send shares to a server joining a key
--set-key-flag set one of the key preferences flags
--set-preferred-ciphers set the preferred cipher list for a key
--set-preferred-compression-algorithms set the compression algorithm list
--set-preferred-email-encodings set the preferred email encodings on a key
--set-preferred-hashes set the preferred hash list for a key
--split-key split a private key into shares
Keyserver:
--keyserver-disable disable keys on a keyserver
--keyserver-recv add keys from a keyserver to the local keyring
--keyserver-remove remove keys from a keyserver
--keyserver-search search for keys on a keyserver
--keyserver-send send keys to a keyserver
--keyserver-update synchronize keys with a keyserver
Key Management:
--check-cert-validity ask a KMS whether a given cert is valid
--create-consumer create a consumer object
--create-mak create a managed asymmetric key (MAK)
--create-mek create a managed encryption key (MEK)
--create-mek-series create a MEK series
--create-msd create a managed secure data object (MSD)
--delete-mak delete a MAK from server
--delete-mek-series delete a MEK series from server
--delete-msd delete an MSD from server
--edit-mak edit a MAK
--edit-mek edit a MEK
--edit-mek-series edit a MEK series
--edit-msd edit an MSD
--export-mak export public portion of a MAK to file
--export-mak-pair export a MAK to file
--export-mek export a MEK to file
--export-msd export an MSD to plain-text file
--import-mak manage an existing asymmetric key
--import-mek manage an existing symmetric key
--request-cert request a certificate for a MAK
--search-consumer search server for consumer
--search-mak search server for MAK
--search-mek search server for MEK
--search-mek-series search server for MEK series
--search-msd search server for MSD
--usp-cache-auth cache authentication credentials for a KMS
--usp-clear-cache clear cached authentication credentials for a KMS
License:
--license-authorize authorize a license number for use
Options:
Boolean:
--always-trust treat all keys as trusted
--annotate annotate email data
--anonymize hide recipient key IDs
--archive use archive mode
--banner show a banner for every invocation
--brief only display UUID of KMS search results
--biometric show biometric output
--buffered-stdio buffer stdin and stdout operations in memory
--compress use compression
-d --debug show debug messages
--details show detailed output from search/list
--email treat input/output as email data
--encrypt-to-self attempt to encrypt to the default key
--eyes-only for your eyes only mode (do not write output)
--fast-key-gen fast key generation (canned primes)
--fips-mode run in FIPS mode
-f --force required for some dangerous operations
--import-certificates import pending certificate requests to MAK
--halt-on-error stop on error for multiple I/O operations
--keyring-cache use the keyring cache
--large-keyrings use large keyring mode
--local-mode run in local mode
--marginal-as-valid treat marginally valid keys as valid
--master-key use the master key for this operation
--pass-through pass through non-PGP data during decode
--passphrase-cache use the passphrase cache
--photo match a photo ID
-q --quiet show only error messages
--recursive use recursive mode
--reverse-sort reverse sort
--sda use SDA mode
--skep use SKEP when joining split keys
-t --textmode force the input to canonical text mode
--truncate-passphrase truncate passphrases at the first newline
-v --verbose show verbose messages
--warn-adk warn when using ADKs
--wrapper-key use a wrapper key for this operation
--xml show user output in XML format
Integer:
--3des precedence of the 3DES cipher algorithm
--aes128 precedence of the AES-128 cipher algorithm
--aes192 precedence of the AES-192 cipher algorithm
--aes256 precedence of the AES-256 cipher algorithm
--blowfish precedence of the Blowfish cipher algorithm
--bzip2 precedence of the BZIP2 compression algorithm
--cast5 precedence of the CAST5 cipher algorithm
--creation-days number of days before start of validity
--encryption-bits encryption key size
--expiration-days number of days until expiration
--idea precedence of the IDEA cipher algorithm
--index match a specific index
--keyring-cache-timeout keyring cache timeout
--keyserver-timeout keyserver timeout
--md5 precedence of the MD5 hash algorithm
--partitioned precedence of the partitioned email encoding
--passphrase-cache-timeout passphrase cache timeout
--pgpeml precedence of the PGPEML email encoding
--pgp-mime precedence of the PGP-MIME email encoding
--ripemd160 precedence of the RIPEMD-160 hash algorithm
--sha precedence of the SHA-1 hash algorithm
--sha256 precedence of the SHA-256 hash algorithm
--sha384 precedence of the SHA-384 hash algorithm
--sha512 precedence of the SHA-512 hash algorithm
--signing-bits signing key size
--signing-subkey-bits signing subkey size
--skep-timeout timeout for joining keys over the network (SKEP)
--threshold minimum share threshold when splitting keys
--trust-depth signature trust depth
--twofish precedence of the Twofish cipher algorithm
--uncompressed precedence of the "none" compression algorithm
--usp-port specify the port number for the KMS
--validity-duration new validity duration for MEK series
--wipe-input-passes set the number of wipe passes for input files
--wipe-overwrite-passes set the number of wipe passes for overwrite
--wipe-passes set the number of wipe passes
--wipe-temp-passes set the number of wipe passes for temp files
--zip precedence of the ZIP compression algorithm
--zlib precedence of the ZLIB compression algorithm
Enumeration:
--auto-import-keys off | merge | new | all
--cipher idea | 3des | cast5 | blowfish | aes128 | aes192 | aes256 | twofish
--compression-algorithm zip | zlib | bzip2 | uncompressed
-z --compression-level default | fastest | balanced | smallest
--email-encoding pgpmime | partitioned | pgpeml
--enforce-adk off | attempt | require
--export-format compatible | complete | x509-cert | pkcs8 | pkcs12 | csr
--hash md5 | sha | ripemd160 | sha256 | sha384 | sha512
--import-format auto | pgp | x509-cert | pkcs7 | pkcs12
--input-cleanup off | remove | wipe
--key-flag sign-userids | sign-messages | encrypt-storage | encrypt-communications | sign | encrypt | encrypt-and-sign | no-modify | modification-detection | private-shared
--key-type dh | rsa | rsa-sign-only | dh-sign-only
--manual-import-keys off | merge | new | all
--manual-import-key-pairs off | public | pair
--overwrite off | remove | rename | wipe
--sig-type local | exportable | meta-introducer | trusted-introducer
--sort-order any | keysize | subkeysize | keyid | userid | validity | trust | expiration | creation | email
--tar-cache-cleanup off | remove | wipe
--target-platform win32 | linux | solaris | aix | hpux | osx
--temp-cleanup off | remove | wipe
--trust never | marginal | complete | implicit
String:
--auth-key key for server authentication
--auth-passphrase passphrase for server authentication
--auth-username username for server authentication
--basic-constraint basic constraint flag for X.509 CSR
--cert-file file containing CSR to submit
--city city for X.509 CSR
--comment armor block comment string
--common-name common name for X.509 CSR
--contact-email contact email address for X.509 CSR
--country country for X.509 CSR
--creation-date creation date (YYYY-MM-DD)
--decrypt-with MAK to use for decryption
--default-key default signing key
--delim delimiter between objects in KMS search results
--end-of-life end of life (YYYY-MM-DD)
--expiration-date expiration date (YYYY-MM-DD)
--export-passphrase passphrase to use for key export operations
--extended-key-usage extended key usage flag for X.509 CSR
--field-delim delimiter between fields in KMS search results
--home-dir home directory location
--key-mode new key mode for MAK
--key-usage key usage flag for X.509 CSR
--license-number license number
-u --local-user local user for operation
--mime-type set MIME type for MSD
--name specify name of KMS object
--new-data set new data for MSD
--new-passphrase new passphrase
--organization organization for X.509 CSR
--organizational-unit organizational unit for X.509 CSR
-o --output output object
--output-file set a file to use for output messages
--parent specify parent object when creating KMS object
--passphrase passphrase
--preferred-keyserver preferred keyserver
--private-keyring private keyring file
--proxy-passphrase proxy server passphrase
--proxy-server proxy server name
--proxy-username proxy server username
--public-keyring public keyring file
--random-seed random seed file
--recon-server destination server for key reconstruction
--regular-expression regular expression
--root-path root path
--set-auth-mak set authentication MAK for KMS consumer
--set-key set key material for MAK
--share-server destination server for key shares
--state state for X.509 CSR
--status-file set a file to use for status messages
--subject-alt-name subject alternative name for X.509 CSR
--symmetric-passphrase symmetric (conventional) passphrase
--temp-dir specify the temporary directory
--type specify KMS consumer type
--valid-after-date valid after date (YYYY-MM-DD)
--valid-before-date valid before date (YYYY-MM-DD)
--verify-with MAK to use for signature verification
--usp-server specify KMS to operate on
List:
--additional-recipient additional recipients
--adk additional decryption key
--answer specify an answer
--attribute attr=val for KMS object edit
--clear-attribute clear attributes from KMS object
--email-address email address for KMS consumer
-i --input input object
--keyserver keyserver (protocol://host[:port][/baseDN])
--question specify a question
-r --recipient recipient
--revoker 3rd party revoker
--share specify a key share (number:user[:passphrase])
--usp-search-server KMS to search
--x509-extension X.509 extension in ASN.1 format for CSR
File Descriptors:
--auth-passphrase-fd auth passphrase
--auth-passphrase-fd8 auth passphrase (encoded in UTF8)
--export-passphrase-fd export passphrase
--export-passphrase-fd8 export passphrase (encoded in UTF8)
--new-passphrase-fd new passphrase
--new-passphrase-fd8 new passphrase (encoded in UTF8)
--passphrase-fd passphrase
--passphrase-fd8 passphrase (encoded in UTF8)
--proxy-passphrase-fd proxy passphrase
--proxy-passphrase-fd8 proxy passphrase (encoded in UTF8)
--symmetric-passphrase-fd symmetric passphrase
--symmetric-passphrase-fd8 symmetric passphrase (encoded in UTF8)