|Display the current public key in a format suitable for export. This can be used to place the keyring on one of the public key servers, for example.|
|Find the appropriate public key from the current keyring. If no keyring is provided, the user's public keyring is used.|
|This command is used to generate a new public and private key pair. If provided on the command line, the argument will be given to the key generation routine to be used as the identity of the key. This is usually the email address and full name, but can be any identification token. The newly-generated keys are placed in a sub-directory of the "home directory" which is created at key generation time. At present, only RSA keys can be generated. The hash algorithm and keysize can be specified on the command line.|
|Import a public key as retrieved from one of the public key servers. This is in the form of a file which has previously been retrieved from elsewhere.|
|List all the public keys in the current keyring. If no keyring is provided, the user's public keyring is used.|
|List all the public keys in the current keyring, along with the sub-key signatures which provide the key with trust. If no keyring is provided, the user's public keyring is used.|
|Prints a list of keys in a more machine-readable format than is normally used, which can be used as input to other parsing engines. The output from this command is sent to stdout. Normal key-matching rules apply.|
|Print the version information from the libnetpgp(3) library.|
In addition to one of the preceding commands, a number of qualifiers or options may be given.
|Specify the cipher to be used for symmetric encryption. The default cipher is "CAST5".|
|Specify the hash algorithm which is used during fingerprint calculation. For reference, at the present time, ssh-keygen(1) uses "MD5" for its fingerprint values.|
|Keyrings are normally located, for historical reasons, within the user's home directory in a subdirectory called ".gnupg", and this option specifies an alternative location in which to find that sub-directory.|
|This option specifies an alternative keyring to be used. All keyring operations will be relative to this alternative keyring.|
|Specifies the number of bits to be used when generating a key. The default number of bits is 2048. This is considered the absolute minimum which should be chosen at the time of writing (2009). Due to advances in computing power every year, this number should be reviewed, and increased when it becomes easier to factor 2048 bit numbers.|
|This option specifies the user identity to be used for all operations. This identity can either be in the form of the full name, or as an email address. Care should be exercised with these ways of specifying the user identity, since the netpgpkeys utility has no way of verifying that an email address is valid, or that a key belongs to a certain individual. The trust for a signed key is given by the other signers of that key. The 16 hexadecimal digit user identity should be used when specifying user identities; email addresses and names are provided only as aliases.|
|This option is intended for the use of external programs which may like to use the libnetpgp(3) library through the netpgpkeys interface, but have their own ways of retrieving and caching the passphrase for the secret key. In this case, the netpgpkeys utility will read a line of text from the file descriptor passed to it in the command line argument, rather than using its own methods of retrieving the passphrase from the user.|
|This option can be used to view information during the process of the netpgpkeys requests.|
|Specifies that the public and private keys should be taken from the ssh(1) host key files, usually found in /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_rsa_key.pub for the private and public host keys.|
|In normal processing, if an error occurs, the contents of memory are saved to disk, and can be read using tools to analyse behaviour. Unfortunately this can disclose information to people viewing the core dump, such as secret keys, and the passphrases protecting those keys. In normal operation, netpgpkeys will turn off the ability to save core dumps on persistent storage, but selecting this option will allow core dumps to be written to disk. This option should be used wisely, and any core dumps should be deleted in a secure manner when no longer needed.|
It is often useful to be able to refer to another user's identity by using their netpgpkeys "fingerprint". This can be found in the output from the normal --list-keys and --list-sigs commands.
The pass phrase cannot be changed by netpgpkeys once it has been chosen, and will be used for the life of the key, so a wise choice is advised. The pass phrase should not be an easily guessable word or phrase, or related to information that can be gained through "social engineering" using search engines, or other public information retrieval methods.
getpass(3) will be used to obtain the pass phrase from the user if it is needed, such as during signing, encryption, or key generation, so that any secret information cannot be viewed by other users using the ps(1) or top(1) commands, or by looking over the user's shoulder at the screen.
Since the public and private key pair can be used to verify a person's identity, and since identity theft can have far-reaching consequences, users are strongly encouraged to enter their pass phrases only when prompted by the application.
The netpgpkeys utility will return 0 for success, 1 if the file's signature does not match what was expected, or 2 if any other error occurs.
    % netpgpkeys --ssh-keys --sshkeyfile=/etc/ssh/ssh_host_rsa_key.pub --list-keys --hash=md5
    1 key
    pub 1024/RSA (Encrypt or Sign) fcdd1c608bef4c4b 2008-08-11
    Key fingerprint: e935 902d ebf1 76ba fcdd 1c60 8bef 4c4b
    uid              osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <firstname.lastname@example.org>
    % ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
    1024 e9:35:90:2d:eb:f1:76:ba:fc:dd:1c:60:8b:ef:4c:4b /etc/ssh/ssh_host_rsa_key.pub (RSA)
    %
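The listing above is the kind of output a script consumes when cross-checking a host key; as an added example (not part of the manual or of netpgp), this parser reads the netpgpkeys --list-keys output, checks that the 16-hex-digit key ID is the trailing 64 bits of the fingerprint, and compares the MD5 fingerprint with the colon-separated form ssh-keygen -l prints. The sample input is the page's own example output, embedded as a constructed string.

```python
import re

# Constructed sample input: the listing from the ssh host-key example above
# and the ssh-keygen -l line printed for the same key.
NETPGP_LISTING = """\
1 key
pub 1024/RSA (Encrypt or Sign) fcdd1c608bef4c4b 2008-08-11
Key fingerprint: e935 902d ebf1 76ba fcdd 1c60 8bef 4c4b
uid              osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <firstname.lastname@example.org>
"""
SSH_KEYGEN_LINE = ("1024 e9:35:90:2d:eb:f1:76:ba:fc:dd:1c:60:8b:ef:4c:4b "
                   "/etc/ssh/ssh_host_rsa_key.pub (RSA)")

PUB_RE = re.compile(r"pub\s+(\d+)/(\w+)\s+\(([^)]*)\)\s+([0-9a-f]{16})\s+(\d{4}-\d{2}-\d{2})")
FPR_RE = re.compile(r"Key fingerprint:\s+((?:[0-9a-f]{4}\s*)+)$")


def parse_listing(text):
    """Return one dict per 'pub' entry: bits, alg, usage, keyid, created, fingerprint, uids."""
    keys = []
    for line in text.splitlines():
        m = PUB_RE.match(line)
        if m:
            keys.append({"bits": int(m.group(1)), "alg": m.group(2), "usage": m.group(3),
                         "keyid": m.group(4), "created": m.group(5),
                         "fingerprint": None, "uids": []})
            continue
        if not keys:            # header such as "1 key" precedes the first entry
            continue
        m = FPR_RE.match(line)
        if m:
            keys[-1]["fingerprint"] = m.group(1).replace(" ", "")
        elif line.startswith("uid"):
            keys[-1]["uids"].append(line[3:].strip())
    return keys


def keyid_matches_fingerprint(key):
    """The key ID is the trailing 64 bits of the fingerprint, as the listing
    above shows; a mismatch points at a mangled or tampered line."""
    return bool(key["fingerprint"]) and key["fingerprint"].endswith(key["keyid"])


def to_ssh_keygen_format(fingerprint_hex):
    """Render an MD5 fingerprint the way ssh-keygen -l prints it (colon-separated bytes)."""
    return ":".join(fingerprint_hex[i:i + 2] for i in range(0, len(fingerprint_hex), 2))


def same_key_as_ssh_keygen(key, ssh_keygen_line):
    """True when netpgpkeys --hash=md5 and ssh-keygen -l agree on size and fingerprint."""
    bits, colon_fpr = ssh_keygen_line.split()[:2]
    return int(bits) == key["bits"] and to_ssh_keygen_format(key["fingerprint"]) == colon_fpr


if __name__ == "__main__":
    for k in parse_listing(NETPGP_LISTING):
        print(k["keyid"], keyid_matches_fingerprint(k), same_key_as_ssh_keygen(k, SSH_KEYGEN_LINE))
```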
The following is an example of RSA key generation:

    % netpgpkeys --generate-key
    netpgp: default key set to "C0596823"
    pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14
    Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2
    uid              RSA 2048-bit key <agc@localhost>
    netpgp: generated keys in directory /home/agc/.gnupg/5bc707d1b495aaf2
    % ls -al /home/agc/.gnupg/5bc707d1b495aaf2
    total 8
    drwx------  2 agc  agc   512 Apr 13 18:25 .
    drwx------  6 agc  agc   512 Apr 13 18:25 ..
    -rw-------  1 agc  agc   596 Apr 13 18:25 pubring.gpg
    -rw-------  1 agc  agc  1284 Apr 13 18:25 secring.gpg
    %
    % netpgpkeys --list-keys --home ~/.gnupg/5bc707d1b495aaf2
    1 key
    pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14
    Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2
    uid              RSA 2048-bit key <agc@localhost>
OpenPGP Message Format
The netpgpkeys command first appeared in NetBSD 6.0.
Ben Laurie, Rachel Willmer, and overhauled and rewritten by Alistair Crooks <agc@NetBSD.org>. This manual page was also written by Alistair Crooks.