pem2openpgp is a low-level utility for transforming raw, PEM-encoded RSA
secret keys into OpenPGP-formatted certificates. The generated
certificates include the secret key material, so they should be handled
carefully.

It works as an element within a pipeline: feed it the raw key on
stdin and supply the desired User ID as a command line argument. Note
that you may need to quote the string to ensure that it is passed
entirely as a single argument.

Other choices about how to generate the new OpenPGP certificate are
governed by environment variables.

The following environment variables influence the behavior of
pem2openpgp:

PEM2OPENPGP_TIMESTAMP controls the timestamp (measured in
seconds since the UNIX epoch) indicated as the creation time (a.k.a.
"not valid before") of the generated certificate (self-signature) and
the key itself. By default, pem2openpgp uses the current time.

PEM2OPENPGP_KEY_TIMESTAMP controls the timestamp (measured in
seconds since the UNIX epoch) indicated as the creation time of just
the key itself (not the self-signature). By default, pem2openpgp
uses the value from PEM2OPENPGP_TIMESTAMP.

PEM2OPENPGP_USAGE_FLAGS should contain a comma-separated list of
valid OpenPGP usage flags (see section 5.2.3.21 of RFC 4880 for what
these mean). The available choices are: certify, sign, encrypt_comms,
encrypt_storage, encrypt (this means both encrypt_comms and
encrypt_storage), authenticate, split, shared. By default,
pem2openpgp only sets the certify flag.

PEM2OPENPGP_EXPIRATION sets an expiration (measured in seconds
after the creation time of the key) in each self-signature packet. By
default, no expiration subpacket is included.

PEM2OPENPGP_NEWKEY indicates that pem2openpgp
should ignore stdin, and instead generate a new key internally and
build the certificate based on this new key. Set this variable to the
number of bits for the new key (e.g. 2048). By default (when this is
unset), pem2openpgp will read the key from stdin.
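
The following wrapper is an added example, not part of pem2openpgp or its
documentation. It checks the environment variables described above before
invoking the tool and keeps the output file, which holds cleartext secret key
material, private to its owner. The function names are hypothetical, and
treating the numeric variables as plain decimal digits is an assumption.

```shell
#!/bin/sh
# Added example (not from the pem2openpgp project); function names are hypothetical.

# Usage flags exactly as listed on this page.
VALID_FLAGS="certify sign encrypt_comms encrypt_storage encrypt authenticate split shared"

# Succeeds if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# Succeeds if $1 is a comma-separated list drawn only from VALID_FLAGS.
check_usage_flags() {
    # Reject empty input, empty list items and any character a flag cannot contain.
    case "$1" in ''|,*|*,|*,,*|*[!a-z_,]*) return 1 ;; esac
    _rest=$1
    while [ -n "$_rest" ]; do
        _flag=${_rest%%,*}
        case " $VALID_FLAGS " in *" $_flag "*) ;; *) return 1 ;; esac
        case "$_rest" in *,*) _rest=${_rest#*,} ;; *) _rest= ;; esac
    done
    return 0
}

# Validate every PEM2OPENPGP_* variable that is set to a non-empty value.
check_pem2openpgp_env() {
    for _v in PEM2OPENPGP_TIMESTAMP PEM2OPENPGP_KEY_TIMESTAMP \
              PEM2OPENPGP_EXPIRATION PEM2OPENPGP_NEWKEY; do
        eval "_val=\${$_v:-}"
        [ -z "$_val" ] || is_uint "$_val" ||
            { echo "$_v: expected an integer, got '$_val'" >&2; return 1; }
    done
    [ -z "${PEM2OPENPGP_USAGE_FLAGS:-}" ] ||
        check_usage_flags "$PEM2OPENPGP_USAGE_FLAGS" ||
        { echo "PEM2OPENPGP_USAGE_FLAGS: invalid flag list" >&2; return 1; }
}

# pem_to_cert KEY.pem "User ID" OUT: write the certificate for KEY.pem to OUT.
pem_to_cert() {
    check_pem2openpgp_env || return 1
    # An existing file would keep its old mode, so refuse to overwrite it.
    [ ! -e "$3" ] || { echo "$3: already exists" >&2; return 1; }
    # umask 077 makes the new secret-bearing file readable by its owner only.
    ( umask 077 && pem2openpgp "$2" < "$1" > "$3" )
}
```

Quoting "$2" is what keeps a User ID containing spaces in a single argument.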

Only handles RSA keys at the moment. It might be nice to handle DSA
keys as well.

Currently only creates certificates with a single User ID. Should be
able to create certificates with multiple User IDs.

Currently only accepts unencrypted RSA keys. It should be able to
deal with passphrase-locked key material.

Currently outputs OpenPGP certificates with cleartext secret key
material. It would be good to be able to lock the output with a

If you find other bugs, please report them at