NETPGPKEYS(1) | NetBSD General Commands Manual | NETPGPKEYS(1) |
netpgpkeys | --export-key [options] file ... |
netpgpkeys | --find-key [options] file ... |
netpgpkeys | --generate-key [options] file ... |
netpgpkeys | --import-key [options] file ... |
netpgpkeys | --list-keys [options] file ... |
netpgpkeys | --list-sigs [options] file ... |
netpgpkeys | --version |
netpgpkeys | [-Vgls] [-olong-option=value] file ... |
where the long options for all commands are:
[--cipher=cipher-algorithm]
The netpgpkeys command is used for all forms of PGP key management, from generation of new keys to propagation of public keys to key servers, and import of new public keys from other identities.
The netpgp(1) utility should be used for file management and transformation - encryption, decryption, signing and verification of files.
For signing and encryption, a unique identity is needed. This identity is made up of a private and public key. The public key part is made available and known to everyone. The private key is kept secret, and known only to the user who created the identity. The secret key is protected with a passphrase.
In rough terms, a digital signature is a digest of a file's contents, encrypted with the user's private key. Since together, the private and public keys identify the user uniquely, the signature can be used to identify the exact version of the file, and any changes made to the file will mean that the signature no longer matches.
As a corollary, the file can be transformed using a user's public key, into text such that the contents can only be viewed by someone with the corresponding private key. This is called encryption.
The netpgpkeys utility can be used to generate a new key-pair for a user. As mentioned before, this key is in two parts, the public key (which is known by other people) and the private key.
The other use of netpgpkeys is to maintain keyrings. Key and keyring management commands available are: --export-key, --find-key, --generate-key, --import-key, and --list-keys. Keyrings are collections of public keys belonging to other users. By using other means of identification, it is possible to establish the bona fides of other users. Once trust has been established, the public key of the other user will be signed. The other user's public key can be added to our keyring. The other user will add our public key to their keyring.
Keys can be listed, exported (i.e. made available to others), and imported (i.e. users who have signed our public key).
Key and keyring management can be done with the following commands:
In addition to one of the preceding commands, a number of qualifiers or options may be given.
It is often useful to be able to refer to another user's identity by using their netpgpkeys “fingerprint”. This can be found in the output from normal --list-keys and --list-sigs commands.
getpass(3) will be used to obtain the pass phrase from the user if it is needed, such as during signing or encryption, or key generation, so that any secret information cannot be viewed by other users using the ps(1) or top(1) commands, or by looking over the shoulder at the screen.
Since the public and private key pair can be used to verify a person's identity, and since identity theft can have far-reaching consequences, users are strongly encouraged to enter their pass phrases only when prompted by the application.
% netpgpkeys --ssh-keys --sshkeyfile=/etc/ssh/ssh_host_rsa_key.pub --list-keys --hash=md5 1 key pub 1024/RSA (Encrypt or Sign) fcdd1c608bef4c4b 2008-08-11 Key fingerprint: e935 902d ebf1 76ba fcdd 1c60 8bef 4c4b uid osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <root@osx-vm1.crowthorne.alistaircrooks.co.uk> % ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 1024 e9:35:90:2d:eb:f1:76:ba:fc:dd:1c:60:8b:ef:4c:4b /etc/ssh/ssh_host_rsa_key.pub (RSA) %
The following is an example of RSA key generation:
% netpgpkeys --generate-key netpgp: default key set to "C0596823" pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14 Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2 uid RSA 2048-bit key <agc@localhost> netpgp: generated keys in directory /home/agc/.gnupg/5bc707d1b495aaf2 % ls -al /home/agc/.gnupg/5bc707d1b495aaf2 total 8 drwx------ 2 agc agc 512 Apr 13 18:25 . drwx------ 6 agc agc 512 Apr 13 18:25 .. -rw------- 1 agc agc 596 Apr 13 18:25 pubring.gpg -rw------- 1 agc agc 1284 Apr 13 18:25 secring.gpg % % netpgpkeys --list-keys --home ~/.gnupg/5bc707d1b495aaf2 1 key pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14 Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2 uid RSA 2048-bit key <agc@localhost> %
November 4, 2010 | NetBSD 5.99 |