Using the RNP command-line interface

Generating an RSA private key

By default, rnpkeys --generate-key generates a 2048-bit RSA key.

export keydir=/tmp
rnpkeys --generate-key --homedir=${keydir}

⇒

rnpkeys: generated keys in directory ${keydir}/6ed2d908150b82e7

Note	Here 6ed2d…​ is the key fingerprint.

In order to use fully-featured key-pair generation, the --expert flag should be used.

With this flag added to rnpkeys --generate-key, the user will be able to generate a key-pair for any supported algorithm and/or key size.

Example:

> export keydir=/tmp
> rnpkeys --generate-key --expert --homedir=${keydir}

Please select what kind of key you want:
    (1)  RSA (Encrypt or Sign)
    (19) ECDSA
    (22) EDDSA
> 19

Please select which elliptic curve you want:
    (1) NIST P-256
    (2) NIST P-384
    (3) NIST P-521
> 2

Generating a new key...
signature  384/ECDSA d45592277b75ada1 2017-06-21
Key fingerprint: 4244 2969 07ca 42f7 b6d8 1636 d455 9227 7b75 ada1
uid              ECDSA 384-bit key <flowher@localhost>
rnp: generated keys in directory /tmp/.rnp
Enter password for d45592277b75ada1:
Repeat password for d45592277b75ada1:
>

Listing keys

export keyringdir=${keydir}/MYFINGERPRINT
rnpkeys --list-keys --homedir=${keyringdir}

⇒

1 key found
...

Signing a file

Signing in binary format

rnp --sign --homedir=${keyringdir} ${filename}

⇒

Creates ${filename}.gpg which is an OpenPGP message that includes the message together with the signature as a 'signed message'.

This type of file can be verified with:

• rnp --verify --homedir=${keyringdir} ${filename}.gpg

Signing in binary detached format

rnp --sign --detach --homedir=${keyringdir} ${filename}

⇒

Creates ${filename}.sig which is an OpenPGP message in binary format, that only contains the signature.

This type of file can be verified with:

• rnp --verify --homedir=${keyringdir} ${filename}.sig

Signing in armored (“ASCII-armored”) format

rnp --sign --armor --homedir=${keyringdir} ${filename}

⇒

Creates ${filename}.asc which is an OpenPGP message in ASCII-armored format, including the message together with the signature as a “signed message”.

This type of file can be verified with:

• rnp --verify --homedir=${keyringdir} ${filename}.asc

Other options

--clearsign

appends a separate OpenPGP signature to the end of the newly signed message.

--detach

saves the OpenPGP signature in a separate file from the newly signed message.

Encrypt

rnp --encrypt --homedir=${keyringdir} ${filename}

⇒

Creates ${filename}.gpg, which is an encrypted OpenPGP message.

Decrypt

rnp --decrypt --homedir=${keyringdir} ${filename}.gpg

⇒

Creates ${filename}, the decrypted form of the ${filename}.gpg encrypted OpenPGP message.

Check version

The output of rnp --version contains the git hash of the version the binary was built from, of which value is generated when cmake runs.

Consequently, a release tarball generated with make dist will contain this hash version.