INFORMATIONAL-h, --help
Displays a short help message. No options are expected.
-V, --version
Displays version information. No options are expected.
-l, --list-keys
List out keys and some brief information about each.
Additional options:
--with-sigs
Additionally display signatures of listed keys.
KEYGENERATION-g, --generate-key
Generate a new keypair.
Without additional options, an RSA primary key pair with an RSA sub-key pair will be generated, and
prompting for the encryption password afterwards.
Additional options:
--numbits
Overrides the default RSA key size of 2048 bits.
--expirationTIME
Set key and subkey expiration time, counting from the creation time.
By default generated keys do not expire.
Expiration time can be specified as:
• expiration date in the ISO 8601:2019 date format (yyyy-mm-dd); or
• hours/days/months/years since creation time with the syntax of 20h/30d/1m/1y;
• number of seconds.
--expert
Select key algorithms interactively and override default settings.
--userid
Specifies the userid to be used in generation.
--hash
Specify the hash algorithm used in generation.
--cipher
Specify the encryption algorithm used in generation.
--s2k-iterations
Specify the number of iterations for the S2K (string-to-key) process.
This is used during the derivation of the symmetric key, which encrypts a secret key from the
password.
--s2k-msec
Specify that rnpkeys should automatically pick a --s2k-iterations value such that the single key
derivation operation would take NUMBER of milliseconds on the current system.
For example, setting it to 2000 would mean that each secret key decryption operation would take
around 2 seconds (on the current machine).
KEY/SIGNATUREIMPORT--import, --import-keys, --import-sigs
Import keys or signatures.
While rnpkeys automatically detects the input data format, one may still wish to specify whether the
input provides keys or signatures.
By default, the import process will stop on the first discovered erroneous key or signature.
Additional options:
--permissive
Skip errored or unsupported packets during the import process.
KEY/SIGNATUREEXPORT--export-key [--userid=FILTER] [FILTER]
Export key(s). Only export keys that match FILTER if FILTER is given.
If filter matches a primary key, the subkeys of the primary key are also exported.
By default, key data is written to stdout in ASCII-armored format.
Additional options:
--outputPATH
Specifies output to be written to a file name instead of stdout.
--secret
Without this option specified, the command will only export public key(s). This option must be
provided to export secret key(s).
--export-revKEY
Export the revocation signature for a specified secret key.
The revocation signature can be used later in a case of key loss or compromise.
Additional options:
--rev-type
Specifies type of key revocation.
--rev-reason
Specifies reason for key revocation.
KEYMANIPULATION--revoke-keyKEY
Issue revocation signature for the secret key, and save it in the keyring.
Revoked keys cannot be used further.
Additional options:
--rev-type
Specifies type of key revocation, see options section for the available values.
--rev-reason
Specifies reason for key revocation.
--remove-keyKEY
Remove the specified key.
If a primary key is specified, then all of its subkeys are also removed.
If the specified key is a secret key, then it will not be deleted without confirmation.
Additional options:
--force
Forces removal of a secret key without prompting the user.
--edit-keyKEY
Edit or update information, associated with a key. Should be accompanied with editing option.
Currently the following options are available:
--add-subkey
Generate and add a new subkey to the existing primary key. All additional options for the
--generate-key command apply for subkey generation as well, except --userid.
--check-cv25519-bits
Check whether least significant/most significant bits of Curve25519 ECDH subkey are correctly
set. RNP internally sets those bits to required values (3 least significant bits and most
significant bit must be zero) during decryption, however other implementations (GnuPG) may
require those bits to be set in key material. KEY must specify the exact subkey via keyid or
fingerprint.
--fix-cv25519-bits
Set least significant/most significant bits of Curve25519 ECDH subkey to the correct values, and
save a key. So later export of the key would ensure compatibility with other implementations
(like GnuPG). This operation would require the password for your secret key. Since version 0.16.0
of RNP generated secret key is stored with bits set to a needed value, however, this may be
needed to fix older keys or keys generated by other implementations. KEY must specify the exact
subkey via keyid or fingerprint.
--set-expireTIME
Set key expiration time. See the description of the --expiration option for possible time
formats. Setting argument to 0 removes key expiration, the key would never expire. It is not
recommended due to security reasons.
OPTIONS--homedirDIR
Change homedir (where RNP looks for keyrings) to the specified value.
The default homedir is ~/.rnp .
--outputPATH
Write data processing related output to the file specified.
Combine it with --overwrite to overwrite file if it already exists.
--overwrite
Overwrite output file if it already exists.
--useridUSERID
Use the specified userid during key generation and in some key-searching operations.
--numbitsBITS
Specify size in bits for the generated key and subkey.
bits may be in range 1024-16384, as long as the public key algorithm does not place additional
limits.
--cipherALGORITHM
Set the key encryption algorithm. This is only used in key generation.
The default value is AES256.
--hashALGORITHM
Use the specified hash algorithm for signatures and derivation of the encrypting key from password
for secret key encryption.
The default value is SHA256.
--expert
Use the expertkeygeneration mode, allowing the selection of key/subkey algorithms.
The following types of keys can be generated in this mode:
• DSA key with ElGamal encryption subkey
• DSA key with RSA subkey
• ECDSA key with ECDH subkey
• EdDSA key with x25519 subkey
• SM2 key with subkey
Specifically, for ECDSA and ECDH the underlying curve can also be specified:
• NISTP-256, NISTP-384, NISTP-521
• brainpoolP256r1, brainpoolP384r1, brainpoolP512r1
• secp256k1--pass-fdFD
Specify a file descriptor to read passwords from instead of from stdin/tty.
Useful for automated or non-interactive sessions.
--passwordPASSWORD
Use the specified password when it is needed.
Warning
Not recommended for production use due to potential security issues. Use --pass-fd for batch
operations instead.
--with-sigs
Print signature information when listing keys via the -l command.
--force
Force actions to happen without prompting the user.
This applies to cases such as secret key removal, revoking an already revoked key and so on.
--permissive
Skip malformed or unknown keys/signatures during key import.
By default, rnpkeys will stop on the first erroring packet and exit with an error.
--rev-typeTYPE
Use the specified type during revocation signature generation instead of the default 0.
The following values are supported:
• 0, or "no": no revocation type specified.
• 1, or "superseded": key was superseded with another key.
• 2, or "compromised": key was compromised and no longer valid.
• 3, or "retired": key is retired.
Please refer to IETFRFC4880 for details.
--rev-reasonREASON
Add the specified human-readable revocation REASON to the signature instead of an empty string.
--s2k-iterationsNUMBER
Specify the number of iterations for the S2K (string-to-key) process.
This is used during the derivation of the symmetric key, which encrypts a secret key from the
password.
Please refer to IETF RFC 4880 for further details.
--s2k-msecNUMBER
Specify that rnpkeys should automatically pick a --s2k-iterations value such that the single key
derivation operation would take NUMBER of milliseconds on the current system.
For example, setting it to 2000 would mean that each secret key decryption operation would take
around 2 seconds (on the current machine).
--notty
Disable use of tty.
By default RNP would detect whether TTY is attached and use it for user prompts.
This option overrides default behaviour so user input may be passed in batch mode.
--current-timeTIME
Override system’s time with a specified value.
By default RNP uses system’s time in all signature/key checks, however in some scenarios it could be
needed to override this.
TIME could be specified in the ISO 8601-1:2019 date format (yyyy-mm-dd), or in the UNIX timestamp
format.