| NETPGPKEYS(1) | General Commands Manual | NETPGPKEYS(1) | 
netpgpkeys —
| netpgpkeys | --export-key[options]
      file ... | 
| netpgpkeys | --find-key[options]
      file ... | 
| netpgpkeys | --generate-key[options]
      file ... | 
| netpgpkeys | --import-key[options]
      file ... | 
| netpgpkeys | --list-keys[options]
      file ... | 
| netpgpkeys | --list-sigs[options]
      file ... | 
| netpgpkeys | --trusted-keys[options]
      key ... | 
| netpgpkeys | --version | 
| netpgpkeys | [ -Vgls]
      [-olong-option=value] file
      ...where the long options for all commands are: [ | 
netpgpkeys utility is still
  under development. Whilst the signing and verification, encryption and
  decryption parts of netpgp(1)
  are considered mature, netpgpkeys needs more work.
  Other key management utilities should be used in preference to this one.
The netpgpkeys command is used for all
    forms of PGP key management, from generation of new keys to propagation of
    public keys to key servers, and import of new public keys from other
    identities.
The netpgp(1) utility should be used for file management and transformation —encryption, decryption, signing and verification of files.
For signing and encryption, a unique identity is needed. This identity is made up of a private and public key. The public key part is made available and known to everyone. The private key is kept secret, and known only to the user who created the identity. The secret key is protected with a passphrase.
In rough terms, a digital signature is a digest of a file's contents, encrypted with the user's private key. Since together, the private and public keys identify the user uniquely, the signature can be used to identify the exact version of the file, and any changes made to the file will mean that the signature no longer matches.
As a corollary, the file can be transformed using a user's public key, into text such that the contents can only be viewed by someone with the corresponding private key. This is called encryption.
The netpgpkeys utility can be used to
    generate a new key-pair for a user. As mentioned before, this key is in two
    parts, the public key (which is known by other people) and the private
  key.
The other use of netpgpkeys is to maintain
    keyrings. Key and keyring management commands available are:
    --export-key,
    --find-key,
    --generate-key,
    --import-key, and
    --list-keys. Keyrings are
    collections of public keys belonging to other users. By using other means of
    identification, it is possible to establish the bona fides of other users.
    Once trust has been established, the public key of the other user will be
    signed. The other user's public key can be added to our keyring. The other
    user will add our public key to their keyring.
Keys can be listed, exported (i.e. made available to others), and imported (i.e. users who have signed our public key).
Key and keyring management can be done with the following commands:
--export-key--find-key--generate-key--import-key--list-keys--list-sigs--trusted-keysstdout. Normal
      key-matching rules apply.--versionIn addition to one of the preceding commands, a number of qualifiers or options may be given.
--cipher
    cipher-algorithm--hash
    hash-algorithm--homedir
    home-directory--keyring
    keyring--numbits
    numbits--userid
    useridnetpgpkeys utility has no way
      of verifying that an email address is valid, or that a key belongs to a
      certain individual. The trust for a signed key is given by the other
      signers of that key. The 16 hexadecimal digit user identity should be used
      when specifying user identities —email addresses and names are
      provided as aliases.--pass-fd=fdnetpgpkeys interface, but have
      their own ways of retrieving and caching the passphrase for the secret
      key. In this case, the netpgpkeys utility will
      read a line of text from the file descriptor passed to it in the command
      line argument, rather than using its own methods of retrieving the
      passphrase from the user.--verbosenetpgpkeys requests.--ssh-keys--coredumpsnetpgpkeys will turn off the ability to save core
      dumps on persistent storage, but selecting this option will allow core
      dumps to be written to disk. This option should be used wisely, and any
      core dumps should be deleted in a secure manner when no longer
    needed.It is often useful to be able to refer to another user's identity
    by using their netpgpkeys
    “fingerprint”. This can be found in the output from normal
    --list-keys and
    --list-sigs commands.
netpgpkeys once it
  has been chosen, and will be used for the life of the key, so a wise choice is
  advised. The pass phrase should not be an easily guessable word or phrase, or
  related to information that can be gained through “social
  engineering” using search engines, or other public information
  retrieval methods.
getpass(3) will be used to obtain the pass phrase from the user if it is needed, such as during signing or encryption, or key generation, so that any secret information cannot be viewed by other users using the ps(1) or top(1) commands, or by looking over the shoulder at the screen.
Since the public and private key pair can be used to verify a person's identity, and since identity theft can have far-reaching consequences, users are strongly encouraged to enter their pass phrases only when prompted by the application.
netpgpkeys utility will return 0 for success, 1 if
  the file's signature does not match what was expected, or 2 if any other error
  occurs.
% netpgpkeys --ssh-keys --sshkeyfile=/etc/ssh/ssh_host_rsa_key.pub --list-keys --hash=md5 1 key pub 1024/RSA (Encrypt or Sign) fcdd1c608bef4c4b 2008-08-11 Key fingerprint: e935 902d ebf1 76ba fcdd 1c60 8bef 4c4b uid osx-vm1.crowthorne.alistaircrooks.co.uk (/etc/ssh/ssh_host_rsa_key.pub) <root@osx-vm1.crowthorne.alistaircrooks.co.uk> % ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 1024 e9:35:90:2d:eb:f1:76:ba:fc:dd:1c:60:8b:ef:4c:4b /etc/ssh/ssh_host_rsa_key.pub (RSA) %
The following is an example of RSA key generation:
% netpgpkeys --generate-key netpgp: default key set to "C0596823" pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14 Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2 uid RSA 2048-bit key <agc@localhost> netpgp: generated keys in directory /home/agc/.gnupg/5bc707d1b495aaf2 % ls -al /home/agc/.gnupg/5bc707d1b495aaf2 total 8 drwx------ 2 agc agc 512 Apr 13 18:25 . drwx------ 6 agc agc 512 Apr 13 18:25 .. -rw------- 1 agc agc 596 Apr 13 18:25 pubring.gpg -rw------- 1 agc agc 1284 Apr 13 18:25 secring.gpg % % netpgpkeys --list-keys --home ~/.gnupg/5bc707d1b495aaf2 1 key pub 2048/RSA (Encrypt or Sign) 5bc707d1b495aaf2 2010-04-14 Key fingerprint: 08cb 4867 eeed 454c ce30 610d 5bc7 07d1 b495 aaf2 uid RSA 2048-bit key <agc@localhost> %
netpgpkeys command first appeared in
  NetBSD 6.0.
| February 21, 2012 | NetBSD 9.4 |