TurboPGP is a command line tool performing cryptography operations on file or text messages and related key management tasks. It is based on the OpenPGP standard (RFC 4880). TurboPGP runs on Windows, Linux, and macOS. It can perform the following actions:
Generate an OpenPGP key pair.
Import a user’s public or secret key.
Encrypt or decrypt a file using the OpenPGP standard.
Digitally sign a file and verify OpenPGP signatures.
TurboPGP uses a specific directory for application data, like keyring files. On any UNIX system, the application data resides in the .tbpgp folder, which, in turn, resides in the path represented by the $HOME environment variable. Installation on Linux depends on the type of distribution:
Installation on RPM-Based Linux Distributions (CentOS, Red Hat, Fedora, etc.)
On the command line, enter:
sudo rpm -i tbpgp-1.22.1032-1.x86_64.rpm
Installation on non-RPM Based Linux Distributions (Ubuntu, Debian, etc.)
Install the RPM file directly without conversion to a Debian package.
sudo dpkg -i tbpgp-1.22.1032-1.x86_64.deb
To install on Windows, double-click the downloaded installer file to begin the installation. You need to have administrator privileges to install.
The TurboPGP command line tool operates with parameters supplied in the standard UNIX style. Long commands are specified with two hyphens “--” and the command name, like “tbpgp --encrypt”. Short form commands are supplied with one hyphen and a single letter equivalent to the command name, like “tbpgp -e”.
Every correct and successful command returns a suitable response, while an incorrect command returns an error message.
Each command line statement must have one valid command combined with one or more options.
A command takes one or two mandatory arguments or none. For example, the --encrypt command must be followed by a path to the physical file being encrypted. The only command that requires two arguments is the --verify command when verifying a detached signature: the detached signature (.sig file) first, then the original file.
A non-command option takes zero or one argument. For example, the --output (-o) option provides an output file path explicitly specified by the user.
A single space is required to separate an option and its arguments. Additional spaces between flags and arguments are overlooked. An argument must be embedded between quotes if it has spaces (e.g., a file path). For example:
tbpgp --encrypt ... -o "hello world.pgp"
Options can be specified in any order and have short or long forms. For example, both statements below are valid and create a detached signature of the given file.
tbpgp --sign ... --signer
tbpgp --signer --sign ...
A key in a public or secret keyring must be specified for encryption, signing, and specific key management. A key can be identified by a Key ID, the low-order 64 bits of the key’s fingerprint. TurboPGP also takes a short form of key ID, which is the low-order 32 bits (4-octet) of the conventional Key ID.
For example, the following command uses the 4-octet form of key ID to reference the key to be exported:
tbpgp --export 244F31DC
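How the two Key ID forms relate to a key's fingerprint, as an added example (not TurboPGP code): it builds a version 4 RSA public-key packet body, hashes it as RFC 4880 section 12.2 specifies, and takes the low-order 64 and 32 bits. The modulus and creation times are constructed, and find_keys is a hypothetical helper showing that a Key ID, the 4-octet form in particular, can match more than one key in a keyring.

```python
import hashlib
import struct

def mpi(value):
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def rsa_public_key_body(created, n, e):
    """Version 4 public-key packet body: version, creation time, algorithm 1 (RSA), n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body):
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def key_ids(fingerprint):
    """Return (64-bit Key ID, 32-bit short form) as upper-case hex strings."""
    long_id = fingerprint[-8:].hex().upper()
    return long_id, long_id[-8:]

def find_keys(identifier, fingerprints):
    """Fingerprints whose low-order bits equal an 8- or 16-hex-digit Key ID.
    More than one result means the identifier is ambiguous in this keyring."""
    wanted = identifier.upper()
    if len(wanted) not in (8, 16):
        raise ValueError("expected a 32-bit or 64-bit Key ID in hex")
    return [fp for fp in fingerprints if fp.hex().upper().endswith(wanted)]

# Constructed inputs: a 2048-bit odd integer standing in for an RSA modulus
# (not a real key) and two creation times one second apart.
SAMPLE_N = (1 << 2047) | 0x10001
FP_A = v4_fingerprint(rsa_public_key_body(1637107200, SAMPLE_N, 65537))
FP_B = v4_fingerprint(rsa_public_key_body(1637107201, SAMPLE_N, 65537))

if __name__ == "__main__":
    for fp in (FP_A, FP_B):
        print(fp.hex().upper(), *key_ids(fp))
```

The creation time is part of the hashed packet, so the same key material with a different timestamp yields a different fingerprint and Key ID.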
TurboPGP maintains its key database in the form of keyrings. The public and secret keyrings reside in the .tbpgp folder under the user’s home directory.
Secret keys are stored in the file secring.tpg and usually are encrypted.
Public keys are stored in the file pubring.tpg.
This section describes the steps you need to take to get up and running with TurboPGP.
Generate an OpenPGP key pair.
List public keys in the keyring.
List secret keys in the keyring.
Export a public or secret key.
Import a public or secret key.
Although OpenPGP ultimately uses a symmetric cipher to encrypt the given message or data, the cipher’s encryption key is protected by public key cryptography, which operates with an OpenPGP key pair. Digital signing and signature verification rely on the signer’s public and secret keys. To use TurboPGP, make sure there is at least a public or secret key in its keyrings. TurboPGP provides a key generator to create an OpenPGP key pair.
A key pair contains a public key and a secret key. The public key algorithms below are currently supported.
RSA/RSA
DSA/El Gamal
ECDSA/ECDH
To generate a new key pair, use the --gen-key command. By default, a 2048-bit RSA key will be generated.
Command syntax:
tbpgp --gen-key "{username} <{user_email}>"
where
"{username} <{user_email}>" is the User ID enclosed in double quotation marks. The User ID argument is in RFC 2822 name-addr string format, specifying the user’s name and email address.
Optional argument --key-type or -t
This option specifies the public-key algorithm of the key. It can be one of the following strings:
rsa
dsa
ecdsa
Optional argument --enc-bits or -b
This option specifies the key size of the encryption key. OpenPGP encryption services are provided by its subkey(s). The TurboPGP key generator creates one subkey for encryption purposes. Thus, the number of encryption bits here is the key size of the encryption subkey.
Optional argument --signing-bits or -B
This option specifies the key size of the signing key. By convention, OpenPGP signature services are provided by its top-level key (i.e., the master key). Thus, the number of bits here is the key size of the top-level key.
Example:
tbpgp --gen-key "joe anderson <joe@test.com>" --enc-bits 4096
Optional argument --cipher
This option specifies the preferred symmetric cipher to use when encrypting literal data. Valid options are:
blowfish, aes-128, aes-192, aes-256, twofish
Optional argument --hash
This option specifies the preferred hash algorithm to use.
To list the keys in a public keyring, use the --list-keys or -l command.
Command syntax:
tbpgp --list-keys
Example:
tbpgp --list-keys
pub RSA 2048 8724C498 2021-11-17
uid alice (alice) <alice@example.com>
sub RSA 2048 7FEF36A5 2021-11-17
pub RSA 2048 F344C947 2021-11-17
uid charlie (main) <charlie@example.com>
sub RSA 2048 4D34D33F 2021-11-17
Two keys are listed in the example above. In the first key section, the first line shows the information of the master key: it is a 2048-bit RSA public key, 8724C498 is the short form of the Key ID, and 2021-11-17 is the key’s creation date. The line beginning with sub shows a subkey’s information.
To list the keys on a secret keyring, use the --list-secret-keys or -L command.
Command syntax:
tbpgp --list-secret-keys
Example:
tbpgp --list-secret-keys
load_keychain: 2 keys loaded from secret key chain
load_keychain: 2 keys loaded from public key chain
secret keyring: /root/.tbpgp/secring.tpg
sec RSA 2048 8724C498 2022-11-17
uid alice (main) <alice@example.com>
sub RSA 2048 7FEF36A5 2022-11-17
sec RSA 2048 F344C947 2022-11-17
uid charlie (charlie) <charlie@example.com>
sub RSA 2048 4D34D33F 2022-11-17
Users can export their public key to send to other users who want to exchange data securely.
Command syntax:
tbpgp --export <keyID> -o <outputFile>
where:
<keyID> is the Key ID of the public key to be exported.
<outputFile> is the name of the output public key file.
Optional argument --armor
Create the key file in ASCII armored text format.
Example:
tbpgp --export 8724C498 -o alice.bin
tbpgp --export 8724C498 -o alice.asc --armor
Another user’s public key may be added to your public keyring with the --import command. A key file can be in binary or ASCII format.
Command syntax:
tbpgp --import <filename>
where:
<filename> is the path of the public key file to be imported.
If it is successful, you will see output like the text below.
pgp_key_load: no ascii file, retry as binary...
key id ************ added to public keychain
Similarly, by using the same command, a secret key can be added to the secret keyring.
Public and secret keys can be deleted from their keyrings with the --delete-key command.
Command syntax:
tbpgp --delete-key <keyID>
tbpgp --delete-key <wildcard>
where:
<keyID> the Key ID of the public key and secret key to be removed from the keyring.
Delete multiple public or secret keys
If the supplied argument is a wildcard, it will be matched against every key’s associated user email. If matched, both the public and secret keys will be deleted. Accepted wildcards are the asterisk (*), which represents one or more characters, and the question mark (?) which means a single character.
Example:
tbpgp --delete-key 8724C498
(Remove a key with a Key ID matching a short form Key ID “8724C498”.)
tbpgp --delete-key *@test.com
(Remove all keys with a User ID with an email address matching “@test.com”.)
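A dry run of the wildcard rule described above, as an added example (not TurboPGP's own code): it parses a listing in the --list-keys layout and reports which keys a pattern would select before --delete-key is run. Full-string, case-sensitive matching is an assumption, and the third key in the sample listing is constructed.

```python
import re

# Sample in the --list-keys layout shown earlier; the third key is constructed.
LISTING = """\
pub RSA 2048 8724C498 2021-11-17
uid alice (alice) <alice@example.com>
sub RSA 2048 7FEF36A5 2021-11-17
pub RSA 2048 F344C947 2021-11-17
uid charlie (main) <charlie@example.com>
sub RSA 2048 4D34D33F 2021-11-17
pub RSA 2048 0A1B2C3D 2021-11-17
uid dana (ops) <dana@test.com>
sub RSA 2048 4E5F6A7B 2021-11-17
"""

def parse_listing(text):
    """Return one dict per master key: key ID, algorithm, bits, e-mail addresses."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] in ("pub", "sec") and len(fields) >= 5:
            keys.append({"id": fields[3], "algo": fields[1],
                         "bits": int(fields[2]), "emails": []})
        elif fields[0] == "uid" and keys:
            match = re.search(r"<([^<>]+)>", line)
            if match:
                keys[-1]["emails"].append(match.group(1))
    return keys

def wildcard_to_regex(pattern):
    """'*' is one or more characters and '?' exactly one, as the text defines them."""
    parts = {"*": ".+", "?": "."}
    return re.compile("".join(parts.get(ch, re.escape(ch)) for ch in pattern))

def keys_matching(pattern, keys):
    """Key IDs whose e-mail address matches the whole pattern (assumed full match)."""
    rx = wildcard_to_regex(pattern)
    return [k["id"] for k in keys if any(rx.fullmatch(e) for e in k["emails"])]

if __name__ == "__main__":
    print(keys_matching("*@test.com", parse_listing(LISTING)))
```

Because the asterisk stands for one or more characters, a pattern such as *dana@test.com does not select dana@test.com under this reading, unlike a shell glob.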
The passphrase of a secret key can be changed with the --change-pass command. To complete the operation, you will be prompted to enter the old and new passphrases.
Command syntax:
tbpgp --change-pass <keyID>
where:
<keyID> the Key ID of the secret key to be encrypted with a different passphrase.
Example:
tbpgp --change-pass 8724C498
The TurboPGP command line tool supports the following cryptographic operations:
Encryption: Encryption converts sensitive data into a scrambled, incomprehensible form that only an authorized party can decode and restore. In OpenPGP, encryption is achieved with a symmetric cipher on a randomly generated encryption key, or session key, protected by a public key of a given key pair. Conversely, only the person with that corresponding secret key can decrypt the encrypted encryption key to decrypt the data further.
Decryption: Decryption reverses the encryption process by restoring the encryption key used to encrypt the data. OpenPGP typically requires a secret key of a given key pair to decrypt an encrypted archive.
Signature generation: A digital signature is used to endorse and timestamp a file. The user’s secret key and a signing algorithm are used to create the signature. The signature created is irreversible, and it is hard to recover the file from which the hash was calculated. Typically, digital signatures are used for user authentication and message/file integrity checks.
Signature verification: Signature verification is the procedure to validate the authenticity and integrity of the file or document that was signed. The same hash function and the user’s public key are used to verify the signature.
For encryption, the command --encrypt or -e is used. The Key ID is specified with --recipient or -r, and the output file is specified with the --output or -o option.
Basic syntax:
tbpgp --encrypt <inputFile> --recipient <keyID> -o <outputFile>
where:
<inputFile> is the name of the file to be encrypted.
<keyID> is the Key ID of the recipient’s public key used to encrypt the file.
<outputFile> is the name of the encrypted output file.
Example:
tbpgp --encrypt guide.pdf --recipient 8724C498 -o guide.pdf.pgp
Optional argument --compress-algo
The compression algorithm can be specified with --compress-algo.
TurboPGP supports all the compression algorithms specified in OpenPGP: ZIP, zlib, and BZIP2. By default, zlib is used. To set an algorithm, use --compress-algo with argument zip, zlib, or bz2 in the command line.
Optional argument --compress-level
The valid range of compression level is 0-9, inclusive. Level 0 means no compression.
To decrypt a document, use the command --decrypt or -d. The output file can be specified with the -o option. This command can also be used to extract the original file from a signed file while at the same time verifying its signature.
Basic syntax:
tbpgp --decrypt <inputFile> -o <outputFile>
where:
<inputFile> is the name of the file to be decrypted.
<outputFile> is the name of the decrypted output file.
Example:
tbpgp --decrypt guide.pdf.pgp --recipient 8724C498 -o guide.pdf
Use the command --sign or -s to sign a file. The Key ID of the signatory is specified with --signer, and the output file is optionally specified with the --output or -o option. In the absence of an --output option, the signed file will be created with the filename <inputFile>.pgp, and the detached signature will be created with the filename <inputFile>.sig.
Basic syntax:
tbpgp --sign <inputFile> --signer <keyID> -o <signedFile>
tbpgp --sign <inputFile> --signer <keyID> -o <detachedSignature> --detached
where:
<inputFile> the path of the file to be signed.
<keyID> Key ID of the secret key used to sign the file digitally.
<signedFile> the path of the signed file, which combines the clear text of the original file and its signature.
--detached signifies that a detached signature is to be created.
Example:
tbpgp --sign guide.pdf --signer 8724C498 -o guide.pdf.sig
Use the command --verify or -v to verify a document’s digital signature. If the original file data in clear text is attached to the signature, only the signed file needs to be provided on the command line. If it is a detached signature, both the detached signature and the original file need to be provided.
Basic syntax:
tbpgp --verify <detachedSignature> <originalFile>
tbpgp --verify <signedFile>
where:
<detachedSignature> is the detached signature, created as a separate file from the original one.
<signedFile> clear text file combined with the signature.
<originalFile> name of the file whose signature must be verified.
Example:
tbpgp --verify guide.pdf.sig guide.pdf
tbpgp --verify guide.pdf.pgp